Already know what you're doing? Skip to the endpoints documentation.
Rest API
The Marketplace Seller API by Kaufland is an HTTP interface to the Kaufland marketplace. It allows you to search the site, retrieve information about products, and manage your own inventory and sales. This page provides a general overview of the Marketplace Seller API and the endpoints documentation page provides detailed information about each of the available API endpoints.
Overview
- The Marketplace Seller API uses a Representational state transfer (REST) interface and uses a simple password and HMAC based authentication method.
- The Marketplace Seller API allows you to query the Kaufland marketplace. For example, you can search the site for products or categories. It also enables you to manage your own account data. For example, you can add new units you are offering for sale or get reports about your recent sales.
- All Marketplace Seller API requests must be authenticated and signed with the keys from your seller account. There is no anonymous access to the Marketplace Seller API.
Requirements
Before you start make sure that you have both a Client Key
(a 32 character string) and
Secret Key
(a 64 character string). If you have not already received these keys from Kaufland marketplace,
or you have lost your keys, you can generate new ones on your API settings page.
Examples:
Client Key: 7bffc16ba2cc5ac1cbf527d6fa39263
Secret Key: a7d0cb1da1ddbc86c96ee5fedd341b7d8ebfbb2f5c83cfe0909f4e57f05dd403
Warning: Do not lose your API keys. For security, they cannot be retrieved if they are lost. If you lose them, you will have to generate new ones on your API settings page.
Sending Requests
General Information
In order to interact with the API, you must send an HTTPS (SSL encrypted) request to one of the available API
endpoints. All requests must contain several HTTP headers (see below). Some of the API actions require use of
the PATCH
or POST
verbs, and the body of those requests must be in a valid
JSON
format.
Required Headers
Each request must contain 5 headers:
Accept
- All requests must contain anAccept
header set toapplication/json
.Shop-Client-Key
- All requests must contain anShop-Client-Key
header with the value of yourClient Key
.Shop-Timestamp
- All requests must contain anShop-Timestamp
header with the current Unix Timestamp in seconds and must be current at the time the request is made. There is a 10-minute window around the current time to account for clock skew. In other words, your timestamp can be up to 5 minutes earlier or 5 minutes later than the current server time. If the timestamp is more than 5 minutes different from the current server time when the request is received, the request will be rejected.Shop-Signature
- All requests must contain anShop-Signature
header which contains an HMAC signature of the request. The HMAC is specific to each request, so it must be regenerated for each request.User-Agent
- All requests must include aUser-Agent
header containing either the name of your software solution if you are a software provider, or the term "Inhouse_development" if it is your individual and customized connection.- POST/PATCH requests will need the
Content-Type
header with the valueapplication/json
.
Signing Requests
Each request must be signed by a SHA-256 HMAC in base64 encoding. This HMAC is generated by concatenating the
request information together, separated by newline characters, and generating a SHA-256 HMAC from the resulting
string and your Secret Key
.
Here is an implementation of the HMAC generation function in PHP:
function signRequest($method, $uri, $body, $timestamp, $secretKey)
{
$string = implode("\n", [
$method,
$uri,
$body,
$timestamp,
]);
return hash_hmac('sha256', $string, $secretKey);
}
The required values in the signature string are:
$method
- The HTTP method of the request, uppercased (e.g. GET, POST, PATCH, DELETE).$uri
- The full URI of the request, includinghttps://
and the full domain name (e.g.https://sellerapi.kaufland.com/v2/units/
).$body
- The body of the request. If request doesn't contain a body, the empty string should be used.$timestamp
- The value of the current Unix timestamp at the time of the request. This must be the same as the value of theShop-Timestamp
header.$secretKey
- YourSecret Key
, which you received from the Kaufland marketplace.
The PHP function hash_hmac()
produces an
HMAC using SHA-256 as
the cryptographic hash function.
For example, you could generate an HMAC for the following values (again, in PHP):
$method = "POST";
$uri = "https://sellerapi.kaufland.com/v2/units/";
$body = "";
$timestamp = 1411055926;
$secretKey = "a7d0cb1da1ddbc86c96ee5fedd341b7d8ebfbb2f5c83cfe0909f4e57f05dd403";
The correct Shop-Signature
generated by these values is:
da0b65f51c0716c1d3fa658b7eaf710583630a762a98c9af8e9b392bd9df2e2a
.
Here is the same function written in several different languages, along with a full test program:
Signature function
function signRequest($method, $uri, $body, $timestamp, $secretKey)
{
$string = implode("\n", [
$method,
$uri,
$body,
$timestamp,
]);
return hash_hmac('sha256', $string, $secretKey);
}
Full example
Signature function
import hmac
import hashlib
def sign_request(method, uri, body, timestamp, secret_key):
plain_text = "\n".join([method, uri, body, str(timestamp)])
digest_maker = hmac.new(secret_key.encode(), None, hashlib.sha256)
digest_maker.update(plain_text.encode())
return digest_maker.hexdigest()
Full example
Signature function
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;
public static String signRequest(String method, String uri, String body, long timestamp, String secretKey)
throws NoSuchAlgorithmException, InvalidKeyException {
String plainText = method + "\n" + uri + "\n" + body + "\n" + timestamp;
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA256");
mac.init(secretKeySpec);
byte[] rawHmac = mac.doFinal(plainText.getBytes());
return DatatypeConverter.printHexBinary(rawHmac);
}
Full example
Note that the Secret Key
is always a string that just happens to look like a hexadecimal
number. Do not interpret it as a hex value, or you will generate the wrong signature!
Reading Responses
Responses from the Marketplace Seller API can either have an empty body or contain a UTF-8 encoded JSON string in the
body. Only GET operations respond with a non-empty body. When a body is sent, the Content-Type
of the
response will be application/json
.
JSON responses may have one of two formats:
Object
- represents a single model entity, e.g. a product, or an order. The corresponding javascript type of the root-level element isobject
.Collection
- represents a set ofObjects
of the same type. The corresponding javascript type of the root-level element isarray
.
An example of an Object
response:
{
"data": {
"id_category": 21,
"name": "parfuem",
"id_parent_category": 11,
"title_singular": "Parfüm",
"title_plural": "Parfüms",
"level": 2,
"url": "https://www.kaufland.de/parfuem/",
"shipping_category": "D",
"variable_fee": "8.50",
"fixed_fee": 0,
"vat": "19.00",
"parent": {
"id_category": 11,
"name": "koerperpflege-und-gesundheit",
"id_parent_category": 1,
"title_singular": "Körperpflege & Gesundheit",
"title_plural": "Körperpflege & Gesundheit",
"level": 1,
"url": "https://www.kaufland.de/koerperpflege-und-gesundheit/",
"shipping_category": "D",
"variable_fee": "12.50",
"fixed_fee": 0,
"vat": "19.00"
}
}
}
An example of a Collection
response:
{
"data": [
{
"id_category": 39231,
"name": "laptops-und-zubehoer",
"id_parent_category": 39161,
"title_singular": "Laptop & Zubehör",
"title_plural": "Laptops & Zubehör",
"level": 4,
"url": "https://www.kaufland.de/laptops-und-zubehoer/",
"shipping_category": "D",
"variable_fee": "5.90",
"fixed_fee": 0,
"vat": "19.00"
},
{
"id_category": 46051,
"name": "laptops",
"id_parent_category": 39231,
"title_singular": "Laptop",
"title_plural": "Laptops",
"level": 5,
"url": "https://www.kaufland.de/laptops/",
"shipping_category": "D",
"variable_fee": "5.90",
"fixed_fee": 0,
"vat": "19.00"
}
],
"pagination": {
"offset": 0,
"limit": 2,
"total": 100
}
}
Collection Pagination
Some API requests may return very large Collection
s of values. For example, you may have thousands
of units for sale on the Kaufland marketplace, and a GET /units
request would attempt to return all of
them.
To make the responses more manageable, the results will be split into smaller groups or pages. Which page is
returned in the response and how many Object
s it contains are controlled by the limit
and offset
GET parameters. The default and maximum limit
are endpoint dependent and are
listed for each endpoint on the endpoint documentation page. The default offset
is always 0.
Examples:
GET /categories
will return 20 categories, since the default value oflimit
for the/categories
endpoint is 20.GET /categories?limit=15
will return 15 categories.GET /categories?limit=10&offset=7
will return 10 categories, starting at the 8th one.
Each response which returns a Collection
contains an additional object pagination
in the
body which provides information about offset
, limit
& total
.
For example, in response to the request GET /categories/?limit=25&offset=5
, the body will contain
the following pagination information (assuming the total number of categories is 5530):
{
"data": [
...
],
"pagination": {
"offset": 5,
"limit": 25,
"total": 5530
}
}
If you are familiar with SQL, the offset
and limit
query parameters behave just like the OFFSET
and
LIMIT
SQL keywords.
Embedded Values
By default the API returns a default group of fields for each Object
, but some endpoints allow
optionally requesting additional fields. For example, when getting information about a single product
(see code example below) it's possible to embed the product's
category and units in the Product object. These optional fields are controlled through the embedded
GET
parameter, which contains a comma-separated list of desired additional fields.
For example, the request GET /product/20574181?embedded=category,units
will return the product Object
with the "category" property set to the product's category Object
and the property "units" set to the
the product's Collection
of units.
Endpoints
All endpoints in the Marketplace Seller API require HTTPS encryption and start with
https://sellerapi.kaufland.com/v2/
. You can view documentation for the endpoints on
the endpoints documentation page. This page also allows you to execute API requests
directly from the documentation. Just fill in your Client Key
and Secret Key
in the
fields at the top of the page and click Explore
. Then you can expand any of the endpoint descriptions,
fill in the fields, and click the "Try it out!" button. This will perform an API request to the server
and display the results in the page.
Code Examples
For full code examples, see the Code Examples page.
Storefronts and Locales
Since Kaufland is expanding its Kaufland marketplace to other countries, many of the endpoints need either a storefront parameter or a locale parameter.
- -
storefront
parameter (e.g.de
) refers to a specific country (e.g. Germany) of the Kaufland marketplace. When doing a query e.g. for a certain product using/products/search
endpoint you must specify in which countries marketplace you are searching. The reason is that the products might look different in every country, due to blacklisting, specific country legal regulations, different naming conventions and translations. All allowed storefronts can be found using this endpoint/info/storefront
. - -
locale
parameter (e.g.de-DE
) enables providing product data for different languages (e.g. German). All allowed locales can be found using this endpoint/info/locale
.
IP Addresses
Marketplace Seller API by Kaufland is using the following IP addresses for Egress traffic (e.g. sending push notifications, downloading files):
- 35.234.86.109/32
- 34.107.121.244/32
- 34.141.72.142/32
- 34.159.54.64/32
- 34.141.104.142/32
- 35.234.120.175/32
- 34.89.165.188/32
- 34.159.150.215/32
- 34.159.155.87/32
- 34.159.78.247/32
- 34.89.252.217/32
- 35.198.94.0/32
- 35.246.147.218/32
- 34.89.153.171/32
- 34.107.96.82/32
- 34.89.168.105/32
- 34.159.137.130/32
- 35.198.148.202/32
- 34.159.211.19/32
- 34.159.98.126/32