Bug: Token from 'refreshAuthToken' event lacks permissions for Business Policies

[evers-hamza]

When the ebay-api client automatically refreshes the OAuth2 token (via the autoRefreshToken: true configuration), the new token emitted in the refreshAuthToken callback appears to have restricted permissions. Specifically, it fails to fetch Business Policies, resulting in unauthorized/permission errors. However, creating a new token manually via the eBay Auth API using the same credentials and scopes works perfectly.

To Reproduce

Initialize the eBay client with autoRefreshToken: true.

Wait for the initial token to expire (2 hours).

Catch the new token in the event listener:

client.OAuth2.on('refreshAuthToken', async (newToken) => {
    // Use this newToken to call Business Policy APIs (e.g., Account API)
});

Observe that API calls to Business Policies fail with this newToken.

Manually request a token using the same refresh token/scopes via a separate API call—this manual token works.

Expected behavior The newToken provided by the refreshAuthToken event should be functionally identical to a manually refreshed token and should maintain all scopes (including those required for Business Policies/Account API) granted during the initial user consent.

- API Scopes Used

1. https://api.ebay.com/oauth/api_scope,
2. https://api.ebay.com/oauth/api_scope/sell.marketing.readonly,
3. https://api.ebay.com/oauth/api_scope/sell.marketing,
4. https://api.ebay.com/oauth/api_scope/sell.inventory.readonly,
5. https://api.ebay.com/oauth/api_scope/sell.inventory,
6. https://api.ebay.com/oauth/api_scope/sell.account.readonly,
7. https://api.ebay.com/oauth/api_scope/sell.account,
8. https://api.ebay.com/oauth/api_scope/sell.fulfillment.readonly,
9. https://api.ebay.com/oauth/api_scope/sell.fulfillment,
10. https://api.ebay.com/oauth/api_scope/sell.analytics.readonly,
11. https://api.ebay.com/oauth/api_scope/sell.finances,
12. https://api.ebay.com/oauth/api_scope/commerce.notification.subscription,
13. https://api.ebay.com/oauth/api_scope/commerce.notification.subscription.readonly,
14. https://api.ebay.com/oauth/api_scope/sell.marketplace.insights.readonly,
15. https://api.ebay.com/oauth/api_scope/sell.item.draft,
16. https://api.ebay.com/oauth/api_scope/sell.item

[dantio]

@evers-hamza
Please provide more code or a reproduceable repo.

[evers-hamza]

import eBayApi from 'ebay-api';
import merchantRepository from '../repositories/merchant.repository.js';
import logger from '../utils/logger.js';

// === SCOPES - BEAY ===
const SCOPES = process.env.EBAY_SCOPES.split(',').map((scope) => scope.trim());

class EbayAuthFactory {
  config = {
    appId: process.env.EBAY_CLIENT_ID,
    certId: process.env.EBAY_CLIENT_SECRET,
    ruName: process.env.EBAY_REDIRECT_URI,
    scope: SCOPES,
    sandbox: true,
    autoRefreshToken: true,
  };

  // === Public method (replacement of getValidEbayAccessToken) ===
  getClient = async (masterMerchantId) => {
    const merchant = await this.getMerchant(masterMerchantId);

    const client = this.createClient();

    this.setRefreshToken(client, merchant.refresh_token, merchant.access_token);

    this.attachRefreshListener(client, masterMerchantId);

    return client;
  };

  getTradingClient = async (masterMerchantId) => {
    const merchant = await this.getMerchant(masterMerchantId);

    if (!merchant.access_token) {
      throw new Error('Missing eBay AuthNAuth token');
    }

    return new eBayApi({
      sandbox: true,
      siteId: 0,
      autoRefreshToken: false,
      scope: [],
      authToken: merchant.access_token,
    });
  };

  // -----------------------
  // Internal methods
  // -----------------------

  getMerchant = async (masterMerchantId) => {
    const merchant = await merchantRepository.getEbayCredentials(masterMerchantId);

    if (!merchant) {
      throw new Error('Merchant not connected to eBay');
    }

    return merchant;
  };

  createClient = () => {
    return new eBayApi(this.config);
  };

  setRefreshToken = (client, refreshToken, authToken) => {
    client.OAuth2.setCredentials({
      refresh_token: refreshToken,
      access_token: authToken,
    });
  };

  attachRefreshListener = (client, masterMerchantId) => {
    client.OAuth2.on('refreshAuthToken', async (newToken) => {
      try {
        const accessExpiry = new Date(Date.now() + newToken.expires_in * 1000);

        const refreshExpiry = newToken.refresh_token_expires_in
          ? new Date(Date.now() + newToken.refresh_token_expires_in * 1000)
          : null;

        await merchantRepository.saveEbayOauthCredentials({
          master_merchant_id: masterMerchantId,
          access_token: newToken.access_token,
          refresh_token: newToken.refresh_token ?? null, // only update if present
          token_expires_at: accessExpiry,
          refresh_token_expires_at: refreshExpiry,
          token_type: newToken.token_type,
        });

        [logger.info](http://logger.info/)(`Merchant ${masterMerchantId} token updated successfully`);
      } catch (err) {
        logger.error(`Failed to persist refreshed token`, err);
      }
    });
  };
}

export default new EbayAuthFactory();`

@dantio This is my code, please help, Thank you

[dantio]

// your method
setRefreshToken = (client, refreshToken, authToken) => {
    client.OAuth2.setCredentials({
      refresh_token: refreshToken,
      access_token: authToken,
    });
  };

Try to put all information here, see:

public setCredentials(authToken: AuthToken | string) {
    if (typeof authToken === 'string') {
      this._authToken = {
        refresh_token: '',
        expires_in: 7200,
        refresh_token_expires_in: 47304000,
        token_type: 'User Access Token',
        access_token: authToken
      };
    } else {
      this._authToken = authToken;
    }
  }

[evers-hamza]

@dantio Thank you, I will apply this and check and get back to you

[dantio]

@evers-hamza I hope you fixed it. I'll close this issue.