To add Lazada, the following parameters are required:

  • lazada_app_id - Lazada application ID
  • lazada_app_secret - Lazada application secret
  • lazada_refresh_token - Refresh token received after the Lazada application is authorized by the seller
  • lazada_region - Region. Lazada supports the following regions: Indonesia, Malaysia, Philippines, Singapore, Thailand, Vietnam

To create an application on Lazada, you need to log in to the Open Platform and go to https://isvconsole.lazada.com/apps/console/apps to create your application.

Choose the category Seller In-house APP.

Fill in the necessary fields to create the application.

In the Callback URL field, specify the URL where the code for receiving the refresh token will be sent during the OAuth authorization process of the application.

The selected application type Seller In-house APP will have scopes to work with products, orders, and categories.

You also need to add the seller ID who will authorize the application.

To authorize the application on the seller's store, follow the instructions at https://open.lazada.com/apps/doc/doc?nodeId=10777&docId=108260

The seller must go to the link https://auth.lazada.com/oauth/authorize?response_type=code&force_auth=true&redirect_uri=app_callback_url&client_id=app_id, where

  • app_callback_url - the Callback URL field specified when creating the application
  • app_id - the application's App Key

You can also specify the parameter force_auth=false to prevent updating the browser session cookie during authorization.

A redirect will happen to the authorization page.

Note: For the test account LzdOp_MY_test@163.com in the Malaysia region, the password lzd@1234 is used (as of the time of writing this article).

After receiving the code at the Callback URL, you need to create a token at the endpoint https://open.lazada.com/apps/doc/api?path=%2Fauth%2Ftoken%2Fcreate

For this, you can go to API Testing Tools

and select the application for which the seller's store was authorized and the region. After clicking Submit, you will get a refresh_token that can be used as the lazada_refresh_token parameter to add the store to API2Cart.

The refresh token for applications in Testing status will be valid for 30 days, and for Online status, it will be valid for 180 days.

You can also generate an access token and refresh token not from API Testing Tool, but for example, using Postman.
To do this, send a request to the endpoint https://api.lazada.com/rest/auth/token/create

curl --location 'https://api.lazada.com/rest/auth/token/create' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'code=your_auth_code \
--data-urlencode 'app_key=your_app_key \
--data-urlencode 'timestamp=1742973305000' \
--data-urlencode 'sign_method=sha256' \
--data-urlencode 'sign=calculated sign'

Where:

  • code - the authorization code received when authorizing the application
  • app_key - the application's App Key
  • timestamp - the timestamp (in milliseconds)
  • sign_method - the HMAC hash algorithm used to calculate your signature
  • sign - the calculated signature. Instructions on how to calculate the signature can be found here

For Postman, you can use a pre-script that calculates the signature based on the request parameters and the application's App Secret.

    const CryptoJS = require('crypto-js');

    function generateSign(url, parameters) {
      let sortedKeys = Object.keys(parameters).sort();
      let stringToBeSigned = url;
      let appSecret = "your_app_secret";

      sortedKeys.forEach(key => {
        stringToBeSigned += key + parameters[key];
      });
    
      let signature = CryptoJS.HmacSHA256(stringToBeSigned, appSecret).toString(CryptoJS.enc.Hex).toUpperCase();
      return signature;
    }

    let url = "/auth/token/create";
    let requestBody = {};
    let urlencodedParams = pm.request.body.urlencoded.all();

    urlencodedParams.forEach(param => {
      requestBody[param.key] = param.value;
    });

    let parameters = {
      app_key: requestBody.app_key,
      timestamp: requestBody.timestamp,
      sign_method:requestBody.sign_method,
      code:requestBody.code
    };

    let sign = generateSign(url, parameters);
    parameters.sign = sign;
    pm.request.body.urlencoded.add({ key: "sign", value: sign });

After successfully calculating the signature, you will receive a refresh_token that can be used as the lazada_refresh_token parameter to add the store to API2Cart.