Is it safe to use MTG PowerTools?

May 29, 2020
a post by Simon Görtzen, who loves to receive your questions at [email protected]

You have a Commercial or a Powerseller account on Cardmarket, and your business depends on it. It's only natural (and smart!) to be cautious about granting access to a 3rd party app. In this post, I'll explain our design decisions and what happens behind the scenes when you use our app.

But first, a bit of background on our motivation. Lukas and I have many years of experience developing custom software for Cardmarket users. Our clients are professional traders that saw the business value in automation. MTG PowerTools provides the same automation in a more accessible way. Instead of intensive custom development, we offer our software as a service to everyone.

I'll be including a few technical details, but feel free to skip those if you don't find them as interesting as I do 🤓. Oh, and by the way: if you have any follow-up questions on account security, shoot me a message at [email protected].


Authentication flow: connecting to Cardmarket

Clicking on CONNECT opens a pop-up window

Clicking the Connect button will open a pop-up window asking for your Cardmarket credentials. You can see that the address of the pop-up starts with api.cardmarket.com. This means your browser will send your password only to Cardmarket, without sharing it with us. Your browser encrypts all communication and secures it with the HTTPS protocol, as you can tell from the 🔒 icon next to the address bar. I took this screenshot from Google Chrome, but you'll find such an icon in a similar spot in all major browsers.

Once you log in, the Cardmarket server verifies your credentials. What follows is a token exchange between Cardmarket and MTG PowerTools, in which we receive the so-called Access Token and Access Token Secret. These two tokens authorize our app to act in the name of your account. You can invalidate these tokens in your Cardmarket Settings anytime, but you don't have to, as they auto-expire after 24 hours. This token exchange is based on OAuth 2.0, the industry standard for user authorization.

App permissions expire after 24h, but can be invalidated anytime

This method is the only Cardmarket-approved way to connect a 3rd party app. Furthermore, Cardmarket manually approves each 3rd party app developer. MTG PowerTools is tied to a Commercial account on Cardmarket, which went through this approval process.


Access granted: what do we do on your behalf?

Once you've authorized MTG PowerTools, the app can act for you on Cardmarket. In short, all actions that a user can perform on Cardmarket, the app can perform programmatically through the Cardmarket API. We understand that's a lot of trust to put into a 3rd party app. In a perfect world, you could limit access to exactly the operations you wanted to allow. However, Cardmarket currently only supports full access or none at all. With great power comes great responsibility, and we work hard to ensure that you have the best possible experience using MTG PowerTools.

As of June 2020, MTG PowerTools offers two views: Add Articles and Stock Pricing. The app is in active development, and we are planning to offer more features as time goes on. Those features might require additional access, in which case we'll make sure to inform you about it. We are committing to full transparency about which account operations are performed and why, now and in the future.


Here's what MTG PowerTools does:

- We read out your username to display which Cardmarket account is connected. [get account information from /account]

- We list new articles for you once you click Publish in the Add Articles view. [post articles to /stock]

- We load your stock the first time you open the Stock Pricing view, and every time you click Refresh Stock. [get stock file from /stock/file]

- We modify the price of existing articles when you click Publish Changes in the Stock Pricing view. [put updated articles to /stock]

We are taking great care to ensure that only the intended prices end up on Cardmarket. If there are any irregularities, we default to not updating a card rather than risking a wrong price.
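Because Cardmarket only offers full access, the limits above have to be enforced inside the app. The sketch below is an added example, not MTG PowerTools' actual code: it refuses any API call other than the four listed operations and skips price updates that look irregular. Paths are written relative to the API root as in the list; `Refused`, `authorize`, `safe_price_updates` and the 3x price-change bound are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# The four operations from the list above; every other call is refused.
ALLOWED = {("GET", "/account"), ("POST", "/stock"),
           ("GET", "/stock/file"), ("PUT", "/stock")}


class Refused(Exception):
    """Raised instead of sending a request that is not on the allowlist."""


def canonical_path(raw):
    """Reduce a request target to the path a server would resolve."""
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        raise Refused("absolute or host-relative target: %r" % raw)
    path = unquote(parts.path)  # decode once, drop the query string
    if any(c in path for c in "\\\x00%"):  # leftover '%' means double encoding
        raise Refused("suspicious path: %r" % raw)
    return posixpath.normpath("/" + path.lstrip("/"))  # resolves ./ and ../


def authorize(method, raw_path):
    """Return the canonical (method, path) to send, or raise Refused."""
    call = (method.upper(), canonical_path(raw_path))
    if call not in ALLOWED:
        raise Refused("not an allowed operation: %s %s" % call)
    return call  # send this path, never the raw input


def safe_price_updates(current, proposed, max_factor=3.0):
    """Split proposed prices into accepted changes and skipped article ids.

    The checks (known article, finite positive number, at most a
    max_factor change in either direction) are assumed examples of
    "irregularities"; anything failing them is left untouched.
    """
    accepted, skipped = {}, []
    for article_id, new in proposed.items():
        old = current.get(article_id)
        ok = (
            old is not None
            and isinstance(new, (int, float)) and not isinstance(new, bool)
            and new == new and 0 < new < float("inf")  # rejects NaN and inf
            and old / max_factor <= new <= old * max_factor
        )
        if ok:
            accepted[article_id] = round(new, 2)
        else:
            skipped.append(article_id)
    return accepted, skipped
```
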


Here are a few things that MTG PowerTools DOESN'T do:

- We won't do anything that affects your account balance under any circumstances.

- In particular, we do not buy cards for you; we don't even modify your shopping cart.

- We do not change the status of your orders, or send out messages to customers for any reason.


I hope I managed to give you a glimpse of how the security and features of MTG PowerTools work under the hood. Reach out to me anytime if you have further questions. Until then, thank you for allowing us to improve your business on Cardmarket!

Cheers
Simon
