I have a web application that will authorize a user with eBay so that I can post items for them. But I want to cap the limit at 50 per account and eBay account. I can easily track how many item posts they performed in my application. But what prevents the user from opening another account with my application and re-authorize with the same eBay account.
So I tried it with my application and my eBay account and looking at the tokens from account1 and account 2 there's literally 5 characters difference at the beginning of the token String (around character 15). Rest of the token is the same.
Is there a way to tell from the token if it's the same account?
Ok to handle this you would need to get the eBay User and compare to see if they have already registered. Using the user authorized token make a call to get the user details via:
ApiContext.getApiCredential().seteBayToken(FetchTokenCall.fetchToken());
GetUserCall gu = new GetUserCall(ApiContext);
UserType user = gu.getUser();
Now compare and save relevant data.