Permissions and scopes
Your retailer configuration includes the list of APIs and capabilities (collectively called APIs) that your organization has permission to use. When your site generates an access token to authenticate with the Connect platform, you specify which API you want to access by setting the scope. The generated access token is limited to that API. For more information, see Generate an access token.
When your site requests an access token, limit the scope to the APIs that are required for the tasks that you need to perform with that token.
The following table describes the APIs and capabilities, the scope value, and the grant_type value.
Permission | Description | scope | grant_type |
---|---|---|---|
Fulfillment API | Access stores, service options, reservations, order creation, and order management. | connect:fulfillment | client_credentials |
Order Feedback API (backend implementation) | Create or update order feedback in a backend implementation. | Connect::Orders::RatingService | client_credentials |
Order Feedback API (frontend implementation) | Create or update order feedback in a frontend implementation. | Connect::Orders::RatingService | fulfillment_user_assertion or urn:ietf:params:oauth:grant-type:retailer-json-bearer |
Recommendations API (backend implementation) | Find replacement items or complementary items in a backend implementation. | connect:recommendations | client_credentials |
Recommendations API (frontend implementation) | Find replacement items or complementary items in a frontend implementation. | connect:recommendations | fulfillment_user_assertion or urn:ietf:params:oauth:grant-type:retailer-json-bearer |
Transaction API | Send point of sale transaction information to Instacart. | None | client_credentials |
Post-checkout API | Access order detail and order status for a customer's order. | connect:post_checkout | fulfillment_user_assertion |
Account linking | Link a customer's Connect user account to their Instacart account. | account_linking | authorization_code |
Partner retailers may have access to private APIs. In the authentication request, you can specify multiple values for the scope parameter as long as the grant_type is the same for all the specified APIs. Separate values with a comma. If you omit the scope and the grant type is client_credentials, the generated access token provides access to all permitted APIs for that grant type. For a list of scope values, see your partner documentation.
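The following added example (not Instacart code) shows one way to apply these rules before requesting a token: it checks that every requested scope supports the chosen grant type, refuses an empty scope list, and joins the values with commas. The function names are hypothetical, and the token endpoint and credentials are left out because they are not described on this page.

```python
# Added example, not Instacart code. Scope and grant_type pairs are copied
# from the table on this page; the Transaction API lists no scope value and
# partner-specific scopes are not on this page, so neither is included.
BEARER = "urn:ietf:params:oauth:grant-type:retailer-json-bearer"
FRONT_OR_BACK = {"client_credentials", "fulfillment_user_assertion", BEARER}
SCOPE_GRANTS = {
    "connect:fulfillment": {"client_credentials"},
    "Connect::Orders::RatingService": FRONT_OR_BACK,
    "connect:recommendations": FRONT_OR_BACK,
    "connect:post_checkout": {"fulfillment_user_assertion"},
    "account_linking": {"authorization_code"},
}


def common_grant_types(scopes):
    """Return the grant types shared by every scope in `scopes`."""
    unknown = [s for s in scopes if s not in SCOPE_GRANTS]
    if unknown:
        raise ValueError(f"scope not in table: {unknown}")
    return set.intersection(*(SCOPE_GRANTS[s] for s in scopes))


def token_request_fields(grant_type, scopes):
    """Build the grant_type and scope fields for a narrowly scoped token."""
    if not scopes:
        # An omitted scope with client_credentials yields a token for every
        # permitted API of that grant type, so require an explicit list.
        raise ValueError("list the scopes this token needs")
    scopes = list(dict.fromkeys(scopes))  # drop duplicates, keep order
    if grant_type not in common_grant_types(scopes):
        raise ValueError(f"{grant_type} is not valid for all of {scopes}")
    return {"grant_type": grant_type, "scope": ",".join(scopes)}


if __name__ == "__main__":
    print(token_request_fields("client_credentials",
                               ["connect:fulfillment", "connect:recommendations"]))
```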