OAuth Authentication (Machine to Machine Flow)

We recommend using OAuth Machine to Machine Flow (client_credentials). In that approach the request to our APIs must contain Authorization header with access_token.

Obtaining an Access Token

After creating an application in the Developer Portal you will get your credentials:

  • client_id
  • client_secret

You can exchange it for access token by requesting our authentication service.

Example cURL request to get access_token:

curl -X "POST" "https://AUTH_HOST/oauth2/token" \
     -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
     --data 'client_id=<client_id>&client_secret=<client_secret>&grant_type=client_credentials'

Please note that in this cURL example you need to provide client_id, client_secret and proper AUTH_HOST.


Response should look like that:

    "access_token": "eyJraWQiOiJrR3U3WjM4K1R1Z05HdHVEZHFVdU94WTVIbXk4dmVldldjNGJ3dE05MnpNPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI1c2g5N3FwNmM0ZG9uaGIxYTY4cnBkOG44aCIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FwaS5kZWxpdmVyb28ubmV0XC9hcGlfYWNjZXNzIiwiYXV0aF90aW1lIjoxNjU0NjcwODEyLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV9zZEVjR0J6RmoiLCJleHAiOjE2NTQ2NzExMTIsImlhdCI6MTY1NDY3MDgxMiwidmVyc2lvbiI6MiwianRpIjoiNTliZDk3OTctNWZkMy00MzhiLTgzZDUtNTlkMWMwYmE2NGQ0IiwiY2xpZW50X2lkIjoiNXNoOTdxcDZjNGRvbmhiMWE2OHJwZDhuOGgifQ.rfWdubNo1tX_wLcYoORIlzTJOTr4BFjCLEHVwMqSjEDB7OzRkZolvd2grcAGH1AZtoAFJJei6ROczmsDvjP9JX2Qr5AfQmLTY8YgwejYjAB2nwI8o7wlwd_DdAH2OxbrxiRIQiGyXp27y3eQONH8Xv9jDDeAteQ9yLbz8lP8ObgXc13t7Z0U8g-TMFJjn1pa6noxqeXnwM1816yRhSGrX-6yO9zXPaIQk5yDxb-1AQMgUJgvpwpI4d3f6vnG2zPawDvzcRGYrlpKniPhwDhsRQ6lGfqi423cWS8D8gRyASAHVE1RO1PUeEZx355O-kugeNsw5B-fJEvAQM5EHnaZTg",
    "expires_in": 300,
    "token_type": "Bearer"

Two important values you can see are:

  • access_token
  • expires_in

You must create a new access_token when the current one expires. You must add Authorization header to all your request with a value Bearer access_token

access_token has JWT format (JSON Web Token). If you're interested in what it contains, you can decode it, for example, using website



  1. client_id and client_secret are sensitive. Keep it safe, and if you suspect that it was compromised, you need to rotate it immediately through the Developer Portal. Do not share these credentials with anyone (including Deliveroo's employees)
  2. access_token is valid for the number of seconds you can find in the response (expires_in). If you suspect that access_token has leaked and can be used before expiring - it should be revoked immediately.