delivery.com APIs use the OAuth 2.0 protocol for authentication and authorization. We recommend using an OAuth 2.0 library to interact with the API. For more information, see recommended client libraries. We also use a flow similar to OAuth to handle user account creation and user payment information.

Access public resources

For public resources like search, you simply need to include your client_id as a GET parameter. You can obtain a client_id by signing up.

Accessing protected resources

API calls that provide access to user information require an access token. The sequence for obtaining an access token is described below.

1. Your application redirects a browser to a delivery.com URL with a set of parameters that indicate the requested access.
2. The user logs in and consents, and their browser is redirected back to the redirect_uri with an authorization code.
3. Your application exchanges that code (along with your client_id and client_secret) for an access token.
4. Your application uses the access token to make API calls.

User Login

This is not an API endpoint, but a web address to open in the client’s browser.
Important for Laundry API developers: this page is only located at the Food and Liquor API URL.

Request

GET /third_party/authorize

Parameters

| Parameters | Values | Description |
|---|---|---|
| client_id | Your application’s Client Id. You receive this when you sign up. | Identifies which client is making the request. |
| redirect_uri | One of the redirect_uri values listed on your account page. | Determines where the response is sent. The value of this parameter must exactly match one of the values registered for your app (including the http or https scheme, case, and trailing ‘/’). |
| response_type | ‘code’ | Specifies that you want an access code returned. |
| scope | ‘global’ | This specifies what permissions you’re requesting from the user. As of now, we only have one permission. |
| state | Any string | This is for any state that your app needs to keep track of. This will be returned to you as a parameter on your redirect uri. |
| guest_token | String | Optional. Passing the Guest-Token header value will copy a guest cart to the logged in user’s session cart. See the Customer Cart. |

Handling the response

We redirect to {redirect_uri}.

Error Response:

{redirect_uri}?error=access_denied&state={state}

An authorization code:

{redirect_uri}?code={authorization_code}&state={state}
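
An added example (not delivery.com's code) of the login redirect and response handling described above: it binds a random state value to the user's session and checks it on return before accepting the code. Using state as a per-session anti-forgery value is standard OAuth 2.0 practice rather than something this page requires; the host names, client id and session dict are constructed placeholders.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

API_BASE = "https://api.example.invalid"           # placeholder host (assumption)
CLIENT_ID = "constructed-client-id"                # constructed sample value
REDIRECT_URI = "https://app.example.invalid/cb/"   # must match a registered value exactly


class CallbackError(Exception):
    """The redirect back from the login page was rejected."""


def build_authorize_url(session: dict, guest_token: Optional[str] = None) -> str:
    """Return the login URL and bind a fresh random state to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "global",
        "state": state,
    }
    if guest_token:
        params["guest_token"] = guest_token
    return f"{API_BASE}/third_party/authorize?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect and return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)    # single use: a replay finds nothing
    returned = query.get("state", [""])[0]
    # Check state first, so a forged redirect is rejected whatever else it carries.
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise CallbackError("state mismatch")
    if "error" in query:
        raise CallbackError(query["error"][0])     # e.g. access_denied
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("missing or duplicated code")
    return codes[0]
```
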

User Account Creation

This is not an API endpoint, but a web address to open in the client’s browser.
Important for Laundry API developers: this page is only located at the Food and Liquor API URL.
The delivery.com login page also allows the user to create an account, so you don’t need to give the user direct access to the create account page.

URL

GET /third_party/account/create

Parameters

| Parameters | Values | Description |
|---|---|---|
| client_id | Your application’s Client Id. You receive this when you sign up. | Identifies which client is making the request. |
| redirect_uri | One of the redirect_uri values listed on your account page. | Determines where the response is sent. The value of this parameter must exactly match one of the values registered for your app (including the http or https scheme, case, and trailing ‘/’). |
| response_type | ‘code’ | Specifies that you want an access code returned. |
| scope | ‘global’ | This specifies what permissions you’re requesting from the user. As of now, we only have one permission. |
| state | Any string | This is for any state that your app needs to keep track of. This will be returned to you as a parameter on your redirect uri. Possible uses include redirecting the user to the proper page in your app. |
| guest_token | String | Optional. Passing the Guest-Token header value will copy a guest cart to the logged in user’s session cart. See the Customer Cart. |

Handling the Response

The response is handled the same way as User Login.

Obtaining Access Tokens

Returns an OAuth access token. Make sure to store the refresh token for later.
Important for Laundry API developers: this endpoint is only located at the Food and Liquor API URL.

HTTP Request

POST /third_party/access_token

Parameters

Required

| Parameters | Values | Description |
|---|---|---|
| client_id | Your application’s Client Id. You receive this when you sign up. | Identifies which client is making the request. |
| redirect_uri | One of the redirect_uri values listed on your account page. | Determines where the response is sent. The value of this parameter must exactly match one of the values registered for your app (including the http or https scheme, case, and trailing ‘/’). |
| grant_type | authorization_code or refresh_token | If you’re using a refresh_token, use refresh_token. Otherwise select authorization_code. |
| client_secret | Your application’s client secret | The secret listed on your account page. |
| code | String | The code returned by GET /api/third_party/authorize |

Optional

| Parameters | Values | Description |
|---|---|---|
| refresh_token | String | Your refresh token that you obtained from your original access token request. |

Response

{
 "access_token": "xBUhbB1ESzhKLidYR4q98RmSitGu7tD9lhkw0EKA",
 "token_type": "bearer",
 "expires": 1391014905,
 "expires_in": 3600,
 "refresh_token": "a3Z55n5hP09hCVyLV6NlNwQzXl9RLuz1dXF4yQUv"
}

| Property Name | Type | Description |
|---|---|---|
| access_token | String | This is the token you submit with any API requests that require it. You must include it in the Authorization HTTP header. |
| refresh_token | String | A token that may be used to obtain a new access token. Refresh tokens are valid until the user revokes access. |
| token_type | Bearer | The type of token, which will always be bearer at the moment. |
| expires_in | Integer | How long until this token expires, in seconds. |
| expires | Long | The point in time that this token expires, in Unix Epoch Time. |

Refresh Access Tokens

Returns a new OAuth access token. The refresh token stays the same.
Important for Laundry API developers: this endpoint is only located at the Food and Liquor API URL.

HTTP Request

POST /third_party/refresh_token

Parameters

Required

| Parameters | Values | Description |
|---|---|---|
| client_id | String | Your application’s client ID |
| client_secret | String | Your application’s client secret |
| grant_type | String | refresh_token |
| refresh_token | String | The refresh token you received the last time you obtained an access token. |

Request

{
 "client_id": "xBUhbB1ESzhKLidYR4q98RmSitGu7tD9lhkw0EKA",
 "client_secret": "aaUhbB1ESzhKLidYR4q98RmSitGu7tD9lhkw0EKA",
 "grant_type": "refresh_token",
 "refresh_token": "a3Z55n5hP09hCVyLV6NlNwQzXl9RLuz1dXF4yQUv"
}

Response

{
  "access_token": "XQ1evP0u4WpM763WQ8Zll5Z7h8oOOZAJDsJeDrfa",
  "token_type": "bearer",
  "expires": 1485382344,
  "expires_in": 7776000
}
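
An added example (not delivery.com's code) of client-side token bookkeeping for the two responses shown on this page: the refresh response carries no refresh_token, so a client that replaces its stored record with that response loses the ability to refresh again. The function names and the 60-second renewal margin are assumptions; the sample records are the page's own example responses.

```python
import time
from typing import Optional

REFRESH_SKEW = 60  # assumption: renew this many seconds before "expires"


def needs_refresh(token: dict, now: Optional[float] = None) -> bool:
    """True once the stored access token is expired or about to expire."""
    now = time.time() if now is None else now
    return now >= token["expires"] - REFRESH_SKEW


def build_refresh_request(token: dict, client_id: str, client_secret: str) -> dict:
    """Body for POST /third_party/refresh_token, matching the request above."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": token["refresh_token"],
    }


def merge_refresh_response(token: dict, response: dict) -> dict:
    """Apply a refresh response without losing the stored refresh token."""
    missing = [k for k in ("access_token", "expires") if k not in response]
    if missing:
        raise ValueError(f"refresh response lacks {missing}")
    if str(response.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    merged = {**token, **response}
    # Replacing the record with the response would drop refresh_token; a null
    # or empty value in the response must not overwrite the stored one either.
    merged["refresh_token"] = response.get("refresh_token") or token["refresh_token"]
    return merged


# The two sample responses from this page, used as input.
INITIAL = {
    "access_token": "xBUhbB1ESzhKLidYR4q98RmSitGu7tD9lhkw0EKA",
    "token_type": "bearer", "expires": 1391014905, "expires_in": 3600,
    "refresh_token": "a3Z55n5hP09hCVyLV6NlNwQzXl9RLuz1dXF4yQUv",
}
REFRESHED = {
    "access_token": "XQ1evP0u4WpM763WQ8Zll5Z7h8oOOZAJDsJeDrfa",
    "token_type": "bearer", "expires": 1485382344, "expires_in": 7776000,
}
```
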