Authentication for event callbacks
To enable event callbacks to be sent to your retailer site, OAuth 2.0 must be enabled on the callback endpoint. For information about OAuth 2.0, see the OAuth 2.0 Authorization Framework (RFC). Contact your Instacart Connect representative when you have OAuth 2.0 set up for callbacks.
OAuth 2.0 details required
Instacart requires the following configuration details to support callbacks:
- An endpoint to use for Connect callbacks. The endpoint must be protected by OAuth 2.0.
- An endpoint to use for OAuth 2.0 authentication, which accepts a form POST with content type application/x-www-form-urlencoded and the following query parameters:
Parameter | Description |
---|---|
client_id | The ID that Connect uses to authenticate with your site. |
client_secret | The secret that Connect uses to authenticate with your site. |
grant_type | The grant type for the token. Always client_credentials. |
scope | If your OAuth 2.0 configuration includes a scope for Connect callbacks, the scope must be included as a parameter. |
Response requirements
In response to requests for access, the retailer site must return a JSON response with the following properties:
Properties | Description |
---|---|
access_token | The access token that Connect sends with callbacks. |
expires_in | When the token expires. Optionally, you can configure a fixed expiry time with Instacart. |
For an example response and more information about OAuth 2.0 properties, see Access Token Response in the Okta OAuth documentation.
Process
Connect requests an access token to begin sending callback events. When the access token expires, Connect requests a new token.
- Connect uses the OAuth 2.0 endpoint to send a request for an access token.
- The retailer site returns an access token.
- Connect uses the callback endpoint to send the callback along with the access token.
- The retailer site authenticates the request and permits the callback.
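The four steps above, seen from the retailer side, as an added example (not Instacart's code or part of the original page): a token endpoint handler for the client_credentials form POST and a guard for the callback endpoint. It assumes Connect presents the token in an Authorization: Bearer header and that a scope is configured; the credential values, scope name, token lifetime and function names are constructed for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed sample values; real credentials are agreed with Instacart.
CLIENT_ID = b"connect-client"
CLIENT_SECRET = b"example-secret-not-real"
CALLBACK_SCOPE = "connect:callbacks"  # hypothetical scope name
TOKEN_TTL = 3600                      # assumed token lifetime in seconds
_tokens = {}                          # access_token -> expiry (epoch seconds)

def issue_token(form_body, now=None):
    """Token endpoint: handle an application/x-www-form-urlencoded POST body."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    # Constant-time comparison on bytes, so timing does not reveal how much matched.
    id_ok = hmac.compare_digest(form.get("client_id", "").encode(), CLIENT_ID)
    secret_ok = hmac.compare_digest(form.get("client_secret", "").encode(), CLIENT_SECRET)
    if not (id_ok and secret_ok):
        return 401, {"error": "invalid_client"}
    if form.get("scope") != CALLBACK_SCOPE:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)  # unguessable random token
    _tokens[token] = now + TOKEN_TTL
    # token_type is not listed on this page; RFC 6749 requires it in token responses.
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

def authenticate_callback(headers, now=None):
    """Callback endpoint guard: True only for a known, unexpired bearer token."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    expiry = _tokens.get(token)
    if expiry is None or now >= expiry:
        _tokens.pop(token, None)  # forget expired tokens
        return False
    return True
```

Rejecting an expired token is what prompts the final part of the process: Connect requests a new token and resends with it.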