API Authentication

Updated 3 months ago ​by Merch Transformation Change Management

As of September 18, 2024, U.S. suppliers are automatically redirected from Item 360 to Supplier One for item and inventory workflows. Suppliers who also sell in Canada and category advisors will continue using Item 360.

APIs, or Application Programming Interfaces, allow suppliers and sellers to view and provide large amounts of data quickly and accurately.

The Walmart Supplier Team is excited to launch new and updated API functionality for suppliers who already use the APIs or want to start using them. Using APIs is optional, and there are many benefits for you and 3rd-party Content Service Providers who use APIs on your behalf. 

Below is an overview of API authentication mechanisms for suppliers who use Walmart APIs.

What Has Changed?

Walmart has updated the API authentication mechanism from Digital Signature to O-Auth:

  • Walmart is providing API access to all supplier types (DSV and Owned). Previously, APIs were only available for our DSV suppliers.
  • This industry-standard, token-based authentication mechanism increases security, eases integration, and provides the foundation for future delegated access. Walmart US Marketplace sellers already use O-Auth, so this also streamlines processes for 3rd-party Content Service Providers who work across 1P and 3P.
  • All suppliers are issued new API credentials in Developer Portal for O-Auth. 

Digital Signature Authentication

O-Auth Authentication

Available to

Only DSV suppliers

Any supplier (DSV and Owned)

How it works

  • You needed a Consumer ID and Private Key
  • You had to execute code to generate a "digital signature"
  • You included the digital signature for all API actions to authenticate themselves
  • You are provided a Client ID and Client Secret
  • You call a Walmart Authentication API to get a "token" that is valid for 15 minutes
  • You include the token for all API actions, authenticating themselves to access the API​

Added benefits

  • More secure: Industry-standard authentication
  • Improved user experience: More simple to implement than digital signature and enables visibility into current rate limiting usage 
  • Enables future delegated access: Will allow you to grant 3rd parties access to view their data without sharing login credentials

Notes

  • Support is no longer available for Digital Signature authentication

To use the new and updated APIs:

  • You have to update the authentication mechanism
  • You have to change the API headers for every API call

Frequently Asked Questions

General

1. What is O-Auth authentication?

O-Auth 2.0 is the industry standard for token-based authentication and authorization for APIs.

2. What are the primary benefits of O-Auth?

O-Auth standardizes the API authentication model across suppliers and Marketplace sellers. It also increases security, simplifies the authentication process, and will enable us to build delegated access/App Store for suppliers who work with Content Service Providers.

3. What changes are there to move to O-Auth?

There are three major changes:

  • All suppliers, DSV and Owned, are issued new API credentials (a Client ID and Client Secret).
  • You have to call a Token API to generate a token used in authentication for all API calls.
  • Headers for all API integrations have been updated to change authentication from Digital Signature to Token.

4. Are the Consumer ID and Private Key the same as the Client ID and Client Secret?

No. There is no relationship between your existing Consumer ID and Private Key and your new Client ID and Client Secret.

5. Where can I view my new API Keys?

When you log in to the Developer Portal, it takes you to the Production Keys authentication area, where you can see your Client ID and Client Secret.

6. Can I view my Client Secret without resetting it? Do I need to store it locally?

Yes, one of the enhancements with O-Auth is that supplier administrators can now view their Client Secret without resetting it like they previously did with their Private Key.

With O-Auth, you can get the Client ID and Client Secret at any time on the Developer Portal. You no longer need to store the Client Secret locally and regenerate it if it is lost.

7. Which API Headers are changing?

For all Headers outside of the Token API, you need to:

  • Remove these header parameters: WM_SVC.NAME, WM_SEC.TIMESTAMP, WM_SEC.AUTH_SIGNATURE, WM_CONSUMER.ID
  • Add this header parameter for authorization: WM_SEC.ACCESS_TOKEN

Scope

1. Is O-Auth available for all Supplier types?

Yes, API credentials are now provided to all suppliers (DSV and Owned) who have a signed agreement with Walmart.

Previously, API credentials were only provided to suppliers with active DSV agreements.

2. I already use Walmart APIs. What is the timeline for them to cut over from Digital Signature?

We expect all existing DSV suppliers integrated via API to move to the O-Auth authentication mechanism as soon as possible.

Walmart no longer supports the Digital Signature authentication mechanism.

3. Does this impact my current integrations with Walmart APIs?

No, existing supplier API integrations will continue to function until they migrate to O-Auth authentication. There is no impact to existing DSV APIs.

4. I already work with Marketplace APIs. Is this the same thing?

Yes. O-Auth is the same authentication mechanism and follows the same process that is currently used by Marketplace sellers.

5. Does every supplier have access to every supplier API?

No, you only have access to APIs that are applicable to your supplier type. Suppliers who do not have a DSV agreement with Walmart will not have access to DSV Orders or DSV Inventory APIs and will receive an “unauthorized” error when trying to access them.

Once you sign a new business agreement with Walmart, you should have access to the associated APIs within 24 hours.

Additionally, there are specific APIs (such as Cost and Lag Time updates) that require business approval before you can access and use them.

6. Does O-Auth also enable delegated access for suppliers?

No, at this time, delegated access is not yet available for suppliers. You can still work through 3rd parties by providing your API credentials to the 3rd party.

We are currently working on a pilot for delegated access. If you or your Content Service Provider want to be included in the pilot, email wmapilaunch@walmart.com.

Support

1. Who can I contact for API troubleshooting support?

Contact Partner Support. Make sure to file the case through the correct tile path (Integration Questions or Issues > API) for faster resolution.

2. Where can I find documentation on integrating Walmart APIs?

You can find documentation on the Developer Portal.


Was this article helpful?