ShipBob’s Developer API allows two forms of authentication, depending on the use case: Personal Access Token (PAT) or OAuth 2.0.
To generate authentication credentials, you must have an account on the ShipBob dashboard. If you don’t have one, you can sign up:
ShipBob offers two authentication methods based on integration needs:
Personal Access Token (PAT): If you’re building a single-user custom integration, use this method. It generates a ready-to-use bearer-type token with full access to the merchant’s account.
OAuth 2.0: If you are building a multi-user integration or an app listed on our App Store, you must use OAuth.
All API authentication operates against the root user of the account. When requesting a PAT or installing an OAuth app, do so against the root user.
When you request your first PAT, ShipBob automatically generates an application (“SMA” or single-merchant application) and channel to house all your future PATs. You can request multiple tokens and revoke them anytime.
These tokens do not expire, so exercise caution when sharing them.
To authenticate API requests, include the PAT in the `Authorization` header:
Before making API calls, retrieve your channel ID using the GET Channel endpoint:
To authenticate via OAuth, follow these steps:
Generate credentials from the ShipBob dashboard:
Make a `GET` request to:
Include the following query parameters (URL-encoded):
| Parameter | Description |
|---|---|
| `client_id` | Your client ID (from Step 1). |
| `scope` | Space-separated list of scopes granted in Step 1. If using refresh tokens, include `offline_access`. |
| `redirect_uri` | Callback URI that must match one provided during client registration. |
| `state` | Recommended for preventing replay attacks; echoed back in the callback. |
| `nonce` | A random string to prevent token replay attacks. |
When the user grants access, ShipBob redirects to your callback URI with the following parameters:
The data is returned as a URL fragment, not a query string.
Exchange the authorization code for an access token by making a `POST` request:
If using `offline_access`, a `refresh_token` will also be provided. Use it to obtain new tokens without requiring user login:
Access tokens expire in 1 hour. Refresh tokens are valid for 30 days.
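The authorization request and callback steps above, as an added example that is not ShipBob's own code: it generates a fresh `state` and `nonce`, builds the URL-encoded request from the parameters in the table, and accepts a callback only when the fragment echoes the stored `state`. The endpoint URL, the callback parameter name `code`, and the function names are assumptions; the real request may need parameters that are not listed in the table.

```javascript
// Added example; names marked "assumed" do not come from the ShipBob page.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Placeholder: substitute the authorization URL from the ShipBob documentation.
const AUTHORIZE_ENDPOINT = 'https://authorization-server.example/authorize';

// 32 random bytes, hex-encoded: an unguessable value generated per request.
function randomToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the request URL plus the values to store in the user's session.
function buildAuthorizeRequest({ clientId, scopes, redirectUri }) {
  const pending = { state: randomToken(), nonce: randomToken(), redirectUri };
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    scope: scopes.join(' '), // space-separated, encoded by URLSearchParams
    redirect_uri: redirectUri,
    state: pending.state,
    nonce: pending.nonce,
  }).toString();
  return { url: url.toString(), pending };
}

// Compare every character so timing does not reveal where the values differ.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Read the callback. Only the fragment is parsed; the query string is ignored.
function readCallback(callbackUrl, pending) {
  const url = new URL(callbackUrl);
  if (url.origin + url.pathname !== pending.redirectUri) {
    throw new Error('callback arrived at an unexpected URI');
  }
  const params = new URLSearchParams(url.hash.slice(1));
  if (!constantTimeEqual(params.get('state') ?? '', pending.state)) {
    throw new Error('state mismatch: discard this callback');
  }
  const code = params.get('code'); // assumed parameter name
  if (!code) throw new Error('no authorization code in fragment');
  return code;
}
```

Delete the stored `state` once a callback has been accepted or rejected so the same value cannot be presented twice.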
All API requests must include `shipbob_channel_id` in headers. Retrieve it via:
If you are using a ShipBob sandbox account, make sure to update your endpoint to `sandbox-api.shipbob.com/1.0/channel`.
Example Response:
You’re now ready to make authenticated API requests using ShipBob!