Skip to main content

Generate an access token

POST /v2/oauth/token

Returns an access token. The access token must be included in all other requests as a Bearer token for authentication purposes. Before you begin, ensure you have a client ID and secret from Instacart. You need to pass these values in the request.

Specify the scope and grant type that is required for the API you intend to use. For a list of valid scopes and the associated grant type, see Permissions and scopes.


The token is valid for 24 hours. During this period, reuse the same token in your requests. After 24 hours, you must generate a new token.

For guidance about how to request an access token for different purposes, see:

Best Practice

For security purposes, ensure that you send credentials only in the request body. Avoid sending credentials as query parameters because this might result in compromised credentials.


client_idstringThe client ID.
client_secretstringThe client secret.
grant_typestringThe grant type.
scopestringThe APIs that this token can access. Default is all the APIs specified in the retailer application configuration.
codestringThe authorization code.
redirect_uristringThe redirect URI when the authorization code was generated.
assertionstringThe assertion.
Best practice

Limit the scope of the access token to the API required for the tasks your site needs to perform. You can specify more than one scope if the grant type is the same. Separate the scope values with a comma.

Request examples

curl --request POST \
--url \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "string",
"client_secret": "string",
"grant_type": "string",
"scope": "string",
"code": "string",
"redirect_uri": "string",
"assertion": "string"


access_tokenstringThe token to be used to authenticate requests.
token_typestringThe token type.
expires_innumberThe number of seconds the token will expire in.
created_atnumberThe epoch time of when the token was created.
scopestringThe scope of the token.

Response examples

200 Success

"access_token": "mhtEdMZYPypuW_I0fYken8cAqE7llDaoNefHSeVj9u4",
"token_type": "Bearer",
"expires_in": 86400,
"scope": "connect:fulfillment",
"created_at": 1603897760

Authentication Errors

HTTP CodeCauseErrorDescription
400Invalid authorization code or redirect URI"invalid_grant""Assertion is not provided or invalid assertion provided for the grant_type."
401Invalid client ID or secret"invalid_client""Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
403Query Params Forbidden"query_params_forbidden""Providing OAuth credentials as query parameters may cause them to be compromised. Please reach out to Instacart's security team and have the credentials rotated."