Basic Authentication

Many of Deliveroo's APIs require the use of HTTP Basic Authentication. To make a successful request to an API that requires Basic Authentication, include the Authorization header as follows:

Authorization: Basic {Credential}

Where {Credential} is the Base64 encoding of the username and password separated by a colon:

base64(username + ":" + api_token)

Warning! With Basic authentication your API token is sent to the server in every request, and Base64 is an encoding, not encryption, so this should be considered safe only over HTTPS.

Test Credentials

In order to use your test credentials, follow the same process outlined above, but use your test API key as the username and your test API secret as the password.

To verify you are using your test credentials correctly, you can send a request to the Credential Verification endpoint. For test credentials, it will respond with test_mode set to true.

OAuth Authentication (Machine to Machine Flow)

We recommend using the OAuth Machine to Machine Flow (client_credentials). With this approach, requests to our APIs must contain an Authorization header with the access_token.

Obtaining an Access Token

After creating an application in the Developer Portal you will get your credentials:

  • client_id
  • client_secret

You can exchange them for an access token by sending a request to our authentication service.


Authorization header value

The exchange request should contain Basic authorization with the value client_id:client_secret, Base64 encoded. To get this value:

echo -n 'client_id:client_secret' | openssl base64 -A

Example cURL request to get access_token:

# The Authorization header is "Basic " followed by the Base64 value computed as shown above.
curl -X "POST" "https://AUTH_HOST/oauth2/token" \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -H "Authorization: Basic $(echo -n 'client_id:client_secret' | openssl base64 -A)" \
     --data-urlencode "grant_type=client_credentials"

Please note that in this cURL example you need to provide your client_id, your client_secret and the proper AUTH_HOST.


The response should look like this:

{
    "access_token": "eyJraWQiOiJrR3U3WjM4K1R1Z05HdHVEZHFVdU94WTVIbXk4dmVldldjNGJ3dE05MnpNPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI1c2g5N3FwNmM0ZG9uaGIxYTY4cnBkOG44aCIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FwaS5kZWxpdmVyb28ubmV0XC9hcGlfYWNjZXNzIiwiYXV0aF90aW1lIjoxNjU0NjcwODEyLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV9zZEVjR0J6RmoiLCJleHAiOjE2NTQ2NzExMTIsImlhdCI6MTY1NDY3MDgxMiwidmVyc2lvbiI6MiwianRpIjoiNTliZDk3OTctNWZkMy00MzhiLTgzZDUtNTlkMWMwYmE2NGQ0IiwiY2xpZW50X2lkIjoiNXNoOTdxcDZjNGRvbmhiMWE2OHJwZDhuOGgifQ.rfWdubNo1tX_wLcYoORIlzTJOTr4BFjCLEHVwMqSjEDB7OzRkZolvd2grcAGH1AZtoAFJJei6ROczmsDvjP9JX2Qr5AfQmLTY8YgwejYjAB2nwI8o7wlwd_DdAH2OxbrxiRIQiGyXp27y3eQONH8Xv9jDDeAteQ9yLbz8lP8ObgXc13t7Z0U8g-TMFJjn1pa6noxqeXnwM1816yRhSGrX-6yO9zXPaIQk5yDxb-1AQMgUJgvpwpI4d3f6vnG2zPawDvzcRGYrlpKniPhwDhsRQ6lGfqi423cWS8D8gRyASAHVE1RO1PUeEZx355O-kugeNsw5B-fJEvAQM5EHnaZTg",
    "expires_in": 300,
    "token_type": "Bearer"
}

Two important values you can see are:

  • access_token
  • expires_in

You must create a new access_token when the current one expires. You must add an Authorization header to all your requests with the value Bearer access_token.
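
The token flow above as a small Python client, added here as an example and not Deliveroo's own code: it builds the Basic credential, requests a token, and reuses it until shortly before expires_in. The names basic_credential, post_form and TokenCache, the 30-second renewal margin and the 10-second timeout are assumptions; pass your real https://AUTH_HOST/oauth2/token URL.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

def basic_credential(client_id, client_secret):
    """base64(client_id + ":" + client_secret) for the Basic header."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def post_form(url, headers, form):
    """Default transport: POST a urlencoded form and return the parsed JSON body."""
    data = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Fetches an access_token and reuses it until shortly before expires_in."""

    def __init__(self, token_url, client_id, client_secret,
                 transport=post_form, clock=time.monotonic, skew=30):
        # Credentials travel in the request, so refuse anything but HTTPS.
        if urllib.parse.urlsplit(token_url).scheme != "https":
            raise ValueError("token endpoint must use HTTPS")
        self._url = token_url
        self._basic = basic_credential(client_id, client_secret)
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._deadline = None, 0.0

    def bearer_header(self):
        """Return the Authorization header for API calls, refreshing if needed."""
        now = self._clock()
        if self._token is None or now >= self._deadline:
            body = self._transport(
                self._url,
                {"Authorization": f"Basic {self._basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
                {"grant_type": "client_credentials"},
            )
            if str(body.get("token_type", "")).lower() != "bearer" or not body.get("access_token"):
                raise RuntimeError("unexpected token response")
            self._token = body["access_token"]
            # skew (assumed 30 s) renews early so a token never expires in flight.
            self._deadline = now + max(int(body["expires_in"]) - self._skew, 0)
        return {"Authorization": f"Bearer {self._token}"}
```

The transport and clock parameters exist so the cache can be exercised without network access; in production the defaults are used.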

access_token has JWT format (JSON Web Token). If you're interested in what it contains, you can decode it, for example, using website



  1. client_id and client_secret are sensitive. Keep them safe, and if you suspect that they were compromised, you need to rotate them immediately through the Developer Portal.
  2. access_token is valid for the number of seconds given in the response (expires_in). If you suspect that an access_token has leaked and can be used before it expires, it should be revoked immediately.
