Skip to main content

Generate a linking token

POST /v2/oauth/token

Generates a linking token from a valid authorization code. The authorization code comes from Instacart and verifies that the customer has granted your site access to their Instacart account. For more information about the authorization code, see How to link an Instacart account.

You can use the generated linking token to link the user account.


client_idstringThe client ID.
client_secretstringThe client secret.
grant_typestringThe grant type.
scopestringThe APIs that this token can access. Default is all the APIs specified in the retailer application configuration.
codestringThe authorization code.
redirect_uristringThe redirect URI when the authorization code was generated.
assertionstringThe assertion.

For the linking token, the grant type must be set to authorization_code and the redirect URI must match the one you shared with Instacart.

Request examples

curl --request POST \
--url \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{
"client_id": "string",
"client_secret": "string",
"grant_type": "string",
"scope": "string",
"code": "string",
"redirect_uri": "string",
"assertion": "string"


access_tokenstringThe token to be used to authenticate requests.
token_typestringThe token type.
expires_innumberThe number of seconds the token will expire in.
created_atnumberThe epoch time of when the token was created.
scopestringThe scope of the token.

For a linking token, the scope is account_linking.

Response examples

200 Success

"access_token": "mhtEdMZYPypuW_I0fYken8cAqE7llDaoNefHSeVj9u4",
"token_type": "Bearer",
"expires_in": 86400,
"scope": "connect:fulfillment",
"created_at": 1603897760

Authentication Errors

HTTP CodeCauseErrorDescription
400Invalid authorization code or redirect URI"invalid_grant""Assertion is not provided or invalid assertion provided for the grant_type."
401Invalid client ID or secret"invalid_client""Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."