Documentation · Getting Started
API Credentials Setup
This guide explains how to configure the API connection settings of the ADP Car Market Hub plugin so that it can authenticate against the AutoScout24 API and import vehicles for your dealer account.
It covers each settings field exposed by the plugin, where the values come from, how to handle them safely, and the most common configuration mistakes.
When to use this document
Use this document if you are:
- Configuring API credentials for the first time on a new installation.
- Rotating API credentials (for example because a Client Secret was changed by the API provider).
- Migrating credentials between staging and production environments.
- Troubleshooting an authentication failure reported by the Connection Test.
The audience is a WordPress administrator working together with whoever is responsible for the AutoScout24 API access (this is normally the dealership owner, the dealership's IT contact, or the integration partner that provisions the access).
Before you start
Confirm the following before opening the Settings page:
- The plugin is installed and activated as described in the Installation Guide.
- You have a working set of API access values for the dealer account. You will normally receive these from one of:
- The dealer's own AutoScout24 account / partner portal.
- The integration partner or agency that operates the API access on behalf of the dealer.
- An internal IT contact at the dealership that manages credentials centrally. AD Promotion does not issue AutoScout24 credentials.
- You have a secure channel for receiving credentials (for example a password manager, an encrypted message, or a secure file transfer). Credentials should not be sent in plain email or chat messages.
- You have administrator access to the WordPress site.
- For background on obtaining and managing credentials outside the plugin, see AutoScout24 API Setup and External API Credentials.
Step by step instructions
- Sign in to WordPress as an administrator.
- Open Car Market Hub → Settings. The License Activation card sits at the top of the page; the API Connection & General Settings card is directly below it. (If the license is not yet active, activate it first — see First Setup.)
- Fill in the fields described in Configuration notes below: - API Base URL - Seller ID - Client ID - Client Secret - Default currency (this is not a credential, but it is part of the same card and is required for correct price formatting on import).
- Double-check the values against the source you received them from. Pay particular attention to leading/trailing whitespace, smart quotes from copy-and-paste, and confused characters (for example
0vsO,1vsl). - Click Save Settings at the bottom of the card.
- Open Car Market Hub → Tools and run the API Connection Test as described in Connection Test. Do not proceed to imports until the test succeeds.
Configuration notes
The following fields are part of the API Connection & General Settings card on Car Market Hub → Settings (located directly below the License Activation card). The labels below match the labels used in the plugin UI.
API Base URL
The full HTTPS URL of the AutoScout24 environment or integration endpoint that the plugin should call. Include the scheme (https://).
- The value depends on which AutoScout24 environment your dealer account uses, or on the URL of an integration proxy/gateway provided by your integration partner. The plugin uses exactly the URL you configure — there is no hard-coded host.
- The plugin validates that the value is a syntactically correct URL. An invalid value is rejected with an error notice.
- The token endpoint used to obtain access tokens is automatically derived from the API Base URL by appending the standard token path. If your provider requires a custom token endpoint, contact AD Promotion or your integration partner before changing this behaviour — the plugin's UI does not expose a separate field for it.
- The token audience is also derived automatically from the scheme and host of the API Base URL, so you do not need to configure it manually.
Where it comes from: provided by AutoScout24 (or by your integration partner) together with the rest of the API access details. If you do not know which URL to use, contact the party that provisioned the access.
Seller ID
One or more Seller IDs that identify the dealer account(s) whose listings should be imported.
- Enter a single Seller ID, or multiple Seller IDs separated by commas when the WordPress site should aggregate listings from several seller accounts.
- The Seller ID must match exactly what AutoScout24 (or your integration partner) provided. The plugin uses each Seller ID as-is in API requests.
- The first configured Seller ID is also used by the Connection Test to validate API connectivity.
Where it comes from: provisioned together with the API credentials. The Seller ID is not the dealer's display name on the AutoScout24 website — it is a stable account identifier used by the API.
Client ID
The OAuth client identifier issued for the dealer's API access.
- Plain text value (not a secret). Even so, it should be treated as confidential because it is part of the credential pair.
- Must match the Client Secret it was issued with. Mixing a Client ID from one environment with a Client Secret from another will result in an authentication failure.
Where it comes from: issued by AutoScout24 (or by your integration partner) when API access is provisioned.
Client Secret
The OAuth client secret that pairs with the Client ID.
- This is a sensitive credential. The plugin stores it in the WordPress options table; treat the database, backups and any export of the WordPress options as confidential.
- The field is rendered as a password input and is not pre-filled with the existing value when the page is reloaded — this is expected behaviour and prevents the secret from being visible in the page source. Re-entering the value is only required when you actually want to change it.
- Never post the Client Secret in screenshots, support tickets or chat messages. If it has to be shared for support, use the customer's secure channel.
Where it comes from: issued together with the Client ID. If the secret is lost, it normally has to be re-issued by the API provider — it cannot be recovered.
Default currency
The currency used when an imported listing does not provide a currency value.
- This is not an API credential, but it lives in the same card and influences how prices are formatted on the frontend.
- Existing posts keep their stored currency. The default currency only affects new or updated imports without an explicit currency value.
Token endpoint and audience (derived automatically)
The plugin requests an OAuth access token before each API call (and caches it). Both the token endpoint and the token audience are derived automatically from the configured API Base URL. There is no separate UI field to configure them.
If your integration partner requires a non-standard token endpoint, do not invent a workaround on your own — contact AD Promotion or your partner so that the correct value can be applied without breaking other parts of the integration.
Environment selection
ADP Car Market Hub does not provide a separate "environment" toggle (no "production / sandbox" switch in the UI). The environment is determined entirely by the API Base URL and the credentials you configure. To switch environments, change the API Base URL, Seller ID, Client ID and Client Secret to the values for the desired environment and run the Connection Test again.
When operating both a staging and a production WordPress site, configure each site with its own credentials. Do not point a staging site at production credentials unless you have explicitly agreed this with the dealer.
Operational notes
- Where credentials are stored. Credentials are stored as WordPress options. They are read by the plugin's HTTP client when it requests an access token from the configured API host.
- Token caching. The plugin caches access tokens in a transient and refreshes them automatically when they expire. After changing credentials, the cached token can be cleared from Car Market Hub → Tools to force a fresh token request.
- Logging. API calls and token requests are logged to the plugin log files in
wp-content/uploads/as24ci-logs/. Logs include enough information to diagnose authentication problems but should not include the Client Secret in plain text. Treat the log directory itself as confidential and protect it through normal hosting security. - Backups and exports. Database backups, WordPress export files and copies of the
wp_optionstable contain the configured credentials. Apply the same handling rules as for any other secret your organisation manages. - Rotation. When credentials are rotated by the API provider, update both fields (Client ID and Client Secret) in the same save action, then run the connection test. Do not leave a half-updated credential pair in place.
- Multi-seller dealerships. When several Seller IDs are configured, all configured sellers are queried with the same Client ID / Client Secret. Make sure the credentials you configure are authorised for every Seller ID in the list — otherwise some sellers will fail with an authorisation error during import.
Safe credential handling
- Receive credentials only through a secure channel (password manager, encrypted message, secure file transfer).
- Restrict who has WordPress administrator access on the site that holds the credentials.
- Limit access to database backups and to the server file system to the smallest possible group.
- When revoking access for a user (employee, agency contact), rotate the API credentials with the API provider; revoking WordPress access alone does not invalidate already-extracted credentials.
- Do not paste credentials into public chat tools, ticketing systems, screenshots or AI assistants.
Common mistakes
| Mistake | Effect | How to avoid |
|---|---|---|
Entering the API Base URL without https:// or with a trailing slash that the provider does not expect. | Save fails with a URL validation error, or token requests target an unexpected host. | Copy the URL exactly as provided. The plugin requires a full URL including scheme. |
| Pasting credentials with invisible whitespace (a leading or trailing space, a non-breaking space, or a smart quote). | Token requests fail with an authentication error even though the value "looks correct". | Paste into a plain-text editor first, trim whitespace, then paste into the field. |
| Mixing a Client ID from one environment with a Client Secret from another. | Token requests fail with an authentication error. | Always update both values together and re-run the connection test. |
| Configuring credentials for a Seller ID that the credentials are not authorised for. | Token requests succeed but listing requests fail with an authorisation error for that seller. | Confirm with the API provider that the Client ID/Secret is authorised for every configured Seller ID. |
| Using the dealer's AutoScout24 website login as Client ID / Client Secret. | Token requests fail. The plugin requires API credentials, not a portal login. | Request dedicated API credentials. The website login cannot be used by the plugin. |
| Storing credentials only in the WordPress site. | If the WordPress installation is lost, the credentials have to be re-issued. | Keep a master copy in the dealer's central password manager, separate from the WordPress site. |
| Configuring production credentials on staging without coordination. | Staging activity may pollute analytics or trigger lead emails to real customers if other features are also enabled. | Use separate credentials per environment, or at minimum disable lead emails and analytics on staging. |
Troubleshooting
| Symptom | Likely cause | What to check |
|---|---|---|
| Settings page shows "The API Base URL is not a valid URL." | The URL is missing https://, contains a typo, or includes invalid characters. | Re-enter the URL with full scheme; copy directly from the source you received. |
| Connection test reports "Not connected – no Seller ID configured in Settings." | The Seller ID field is empty after saving. | Open Settings and confirm the Seller ID was saved; check for trailing comma or whitespace issues. |
| Connection test reports an authentication-related error. | Wrong Client ID, wrong Client Secret, or the credentials are not authorised for the configured environment. | Re-enter both Client ID and Client Secret; verify the API Base URL matches the environment those credentials were issued for. |
| Connection test reports a network or SSL error. | Outbound HTTPS is blocked, the server's CA bundle is outdated, or DNS does not resolve the API host. | See API, Network and SSL Requirements and API Connection Errors. |
| Imports work for one Seller ID but not for others. | The credentials are not authorised for the failing Seller ID. | Contact the API provider to confirm authorisation for every configured Seller ID. |
| After rotating credentials, old credentials still appear to be used. | The cached access token has not yet expired. | Clear the token cache from Car Market Hub → Tools and re-run the connection test. |
| Settings appear to "lose" the Client Secret after saving. | Expected display behaviour: the password field is not pre-filled with the existing secret. | Re-enter the secret only when you actually intend to change it. |
If a problem persists after these checks, collect the diagnostic information described in Support Information Checklist — but redact the Client Secret before sharing.