Generate an access token
POST /v2/oauth/token
Returns an access token. The access token must be included in all other requests as a Bearer token for authentication purposes. Before you begin, ensure you have a client ID and secret from Instacart. You need to pass these values in the request.
Specify the scope and grant type that is required for the API you intend to use. For a list of valid scopes and the associated grant type, see Permissions and scopes.
The token is valid for 24 hours. During this period, reuse the same token in your requests. After 24 hours, you must generate a new token.
For guidance about how to request an access token for different purposes, see:
- Get a client credentials access token for the Fulfillment API
- Get a client credentials access token for the Transaction API
- Get a user access token for the Post-checkout API
- Get a client credentials access token for the Sandbox API
- How to link an Instacart account
To reduce the risk of your client credentials being compromised, always send them in the request body. If you pass your credentials as query parameters, Instacart returns an error with a 403 status code.
Security
None.
Parameters
None.Request
| Field | Type | Required | Description |
|---|---|---|---|
client_id | string |  | The client ID. |
client_secret | string | | The client secret. |
grant_type | string | | The grant type. |
scope | string |  | The APIs that this token can access. Default is all the APIs specified in the retailer application configuration. |
code | string | | The authorization code. |
redirect_uri | string | | The redirect URI when the authorization code was generated. |
assertion | string | | The assertion. |
Limit the scope of the access token to the API required for the tasks your site needs to perform. You can specify more than one scope if the grant type is the same. Separate the scope values with a comma.
Request examples
- cURL
- Java
- Python
- Go
curl --request POST \
--url https://connect.instacart.com/v2/oauth/token \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "string",
"client_secret": "string",
"grant_type": "string",
"scope": "string",
"code": "string",
"redirect_uri": "string",
"assertion": "string"
}'
HttpResponse<String> response = Unirest.post("https://connect.instacart.com/v2/oauth/token")
.header("Accept", "application/json")
.header("Content-Type", "application/json")
.body("{\n \"client_id\": \"string\",\n \"client_secret\": \"string\",\n \"grant_type\": \"string\",\n \"scope\": \"string\",\n \"code\": \"string\",\n \"redirect_uri\": \"string\",\n \"assertion\": \"string\"\n}")
.asString();
import http.client
conn = http.client.HTTPSConnection("connect.instacart.com")
payload = "{\n \"client_id\": \"string\",\n \"client_secret\": \"string\",\n \"grant_type\": \"string\",\n \"scope\": \"string\",\n \"code\": \"string\",\n \"redirect_uri\": \"string\",\n \"assertion\": \"string\"\n}"
headers = {
'Accept': "application/json",
'Content-Type': "application/json"
}
conn.request("POST", "/v2/oauth/token", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
package main
import (
"fmt"
"strings"
"net/http"
"io"
)
func main() {
url := "https://connect.instacart.com/v2/oauth/token"
payload := strings.NewReader("{\n \"client_id\": \"string\",\n \"client_secret\": \"string\",\n \"grant_type\": \"string\",\n \"scope\": \"string\",\n \"code\": \"string\",\n \"redirect_uri\": \"string\",\n \"assertion\": \"string\"\n}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("Accept", "application/json")
req.Header.Add("Content-Type", "application/json")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := io.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
Response
| Field | Type | Required | Description |
|---|---|---|---|
access_token | string | | The token to be used to authenticate requests. |
token_type | string | | The token type. |
expires_in | number | | The number of seconds the token will expire in. |
created_at | number | | The epoch time of when the token was created. |
scope | string | | The scope of the token. |
Response examples
200 Success
200Access token generated
{
"access_token": "mhtEdMZYPypuW_I0fYken8cAqE7llDaoNefHSeVj9u4",
"token_type": "Bearer",
"expires_in": 86400,
"scope": "connect:fulfillment",
"created_at": 1603897760
}
Authentication Errors
| HTTP Code | Cause | Error | Description |
|---|---|---|---|
400 | Invalid authorization code or redirect URI | "invalid_grant" | "Assertion is not provided or invalid assertion provided for the grant_type." |
401 | Invalid client ID or secret | "invalid_client" | "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method." |
403 | Query Params Forbidden | "query_params_forbidden" | "Providing OAuth credentials as query parameters may cause them to be compromised. Please ensure the credentials are rotated." |