Skip to main content


POST /v2/oauth/token

Returns an access token. The access token must be included in requests as a Bearer token.

Before you call the authentication endpoint, get your client ID and client Secret from Instacart. You need to pass these values in your request. The generated access token is valid for 24 hours. After this period, your site needs to authenticate again.

For a tutorial, see Get started.


client_idstringโœ…The client ID.
client_secretstringโœ…The client secret.
grant_typestringโœ…The grant type.
codestringThe authorization code.
redirect_uristringThe redirect URI when the authorization code was generated.

For client-level authentication, the grant type must be set to client_credentials. Authorization code and redirect URI must not be set.

Request Examples#

curl --request POST \  --url \  --header 'Accept: application/json' \  --header 'Content-Type: application/json' \  --data '{  "client_id": "string",  "client_secret": "string",  "grant_type": "client_credentials",  "code": "string",  "redirect_uri": "string"}'


access_tokenstringโœ…The token to be used to authenticate requests.
token_typestringโœ…The token type.
expires_innumberโœ…The number of seconds the token will expire in.
created_atnumberโœ…The epoch time of when the token was created.
scopestringThe scope of the token.

For client-level authentication, the scope is not set.

Response Examples#

{  "access_token": "mhtEdMZYPypuW_I0fYken8cAqE7llDaoNefHSeVj9u4",  "token_type": "Bearer",  "expires_in": 86400,  "created_at": 1603897760}