Let the user log in on MKM, retrieve the Request Token and exchange it for an Access Token and Access Token Secret

Attention: The following procedure only applies to 3rd party apps!

To request a protected resource through the API you need to identify an app (with its token and secret), as well as the user whose protected resource is requested (through his token and secret).

To get the token and secret for that user, here is the process overview.

Let the user log in on MKM

You need to redirect the user to our login page (a simple HTTP link). This is not a normal request, so don't expect an answer from that site!

https://api.cardmarket.com/ws/v1.0/authenticate/bfaD9xOU0SXBhtBP

// OR

https://api.cardmarket.com/ws/v1.1/authenticate/bfaD9xOU0SXBhtBP

// OR

https://api.cardmarket.com/ws/v2.0/authenticate/bfaD9xOU0SXBhtBP

// Attention: You can also specify a language the login site should show
// with "en|fr|de|es|it" being possible

// The following shows the login site in French
https://api.cardmarket.com/ws/v2.0/authenticate/bfaD9xOU0SXBhtBP/fr

The user will log in at that site with his normal MKM credentials.

Once the user has successfully authenticated, the API redirects to the provided callback URI, with the request token appended:

http://www.awesomemkm3rdpartyapp.eu/callback.php?request_token=HSZorctm86Cw6OHKfRkr8xoSlt1SKE5Z

Please make sure to provide the complete callback URI string on the profile page for your app; we only append the request token to that string and redirect to it!

Exchange the request token for an access token and access token secret

This request token is issued for your app, authenticates the respective user, and is valid for the next 24 hours.

Your app reads that request token and needs to make a POST request to exchange it for an access token and access token secret. As you need to include an Authorization header with all of your API requests, you also need to do it here. Please refer to OAuth Header for how to assemble that header.

POST https://api.cardmarket.com/ws/v1.1/access
Authorization: OAuth realm="https://api.cardmarket.com/ws/v1.1/access",
                     oauth_consumer_key="bfaD9xOU0SXBhtBP",
                     oauth_token="HSZorctm86Cw6OHKfRkr8xoSlt1SKE5Z",
                     oauth_nonce="53eb19e2be50f",
                     oauth_timestamp="1407916514",
                     oauth_signature_method="HMAC-SHA1",
                     oauth_version="1.0",
                     oauth_signature="dg0/wVYU5cIUjU/fV+IS+pxAP0E="

<?xml version="1.0" encoding="UTF-8" ?>
<request>
    <app_key>bfaD9xOU0SXBhtBP</app_key>
    <request_token>HSZorctm86Cw6OHKfRkr8xoSlt1SKE5Z</request_token>
</request>

This request returns the access token and secret; for all future requests, your app can then act on behalf of the user.

<?xml version="1.0" encoding="utf-8"?>
<response>
    <oauth_token>lBY1xptUJ7ZJSK01x4fNwzw8kAe5b10Q</oauth_token>
    <oauth_token_secret>hc1wJAOX02pGGJK2uAv1ZOiwS7I9Tpoe</oauth_token_secret>
</response>

These tokens are issued for your app, authenticate the respective user, and are valid for the next 24 hours.
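
The exchange step above as an added Python example (not part of the original documentation and not Cardmarket's own code): it builds the signed POST following RFC 5849 HMAC-SHA1 and parses the response format shown above. Assumptions: no token secret exists yet at this step, so the signing key is the app secret followed by "&"; tokens are alphanumeric as in the page's samples; the function names are hypothetical and the app secret is supplied by the caller.

```python
import base64, hashlib, hmac, re, secrets, time
import xml.etree.ElementTree as ET
from urllib.parse import quote

ACCESS_URL = "https://api.cardmarket.com/ws/v1.1/access"  # endpoint from the page

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def build_access_request(app_token, app_secret, request_token, nonce=None, timestamp=None):
    # The request token arrives in a callback query string: treat it as untrusted.
    # Assumption: tokens are alphanumeric, as in the page's samples.
    if not re.fullmatch(r"[A-Za-z0-9]{1,64}", request_token):
        raise ValueError("unexpected request_token format")
    params = {
        "oauth_consumer_key": app_token,
        "oauth_token": request_token,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }
    # Base string: METHOD & encoded URL & encoded sorted parameters (realm is not signed)
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join(["POST", pct(ACCESS_URL), pct(normalized)])
    # Assumption: no token secret exists yet, so the key is "<app secret>&"
    key = pct(app_secret) + "&"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    # Header values are written raw, matching the sample header on the page
    header = 'OAuth realm="%s", ' % ACCESS_URL + ", ".join(
        f'{k}="{v}"' for k, v in params.items())
    root = ET.Element("request")  # ElementTree escapes element text for us
    ET.SubElement(root, "app_key").text = app_token
    ET.SubElement(root, "request_token").text = request_token
    body = b'<?xml version="1.0" encoding="UTF-8" ?>\n' + ET.tostring(root)
    return header, body

def parse_access_response(xml_bytes, now=None):
    root = ET.fromstring(xml_bytes)
    token = root.findtext("oauth_token")
    token_secret = root.findtext("oauth_token_secret")
    if not token or not token_secret:
        raise ValueError("response lacks oauth_token / oauth_token_secret")
    # The page states a 24-hour validity; store the expiry next to the credentials
    return {"token": token, "secret": token_secret,
            "expires_at": (now or time.time()) + 24 * 3600}
```

Send the returned header as the Authorization header and the returned bytes as the POST body; keep the app secret and the returned token secret out of logs and client-side code.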