Authentication
Basic Authentication
Many of Deliveroo's APIs require the use of HTTP Basic Authentication. To make a successful request to an API that requires Basic Authentication, include the Authorization header as follows:
Authorization: Basic {Credential}
Where {Credential} is the Base64 encoding of the username and password separated by a colon:
base64(username + ":" + api_token)
Warning! When using Basic authentication, your API token is sent to the server in a reversible encoding (Base64 is not encryption), so this should be considered safe only over HTTPS.
Test Credentials
In order to use your test credentials, follow the same process outlined above, but use your test API key as the username and your test API secret as the password.
To verify you are using your test credentials correctly, you can send a request to the Credential Verification endpoint. For test credentials, it will respond with test_mode set to true.
OAuth Authentication (Machine to Machine Flow)
We recommend using the OAuth Machine to Machine Flow (client_credentials). In that approach, each request to our APIs must contain an Authorization header carrying the access_token.
Obtaining an Access Token
After creating an application in the Developer Portal you will get your credentials:
client_id
client_secret
You can exchange them for an access token by requesting our authentication service.
Authorization header value
The exchange request must carry Basic authorization whose value is client_id:client_secret, Base64 encoded. How to get this value:
echo -n 'client_id:client_secret' | openssl base64 -A
Example cURL request to get an access_token:
curl -X "POST" "https://AUTH_HOST/oauth2/token" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic <base64(client_id:client_secret)>' \
--data-urlencode "grant_type=client_credentials"
Please note that in this cURL example you need to provide your own client_id and client_secret (the Base64 value must be prefixed with the literal word Basic) and the proper AUTH_HOST for your environment.
| Environment | AUTH_HOST |
|---|---|
| Sandbox | deliveroo-api-dp.auth.eu-west-1.amazoncognito.com |
| Production | deliveroo-api.auth.eu-west-1.amazoncognito.com |
The response should look like this:
{
"access_token": "eyJraWQiOiJrR3U3WjM4K1R1Z05HdHVEZHFVdU94WTVIbXk4dmVldldjNGJ3dE05MnpNPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI1c2g5N3FwNmM0ZG9uaGIxYTY4cnBkOG44aCIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FwaS5kZWxpdmVyb28ubmV0XC9hcGlfYWNjZXNzIiwiYXV0aF90aW1lIjoxNjU0NjcwODEyLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV9zZEVjR0J6RmoiLCJleHAiOjE2NTQ2NzExMTIsImlhdCI6MTY1NDY3MDgxMiwidmVyc2lvbiI6MiwianRpIjoiNTliZDk3OTctNWZkMy00MzhiLTgzZDUtNTlkMWMwYmE2NGQ0IiwiY2xpZW50X2lkIjoiNXNoOTdxcDZjNGRvbmhiMWE2OHJwZDhuOGgifQ.rfWdubNo1tX_wLcYoORIlzTJOTr4BFjCLEHVwMqSjEDB7OzRkZolvd2grcAGH1AZtoAFJJei6ROczmsDvjP9JX2Qr5AfQmLTY8YgwejYjAB2nwI8o7wlwd_DdAH2OxbrxiRIQiGyXp27y3eQONH8Xv9jDDeAteQ9yLbz8lP8ObgXc13t7Z0U8g-TMFJjn1pa6noxqeXnwM1816yRhSGrX-6yO9zXPaIQk5yDxb-1AQMgUJgvpwpI4d3f6vnG2zPawDvzcRGYrlpKniPhwDhsRQ6lGfqi423cWS8D8gRyASAHVE1RO1PUeEZx355O-kugeNsw5B-fJEvAQM5EHnaZTg",
"expires_in": 300,
"token_type": "Bearer"
}
The two important values are:
access_token
expires_in
You must obtain a new access_token when the current one expires. You must add an Authorization header to all your requests with the value Bearer access_token.
access_token has JWT format (JSON Web Token). If you're interested in what it contains, you can decode it, for example, using the website https://jwt.io (the header and payload are plain Base64url, so a live production token can equally be decoded locally instead of being pasted into a third-party site).
Important
client_id and client_secret are sensitive. Keep them safe, and if you suspect they have been compromised, rotate them immediately through the Developer Portal. An access_token is valid for the number of seconds given in the response (expires_in). If you suspect that an access_token has leaked and could be used before it expires, it should be revoked immediately.