Authentication overview
Flipkart Marketplace employs a signature-based authentication mechanism for its API, ensuring that requests originate from authorized sellers or integration partners. This approach combines an API key, which identifies the calling application, with a request signature, which verifies the integrity and authenticity of each request. The signature is a keyed hash (an HMAC) computed over specific request parameters with a shared secret key, so a request cannot be altered in transit or forged without that secret.
This method is designed to secure programmatic interactions with seller accounts, covering operations such as managing product listings, processing orders, and updating inventory. Access to Flipkart's APIs typically requires an application process, primarily catering to large sellers and official integration partners, as noted in Flipkart's developer experience documentation. Developers are expected to manage their API credentials securely and implement the signature generation logic within their client applications.
The authentication process ensures that every API call is validated against the registered credentials, maintaining the security and integrity of seller data on the platform. This is a common pattern in e-commerce APIs, where data sensitivity necessitates robust verification of request origins and content integrity.
Supported authentication methods
Flipkart Marketplace primarily uses a combination of API keys and digital signatures for authenticating API requests. This method ensures both identification of the caller and verification that the request has not been altered in transit.
| Method | When to Use | Security Level |
|---|---|---|
| API Key & Digital Signature | All programmatic API interactions for managing listings, orders, inventory, and other seller operations. | High. Provides both authentication and message integrity. |
| Seller Portal Login | Manual management of seller accounts, listings, and orders via the web interface. | Standard web session security (username/password, potentially MFA). |
API Key and Digital Signature Details
The API Key is a unique identifier issued to your application or seller account. It is sent in clear in every request and only identifies the caller; it is not a secret in the same sense as the Secret Key. The "digital signature" is, strictly, a message authentication code: a keyed hash (HMAC) computed over the request's method, path, selected headers and payload using the shared Secret Key. Because the same secret is held by both the client and Flipkart, the signature proves possession of the secret and that the signed fields were not modified, but it is not an asymmetric signature and cannot provide non-repudiation. The signature travels in a request header (this page's examples use FK-SECURITY-TOKEN; the actual header name is defined in Flipkart's API documentation), and Flipkart's servers recompute it to verify the request's authenticity and integrity.
The process generally involves:
- Obtaining API Key and Secret: These are generated within the Flipkart Seller Portal.
- Constructing the Signature String: A canonical string is created from relevant request parameters (e.g., HTTP method, URI, query parameters, request body, timestamp). Only fields in this string are protected, and the timestamp is what lets the server reject stale or replayed requests.
- Hashing the String: The canonical string is passed through a keyed hash (e.g., HMAC-SHA256) with the shared secret key as the key. Use the HMAC construction rather than a plain hash of the secret concatenated with the string; the two are not equivalent.
- Encoding the Signature: The resulting hash is typically Base64 encoded.
- Including in Headers: The API Key and the generated signature are added to specific HTTP headers in the API request.
This method is similar to how many REST APIs secure their endpoints, ensuring that only authorized and unaltered requests are processed. For a broader understanding of API key security, the Cloudflare API key security guide provides relevant insights into managing and protecting API keys.
Getting your credentials
To integrate with Flipkart Marketplace APIs, you must first obtain the necessary API credentials. This process is initiated through the Flipkart Seller Portal, which serves as the central hub for all seller operations, including API access management.
Steps to obtain API credentials:
- Access the Flipkart Seller Portal: Log in to your existing Flipkart Seller account at Flipkart Seller Login. If you do not have a seller account, you must first register and complete the seller onboarding process.
- Navigate to API Settings: Within the Seller Portal, locate the section related to 'API Settings', 'Integrations', or 'Developer Access'. The exact path may vary based on updates to the portal's user interface.
- Apply for API Access: Flipkart's API access is often restricted and requires an application, especially for new integrations or larger scopes. You may need to describe your integration purpose and expected API usage.
- Generate API Key and Secret Key: Once your API access is approved, you will typically find an option to generate your API Key and a corresponding Secret Key. The Secret Key is crucial for generating digital signatures and should be treated with the highest level of confidentiality.
- Review API Documentation: Flipkart provides specific API documentation for sellers and partners, detailing how to use the generated credentials, construct requests, and implement the signature generation logic. Refer to the official Flipkart Seller API documentation for the most accurate and up-to-date instructions.
It's important to note that the Secret Key is often displayed only once upon generation. You should copy and store it securely immediately. If lost, you might need to revoke the existing key and generate a new one, which could temporarily disrupt your integration.
Authenticated request example
This example demonstrates a hypothetical authenticated GET request to retrieve seller inventory using Flipkart's API key and digital signature method. The exact headers and signature generation algorithm will be specified in Flipkart's official API documentation.
Assumptions:
- API Key: YOUR_FLIPKART_API_KEY
- Secret Key: YOUR_FLIPKART_SECRET_KEY
- Request URI: /v1/seller/inventory
- Timestamp Header: FK-TIMESTAMP (Unix epoch in milliseconds)
- Signature Header: FK-SECURITY-TOKEN
- Signature Algorithm: HMAC-SHA256
Signature Generation Pseudocode:

```python
import base64
import hashlib
import hmac
import time


def generate_signature(api_key, secret_key, method, uri, timestamp, query_params=None, body_hash=""):
    """Hypothetical canonical-string layout; Flipkart's documentation defines
    the real one. Only fields bound into this string are protected by the MAC."""
    # 1. Construct the canonical string
    canonical_string_parts = [
        method.upper(),
        uri,
        str(timestamp),
        api_key,
    ]
    # Add query parameters if present, sorted alphabetically so both sides
    # build the same string regardless of the original ordering
    if query_params:
        for k, v in sorted(query_params.items()):
            canonical_string_parts.append(f"{k}={v}")
    # Add the body hash (e.g. hex SHA-256 of the raw bytes) for POST/PUT requests
    if body_hash:
        canonical_string_parts.append(body_hash)
    canonical_string = "\n".join(canonical_string_parts)
    # 2. MAC the canonical string with HMAC-SHA256 keyed by the secret key
    hashed = hmac.new(secret_key.encode("utf-8"), canonical_string.encode("utf-8"), hashlib.sha256).digest()
    # 3. Base64 encode the result for transport in a header
    return base64.b64encode(hashed).decode("utf-8")


# Example usage:
api_key = "YOUR_FLIPKART_API_KEY"
secret_key = "YOUR_FLIPKART_SECRET_KEY"
method = "GET"
uri = "/v1/seller/inventory"
timestamp = int(time.time() * 1000)  # Current Unix epoch in milliseconds
signature = generate_signature(api_key, secret_key, method, uri, timestamp)
print(f"Generated Signature: {signature}")
print(f"Timestamp: {timestamp}")
```
HTTP Request Example:

```http
GET /v1/seller/inventory HTTP/1.1
Host: api.flipkart.com
FK-API-KEY: YOUR_FLIPKART_API_KEY
FK-TIMESTAMP: <Generated Timestamp>
FK-SECURITY-TOKEN: <Generated Signature>
Content-Type: application/json
```

Replace <Generated Timestamp> and <Generated Signature> with the actual values computed by your client application. For POST or PUT requests, the request body is also bound into the signature, typically by including a hash (e.g., SHA-256) of the exact bytes sent on the wire in the canonical string; hashing a re-serialized copy of the JSON will not match if key order or whitespace differ.
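The steps above are the client's half of the protocol; what makes them worth doing is the server's half, which the page does not show. The following added example (not Flipkart's code; the header names, canonical-string layout and five-minute freshness window are assumptions carried over from the hypothetical request above) pairs a signer with a verifier and shows what the verifier must do to get the security this page claims: bind every enforced field including a body digest, reject timestamps outside a window so a captured request cannot be replayed, look the secret up by API key, and compare signatures in constant time. Running it shows a valid POST accepted, the same headers rejected when the body is changed, and rejection again when the request is replayed an hour later.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Header names and the canonical-string layout are assumptions carried over
# from the hypothetical request above; Flipkart's documentation defines the
# real ones. The verification logic is what this example is about.
API_KEY_HEADER = "FK-API-KEY"
TIMESTAMP_HEADER = "FK-TIMESTAMP"
SIGNATURE_HEADER = "FK-SECURITY-TOKEN"
MAX_SKEW_MS = 5 * 60 * 1000  # accept timestamps within +/- 5 minutes of server time


def canonical_string(api_key, method, uri, timestamp_ms, query=None, body=b""):
    """The string both sides sign. Every field the server enforces (method,
    path, timestamp, caller, query, body digest) is bound in, so changing
    any one of them invalidates the signature."""
    parts = [method.upper(), uri, str(timestamp_ms), api_key]
    # Percent-encode and sort so client and server produce byte-identical
    # output regardless of dict order or characters like '&' in values.
    for k, v in sorted((query or {}).items()):
        parts.append(f"{quote(str(k), safe='')}={quote(str(v), safe='')}")
    # Always bind a body digest (SHA-256 of b"" for GET) so a body cannot be
    # added to, or swapped under, a request that was signed without one.
    parts.append(hashlib.sha256(body).hexdigest())
    return "\n".join(parts)


def sign(secret, canonical):
    """HMAC-SHA256 keyed with the Secret Key, Base64 for the header."""
    mac = hmac.new(secret.encode("utf-8"), canonical.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_headers(api_key, secret, method, uri, query=None, body=b"", now_ms=None):
    """Client side: the three authentication headers for one request."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    sig = sign(secret, canonical_string(api_key, method, uri, ts, query, body))
    return {API_KEY_HEADER: api_key, TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: sig}


def verify(secrets_by_key, method, uri, headers, query=None, body=b"", now_ms=None):
    """Server side (or a client self-check before sending). Returns (ok, reason)."""
    api_key = headers.get(API_KEY_HEADER, "")
    secret = secrets_by_key.get(api_key)
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now - ts) > MAX_SKEW_MS:
        return False, "timestamp outside allowed window"  # stale or replayed
    expected = sign(secret, canonical_string(api_key, method, uri, ts, query, body))
    provided = headers.get(SIGNATURE_HEADER, "")
    # Constant-time comparison: a plain == returns early on the first
    # differing byte and leaks how much of a forged signature was right.
    if not hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: placeholder credentials and a made-up inventory update.
    key, secret = "YOUR_FLIPKART_API_KEY", "YOUR_FLIPKART_SECRET_KEY"
    registry = {key: secret}
    uri, query = "/v1/seller/inventory", {"warehouse": "blr-1"}
    body = b'{"sku":"ABC123","quantity":10}'
    now = 1_700_000_000_000
    hdrs = build_headers(key, secret, "POST", uri, query, body, now)
    print(verify(registry, "POST", uri, hdrs, query, body, now))  # (True, 'ok')
    print(verify(registry, "POST", uri, hdrs, query, b'{"sku":"ABC123","quantity":9999}', now))  # tampered body
    print(verify(registry, "POST", uri, hdrs, query, body, now + 3_600_000))  # replayed an hour later
```

The freshness window alone does not stop a replay inside those five minutes; if the API exposes a nonce or request-id field, bind it into the canonical string as well and have the server remember recently seen values for the length of the window.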
Security best practices
Securing your integration with Flipkart Marketplace APIs is critical to protect your seller data and prevent unauthorized transactions. Adhering to these best practices will help maintain the integrity and confidentiality of your API interactions.
- Protect your Secret Key:
- Confidentiality: Your Secret Key is equivalent to a password. Never hardcode it into anything shipped to end users (mobile apps, browser JavaScript), commit it to version control or public repositories, or transmit it over unsecured channels. The API Key is far less sensitive since it is sent in clear on every request, but treat both as credentials.
- Environment Variables/Vaults: Store Secret Keys in environment variables, dedicated secret management services (e.g., AWS Secrets Manager, Google Secret Manager), or secure configuration files that are not committed to version control.
- Limited Access: Restrict access to Secret Keys only to personnel and systems that absolutely require it.
- Regular Key Rotation:
- Establish a policy for periodically rotating your API Key and Secret Key. This minimizes the window of exposure if a key is compromised.
- Flipkart's Seller Portal should provide functionality to regenerate keys.
- Secure Communication (HTTPS):
- Always use HTTPS for all API communications. This encrypts data in transit, protecting your API Key, signature, and request/response payloads from eavesdropping, including a network attacker capturing a signed request to replay it within its validity window.
- HTTP client libraries do not enforce HTTPS on their own; they connect to whatever scheme the URL carries. Use https:// base URLs, keep certificate verification enabled (never disable it, for example with verify=False in Python requests, to get past a TLS error), and do not fall back to plain HTTP on failure.
- Implement Secure Signature Generation:
- Follow Flipkart's precise instructions for signature generation. Any deviation leads to authentication failures; worse, a canonical string that leaves out a field (the body, the timestamp, the path) leaves that field unprotected, so a captured request could be modified or replayed while still carrying a valid signature.
- Ensure the hashing algorithm (e.g., HMAC-SHA256) and encoding method (e.g., Base64) are correctly implemented.
- Error Handling and Logging:
- Implement robust error handling for authentication failures. Avoid logging sensitive information (like Secret Keys or full request signatures) in plain text in your application logs.
- Log only enough information to diagnose issues, such as HTTP status codes and non-sensitive parts of the error response.
- Least Privilege Principle:
- If Flipkart provides granular permissions for API keys, configure your keys with the minimum necessary permissions required for your application's functionality. This limits the damage if a key is compromised.
- IP Whitelisting (if available):
- If Flipkart's API gateway supports IP whitelisting, configure it to allow API calls only from your application's known IP addresses. This limits a stolen key to calls from your own addresses; it does not help against an attacker who has compromised one of those hosts, so treat it as a complement to secret management, not a replacement.
- Monitor API Usage:
- Regularly monitor your API usage for unusual patterns or spikes that could indicate unauthorized access or misuse of your credentials.
- Keep Dependencies Updated:
- Ensure that all libraries and frameworks used in your integration are kept up-to-date to patch known security vulnerabilities.
Following these practices helps in building a secure and resilient integration with the Flipkart Marketplace APIs, protecting your business operations and customer data. For general API security principles, the OAuth 2.0 specification, while not the mechanism described on this page, outlines many concepts relevant to secure API interactions.
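Two of the items above, keeping the Secret Key out of source code and keeping it (and the per-request signature) out of logs, are easy to state and easy to get wrong under pressure when a 401 is being debugged. The following added example (not Flipkart's code; the header names are assumptions carried over from this page's request example, and the environment variable name is made up) loads the secret from the environment and refuses to start without it, produces a copy of the request headers that is safe to log, and attaches a logging filter that scrubs the secret value out of any message that reaches a handler, so a careless debug line cannot leak it.

```python
import logging
import os
import re

# Header names are assumptions carried over from this page's request
# example; adjust to whatever names Flipkart's documentation specifies.
SENSITIVE_HEADERS = {"fk-security-token", "fk-api-key", "authorization"}


def load_secret(var="FLIPKART_SECRET_KEY", env=None):
    """Read the Secret Key from the environment (variable name assumed)
    rather than from source code, and fail fast if it is absent: silently
    signing with an empty key produces confusing 401s far from the cause."""
    env = os.environ if env is None else env
    value = env.get(var, "").strip()
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to start without a signing secret")
    return value


def redact_headers(headers, keep=4):
    """Copy of a header dict that is safe to log. Sensitive values keep
    only a short prefix so a failing request can still be correlated with
    the key in use without exposing the credential or a replayable token."""
    safe = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            safe[name] = value[:keep] + "..." if len(value) > keep else "..."
        else:
            safe[name] = value
    return safe


class SecretRedactingFilter(logging.Filter):
    """Attached to a logger, replaces any registered secret value that
    appears in a formatted log message with [REDACTED]."""

    def __init__(self, secrets):
        super().__init__()
        secrets = [s for s in secrets if s]
        # One regex of escaped literals; None when nothing is registered so
        # an empty pattern does not match between every character.
        self._pattern = re.compile("|".join(re.escape(s) for s in secrets)) if secrets else None

    def scrub(self, text):
        return self._pattern.sub("[REDACTED]", text) if self._pattern else text

    def filter(self, record):
        # Render the message (applying % args) first, then scrub the result
        # and clear args so the handler does not re-apply them.
        record.msg = self.scrub(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    os.environ.setdefault("FLIPKART_SECRET_KEY", "YOUR_FLIPKART_SECRET_KEY")  # constructed placeholder
    secret = load_secret()
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("fk-client")
    log.addFilter(SecretRedactingFilter([secret]))
    headers = {  # constructed headers; the token is a made-up Base64 string
        "FK-API-KEY": "YOUR_FLIPKART_API_KEY",
        "FK-TIMESTAMP": "1700000000000",
        "FK-SECURITY-TOKEN": "dGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNpZ25hdHVyZQ==",
        "Content-Type": "application/json",
    }
    log.info("request failed with 401, headers=%s", redact_headers(headers))
    log.info("debug dump: secret=%s", secret)  # the filter scrubs this line
```

Attach the filter to the logger your client code uses, not only to one handler, so third-party handlers added later inherit the scrubbing; and keep the signature itself out of logs entirely, since a logged signature plus timestamp is a replayable request for as long as the server's freshness window allows.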