Authentication
OAuth Authentication (Machine to Machine Flow)
We recommend using the OAuth Machine to Machine Flow (client_credentials). In that approach, every request to our APIs must contain an Authorization header with an access_token.
Obtaining an Access Token
After creating an application in the Developer Portal you will get your credentials:
client_id
client_secret
You can exchange them for an access token by requesting our authentication service.
Example cURL request to get an access_token:
curl -X "POST" "https://AUTH_HOST/oauth2/token" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--data 'client_id=<client_id>&client_secret=<client_secret>&grant_type=client_credentials'
Please note that in this cURL example you need to provide client_id, client_secret and the proper AUTH_HOST.
Environment | AUTH_HOST |
---|---|
Sandbox | auth-sandbox.developers.deliveroo.com |
Production | auth.developers.deliveroo.com |
The response should look like this:
{
"access_token": "eyJraWQiOiJrR3U3WjM4K1R1Z05HdHVEZHFVdU94WTVIbXk4dmVldldjNGJ3dE05MnpNPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI1c2g5N3FwNmM0ZG9uaGIxYTY4cnBkOG44aCIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiaHR0cHM6XC9cL2FwaS5kZWxpdmVyb28ubmV0XC9hcGlfYWNjZXNzIiwiYXV0aF90aW1lIjoxNjU0NjcwODEyLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb21cL2V1LXdlc3QtMV9zZEVjR0J6RmoiLCJleHAiOjE2NTQ2NzExMTIsImlhdCI6MTY1NDY3MDgxMiwidmVyc2lvbiI6MiwianRpIjoiNTliZDk3OTctNWZkMy00MzhiLTgzZDUtNTlkMWMwYmE2NGQ0IiwiY2xpZW50X2lkIjoiNXNoOTdxcDZjNGRvbmhiMWE2OHJwZDhuOGgifQ.rfWdubNo1tX_wLcYoORIlzTJOTr4BFjCLEHVwMqSjEDB7OzRkZolvd2grcAGH1AZtoAFJJei6ROczmsDvjP9JX2Qr5AfQmLTY8YgwejYjAB2nwI8o7wlwd_DdAH2OxbrxiRIQiGyXp27y3eQONH8Xv9jDDeAteQ9yLbz8lP8ObgXc13t7Z0U8g-TMFJjn1pa6noxqeXnwM1816yRhSGrX-6yO9zXPaIQk5yDxb-1AQMgUJgvpwpI4d3f6vnG2zPawDvzcRGYrlpKniPhwDhsRQ6lGfqi423cWS8D8gRyASAHVE1RO1PUeEZx355O-kugeNsw5B-fJEvAQM5EHnaZTg",
"expires_in": 300,
"token_type": "Bearer"
}
Two important values you can see are:
access_token
expires_in
You must create a new access_token when the current one expires. You must add an Authorization header to all your requests with the value Bearer access_token.
The access_token has JWT format (JSON Web Token). If you're interested in what it contains, you can decode it, for example, using the website https://jwt.io
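One way to meet the renewal requirement above, shown as an added example rather than Deliveroo's own code: a small token cache that requests a new access_token shortly before expires_in elapses and builds the Authorization header. TokenCache, http_post_form, the 30-second skew and the constructed tokens in demo() are assumptions for illustration; demo() runs offline against a fake endpoint and a fake clock.

```python
import json
import time
import urllib.parse
import urllib.request


def http_post_form(url, form):
    """POST a form-encoded body and return the parsed JSON response."""
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    req = urllib.request.Request(url, urllib.parse.urlencode(form).encode(), headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: reuses one access_token, renews it `skew` seconds early."""
    def __init__(self, auth_host, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic, skew=30):
        self._url = f"https://{auth_host}/oauth2/token"
        self._form = {"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._deadline = None, 0.0

    def authorization_header(self):
        if self._token is None or self._clock() >= self._deadline:
            data = self._post(self._url, self._form)
            if data.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = data["access_token"]
            # Renew early so a request never carries a token that has just expired.
            self._deadline = self._clock() + max(int(data["expires_in"]) - self._skew, 0)
        return {"Authorization": f"Bearer {self._token}"}


def demo():
    """Offline run: constructed token endpoint and fake clock (no network)."""
    now, issued = [0.0], []
    def fake_post(url, form):
        issued.append(url)
        return {"access_token": f"constructed-token-{len(issued)}",
                "expires_in": 300, "token_type": "Bearer"}
    cache = TokenCache("auth-sandbox.developers.deliveroo.com", "<client_id>",
                       "<client_secret>", post=fake_post, clock=lambda: now[0])
    seen = []
    for t in (0, 269, 270, 539, 600):
        now[0] = float(t)
        seen.append(cache.authorization_header()["Authorization"])
    return seen, issued
```

In real use, load client_id and client_secret from a secret store or environment variables rather than source code, and keep both the secret and the token out of logs.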
Important
client_id and client_secret are sensitive. Keep them safe, and if you suspect that they were compromised, you need to rotate them immediately through the Developer Portal. Do not share these credentials with anyone (including Deliveroo's employees).
access_token is valid for the number of seconds you can find in the response (expires_in). If you suspect that an access_token has leaked and can be used before expiring, it should be revoked immediately.
Updated 4 months ago