Authentication
All Public API requests require a Bearer token. Channel credentials and warehouse codes are managed in the developer portal — never embed them in your client apps.
API keys {#api-keys}
Create keys under Developer Portal → API Keys after your app is approved.
| Item | Description |
|---|---|
| Format | Authorization: Bearer hio_live_… (production) or test keys as issued by portal |
| Scope | One key per app. Quotas and channel access follow the app’s subscription plan. |
| Rotation | Revoke compromised keys immediately; create a replacement before revoking in production. |
| Storage | Server-side only. Do not expose keys in mobile apps, browser JS, or public repos. |
Example request
```bash
curl https://api.hiobuy.com/v1/products/detail \
  -H "Authorization: Bearer hio_live_xxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "channel": "1688",
    "product_id": "554456348334",
    "language": "en"
  }'
```
Channel authorization (prerequisite) {#channel-authorization}
An API key alone is not enough. Each app must complete channel authorization before calling product or order APIs for that marketplace.
| Mode | What you configure | What Gateway uses |
|---|---|---|
| Self fulfillment | Per-channel OAuth or token JSON in portal | Stored tokens per app + channel |
| HIOBuy warehouse | One warehouse developer code | Code + managed tokens server-side; procurement/fulfillment forwarded to HIOBuy |
See Portal authorization. If a channel is not authorized, calls return 401 CHANNEL_NOT_AUTHORIZED (Errors).
What you never send {#what-not-to-send}
- Taobao / 1688 / Weidian access tokens or refresh tokens
- Warehouse developer code (Gateway attaches it for fulfillment routes)
- Portal session JWT on Public API calls
Request tracing {#tracing}
Every response includes:
- x-request-id header — correlate with request_id in the JSON body
- Optional quota headers on billable routes — see Rate limits
Include x-request-id when contacting HIOBuy support.
Common auth errors {#auth-errors}
| HTTP | Code | Meaning |
|---|---|---|
| 401 | INVALID_API_KEY | Missing, revoked, or malformed Bearer token |
| 401 | CHANNEL_NOT_AUTHORIZED | App has not authorized the requested channel in portal |
| 403 | INSUFFICIENT_SCOPE | Key or app lacks permission for the operation |
| 403 | FULFILLMENT_MODE_NOT_SUPPORTED | Fulfillment API called while app is in self-fulfillment mode |
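
The following added example (not HIOBuy's own code) shows a server-side client that reads the key from the environment, sends it only in the Authorization header, and maps the auth errors in the table above to an action plus the request id to quote to support. The `HIOBUY_API_KEY` variable name and the `code` field in the error JSON are assumptions; the page documents only `request_id` in the body.

```python
import json
import os
import urllib.request

API_URL = "https://api.hiobuy.com/v1/products/detail"  # endpoint from the curl example
KEY_ENV_VAR = "HIOBUY_API_KEY"  # assumed variable name, not defined by HIOBuy

# Remediation per (HTTP status, code), following the "Common auth errors" table.
AUTH_ERRORS = {
    (401, "INVALID_API_KEY"): "check or rotate the API key in the portal",
    (401, "CHANNEL_NOT_AUTHORIZED"): "authorize the channel in the portal",
    (403, "INSUFFICIENT_SCOPE"): "key or app lacks permission for this operation",
    (403, "FULFILLMENT_MODE_NOT_SUPPORTED"): "app is in self-fulfillment mode",
}

def load_api_key(env=os.environ):
    """Read the key from the server's environment so it never ships in client code."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key

def redact(key):
    """Return a form of the key that is safe to write to logs."""
    return key[:9] + "***" if key.startswith("hio_live_") else "<redacted>"

def build_request(api_key, payload):
    """Build the POST from the curl example; the key goes only in the header."""
    return urllib.request.Request(
        API_URL,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )

def interpret_auth_error(status, headers, body):
    """Map a 401/403 to an action; assumes error JSON has "code" and "request_id"."""
    data = json.loads(body)
    header_id = {k.lower(): v for k, v in headers.items()}.get("x-request-id")
    action = AUTH_ERRORS.get((status, data.get("code")), "unrecognized auth error")
    return {
        "action": action,
        "request_id": header_id or data.get("request_id"),
        "ids_match": header_id is not None and header_id == data.get("request_id"),
    }
```

Log `redact(key)` rather than the key itself, and record `request_id` from `interpret_auth_error` alongside every failed call.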