From e09f082420eb8890254210645db1d59f5fd137c7 Mon Sep 17 00:00:00 2001
From: dlawler489 <104159223@student.swin.edu.au>
Date: Sat, 13 Jun 2026 11:25:45 +1000
Subject: [PATCH] Format x-api-key header as keystring:sharedsecret

Etsy v3 expects both credentials joined by a colon in the x-api-key header; sending the shared secret alone returns 403 'incorrect shared secret for API key'.

Co-Authored-By: Claude Fable 5
---
 server/src/routes/etsy.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/src/routes/etsy.ts b/server/src/routes/etsy.ts
index 077b554..9a031d4 100644
--- a/server/src/routes/etsy.ts
+++ b/server/src/routes/etsy.ts
@@ -44,11 +44,11 @@ const loadConfig = async (userId: string): Promise => {
 return { apiKey, sharedSecret, redirectUri };
 };
 
-// Keystring is the OAuth client id; Etsy wants the shared secret in the
-// x-api-key header for API resource calls
+// Keystring is the OAuth client id; API resource calls want the x-api-key
+// header formatted as "keystring:sharedsecret"
 const toCredentials = (config: EtsyConfig) => ({
 clientId: config.apiKey,
- apiKeyHeader: config.sharedSecret || config.apiKey,
+ apiKeyHeader: config.sharedSecret ? `${config.apiKey}:${config.sharedSecret}` : config.apiKey,
 });
 
 // Where to send the browser after the OAuth callback: same origin as the
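Review bot: In `toCredentials`, the `: config.apiKey` fallback still sends a bare keystring when `sharedSecret` is empty, which by the commit message is not the format Etsy expects, so a missing secret only surfaces as a 403 on the first resource call. Most of `loadConfig` is outside the hunk; if it already rejects an empty secret the fallback is dead code and can be dropped, otherwise it would be clearer to fail early, for example `if (!config.sharedSecret) throw new Error('Etsy shared secret not configured');` before the header is built. Because `apiKeyHeader` carries the shared secret (as it did before this change), I would also extend the comment above `toCredentials` with `// apiKeyHeader contains the shared secret: keep it out of logs and client responses` so callers do not treat the returned object as safe to print.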