generated: '2026-07-11' method: derived source: openapi/otter-public-api-openapi.yml schemes: - name: OAuth2.0 source: openapi/otter-public-api-openapi.yml flows: - flow: clientCredentials tokenUrl: /v1/auth/token - flow: authorizationCode authorizationUrl: /v1/auth/oauth2/authorize tokenUrl: /v1/auth/token description: |- The **Authorization API** is based on the [OAuth2.0 protocol](https://tools.ietf.org/html/rfc6749), supporting the (Client Credentials)[https://datatracker.ietf.org/doc/html/rfc6749#section-4.4] and the (Authorization Code)[https://datatracker.ietf.org/doc/html/rfc6749#section-4.1] flows. Resources expect a valid token sent as a `Bearer` token in the HTTP `Authorization` header. ### Scopes Scopes must be configured by our internal team to be enabled for an app. Once the scopes are configured they can be enabled on the Application Settings Page in Developer Portal. Each endpoint requires a given scope that can be verified on each endpoint documentation. When generating an OAuth2.0 token multiple scopes can be requested. ### Authorization Code Flow To perform this flow, the authorization code flow must be enabled in the Application Settings Page in Developer Portal. When enabling the flow it is mandatory to provide a redirect URI pointing to your application. Once the flow is complete we will redirect the user to this URI passing the 'code' and 'state' parameters. The Authorization Code flow provides a temporary code that the client application can exchange for an access token. To start the flow the application must request the user authorization. This is done by sending a request to https://{{public-api-url}}/v1/auth/oauth2/authorize. Example ``` curl --location 'https://{{public-api-url}}/v1/auth/oauth2/authorize?client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&response_type=code&scope=organization.read&state=8A9D16B4C3E25F6A' ``` This call will return a 302 redirecting the user to our authorization page. If the user approves the application, we will redirect to configured URI passing the authorization code in the query parameter 'code'. The 'state' parameter is also sent to ensure the source of the data. With the authorization code, the client application can generate the token. ### Client Credentials Flow The client_credentials flow does not require any steps before generating the token. Once your application is ready, and the client_id and client_secret are available, the token can be generated by following the instructions in the next section. ### Generate Token To generate the token, use the `Client ID` and `Client Secret` (provided during onboarding), and optionally the authorization code obtained after performing the Authorization Code flow, to the [Token Auth endpoint](#operation/requestToken) endpoint. The result of this invocation is a token that is valid for a pre-determined time or until it is manually revoked. The access token obtained will be sent as a `Bearer` value of the `Authorization` HTTP header. Client credentials in the request-body and HTTP Basic Auth are supported. #### Request Example for client_credentials ``` curl --location --request POST 'https://{{public-api-url}}/v1/auth/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'scope=ping' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_id=[APPLICATION_ID]' \ --data-urlencode 'client_secret=[CLIENT_SECRET]' ``` #### Request Example for authorization_code ``` curl --location --request POST 'https://{{public-api-url}}/v1/auth/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'scope=ping' \ --data-urlencode 'grant_type=authorization_code' \ --data-urlencode 'client_id=[APPLICATION_ID]' \ --data-urlencode 'client_secret=[CLIENT_SECRET]' \ --data-urlencode 'code=[code]' \ --data-urlencode 'redirect_uri=[redirect_uri]' ``` #### Response Example ``` { "access_token": "oMahtBwBbnZeh4Q66mSuLFmk2V0_CLCKVt0aYcNJlcg.yditzjwCP7yp0PgR6AzQR3wQ1rTdCjkcPeAMuyfK-NU", "expires_in": 2627999, "scope": "ping orders.create", "token_type": "bearer" } ``` ### Token Usage The token provided in field `access_token` is used to authenticate when consuming the API endpoints. Send the token value in the `Authorization` header of every request. The token expiration time is represented in the field `expired_in`, in seconds. Currently, all tokens are valid for 30 days and should be stored and re-used while still valid. Note that occasionally, a 401 error may be returned for a valid token due to an internal service issue. Such occurrences should be rare. To prevent exposing potential vulnerabilities to attackers, the Public API does not disclose other types of errors in the authentication flow if for any reason the token can't be validated (when it's a valid token then it's ok to return 5XX or other 4XX though - such as 403). In such scenarios, although the internal auth flow avoids retries to prevent attacks, if the token is known to be valid and not expired, a retry with a backoff interval by the client is advised. Another option is to request a new token. #### Example ``` curl --location --request GET 'https://{{public-api-url}}/v1/ping' \ --header 'Authorization: Bearer ' \ --header 'X-Store-Id: ' ``` scopes: - scope: callback.error.write description: Token has permission to send failed webhook event results. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: catalog description: Permission to interact with product inventory for existing stores. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: delivery.provider description: Permission to provide delivery services for existing orders. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: direct.orders description: Permission to interact with direct order services. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: finance description: Permission to provide financial data for orders/stores. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: manager.loyalty description: Permission to interact with loyalty services. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: manager.menus description: Permission to manage menus. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: manager.orders description: Permission to manage orders. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: manager.storefront description: Permission to manage storefront. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: marketintel.service_integration sources: - openapi/otter-public-api-openapi.yml - scope: menus.async_job.read description: Permission to read the status of a menu upsert job. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: menus.entity_suspension description: Permission to notify the result of a menu entity availability update, after being requested by a webhook event. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: menus.get_current description: Permission to send the current state of a menu, after being requested by a webhook event. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: menus.publish description: Permission to notify the result of a publish menus operation for a given store. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: menus.read description: Permission to read the current menus for a given store. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: menus.sync sources: - openapi/otter-public-api-openapi.yml - scope: menus.upsert description: Permission to create/update menus for a given store. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: menus.upsert_hours description: Permission to notify the receiving of the upsert hours menu event, after being requested by a webhook event. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: orders.create description: Permission to create new order for a given store. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: orders.read description: Permission to read orders and connected data. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: orders.update description: Permission to create and update new orders for a given store. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: organization.read description: Permission to read data for organization/brands/stores on behalf of a user. flows: - authorizationCode sources: - openapi/otter-public-api-openapi.yml - scope: organization.service_integration description: Permission to manage the your integration with a given store on behalf of a user. flows: - authorizationCode sources: - openapi/otter-public-api-openapi.yml - scope: ping description: Permission to ping the system. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: reports.generate_report description: Permission to request reports for given store(s) and period of time. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: reviews.reply description: Permission to reply to reviews. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: store.read description: Permission to query store information. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: storefront.store_availability description: Permission to send the current state of store. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: storefront.store_hours_configuration description: Permission to send the current store hours configuration. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: storefront.store_pause_unpause description: Permission to notify the result of a pause/unpause operation, after being requested by a webhook event. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml - scope: stores.manage description: Permission to onboard stores and update the identifier. flows: - clientCredentials sources: - openapi/otter-public-api-openapi.yml