OAuth Applications
Instacart Connect uses OAuth 2.0 to authenticate requests and authorize access to resources. Each OAuth application has a set of credentials that are similar to a username and password. These credentials, which consist of a client ID and secret, authenticate users and define the permissions granted to them. You exchange these credentials for a bearer token and then present that token in Connect API requests to get access to Instacart capabilities, along with sensitive business and user data.
The OAuth Applications tool in the Developer Dashboard allows you to view and manage these applications.
During onboarding, Instacart creates an OAuth application for each environment, typically development and production, that you want to run in. After you deploy, you need to periodically rotate their credentials.
The following image shows an example of the OAuth Applications tool:
View applications
Users with either the Developer or Developer Admin role can view an OAuth application’s name, status, client ID, creation date, renew-by date, and the Instacart environment it is configured for.
The Status of an application can be one of the following:
- Enabled. Capable of issuing access tokens.
- Disabled. Incapable of issuing new access tokens. Any tokens the application has issued that have yet to expire remain valid until the end of their lifespan.
- Deleting. The application is disabled but Instacart is determining whether any tokens issued by it are still valid.
- Delete Failed. The application could not be deleted, most likely because one or more tokens issued by it have yet to expire.
Manage applications
Users assigned the Developer Admin role can perform the following actions on each listed OAuth application:
- Clone. Makes an exact copy of an application’s scopes and generates new client credentials.
  Note: Be sure you save the secret. After you close the modal, you won’t be able to view it again.
- Enable. Allows the application to issue access tokens.
- Disable. Prevents the application from issuing any new access tokens. If you disable an application and it has issued tokens which have yet to expire, then they remain valid until the end of their lifespan.
- Delete. Attempts to delete the application. To make this option available, you must first disable the application. You should then wait at least 48 hours for all of its active tokens to expire.
After you request to delete an application, Instacart initiates a background job that looks for any unexpired tokens it has issued. If none are found, the application is removed from the list. Otherwise, if it is determined that valid tokens still exist, the removal process fails. In this case, you need to attempt to delete the application again.
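The status and deletion rules above can be turned into a routine credential-hygiene check. The following is an added example, not Instacart code: it works on an inventory you record by hand from the dashboard, and the record field names, the operator-recorded `disabled_at` timestamp, and the 30-day renewal warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Wait the page recommends between disabling an application and deleting it.
DELETE_WAIT = timedelta(hours=48)
# Assumption: how far ahead of the renew-by date to start rotating credentials.
RENEW_WARNING = timedelta(days=30)

def next_action(app, now):
    """Return the follow-up a Developer Admin should take for one application."""
    status = app["status"]
    if status == "Enabled":
        if app["renew_by"] - now <= RENEW_WARNING:
            return "rotate credentials before the renew-by date"
        return "none"
    if status == "Disabled":
        disabled_at = app.get("disabled_at")  # hypothetical field, recorded by you
        if disabled_at is None:
            return "record the disable time; delete only after 48 hours"
        ready_at = disabled_at + DELETE_WAIT
        if now >= ready_at:
            return "delete"
        return f"wait until {ready_at.isoformat()} before deleting"
    if status == "Deleting":
        return "none: background job is checking for unexpired tokens"
    if status == "Delete Failed":
        return "retry delete: unexpired tokens were still found"
    raise ValueError(f"unknown status: {status!r}")

def audit(apps, now):
    """Map each application name to its recommended follow-up."""
    return {app["name"]: next_action(app, now) for app in apps}

# Constructed sample inventory; names and dates are illustrative only.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"name": "prod-current", "status": "Enabled", "renew_by": datetime(2024, 6, 25, tzinfo=timezone.utc)},
    {"name": "dev-current", "status": "Enabled", "renew_by": datetime(2024, 12, 1, tzinfo=timezone.utc)},
    {"name": "prod-old", "status": "Disabled", "disabled_at": datetime(2024, 6, 9, 18, 0, tzinfo=timezone.utc)},
    {"name": "dev-old", "status": "Disabled", "disabled_at": datetime(2024, 6, 7, 9, 0, tzinfo=timezone.utc)},
    {"name": "dev-older", "status": "Delete Failed"},
]

if __name__ == "__main__":
    for name, action in audit(SAMPLE_APPS, NOW).items():
        print(f"{name}: {action}")
```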