Authentication
OAuth 2.0
Veeqo uses OAuth 2.0 for authentication when connecting third-party apps through the Veeqo Appstore.
We do not allow API key-based authentication for new public apps listed on the Appstore. This ensures:
- Security - OAuth 2.0 enables secure, scoped access without exposing long-lived credentials.
- User Control - our sellers can grant and revoke access at any time.
- Compliance - OAuth 2.0 meets current industry standards for authorization.
User Experience
- A Veeqo seller clicks Get App from your Appstore listing.
- The link opens your app's site or onboarding flow.
- Your app authenticates the merchant via your own login/sign-up process (if needed).
- The Veeqo seller is redirected to the Veeqo OAuth 2.0 authorization page.
- Once they approve, your app receives an authorization code, which you exchange for an access token and refresh token via Veeqo's OAuth 2.0 token endpoint.
- You use the access token to make API calls on behalf of that Veeqo seller.
Register for OAuth Authentication with Veeqo Support
- Set up your redirect_uri. This is the URL that the user will be redirected to after authentication. If you're new to OAuth, Aaron Parecki has a really great guide for getting started.
- Send your details to helpme@support.veeqo.com. Please provide us with:
  - The name of your application
  - Your redirect/callback URI
- We register your application with OAuth. Once registered, we will provide you with your client_id and client_secret by email.
Authorizing the user
Within your application, you need to redirect the user to the authorize URL on app.veeqo.com. For example:
https://app.veeqo.com/oauth/authorize?client_id=4f8a5d37071f0955e3c8a3dcbf3ff0b53c0699d2085cc6b01707fb3eb9912652&redirect_uri=http%3A%2F%2Fexample.com%2Ftest_oauth_callback&response_type=code&scope=
The user will then confirm authorization of the app and be redirected back to your application.
Get authorization code
The authorization code is returned in the code parameter of the redirect URI, e.g.
http://example.com/test_oauth_callback?code=acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7
Note: this code lasts only 10 minutes.
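The redirect and callback steps above, as an added example that is not Veeqo's own code: it builds the authorize URL with the page's parameters and validates the callback before the code is exchanged. The `state` parameter comes from RFC 6749 and is assumed to be echoed back by Veeqo (the page does not show it); the function names and the sample values are hypothetical.

```javascript
// Added example; newState, buildAuthorizeUrl and readCallback are hypothetical names.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const AUTHORIZE_URL = "https://app.veeqo.com/oauth/authorize"; // from the page

// Unguessable per-login value; keep it in the user's server-side session.
function newState() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the redirect to Veeqo. `state` is the RFC 6749 parameter (assumed to be
// echoed back by Veeqo; the page does not show it). The rest are the page's own.
function buildAuthorizeUrl(clientId, redirectUri, state) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "",
    state,
  });
  return `${AUTHORIZE_URL}?${params}`;
}

// Validate the callback before spending the code at the token endpoint.
// `pending` is what the session stored at redirect time: { state, redirectUri }.
function readCallback(callbackUrl, pending) {
  const url = new URL(callbackUrl);
  const expected = new URL(pending.redirectUri);
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    throw new Error("callback arrived on an unexpected URI");
  }
  const q = url.searchParams;
  // Reject responses that were not started by this session (login CSRF).
  if (!pending.state || q.get("state") !== pending.state) {
    throw new Error("state mismatch");
  }
  // RFC 6749 error response, e.g. the seller declined the request.
  if (q.has("error")) throw new Error(`authorization failed: ${q.get("error")}`);
  const codes = q.getAll("code");
  if (codes.length !== 1 || codes[0] === "") {
    throw new Error("expected exactly one code parameter");
  }
  return codes[0]; // exchange promptly: the page says the code lasts 10 minutes
}
```

Discard the stored state once `readCallback` has returned or thrown, so a replayed callback URL fails the state check.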
Make a request for the permanent access token
Make a request to https://api.veeqo.com/oauth/token using your client ID, client secret, redirect URI, and the temporary code:
Request URL: /oauth/token
Method: POST
Header Parameters: Accept: application/json
Body Parameters:
{
  "grant_type": "authorization_code",
  "redirect_uri": "http://example.com/test_oauth_callback",
  "client_id": "<YOUR CLIENT ID HERE>",
  "client_secret": "<YOUR CLIENT SECRET HERE>",
  "code": "acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7"
}
JavaScript:
// client_secret is a confidential credential: perform this exchange from
// your backend, not from code shipped to a browser.
let xhr = new XMLHttpRequest();
xhr.open("POST", "https://api.veeqo.com/oauth/token");
xhr.setRequestHeader("Accept", "application/json");
// The body is JSON, so declare it as such.
xhr.setRequestHeader("Content-Type", "application/json");
let body = {
  "grant_type": "authorization_code",
  "redirect_uri": "http://example.com/test_oauth_callback",
  "client_id": "<YOUR CLIENT ID HERE>",
  "client_secret": "<YOUR CLIENT SECRET HERE>",
  "code": "acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7"
};
xhr.send(JSON.stringify(body));
PHP:
$body = [
    "grant_type" => "authorization_code",
    "redirect_uri" => "http://example.com/test_oauth_callback",
    "client_id" => "<YOUR CLIENT ID HERE>",
    "client_secret" => "<YOUR CLIENT SECRET HERE>",
    "code" => "acc2658ced4f9eea257c9da72acea1c97f9e1b1db2118b565355532af13591d7"
];
$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api.veeqo.com/oauth/token",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => json_encode($body),
    CURLOPT_HTTPHEADER => [
        "Accept: application/json",
        // The body is JSON, so declare it as such.
        "Content-Type: application/json",
    ]
]);
$response = curl_exec($curl);
The API request will return a JSON object with the following properties:
{
  "access_token": "82d7b651f3634a5243c4155f8832f09b30de0c115280d0c2ef62512e6bc5312e",
  "token_type": "bearer",
  "created_at": 1510741588
}
From this point, you can save the access_token returned by the previous request and use it as a bearer token for any future requests.
Here's an example of using the bearer token in an API request:
Request URL: /current_user
Method: GET
Headers: Authorization: Bearer (access_token)
JavaScript:
// accessToken holds the access_token value returned by /oauth/token.
let xhr = new XMLHttpRequest();
xhr.open("GET", "https://api.veeqo.com/current_user");
xhr.setRequestHeader("Authorization", `Bearer ${accessToken}`);
xhr.setRequestHeader("Accept", "application/json");
xhr.send();
PHP:
// $accessToken holds the access_token value returned by /oauth/token.
$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => "https://api.veeqo.com/current_user",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPGET => true,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer $accessToken",
        "Accept: application/json"
    ]
]);
$response = curl_exec($curl);
API keys for private usage
If you are a Veeqo seller building a private integration for your own business, you may use API keys instead of OAuth 2.0.
These keys give full API access to your account — treat them like passwords.
Generating your API keys
- Log in to your Veeqo account
- Navigate to the Employees page
- Click on your user or create a + New Employee (recommended for tracking activity).
- Click Refresh API Key
Your API key will be generated and stored in Veeqo for reference.
⚠️ Security tip: Do not share your API key. Anyone with the key has full API access to your account.
Using API Key
Simply include x-api-key in the request header, for example:
curl --request GET \
  --url 'https://api.veeqo.com/orders' \
  --header 'accept: application/json' \
  --header 'x-api-key: YOUR API KEY HERE'