Documentation Mercado Libre
Check out all the necessary information about Mercado Libre APIs.
Authorization and Token Best Practices
Obtain access token by sending body parameters
When you POST to the /oauth/token resource to get the access token, send the parameters in the request body and not in the query string. This allows a much more secure exchange of information, because query strings are commonly recorded in server and proxy logs, while request bodies usually are not.
Example:
# Double quotes let the shell expand $client_id, $client_secret, $code and $redirect_uri.
curl -X POST \
-H 'accept: application/json' \
-H 'content-type: application/x-www-form-urlencoded' \
'https://api.mercadolibre.com/oauth/token' \
-d 'grant_type=authorization_code' \
-d "client_id=$client_id" \
-d "client_secret=$client_secret" \
-d "code=$code" \
-d "redirect_uri=$redirect_uri"
ID generation to obtain an access token
As an optional measure to increase security when obtaining access tokens, we recommend that you generate a cryptographically secure random value and send it as the state parameter.
For example, to create the secure random ID in Java:
import java.security.SecureRandom;
SecureRandom random = new SecureRandom();
Example adding state:
curl -X GET "https://auth.mercadolibre.com.ar/authorization?response_type=code&client_id=$APP_ID&state=ABC123&redirect_uri=$REDIRECT_URL"
You will receive the authorization code and also the secure identifier in the specified return URL:
https://YOUR_REDIRECT_URI?code=$SERVER_GENERATED_AUTHORIZATION_CODE&state=ABC123
Remember to check that the state value you receive matches the one you sent, to make sure that the response belongs to a request initiated by your application!
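The state round trip described above, as an added Python example (not code from the Mercado Libre documentation). The StateStore class, the session IDs and the in-memory dictionary are hypothetical; a real application would keep the pending state in its server-side session.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Authorization endpoint as shown in the curl example on this page.
AUTH_ENDPOINT = "https://auth.mercadolibre.com.ar/authorization"


class StateStore:
    """Hypothetical store of pending state values, keyed by user session."""

    def __init__(self):
        self._pending = {}  # session id -> state awaiting its callback

    def begin(self, session_id, app_id, redirect_uri):
        """Create a fresh state for this session and return the authorization URL."""
        state = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._pending[session_id] = state
        query = urlencode({
            "response_type": "code",
            "client_id": app_id,
            "state": state,
            "redirect_uri": redirect_uri,
        })
        return f"{AUTH_ENDPOINT}?{query}"

    def finish(self, session_id, callback_url):
        """Return the authorization code, or None if the state check fails."""
        # pop() makes the state single use, even when validation fails.
        expected = self._pending.pop(session_id, None)
        params = parse_qs(urlsplit(callback_url).query)
        states = params.get("state", [])
        codes = params.get("code", [])
        # Reject unknown sessions and missing or duplicated parameters.
        if expected is None or len(states) != 1 or len(codes) != 1:
            return None
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if not hmac.compare_digest(states[0].encode(), expected.encode()):
            return None
        return codes[0]
```

Only a code returned by finish() should be passed on to the POST to /oauth/token.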
Use of same redirect URI
Remember to send as redirect_uri the same URL you set when creating your application!
Validation of URLs to receive notifications
First, validate the origin so that you know you are receiving notifications only from Mercado Libre. Then check the URLs in each notification you receive, to make sure that the resources your application is going to query are valid.
Access token on all requests
In every call you make to the Mercado Libre API, remember to include the access token, for both public and private resources.