This endpoint allows you to exchange client credentials for a Bearer access token, required when authenticating API requests made to Deliverect.
API Credentials
Deliverect uses OAuth 2.0 for API authentication. When a partner is registered, a client_id and client_secret are issued for use in the staging environment. These credentials are used to obtain an access_token, which must be included as a Bearer token in the Authorization header of all API requests.
ⓘ Production credentials are issued only after an integration has been certified by Deliverect. Once certified, a separate set of credentials is provided, granting API access to all connected customer accounts in the production environment.
⚠️ Do not share your credentials. They allow access to all customer accounts connected to your partner integration.
Access Token Request
Use your credentials to obtain an access token via the following request:
{
"client_id": "your-client-id",
"client_secret": "your-client-secret",
"audience": "https://api.staging.deliverect.com",
"grant_type": "token"
}
Response
{
"access_token": "your-access-token",
"token_type": "Bearer",
"expires_in": 8***0,
"expires_at": 17******52,
"scope": "{YOUR_GRANTED_SCOPES}"
}
🔁 Token Expiry & Caching
Access tokens expire at the time specified in expires_at. Always cache and reuse tokens until expiry. Do not request a new token for every API call.
Use the access_token as a Bearer token in the Authorization header when making API requests:
Authorization: Bearer your-access-token
You can inspect the token structure using jwt.io
Scopes
Scopes define the permissions associated with your access token (e.g., POS, Channel, Store Dispatch).
For a complete list of available scopes, see link here
Webhooks & HMAC Authentication
Deliverect signs all outbound webhook requests using HMAC authentication.
Refer to the HMAC Authentication Guide for implementation details:
https://developers.deliverect.com/reference/hmac-authentication