Skip to main content

Authentication for event callbacks

To enable event callbacks to be sent to your retailer site, OAuth v2.0 must be enabled on the callback endpoint. For information about OAuth 2.0, see the OAuth 2.0 Authorization Framework (RFC). Contact your Instacart Connect representative when you have OAuth 2.0 set up for callbacks.

OAuth 2.0 details required

Instacart requires the following configuration details to support callbacks:

  • An endpoint to use for Connect callbacks. The endpoint must be protected by OAuth 2.0.
  • An endpoint to use for OAuth 2.0 authentication, which accepts a form POST with content type application/x-www-form-urlencoded and the following query parameters:
client_idThe ID that Connect uses to authenticate with your site.
client_secretThe secret that Connect uses to authenticate with your site.
grant_typeThe grant type for the token. Always client_credentials.
scopeIf your OAuth 2.0 configuration includes a scope for Connect callbacks, the scope must be included as a parameter.

Response requirements

In response to requests for access, the retailer site must return a JSON response with the following properties:

access_tokenThe access token that Connect sends with callbacks.
expires_inWhen the token expires. Optionally, you can configure a fixed expiry time with Instacart.

For an example response and more information about OAuth 2.0 properties, see Access Token Response in the Okta OAuth documentation.


Connect requests an access token to begin sending callback events. When the access token expires, Connect requests a new token.

  1. Connect uses the OAuth 2.0 endpoint to send a request for an access token.
  2. The retailer site returns an access token.
  3. Connect uses the callback endpoint to send the callback along with the access token.
  4. The retailer site authenticates the request and permits the callback.