Security and Best Practices

  • Never store access tokens or private keys in client-side or web-facing code
  • All API calls must use HTTPS
  • Revoke compromised tokens using DELETE /auth/revokeAccessToken
  • Use dedicated binary endpoints (/seller/v2/content/binary) instead of contentUpdate for binary operations (the legacy binaryList parameter in contentUpdate will stop working July 2026)
  • Handle error codes appropriately (400 for bad parameters, 401 for authorization issues, 403 for permission/ownership errors)