To integrate Replit with the AliExpress API, register on the AliExpress Open Platform to get an App Key and App Secret, store them in Replit Secrets (lock icon 🔒), and call the product search and affiliate link endpoints from a Node.js or Python server. AliExpress uses HMAC-MD5 signed requests for authentication. Use an Autoscale deployment for dropshipping lookup services and affiliate link generators.
AliExpress API Integration for Dropshipping and Affiliate Apps
AliExpress is the world's largest wholesale marketplace, offering hundreds of millions of products from suppliers across Asia at wholesale prices. For developers building dropshipping stores, product comparison tools, or affiliate link generators, the AliExpress Open Platform API provides programmatic access to product search, pricing, inventory data, and affiliate link generation. Integrating from Replit lets you build and deploy these tools without managing server infrastructure.
The AliExpress Open Platform uses a signature-based authentication scheme. Every API request must include your App Key and an HMAC-MD5 signature computed from the request parameters and your App Secret. Because the signature covers the request parameters, a request altered in transit no longer verifies, and a caller who knows only your App Key cannot produce a valid signature. The signature computation is a few lines of code, but it must be done server-side: your App Secret must never be exposed to browser clients.
For dropshipping workflows, the most valuable API endpoints are the product search API (find products by keyword, category, or minimum order quantity), the product detail API (get full specifications, images, and shipping options for a specific item), and the affiliate link API (convert product URLs into tracked affiliate links for commission-based revenue). Order placement via the API requires additional business verification with AliExpress and is typically limited to established dropshipping partners.
Integration method
AliExpress integrates with Replit through the AliExpress Open Platform REST API, using HMAC-MD5 signed requests authenticated by your App Key and App Secret. Your Replit server constructs signed API calls to search products, retrieve product details, generate affiliate links, and manage dropshipping orders. Credentials are stored in Replit Secrets and never exposed to clients.
Prerequisites
- A Replit account with a Node.js or Python Repl ready
- An AliExpress Open Platform developer account (register at portals.aliexpress.com)
- An approved AliExpress application with App Key and App Secret
- Basic understanding of HMAC signing and REST API authentication
- For affiliate links: AliExpress Affiliate Program approval (separate from Open Platform registration)
Step-by-step guide
Register on AliExpress Open Platform and Get API Credentials
The AliExpress Open Platform requires developer registration before you can access the API. Go to portals.aliexpress.com and sign in with an AliExpress account. Navigate to 'My Apps' and click 'Create App'. Fill in your application name, description, and intended use case. For product search and affiliate links, select 'Affiliate' or 'Dropshipping' as your business type.

After creating the app, AliExpress provides an App Key (a numeric string) and an App Secret (a longer alphanumeric string). These are the two credentials you need for all API calls. The App Key is a public identifier included in every request. The App Secret is used only to compute HMAC-MD5 signatures and must never appear in client-side code or be committed to version control.

Note that some AliExpress API categories, particularly order management and fulfillment APIs, require additional business verification and approval. Product search, product detail, and affiliate link generation typically have lower access requirements and are available to most approved developer accounts. If you need the Affiliate API specifically, also enroll in the AliExpress Affiliate Program at portals.aliexpress.com/affiPortal. Your affiliate tracking ID is separate from your App Key; you will need both for affiliate link generation endpoints.
Pro tip: Save your App Key and App Secret to a secure password manager immediately after creation. The App Secret is shown once in full — if you lose it, you must generate a new one in the portal.
Expected result: Your AliExpress Open Platform app is created and approved. You have your App Key and App Secret ready to store in Replit Secrets.
Store Credentials in Replit Secrets
API credentials for AliExpress must never appear in your source code. Click the lock icon (🔒) in the left Replit sidebar to open the Secrets panel. Add each credential as a separate secret so your server code can read them via environment variables at runtime. Add the following secrets:

- ALIEXPRESS_APP_KEY: your numeric App Key from the Open Platform portal.
- ALIEXPRESS_APP_SECRET: your App Secret used to compute HMAC-MD5 signatures.
- ALIEXPRESS_TRACKING_ID: your affiliate tracking ID if you are using the Affiliate API (leave blank if not needed).

Replit's Secret Scanner monitors project files for exposed API keys and will flag any credentials that accidentally end up in code. Keep all secrets in the Secrets panel and reference them via process.env.ALIEXPRESS_APP_SECRET in Node.js or os.environ['ALIEXPRESS_APP_SECRET'] in Python.

For team Repls, secrets are shared across the team: any collaborator with write access can see secret values. If you are working with a team, use descriptive names and document which secrets belong to which service.
```javascript
// Verify AliExpress secrets are present at startup
const required = ['ALIEXPRESS_APP_KEY', 'ALIEXPRESS_APP_SECRET'];
for (const key of required) {
  if (!process.env[key]) {
    throw new Error(`Missing secret: ${key}. Add it in Replit Secrets (lock icon 🔒).`);
  }
}
console.log('AliExpress credentials loaded. App Key:', process.env.ALIEXPRESS_APP_KEY);
```

Pro tip: Store ALIEXPRESS_APP_KEY and ALIEXPRESS_APP_SECRET as separate secrets even though you use them together. This makes it easy to rotate one without touching the other.
Expected result: ALIEXPRESS_APP_KEY and ALIEXPRESS_APP_SECRET appear in the Replit Secrets panel. The startup check prints the App Key and confirms credentials are present.
Implement HMAC-MD5 Request Signing in Node.js
AliExpress Open Platform uses a signature scheme where all request parameters are sorted alphabetically, concatenated with the App Secret, and hashed with HMAC-MD5. The resulting signature is included as a parameter in every API call. This prevents request tampering and ensures only your application can make calls with your App Key.

The signing algorithm works as follows: collect all request parameters (including the App Key, timestamp, and API method name), sort them by parameter name alphabetically, concatenate each name and value without separators, wrap the resulting string with your App Secret on both sides, then compute the HMAC-MD5 hash in uppercase hexadecimal. The AliExpress API endpoint is https://api-sg.aliexpress.com/sync for most methods.

Install the required packages in the Replit Shell: npm install axios express. The code below uses the crypto module built into Node.js for the HMAC-MD5 computation, so crypto-js is not required.

The code below implements a complete AliExpress API client with request signing and demonstrates calling the product search endpoint (aliexpress.affiliate.product.query). Adjust the method name and parameters for other API methods; the signing logic stays the same regardless of which endpoint you call.
```javascript
// aliexpress.js — AliExpress API client with HMAC-MD5 signing for Replit
const axios = require('axios');
const crypto = require('crypto');
const express = require('express');

const APP_KEY = process.env.ALIEXPRESS_APP_KEY;
const APP_SECRET = process.env.ALIEXPRESS_APP_SECRET;
const API_URL = 'https://api-sg.aliexpress.com/sync';

/**
 * Compute AliExpress HMAC-MD5 signature.
 * @param {Object} params - All request parameters (including method, app_key, timestamp)
 * @param {string} secret - App Secret
 */
function computeSignature(params, secret) {
  // Sort parameters alphabetically by key
  const sortedKeys = Object.keys(params).sort();
  // Concatenate key+value pairs (no separator between key/value or pairs)
  const paramString = sortedKeys.map(k => `${k}${params[k]}`).join('');
  // Wrap with secret on both sides
  const stringToSign = `${secret}${paramString}${secret}`;
  // HMAC-MD5, uppercase hex
  return crypto.createHmac('md5', secret)
    .update(stringToSign)
    .digest('hex')
    .toUpperCase();
}

/**
 * Call any AliExpress Open Platform API method.
 */
async function callAliexpressAPI(method, extraParams = {}) {
  // UTC timestamp in 'YYYY-MM-DD HH:MM:SS' format
  const timestamp = new Date().toISOString().replace('T', ' ').slice(0, 19);

  const params = {
    method,
    app_key: APP_KEY,
    timestamp,
    sign_method: 'md5',
    ...extraParams
  };

  // The signature is computed before 'sign' is added, so it never signs itself
  params.sign = computeSignature(params, APP_SECRET);

  // Bound the wait so a stalled upstream call cannot hang the route handler
  const response = await axios.post(API_URL, null, { params, timeout: 10000 });
  return response.data;
}

// Express server
const app = express();
app.use(express.json());

// Search AliExpress products
app.get('/api/products/search', async (req, res) => {
  const { keyword, page = 1 } = req.query;
  if (!keyword) return res.status(400).json({ error: 'keyword is required' });

  try {
    const data = await callAliexpressAPI('aliexpress.affiliate.product.query', {
      keywords: keyword,
      page_no: page,
      page_size: 20,
      target_currency: 'USD',
      target_language: 'EN',
      tracking_id: process.env.ALIEXPRESS_TRACKING_ID || ''
    });
    res.json(data);
  } catch (err) {
    res.status(500).json({ error: err.message });
  }
});

// Get product details
app.get('/api/products/:productId', async (req, res) => {
  try {
    const data = await callAliexpressAPI('aliexpress.affiliate.productdetail.get', {
      product_ids: req.params.productId,
      target_currency: 'USD',
      target_language: 'EN',
      tracking_id: process.env.ALIEXPRESS_TRACKING_ID || ''
    });
    res.json(data);
  } catch (err) {
    res.status(500).json({ error: err.message });
  }
});

app.listen(3000, '0.0.0.0', () => console.log('AliExpress API server running on port 3000'));
```

Pro tip: The timestamp must be in 'YYYY-MM-DD HH:MM:SS' format in UTC. A timestamp that is too old or in the wrong format will cause a signature validation error even if the HMAC is computed correctly.
Expected result: GET /api/products/search?keyword=wireless+earbuds returns a JSON array of AliExpress products with titles, prices, and images. GET /api/products/{productId} returns detailed product information.
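The two routes above copy `req.query.keyword`, `req.query.page` and `req.params.productId` straight into the parameter set that gets signed and sent upstream. The following is an added example, not part of the original tutorial, of validating those values first; the function names, the length and page limits, and the digits-only product ID rule are assumptions made for illustration.

```javascript
// Added example: validate route input before it enters the signed parameter set.
// The limits below are illustrative assumptions, not AliExpress rules.
const MAX_KEYWORD_LENGTH = 100;
const MAX_PAGE = 50;

function fail(error) {
  return { ok: false, error };
}

// Validates the query object of GET /api/products/search.
function validateSearchQuery(query) {
  const { keyword, page = '1' } = query;
  // Express parses ?keyword=a&keyword=b into an array and ?keyword[x]=1 into
  // an object; either one would be stringified into the signed string as-is.
  if (typeof keyword !== 'string') return fail('keyword must be a single string');
  const cleaned = keyword
    .normalize('NFC')
    .replace(/[\u0000-\u001f\u007f]/g, ' ') // control characters become spaces
    .replace(/\s+/g, ' ')
    .trim();
  if (cleaned.length === 0) return fail('keyword is required');
  if (cleaned.length > MAX_KEYWORD_LENGTH) return fail('keyword is too long');
  if (typeof page !== 'string' || !/^\d{1,3}$/.test(page)) {
    return fail('page must be a positive integer');
  }
  const pageNo = Number(page);
  if (pageNo < 1 || pageNo > MAX_PAGE) {
    return fail(`page must be between 1 and ${MAX_PAGE}`);
  }
  // Only these server-chosen keys are handed to the signing function.
  return { ok: true, params: { keywords: cleaned, page_no: pageNo } };
}

// Validates :productId of GET /api/products/:productId (assumed digits only).
function validateProductId(productId) {
  if (typeof productId !== 'string' || !/^\d{1,20}$/.test(productId)) {
    return fail('productId must be numeric');
  }
  return { ok: true, params: { product_ids: productId } };
}

// Constructed sample inputs, shaped like Express req.query objects.
const sampleQueries = [
  { keyword: 'wireless earbuds' },
  { keyword: ['a', 'b'] },
  { keyword: { x: '1' } },
  { keyword: '  phone\tcase  ', page: '3' },
  { keyword: 'x', page: '2; drop' }
];

function runSamples() {
  return sampleQueries.map((q) => validateSearchQuery(q).ok);
}

console.log(runSamples());
```

In a route handler, return a 400 response with the `error` field when `ok` is false and spread `params` into the `callAliexpressAPI` call otherwise.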
Implement AliExpress API Client in Python
For Python Replit projects, the AliExpress HMAC-MD5 signing logic translates directly using the built-in hashlib and hmac modules. Install the requests and Flask libraries in the Shell if not already present: pip install requests flask.

The Python implementation follows the same signing logic: sort parameters alphabetically, concatenate key-value pairs without separators, wrap with the App Secret, and compute HMAC-MD5 in uppercase hex. Note that Python's hmac module computes a keyed HMAC, which is not the same value as a plain MD5 hash of the string: use hmac.new(key, msg, digestmod=hashlib.md5).hexdigest().upper() to match AliExpress's expected format.

The Flask server below exposes the same product search and detail endpoints as the Node.js version. Both can be used interchangeably depending on your preferred stack. For Python production deployments on Replit, use gunicorn as the WSGI server for better request handling: pip install gunicorn, then configure your .replit file to run gunicorn app:app (the part before the colon is your module name, for example aliexpress if the file is saved as aliexpress.py as below).

Pay attention to parameter encoding: AliExpress expects UTF-8 encoded strings. Python 3 handles this natively, but ensure your keyword parameters are properly URL-encoded when constructing the query string.
```python
# aliexpress.py — AliExpress API client with HMAC-MD5 signing for Replit
import os
import hmac
import hashlib
from datetime import datetime, timezone
from typing import Optional

from flask import Flask, request, jsonify
import requests

APP_KEY = os.environ['ALIEXPRESS_APP_KEY']
APP_SECRET = os.environ['ALIEXPRESS_APP_SECRET']
TRACKING_ID = os.environ.get('ALIEXPRESS_TRACKING_ID', '')
API_URL = 'https://api-sg.aliexpress.com/sync'


def compute_signature(params: dict, secret: str) -> str:
    """Compute AliExpress HMAC-MD5 signature."""
    # Sort by parameter name, then concatenate name+value with no separators
    sorted_keys = sorted(params.keys())
    param_string = ''.join(f'{k}{params[k]}' for k in sorted_keys)
    # Wrap with the secret on both sides
    string_to_sign = f'{secret}{param_string}{secret}'
    # HMAC-MD5, uppercase hex
    return hmac.new(
        secret.encode('utf-8'),
        string_to_sign.encode('utf-8'),
        digestmod=hashlib.md5
    ).hexdigest().upper()


def call_aliexpress_api(method: str, extra_params: Optional[dict] = None) -> dict:
    """Call any AliExpress Open Platform API method."""
    # UTC timestamp in 'YYYY-MM-DD HH:MM:SS' format
    timestamp = datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')

    params = {
        'method': method,
        'app_key': APP_KEY,
        'timestamp': timestamp,
        'sign_method': 'md5',
        **(extra_params or {})
    }

    # The signature is computed before 'sign' is added, so it never signs itself
    params['sign'] = compute_signature(params, APP_SECRET)

    # Bound the wait so a stalled upstream call cannot hang the worker
    response = requests.post(API_URL, params=params, timeout=10)
    response.raise_for_status()
    return response.json()


app = Flask(__name__)


@app.route('/api/products/search')
def search_products():
    keyword = request.args.get('keyword')
    if not keyword:
        return jsonify({'error': 'keyword is required'}), 400

    page = request.args.get('page', 1)

    try:
        data = call_aliexpress_api('aliexpress.affiliate.product.query', {
            'keywords': keyword,
            'page_no': page,
            'page_size': 20,
            'target_currency': 'USD',
            'target_language': 'EN',
            'tracking_id': TRACKING_ID
        })
        return jsonify(data)
    except Exception as e:
        return jsonify({'error': str(e)}), 500


@app.route('/api/products/<product_id>')
def get_product(product_id):
    try:
        data = call_aliexpress_api('aliexpress.affiliate.productdetail.get', {
            'product_ids': product_id,
            'target_currency': 'USD',
            'target_language': 'EN',
            'tracking_id': TRACKING_ID
        })
        return jsonify(data)
    except Exception as e:
        return jsonify({'error': str(e)}), 500


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=3000)
```

Pro tip: AliExpress API rate limits vary by access level. The free tier allows roughly 1,000 calls per day. Add simple in-memory caching with functools.lru_cache or a Redis store to avoid hitting rate limits for repeated searches.
Expected result: GET /api/products/search?keyword=phone+case returns AliExpress product results with affiliate tracking applied. The HMAC-MD5 signature is computed correctly and the API returns a 200 response.
Common use cases
Dropshipping Product Search Tool
Build a product lookup service where users search AliExpress by keyword and see results with pricing, images, and shipping estimates. Your Replit server handles the signed API requests and returns structured product data to your frontend or a connected store.
Example prompt: Build an Express API server that accepts a search keyword and returns AliExpress product results including title, price, image URL, and product page link, using signed requests to the AliExpress Open Platform API.
Affiliate Link Generator
Create a tool that converts AliExpress product URLs into affiliate tracking links. Users paste a product URL, your Replit server calls the AliExpress Affiliate API to generate a tracked link, and the app returns the affiliate URL with your tracking ID embedded.
Example prompt: Create a Flask web app that takes an AliExpress product URL, calls the AliExpress Affiliate Link Generation API with HMAC-MD5 signing, and returns a tracked affiliate link the user can share for commission.
Price Monitoring Dashboard
Build a scheduled price tracker that monitors AliExpress product prices over time. Your Replit server fetches product details on a schedule, stores prices in a database, and alerts users when prices drop below a threshold.
Example prompt: Build a price tracker that queries AliExpress product details on a schedule, stores price history in a database, and sends an alert when the price drops more than 10% from the historical average.
Troubleshooting
Error: 'Invalid signature' or error code 27 in AliExpress API response
Cause: The HMAC-MD5 signature does not match AliExpress's computation. Common causes: parameters in the signature include the 'sign' field itself (it should be excluded), the timestamp format is wrong, or the App Secret has extra whitespace in Replit Secrets.
Solution: Verify the signature computation excludes the 'sign' parameter itself. Confirm the timestamp format is 'YYYY-MM-DD HH:MM:SS' in UTC (not ISO 8601 with 'T'). Check ALIEXPRESS_APP_SECRET in Replit Secrets for leading/trailing spaces by editing the field and re-pasting the value.
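A preflight check for the three causes named above (a `sign` field in the signed set, a timestamp in the wrong format, whitespace around the App Secret), as an added example that is not part of the original tutorial. The helper names, the 300-second skew limit and the sample values are assumptions; the signing routine follows the scheme this page describes, and the string returned for logging never contains the secret.

```javascript
// Added example: diagnose "Invalid signature" inputs without logging the secret.
const crypto = require('node:crypto');

// Sorted name+value pairs with no separators; 'sign' is always excluded.
function canonicalParams(params) {
  return Object.keys(params)
    .filter((k) => k !== 'sign')
    .sort()
    .map((k) => `${k}${params[k]}`)
    .join('');
}

// Signing scheme as described on this page: secret-wrapped string, HMAC-MD5, uppercase hex.
function signParams(params, secret) {
  return crypto.createHmac('md5', secret)
    .update(`${secret}${canonicalParams(params)}${secret}`)
    .digest('hex')
    .toUpperCase();
}

const TIMESTAMP_RE = /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/;

// Hypothetical helper. maxSkewSeconds is an assumed tolerance, not a documented value.
function preflightSigning(params, secret, now = new Date(), maxSkewSeconds = 300) {
  const findings = [];
  if (typeof secret !== 'string' || secret.length === 0) {
    findings.push('secret-missing');
  } else if (secret !== secret.trim()) {
    findings.push('secret-has-whitespace'); // e.g. a trailing newline from pasting
  }
  if (Object.prototype.hasOwnProperty.call(params, 'sign')) {
    findings.push('sign-field-present');
  }
  const ts = params.timestamp;
  const parsed = typeof ts === 'string' && TIMESTAMP_RE.test(ts)
    ? Date.parse(`${ts.replace(' ', 'T')}Z`) // interpret as UTC
    : NaN;
  if (Number.isNaN(parsed)) {
    findings.push('timestamp-format');
  } else if (Math.abs(now.getTime() - parsed) / 1000 > maxSkewSeconds) {
    findings.push('timestamp-skew');
  }
  for (const [k, v] of Object.entries(params)) {
    // Arrays, objects, null and undefined stringify in surprising ways.
    if (v === undefined || v === null || typeof v === 'object') {
      findings.push(`non-scalar-value:${k}`);
    }
  }
  // 'loggable' holds only the parameter portion, never the secret.
  return { findings, loggable: canonicalParams(params) };
}

// Constructed sample request and secret (not real credentials).
const SAMPLE_SECRET = 'constructed-secret';
const SAMPLE_NOW = new Date('2024-05-01T12:00:30Z');
const SAMPLE_PARAMS = {
  method: 'aliexpress.affiliate.product.query',
  app_key: '12345678',
  timestamp: '2024-05-01 12:00:00',
  sign_method: 'md5',
  keywords: 'phone case'
};

console.log(preflightSigning(SAMPLE_PARAMS, SAMPLE_SECRET, SAMPLE_NOW));
```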
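```javascript
// Debug: print the parameter string being signed.
// The full string to sign begins and ends with APP_SECRET, so log only the
// parameter portion to keep the secret out of console output.
const sortedKeys = Object.keys(params).filter(k => k !== 'sign').sort();
const paramString = sortedKeys.map(k => `${k}${params[k]}`).join('');
const stringToSign = `${APP_SECRET}${paramString}${APP_SECRET}`; // never log this value
console.log('Parameters being signed:', paramString.substring(0, 100) + '...');
```

Error code 'access-denied' or 'ISP_PERMISSION_NO_RIGHT'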
Cause: Your AliExpress app does not have permission to call the requested API method. Some methods (order management, logistics) require additional approval from AliExpress beyond basic developer registration.
Solution: In the AliExpress Open Platform portal, go to your app settings and check which API categories are approved. Apply for additional permissions if needed. For product search and affiliate links, ensure your app type matches the API category you are calling.
API returns empty product list even for common search terms
Cause: The Affiliate API requires a valid tracking_id from the AliExpress Affiliate Program. Without it, product queries may return empty results or require a different API method.
Solution: If you need product data without affiliate tracking, use the AliExpress DS (Dropshipping) API methods instead of the Affiliate API methods. For affiliate links, ensure ALIEXPRESS_TRACKING_ID is set in Replit Secrets with your approved affiliate tracking ID.
```javascript
// Check if tracking ID is set and log the API method being called
console.log('Method:', method);
console.log('Tracking ID set:', !!process.env.ALIEXPRESS_TRACKING_ID);
console.log('Tracking ID value:', process.env.ALIEXPRESS_TRACKING_ID || '(empty)');
```

TypeError or connection errors when calling the API from Replit
Cause: Replit free-tier Repls can have intermittent network issues. Additionally, AliExpress blocks requests from certain IP ranges, and Replit's dynamic IPs may occasionally fall into restricted ranges.
Solution: Deploy your Replit app using Autoscale or Reserved VM deployment, which provides more stable network connectivity than the development environment. If problems persist, try the Singapore API endpoint (api-sg.aliexpress.com) which is the closest to AliExpress's servers.
Best practices
- Always compute HMAC-MD5 signatures server-side — never expose your ALIEXPRESS_APP_SECRET to the browser or include it in client-side JavaScript
- Store ALIEXPRESS_APP_KEY, ALIEXPRESS_APP_SECRET, and ALIEXPRESS_TRACKING_ID in Replit Secrets (lock icon 🔒) and access via process.env or os.environ
- Cache product search results for at least 5-10 minutes to reduce API call volume and stay within your daily quota
- Use the Singapore API endpoint (api-sg.aliexpress.com) for the lowest latency from Replit servers, which are hosted in the US and Europe
- Validate all product data before presenting to users — AliExpress product listings can change price, availability, and shipping times without notice
- Generate fresh affiliate links at request time rather than storing them, as affiliate URLs can expire
- Deploy as Autoscale for product search tools to handle bursty traffic from marketing campaigns or deal promotions
- Include descriptive error handling that distinguishes between signature errors (check your implementation), permission errors (check app approval), and rate limit errors (add caching)
Alternatives
eBay's Browse and Sell APIs target consumer marketplace listings with auction support, while AliExpress is focused on wholesale sourcing and dropshipping from Asian suppliers.
Etsy's Open API is better for handmade and vintage niche products with a Western customer base, whereas AliExpress specializes in high-volume, low-cost wholesale goods.
Printful provides print-on-demand fulfillment with no minimum orders and a simpler API, making it a better choice if you want custom-branded products rather than sourcing from AliExpress suppliers.
Frequently asked questions
How do I connect Replit to the AliExpress API?
Register an app on the AliExpress Open Platform (portals.aliexpress.com), copy your App Key and App Secret into Replit Secrets (lock icon 🔒), and use the HMAC-MD5 signing algorithm to authenticate each API request. Your Replit server computes the signature and calls https://api-sg.aliexpress.com/sync with the signed parameters.
Does AliExpress have a free API tier?
Yes. The AliExpress Open Platform has a free tier that grants access to product search and affiliate APIs with up to 1,000 API calls per day. For higher limits or access to order management and logistics APIs, you may need to apply for partner status, which requires demonstrating traffic volume or business use.
How do I store my AliExpress App Secret securely in Replit?
Click the lock icon (🔒) in the Replit sidebar to open the Secrets panel and add ALIEXPRESS_APP_SECRET as a secret. Access it in Node.js via process.env.ALIEXPRESS_APP_SECRET and in Python via os.environ['ALIEXPRESS_APP_SECRET']. Never paste the secret directly into source code — Replit's Secret Scanner will flag it and it would be visible in version history.
Can I place AliExpress orders programmatically from Replit?
Order placement via the AliExpress API is restricted to approved dropshipping partners with a verified business account. Standard developer accounts can access product search and affiliate link generation, but order management APIs require additional approval from AliExpress, typically requiring proof of transaction volume.
What is the difference between the AliExpress Affiliate API and the Dropshipping API?
The Affiliate API generates commission-bearing links and is designed for content creators who earn money when users click through and buy. The Dropshipping API (DS API) is for businesses that fulfill customer orders by purchasing from AliExpress suppliers, providing access to order placement and logistics tracking. Both require separate approvals and use different API method names.