eBay seller account

Connecting unlocks features that need to act on your eBay seller account on your behalf. None of these features fire automatically — we never list, sell, or move money without an explicit click.

• Draft listings — one-click “List on eBay” from a card’s detail page. We pre-fill the title, item specifics, and photos, then drop you into eBay’s editor to set price and finalize.
• Auto-import sales — when a card sells through your eBay account, the binder can pick up the sale event automatically and create the matching sales_events row. Saves you the Mark Sold data entry.
• Active-listing badges — cards currently listed on your account get a passive “Listed for $X” indicator in the binder so you don’t accidentally double-list.

All of these are explicit-action features built on top of the connection. Connecting alone doesn’t change what CardboardChasr does today.

When you click Connect eBay account, eBay shows you a consent screen listing the exact scopes we request. Today we ask for two:

• sell.inventory— required to create draft listings on your behalf.
• commerce.identity.readonly — lets us read your eBay username so we can show “Connected as @yourhandle” in Settings. Read- only, no transactional power.

We do not request permission to:

• Move money in or out of your eBay account.
• Edit, end, or relist existing listings.
• Read your buyer activity (purchases, watchlist).
• Read your messages or feedback.

On a successful connection, CardboardChasr stores under your profiles.preferences row (RLS-protected, owner-readable only):

• An access token (~2-hour validity).
• A refresh token (~18-month validity) used to obtain new access tokens without prompting you again.
• Token expiry timestamps, your eBay user id and username, the granted scope list, and the environment (sandbox or production).

Tokens never leave the server. They are never shipped to your browser bundle. They are not currently column-level encrypted — security depends on the same Supabase RLS + service_role isolation that protects every other row in your profile. Column-level encryption is on the roadmap.

1. Go to Settings → Integrations.
2. Click Disconnect on the eBay connection card. Confirm.
3. CardboardChasr calls eBay’s revoke endpoint best-effort, then clears our local credential immediately. Future API calls fail with “eBay not connected” until you connect again.

You can also revoke CardboardChasr from eBay’s side at any time: eBay → Account Settings → Site Preferences → 3rd Party Authorizations. That has the same effect (our access stops working) but leaves our local reference until you also click Disconnect here.