# AliExpress API

- Tool: FlutterFlow
- Difficulty: Intermediate
- Time required: 60 minutes
- Last updated: July 2026

## TL;DR

Connect FlutterFlow to the AliExpress Open Platform using a Firebase Cloud Function that HMAC-SHA256 signs every request with your App Secret. FlutterFlow sends search params to the function; the function adds app_key, timestamp, and the signature before forwarding to https://api-sg.aliexpress.com/sync. Your App Secret never reaches the Flutter client — it stays server-side only.

## Building a Dropshipping Product Browser with AliExpress and FlutterFlow

The AliExpress Open Platform is the programmatic backbone for affiliate marketers and dropshippers who want to surface AliExpress products in their own apps. Its product search endpoint returns titles, prices, images, shipping details, and affiliate commission rates — everything a founder building a dropshipping app needs. Access is free through the affiliate/dropship program, though you'll need to apply and be approved before generating credentials. New applications start with 500 requests per day; that limit rises after review.

The catch is authentication. Unlike REST APIs that accept a static Bearer token in a header, AliExpress Open Platform requires every request to carry a dynamically computed HMAC-SHA256 signature. You sort all request parameters alphabetically, concatenate them into a string, prepend and append your App Secret, then hash the result with SHA256 and convert to uppercase hex. Doing this in Dart inside a FlutterFlow Custom Action is technically possible, but it would require shipping your App Secret inside the compiled Flutter app — meaning every user who installs your app on Android or iOS could extract it. That's an account-takeover risk you cannot accept.

The solution is a Firebase Cloud Function that lives entirely on Google's servers. FlutterFlow sends only the user-visible search parameters (keyword, price range, page number) to your function URL. The function loads the App Secret from its environment, computes the signature, adds app_key and timestamp, and forwards the signed request to AliExpress. FlutterFlow never sees the secret. This tutorial walks you through deploying that function, wiring up the FlutterFlow API Group, parsing the nested product JSON, and protecting yourself against the daily rate cap.

## Before you start

- A FlutterFlow project (free tier is fine for this setup)
- An AliExpress Open Platform account — register at open.aliexpress.com and apply for affiliate/dropship API access (approval may take a few days)
- App Key and App Secret from the AliExpress Open Platform developer dashboard
- A Firebase project with Cloud Functions enabled (Blaze pay-as-you-go plan required for outbound HTTP calls from functions)
- Node.js familiarity helpful but not required — the function code is copy-paste ready

## Step-by-step guide

### 1. Register on AliExpress Open Platform and obtain credentials

Before writing a single line of code or clicking anything in FlutterFlow, you need your App Key and App Secret from AliExpress. Open your browser and go to open.aliexpress.com. Log in with your AliExpress account, then navigate to the 'My Apps' section and click 'Create App'. Fill in your app name, select the dropshipping or affiliate category, and submit for review. Approval can take anywhere from a few hours to a few days depending on your account history.

Once approved, open your app's detail page. You will see two values: App Key (a numeric ID, safe to use in URLs) and App Secret (a long alphanumeric string — this is the signing secret that must never leave your server). Copy both values to a secure password manager or note immediately. You will also see your current API quota — new applications start at 500 requests per day. This matters for FlutterFlow design: every ListView scroll that auto-fetches the next page counts against this quota, so you'll need to implement caching or manual pagination to stay under the limit.

Do not paste the App Secret anywhere in FlutterFlow at this stage. The next step deploys the server-side function that will hold it.

**Expected result:** You have an App Key (numeric) and App Secret (alphanumeric string) saved securely, and your app status shows 'Approved' or 'Active' on the AliExpress Open Platform dashboard.

### 2. Deploy a Firebase Cloud Function that HMAC-signs AliExpress requests

This is the most important step. The AliExpress HMAC-SHA256 signature algorithm works as follows: collect all request parameters (method, app_key, timestamp, and any query params like keyword or target_currency), sort them alphabetically by key name, concatenate them into one string with no separator (e.g. app_key12345keywordrunning shoesmethodaliexpress.affiliate.product.query), prepend and append your App Secret to that string, then compute SHA256 over the whole thing and convert the digest to uppercase hexadecimal. That hex string becomes your 'sign' parameter. Missing even one parameter from the sort, using the wrong timestamp format (must be 'YYYY-MM-DD HH:mm:ss' in UTC), or using the wrong encoding will give you a 50 error code from AliExpress.

In the Firebase console, open your project and go to Functions. Click 'Get started' if you haven't enabled it yet — you'll need to upgrade to the Blaze plan because Cloud Functions require an outbound HTTP call to api-sg.aliexpress.com. Once functions are enabled, click 'Create function'. Name it 'aliexpressProxy'. In the code editor, replace the default with the Node.js implementation shown in the code block below. Before deploying, click 'Runtime, build and connections settings' → 'Runtime environment variables' and add two entries: ALIEXPRESS_APP_KEY (your numeric key) and ALIEXPRESS_APP_SECRET (your secret string). Deploy the function. Once deployed, copy the trigger URL shown in the Firebase console — it will look like https://us-central1-yourproject.cloudfunctions.net/aliexpressProxy. Keep this URL handy for the next step.

```
const functions = require('firebase-functions');
const crypto = require('crypto');
const https = require('https');
const querystring = require('querystring');

exports.aliexpressProxy = functions.https.onRequest(async (req, res) => {
  // Allow CORS for FlutterFlow web builds
  res.set('Access-Control-Allow-Origin', '*');
  if (req.method === 'OPTIONS') {
    res.set('Access-Control-Allow-Methods', 'GET, POST');
    res.set('Access-Control-Allow-Headers', 'Content-Type');
    return res.status(204).send('');
  }

  const APP_KEY = process.env.ALIEXPRESS_APP_KEY;
  const APP_SECRET = process.env.ALIEXPRESS_APP_SECRET;
  const BASE_URL = 'https://api-sg.aliexpress.com/sync';
  const METHOD = 'aliexpress.affiliate.product.query';

  const keyword = req.query.keyword || '';
  const page = req.query.page || '1';
  const pageSize = req.query.page_size || '20';

  // Timestamp must be UTC in this exact format
  const timestamp = new Date().toISOString()
    .replace('T', ' ')
    .substring(0, 19);

  const params = {
    app_key: APP_KEY,
    method: METHOD,
    timestamp: timestamp,
    sign_method: 'hmac-sha256',
    keywords: keyword,
    page_no: page,
    page_size: pageSize,
    fields: 'product_id,product_title,target_sale_price,product_main_image_url,product_detail_url'
  };

  // Sort params alphabetically and concatenate
  const sortedKeys = Object.keys(params).sort();
  let signStr = APP_SECRET;
  for (const key of sortedKeys) {
    signStr += key + params[key];
  }
  signStr += APP_SECRET;

  const sign = crypto
    .createHmac('sha256', APP_SECRET)
    .update(signStr)
    .digest('hex')
    .toUpperCase();

  params.sign = sign;

  const fullUrl = `${BASE_URL}?${querystring.stringify(params)}`;

  try {
    const response = await fetch(fullUrl);
    const data = await response.json();
    return res.status(200).json(data);
  } catch (err) {
    console.error('AliExpress proxy error:', err);
    return res.status(500).json({ error: 'Proxy request failed' });
  }
});
```

**Expected result:** The Cloud Function is deployed and its trigger URL is accessible. Testing it with a keyword parameter returns a JSON response from AliExpress containing product results rather than an error.

### 3. Create a FlutterFlow API Group pointing at the Cloud Function

Now that the signing proxy is deployed and tested, you can wire FlutterFlow to it. Open your FlutterFlow project and click 'API Calls' in the left navigation panel. Click '+ Add' and select 'Create API Group'. Name it 'AliExpressProxy'. In the 'Base URL' field paste your Cloud Function trigger URL — the full URL including the https:// and the function path, for example https://us-central1-yourproject.cloudfunctions.net/aliexpressProxy. Leave the 'Headers' section empty for this group: since the Cloud Function is your own endpoint and returns CORS headers, no special headers are required at the group level.

Next, click '+ Add API Call' inside the AliExpressProxy group. Name it 'SearchProducts'. Set the method to GET. Leave the endpoint suffix blank (the base URL IS the full endpoint). Now click the 'Variables' tab. Add three variables: 'keyword' (type String, test value 'wireless earbuds'), 'page' (type String, test value '1'), and 'page_size' (type String, test value '20'). Switch back to the 'Settings' tab and in the URL field append: ?keyword={{keyword}}&page={{page}}&page_size={{page_size}}. FlutterFlow will substitute the double-curly variable placeholders at runtime.

Click the 'Response & Test' tab. Enter your test variable values and click 'Test API Call'. If the proxy is working you will see the raw JSON response from AliExpress appear in the response panel. The top-level key is aliexpress_affiliate_product_query_response, which contains a resp_result, which contains a result, which contains products. Click 'Generate JSON Paths from Response'. FlutterFlow will parse the structure and let you pick paths. The paths you need are:
- $.aliexpress_affiliate_product_query_response.resp_result.result.products.product[*].product_id
- $.aliexpress_affiliate_product_query_response.resp_result.result.products.product[*].product_title
- $.aliexpress_affiliate_product_query_response.resp_result.result.products.product[*].target_sale_price
- $.aliexpress_affiliate_product_query_response.resp_result.result.products.product[*].product_main_image_url
- $.aliexpress_affiliate_product_query_response.resp_result.result.products.product[*].product_detail_url

Click 'Save' to confirm the API Call configuration.

**Expected result:** The SearchProducts API Call shows a successful test response in FlutterFlow's Response & Test panel, and JSON Paths are generated for product_id, product_title, target_sale_price, product_main_image_url, and product_detail_url.

### 4. Create a Data Type and map JSON paths to bind to widgets

Before building your UI, create a FlutterFlow Data Type to represent a single AliExpress product. Go to the left nav, click on the Data Types section (or reach it via Settings → Data Types depending on your FlutterFlow version). Click '+ Add Data Type' and name it 'AliExpressProduct'. Add five fields: productId (String), productTitle (String), salePrice (String), imageUrl (String), and detailUrl (String). Save the Data Type.

Return to your API Calls panel, open the AliExpressProxy → SearchProducts call, and in the Response section find the JSON Path mappings. Map each path to the corresponding AliExpressProduct field. FlutterFlow will now know how to deserialize the API response into a list of AliExpressProduct objects that your widgets can consume.

Now build your search screen. Add a TextField widget for the search keyword and an ElevatedButton labeled 'Search'. Below them, add a ListView widget. In the ListView's data source, select 'Backend Query' → 'API Call' → 'AliExpressProxy SearchProducts'. Pass the TextField's value as the keyword variable. Set page to '1' and page_size to '20' for the initial load.

Inside the ListView, add a Card widget. Inside the Card, place an Image widget (bind its network URL to the imageUrl field), a Text widget for productTitle, a Text widget for salePrice, and a Button labeled 'View on AliExpress'. In the button's Action Flow, add a 'Launch URL' action bound to the detailUrl field. This opens the AliExpress product page in the device's browser, where your affiliate tracking is applied.

For caching, consider storing the last successful response in an AppState variable (type List of AliExpressProduct) so that returning to the screen doesn't consume another API request from the daily quota.

**Expected result:** The search screen shows a ListView of product cards with images, titles, and prices populated from AliExpress data. Tapping 'View on AliExpress' opens the correct product page in the device browser.

### 5. Handle the 500 requests/day cap with caching and a 429 retry

New AliExpress Open Platform applications receive 500 requests per day. That sounds like a lot until you realize a ListView with automatic pagination can exhaust it in a single testing session — scrolling through three pages of 20 results each is 3 requests; 10 users doing the same is 30 requests. Without protection, your app will silently return errors once the quota is gone.

The first defense is manual pagination. Instead of infinite scroll, give users an explicit 'Load More' button. This puts the request trigger in the user's hands. Each tap of 'Load More' increments a page counter in your AppState and calls the API with the new page number. Add the returned products to the existing list (AppState variable, List of AliExpressProduct) rather than replacing it.

The second defense is a session-level keyword cache. Store the last keyword and its results in AppState. When the user searches again, compare the new keyword against the stored one. If it's the same, show cached results without making an API call. Only fetch fresh data when the keyword changes.

The third defense is retry-with-backoff for 429 responses. In your FlutterFlow Action Flow, after the API Call action, add a Conditional Action checking if the response status code is 429. If true, add a Wait action (FlutterFlow allows delays in action flows) of 2,000ms, then repeat the API call once. Log the retry in Firestore so you can monitor quota burn rate in the Firebase console.

If you need the team to help design a quota-management strategy for a production app with real users, RapidDev builds FlutterFlow integrations like this every week — you can book a free scoping call at rapidevelopers.com/contact.

**Expected result:** The app does not auto-paginate on scroll. Users see a 'Load More' button. Cached results display instantly on repeated searches with the same keyword. A 429 response triggers one automatic retry after a 2-second pause.

### 6. Test on a real device and validate the affiliate link flow

FlutterFlow's web preview in the builder is useful for layout work, but CORS headers from external APIs (even via your proxy) can behave inconsistently in the browser-based preview. For this integration, testing on a real device or in FlutterFlow's Run mode gives you the most reliable results.

Click the 'Run' button in FlutterFlow's top bar to launch the compiled web app in your browser. This is different from the canvas preview and runs the actual compiled Dart code. Test a product search: type a keyword, tap Search, and verify the ListView populates with real AliExpress products. Tap 'View on AliExpress' on one product and confirm it opens the correct product page with your affiliate tracking parameters in the URL.

For mobile testing, click the mobile device icon in FlutterFlow and use the QR code to open the running app on your iOS or Android device. Verify that product images load (they are hotlinked from AliExpress CDN and may occasionally return 403 errors on specific products — add an error placeholder to your Image widget in FlutterFlow's widget settings). Also verify that tapping affiliate links opens them in the native browser rather than a WebView, which is important for some affiliate tracking systems.

Finally, check the Firebase Functions log in the Firebase console to confirm that each search generates exactly one function invocation and that no App Secret value appears in the logs (it shouldn't, but verify). A clean log entry looks like: 'AliExpress proxy called with keyword: wireless earbuds'.

**Expected result:** Product searches work in both Run mode and on a physical device. Affiliate link buttons open correct AliExpress product pages in the native browser. Firebase logs show clean function invocations with no secrets visible.

## Best practices

- Never put the AliExpress App Secret in a FlutterFlow API Call header, an AppState variable, or a Custom Action — it ships inside the compiled app and can be extracted by any user
- Keep the HMAC signing logic in a single, tested Cloud Function rather than duplicating it across multiple functions; a mismatch in any one implementation will cause sporadic 50 errors
- Cache search results in AppState keyed by keyword to drastically reduce daily API request consumption, especially during development and testing
- Use manual 'Load More' pagination instead of infinite scroll so each network request is user-initiated rather than automatic
- Add a fallback image to every Image widget bound to AliExpress product images — supplier CDN links can expire or return 403 errors unexpectedly
- Log each Cloud Function invocation to Firestore with a timestamp so you can monitor daily quota burn without checking the AliExpress portal
- Test on a real iOS or Android device before sharing with users — the FlutterFlow web canvas preview may handle CORS differently than the compiled native app
- Apply for a higher request quota through the AliExpress developer portal before launching to real users; 500/day will not support even a small active user base

## Use cases

### Dropshipping product discovery app

A mobile app that lets a store owner search AliExpress for products matching a niche keyword, see prices and shipping times, and tap to open the AliExpress affiliate link. The app shows a ListView of product cards with images, titles, and estimated delivery ranges.

Prompt example:

```
Build a FlutterFlow screen with a search TextField at the top and a ListView below. When the user types a keyword and taps Search, call my Cloud Function with the keyword as a query parameter, parse the response into a list of products, and display each product as a Card with an image, title, price, and an affiliate link button.
```

### Price comparison and watchlist

A Flutter app that lets users save AliExpress product IDs, then periodically refreshes pricing data via the Cloud Function to show price changes over time. Users can set price alerts for products they are watching.

Prompt example:

```
Create a FlutterFlow screen that shows a saved products list. Each item stores an AliExpress product ID in Firestore. When the user opens the screen, call my proxy function for each saved product ID, retrieve the current price, and highlight items where the price dropped more than 10% since last check.
```

### Affiliate link generator for content creators

A tool for social-media creators who recommend products. They search by keyword, pick matching AliExpress items from the results, and the app generates ready-to-share affiliate URLs. The app also tracks how many times each link was copied.

Prompt example:

```
Build a FlutterFlow page where a creator enters a product keyword, sees a grid of AliExpress results with product images and affiliate URLs, and can tap a copy button to copy a formatted affiliate link to the clipboard. Store copied link counts in Firestore.
```

## Troubleshooting

### AliExpress returns error code 50 or 'Invalid signature' on every request

Cause: The HMAC-SHA256 signature is being computed incorrectly — most commonly due to wrong parameter sorting, incorrect timestamp format, or the App Secret being applied only once instead of prepended and appended to the concatenated string.

Solution: In your Cloud Function, add a console.log line that prints the full signStr before hashing it. Check: (1) all parameters are sorted alphabetically by key, (2) the timestamp is in 'YYYY-MM-DD HH:mm:ss' format in UTC (not ISO 8601 with T and Z), (3) the App Secret appears at both the beginning and end of the concatenated string, not just once. Compare the logged signStr against the AliExpress signature verification tool in the developer portal.

### FlutterFlow API Call test returns 'XMLHttpRequest error' in the web preview

Cause: CORS — the browser's same-origin policy blocks the request from the FlutterFlow canvas domain. This only affects the web-based FlutterFlow editor and web builds, not native iOS/Android apps.

Solution: Verify that your Cloud Function sends the CORS headers: 'Access-Control-Allow-Origin: *' on every response, including preflight OPTIONS requests. The example index.js in Step 2 includes this. If you deployed an earlier version without CORS headers, redeploy with the updated code. The API test inside FlutterFlow's builder will work once the function returns correct CORS headers.

```
res.set('Access-Control-Allow-Origin', '*');
res.set('Access-Control-Allow-Methods', 'GET, POST');
res.set('Access-Control-Allow-Headers', 'Content-Type');
```

### The ListView is empty even though the API Call test shows products in the response panel

Cause: JSON Path mapping is pointing at the wrong level of the response. AliExpress wraps results in multiple nested keys: aliexpress_affiliate_product_query_response → resp_result → result → products → product (array). Missing any level of nesting means the path resolves to null.

Solution: In FlutterFlow API Calls → SearchProducts → Response, verify each JSON Path starts with $.aliexpress_affiliate_product_query_response.resp_result.result.products.product[*]. Click 'Generate JSON Paths from Response' again if needed, using the actual test response as the source. After updating paths, delete and re-add the Backend Query on your ListView widget to force a refresh of the field bindings.

### Requests succeed for a while then all return 429 errors

Cause: The 500 requests/day quota for new AliExpress Open Platform apps has been exhausted. Each API call to the proxy counts as one AliExpress API request regardless of whether it's from testing or real users.

Solution: Implement the caching strategy from Step 5: store the last search results in AppState and skip the API call when the same keyword is searched again. Switch to manual 'Load More' pagination rather than infinite scroll. In the Cloud Function, add a Firestore write per invocation so you can monitor daily consumption in real time. If your app requires more than 500 requests/day, apply for a higher quota through the AliExpress developer portal.

## Frequently asked questions

### Can I put the HMAC signing code directly in a FlutterFlow Custom Action instead of a Cloud Function?

Technically yes — Dart has crypto libraries on pub.dev that can compute HMAC-SHA256. However, doing so requires embedding the App Secret in the Custom Action code, which compiles into the Flutter app binary. Anyone who reverse-engineers the APK or IPA can extract the secret, giving them full access to your AliExpress API account. A Firebase Cloud Function keeps the secret server-side where it cannot be extracted.

### Does the AliExpress integration work for web builds in FlutterFlow, or only for mobile?

It works for both, but the requirement differs slightly. Mobile apps (iOS/Android) make HTTP requests natively with no CORS restrictions, so they can call your Cloud Function without any special handling. Web builds run in a browser, which enforces CORS — your Cloud Function must return 'Access-Control-Allow-Origin: *' (or your specific origin) in its response headers. The example index.js in Step 2 includes the CORS headers for both cases.

### How do I increase the 500 requests/day limit on my AliExpress API account?

Log in to open.aliexpress.com, open your app's detail page, and look for the 'Upgrade Quota' or 'Apply for Higher Limits' option. AliExpress typically grants higher limits after reviewing your integration plan and expected traffic. The review may take several business days. In the meantime, implement the caching and manual pagination strategies from Step 5 to stay within the current limit.

### The test response in FlutterFlow shows the right products, but the ListView on screen is empty. What's wrong?

This is almost always a JSON Path mismatch. The AliExpress response is deeply nested inside several wrapper keys. Open the API Call's Response tab, click 'Generate JSON Paths from Response', and make sure each path starts with $.aliexpress_affiliate_product_query_response.resp_result.result.products.product[*] before the field name. After updating the paths, delete and re-add the Backend Query binding on the ListView to reset the field mappings.

### Do I need to handle affiliate tracking separately, or does AliExpress add it automatically?

When you call the product search endpoint with your App Key, AliExpress returns product_detail_url values that already include your affiliate tracking parameters. You simply bind those URLs to your 'View on AliExpress' button's Launch URL action — no extra tracking setup is needed. Make sure the app_key in each request matches your registered affiliate account's key so commissions are attributed correctly.

---

Source: https://www.rapidevelopers.com/flutterflow-integrations/aliexpress-api
© RapidDev — https://www.rapidevelopers.com/flutterflow-integrations/aliexpress-api
