API Ceneo.pl - AuthorizationService documentation - AuthorizationService

Table of contents:

    Site definition

    Name: AuthorizationService
    Address: https://partnerzyapi.ceneo.pl/AuthorizationService.svc
    Metadata: https://partnerzyapi.ceneo.pl/AuthorizationService.svc/$metadata

    Version history

    Version number Description of changes Date
    1.1.0 Extension of GetProducts method by the following parameters: 'lowestPrice', 'highestPrice' and 'onlyBasketOffers'. Products was extended by 'HasBasketOffers'. 2013-02-07
    1.0.0 First service version 2012-07-23

    Glossary of terms

    REST Representational state transfer (REST) - a style of software architecture for services providing data in the form of resources. Individual resources are identified using a uniform resource identifier (URI).
    URI Uniform Resource Locator - a uniform resource identifier on the Web.
    OData Open Data Protocol - a REST protocol dedicated for loading and updating data. It uses the ATOM standard and AtomPub protocol.
    OAuth 2.0 Authorization protocol in HTTP services
    Atom Standard of data definition based on XML document.
    AtomPub Atom Publishing Protocol – information publishing standard in services, which is to replace RSS channels in the future.
    JSON JavaScript Object Notation – a text-based notation of data entry, based on the JavaScript language.
    HTTP status codes HTTP queries always return a status code informing about operation result. Below you may find a link to the list of statuses:

    Site operations

    The site is a REST-based service providing resources using the OData protocol, allowing for performance of selected operations using the GET protocol. Data and access security is ensured by encrypted connection and use of the OAuth protocol for authorisation. The site automatically provides data on resources, data types and operations it contains. Errors are always return in an http reply header.
    The site can be accessed only by users of the Affiliate Program on Ceneo.pl.


    Access to authorisation is secured with an SSL certificate and should be made using https. Access to data may be provided using non-encrypted http.

    Access to the site, its resources and operations needs to be authorised first using a special token (a string of characters) which is generated once for a specified period of time after which it expires. The token is of a single use, which means that after its expiry, it will be impossible to use it for authorisation.

    Note! An authorisation token cannot be downloaded using http, because it may compromise the API key.


    Access to each resource and operation is based on the OAuth 2.0 protocol and the client_credentials authorisation type. To connect to the site, the customer needs to download an access token first by providing an API key. The token is generated in the Basic authorisation mode using a special service, i.e. AuthorizationService.svc, and the GetToken method accepting the grant type as a parameter and requiring the API key to be sent in the GET https query header.

    Data to be sent in the header:
    Authorization: Basic api_key

    Sample call:
    Authorization: Basic F7869662-F334-427C-94B9-2D876BFCD589

    In reply a customer receives a token in the header together with information on its type and validity time in seconds after which it will expire. The token type has always the “bearer” value.

    If any parameter is incorrect, the HTTP 400 BadRequest error will be returned together with a detailed message in accordance with the OAuth 2.0 specification.

    If a user has no rights to access the resources, the HTTP 401 Unauthorized error will be returned.

    Data to be read in the header:
    access_token: token
    expires_in: time_in_seconds
    token_type: token_type

    Sample response:
    access_token: 8aYW5uonggPM0mKtARb0TyT_rOtCxJIChmmWWfmD-_c.
    expires_in: 900
    token_type: bearer

    The token should be added to the header of each query for resources and performance of operation (except for loading a new token) in the following way: Authorization: Bearer token Sample header:
    Authorization: Bearer 8aYW5uonggPM0mKtARb0TyT_rOtCxJIChmmWWfmD-_c. It can also be added as URI parameter: /Categories?access_token=8aYW5uonggPM0mKtARb0TyT_rOtCxJIChmmWWfmD-_c.

    If the token has expired or the query is without any token, the HTTP 401 Unauthorized error is to be returned.

    Error handling

    HTTP error details are returned in the http header in three parameters (also compliant with OAuth 2.0): error: shortened error_code_–_string_of_characters
    error_description: short_description_–_string_of_characters,_optionally
    error_uri: address_to_webpage_with_detailed_description_–_string_of_characters,_optionally

    Site definition (metadata)

    The site provides metadata describing all available resources and operations as well as data types.
    Metadata is available at /Service_name.svc/$metadata

    To access it, no encrypted connection or authorization is required (it is possible to query using http).

    URI structure

    URI is defined using OData protocol.

    The resource access template is as follows: /Site_name.svc/Resource_name?$optional_parameters The operation call template is as follows: /Site_name.svc/Operation_name?optional_parameters

    Transmitting collections for operations

    Collections may be transmitted for operations only in Query String parameters in GET operations. A collection needs to be serialised to the JSON format.

    Query String encoding

    Query String parameters need to be encoded as UTF8. For example, in JavaScript this can be done using the encodeURIComponent function. Encoding is defined in the URI standard.

    Data format

    Data is returned by default as ATOM XML, but it is possible to request JSON format by adding the $format=json parameter.

    Sample: /Site_name.svc/Resource_name_or_Operation_name?optional_parameters&$format=json

    Data cache

    Results of queries for resources and operations (except for loading a token) are kept for 15 minutes, which means that during that time the same query will return the same data even though it could change. The data storage time may change.

    Limits of call number

    Quantitative limits may be imposed for queries for resources and operations (hourly, daily, etc.). Then, after the limit is exceeded, the HTTP 403 Forbidden error will be returned together with the error code and description informing that the number of calls has been exceeded.

    Available resources


    Available fields
    Name Type Description
    Type String

    Available operations


    Generating an access token.

    Http method: GET
    Output parameter: Void

    Input parameters
    Name Type Description
    grantType String


    Frequently asked questions

    1. Why does this date has a strange format?

      The date format in XML is compliant with the ISO 8601 standard specification http://en.wikipedia.org/wiki/ISO_8601.
      In the JSON format, date is a millisecond number Date(1309874335920). The way on how to use is can be found at http://www.w3schools.com/jsref/jsref_obj_date.asp

    2. Why do Polish characters not display correctly in the JSON format?

      All national characters (including Polish) are in the Unicode format whose description can be found at http://en.wikipedia.org/wiki/List_of_Unicode_characters#Latin_Extended-A. For example, "ó" has the Unicode number U+00F3 which is shown as \u00f3.