Transition to New API Request Authorization
For third-party services from the Business Solutions Catalog
Publication date: 25.09.2025
In this article, we have described a new approach to authorizing API requests for third-party services from the Business Solutions Catalog.
OAuth 2.0 technology is the optimal way to authorize service API requests. However, we see that not all developers from the solutions catalog are ready to support this technology at this time. Therefore, we are planning to implement simplified authorization for API requests from catalog services.
Changing the authorization technology is important for enhancing security. In the future, this will become the foundation for new capabilities for services from the Solutions Catalog: for example, we will be able to provide services with separate rate limits independent of sellers.
Changes affect only services from the Business Solutions Catalog
How API Request Authorization Works Now
For a service to gain access to seller data, currently one of two conditions is sufficient:
- Receive an API token from the seller.
- Connect to the seller's profile via OAuth 2.0, if the service supports connection through this technology.
If you are connected to seller profiles only via OAuth 2.0, authorization changes will not affect you
What Is Changing
Changes will affect services connected to seller profiles via API token
For all services from the Business Solutions Catalog, a special service token-secret or Service Secret will be generated.
You will need to pass the service secret in all requests to seller data through the WB API, in the X-Client-Secret header. This will be used to identify which specific service is accessing seller data on their behalf.
The service secret lifetime is 180 days. A new service secret will be generated 30 days before expiration. Two secrets will be valid simultaneously until the old one expires.
The service secret does not replace the User-Agent (UA) that services currently pass in their requests. UA must not be removed from requests
Sellers will also be able to create four types of tokens instead of one:
| Token Type | Purpose | Access |
|---|---|---|
| Base Token | For most integrations working with basic data categories | Basic data categories: orders, products, etc. Some new data categories will not be available with this token |
| Personal Token | For seller's own integrations, including on-premise solutions installed on seller's servers | All API data categories, including those not accessible via Base Token. Personal Token cannot be used when working with any cloud services, including those from the Solutions Catalog. The exception is on-premise solutions |
| Service Token | For connecting a specific cloud service from the Solutions Catalog | Seller data. Quick token creation is available for sellers for a specific service using a pre-configured token settings template. The token will only work with the service for which it was issued and will not work with on-premise solutions from the Catalog |
| Test Token | For testing integration during development | Test data (sandbox). No access to real seller data |
New API Workflow
All services from the Business Solutions Catalog must pass when sending API requests:
- the Service Token provided to them by the seller
- the Service Secret, encoded using the open JWT standard.
To receive a service secret, write to business-solutions@rwb.ru
Tokens that services received from sellers before the launch of the new authorization scheme will continue to work as Base Tokens until the end of their validity period. All requests to WB API using base tokens must also be signed with a service secret.
New services just added to the catalog can temporarily use base tokens until they expire. Requests with them must be signed with a service secret.
Using base tokens without a service secret is not allowed
It is prohibited to use Personal and Service Tokens from other services in the Solutions Catalog to connect new sellers. Requests with such tokens will not pass through WB API.
We do not recommend accepting Test Tokens for connecting sellers, as they do not provide access to real data. Using a test token to evaluate the performance of a finished third-party service can negatively impact the seller's experience.
- If your service is a ready-made corporate solution as an on-premise version deployed on seller's servers, such an integration is considered the seller's own integration. In this case, you may not sign requests to WB API with a service secret. Use the seller's Personal Token for connection.
- If a service from the Solutions Catalog is distributed in both cloud and on-premise versions, the service secret should only be passed in requests to the cloud version of the WB API product. Use a Service Token to connect the cloud version of the product.
How to Verify a Token Received from a Seller
Tokens issued by sellers are encoded using the open JWT standard.
Decode the token in a convenient way. Determine the token type by the list of fields from the token's payload:
| Token | acc Value | for Value | t Value |
|---|---|---|---|
| Base Token | 1 | Field absent | false |
| Test Token | 2 | Field absent | true |
| Personal Token | 3 | self | false |
| Service Token | 4 | asid:{Service ID} | false |
Compare the asid of the seller's Service Token with your asid:
- If the values match, the token was issued for your service.
- If the values do not match, the token was not issued for your service and cannot be accepted. Inform the user about this.
How to Sign API Requests with a Service Secret
In each request on behalf of the seller, in addition to the Authorization header with the seller's token, you must add the X-Client-Secret header with the value of the service secret issued to a specific service from the Catalog.
Example request to WB API with service secret:
curl \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-H "X-Client-Secret: ${SECRET_TOKEN}" \
https://marketplace-api.wildberries.ru/api/v3/orders/new
Responses
| Response Code | Description | Error Text Examples |
|---|---|---|
2xx | Any successful response from any method | |
401 Unauthorized | • Request signed with revoked service secret or expired secret. • Failed to verify secret: invalid secret format or request signed with invalid signature | Error texts for 401 will be the same as for access token verification |
403 Forbidden | • Request to seller data not signed with service secret or request contains service token from another service. • Attempt to use secret with personal token | • X-Client-Secret is missing for this token type• access token and X-Client-Secret are for different authorized services• X-Client-Secret is not allowed with private token |
Implementation Stages
Stage 1
Deadline — by October 14, 2025
- We will generate and provide individual Service Secrets to all services. You can reissue your secret by writing to business-solutions@rwb.ru.
- On their side, the service must:
- Implement an additional service secret in the signature of all API requests.
- Launch the process of determining token type passed by the seller.
- Not accept Personal or Service Tokens issued for other services from the Catalog.
Stage 2
Deadline — November 2025
- Sellers on the Portal will be able to issue Personal, Service, and Base Tokens.
- Services will be provided with links that can be added to instructions for connecting services to the seller's profile on WB Partners. Via the link, the seller will go to authorization on WB Partners and then to creating a Service Token for a specific cloud service. All mandatory token settings for working with the service will be automatically filled in advance. The seller will only need to confirm token creation and provide it to the service for integration connection.
- The service must not accept Personal or Service Tokens from other services in the Solutions Catalog for connecting cloud versions of products.
- The service must update user instructions for sellers, considering the changed process of creating and transferring tokens. If the service is distributed in cloud and on-premise versions, the instructions should specify which token type the seller needs to use to connect their product version.
Contacts and Support
For all questions, contact:
- Telegram chats for each service from the Catalog.
- email at business-solutions@rwb.ru.