Authentication

OAuth 2.0

Veeqo uses OAuth 2.0 for authentication when connecting third-party apps through the Veeqo Appstore.

We do not allow API key-based authentication for new public apps listed on the Appstore. This ensures:

Security - OAuth 2.0 enables secure, scoped access without exposing long-lived credentials.
User Control - our sellers can grant and revoke access at any time.
Compliance - OAuth 2.0 meets current industry standards for authorization.

User Experience

A Veeqo seller clicks Get App from your Appstore listing.
The link opens your app's site or onboarding flow.
Your app authenticates the merchant via your own login/sign-up process (if needed).
The Veeqo seller is redirected to the Veeqo OAuth 2.0 authorization page.
Once they approve, your app receives an authorization code, which you exchange for an access token and refresh token via Veeqo's OAuth 2.0 token endpoint.
You use the access token to make API calls on behalf of that Veeqo seller.

Register for OAuth Authentication with Veeqo Support

Set up your redirect_uri. This is the URL that the user will be redirected to after authentication. If you're new to OAuth, Aaron Parecki has a really great guide for getting started.
Send your details to helpme@support.veeqo.com. Please provide us with:
- The name of your applications
- Your redirect/callback URI
We register your application with OAuth. Once registered we will provide you with your client_id and client_secret by email.

Authorizing the user

Within your application, you need to redirect the user to the authorize URL on app.veeqo.com. For example: https://app.veeqo.com/oauth/authorize?client_id=4f8a5d37071f0955e3c8a3dcbf3ff0b53c0699d2085cc6b01707fb3eb9912652&redirect_uri=http%3A%2F%2Fexample.com%2Ftest_oauth_callback&response_type=code&scope=

The user will then confirm authorization of the app and be redirected back to your application.

Get authorization code

The authorization code is returned in the code parameter of the redirect uri e.g. http://example.com/test_oauth_callback?code=acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7

Note: this code lasts only 10 minutes.

Make a request for the permanent access token

Make a request to https://api.veeqo.com/oauth/token using your client ID, client secret, redirect URI, and the temporary code:

Request URL: /oauth/token

Method: POST

Header Parameters: Accept: application/json

Body Parameters:

{
  "grant_type": "authorization_code",
  "redirect_uri": "http://example.com/test_oauth_callback",
  "client_id": "<YOUR CLIENT ID HERE>",
  "client_secret": "<YOUR CLIENT SECRET HERE>",
  "code": "acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7"
}

let xhr = new XMLHttpRequest();
xhr.open("POST", "https://api.veeqo.com/oauth/token");
xhr.setRequestHeader("Accept", "application/json");

let body = {
  "grant_type": "authorization_code",
  "redirect_uri": "http://example.com/test_oauth_callback",
  "client_id": "<YOUR CLIENT ID HERE>",
  "client_secret": "<YOUR CLIENT SECRET HERE>",
  "code": "acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7"
};

xhr.send(JSON.stringify(body));

$body = [
    "grant_type" => "authorization_code",
    "redirect_uri" => "http://example.com/test_oauth_callback",
    "client_id" => "<YOUR CLIENT ID HERE>",
    "client_secret" => "<YOUR CLIENT SECRET HERE>",
    "code" => "acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7"
];

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "https://api.veeqo.com/oauth/token",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => json_encode($body),
    CURLOPT_HTTPHEADER => [
        "Accept: application/json",
    ]
]);

$response = curl_exec($curl);

The API request will return a JSON object with the following properties:

{
  "access_token": "82d7b651f3634a5243c4155f8832f09b30de0c115280d0c2ef62512e6bc5312e",
  "token_type": "bearer",
  "created_at": 1510741588
}

From this point, you can save the returned access_token from the previous request and use this for any future requests as a bearer token.

Here's an example of using the bearer token in an API request:

Request URL: /current_user

Method: GET

Headers: Authorization: Bearer (access_token)

let xhr = new XMLHttpRequest();

xhr.open("GET", "https://api.veeqo.com/current_user");
xhr.setRequestHeader("Authorization", `Bearer ${accessToken}`);
xhr.setRequestHeader("Accept", "application/json");

xhr.send();

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL => "https://api.veeqo.com/current_user",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPGET => true,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer $accessToken",
        "Accept: application/json"
    ]
]);

$response = curl_exec($curl);

API keys for private usage

If you are a Veeqo seller building a private integration for your own business, you may use API keys instead of OAuth 2.0.

These keys give full API access to your account — treat them like passwords.

Generating your API keys

Log in into your Veeqo account
Navigate to Employees page
Click on your user or create a + New Employee (recommended for tracking activity).
Click Refresh API Key

Your API key will be generated and stored in Veeqo for reference.

⚠️ Security tip: Do not share your API key. Anyone with the key has full API access to your account.

Using API Key

Simply include x-api-key into request header, for example:

curl --request GET \
      --url 'https://api.veeqo.com/orders' \
      --header 'accept: application/json' \
      --header 'x-api-key: YOUR API KEY HERE'