API Credentials

Deliverect uses OAuth 2.0 for API authentication. When a partner is registered, a client_id and client_secret are issued for use in the staging environment. These credentials are used to obtain an access_token, which must be included as a Bearer token in the Authorization header of all API requests.

ⓘ Production credentials are issued only after an integration has been certified by Deliverect. Once certified, a separate set of credentials are provided, granting API access to each of your connected customer accounts in our production environment.

⚠️ Do not share your credentials. They allow access to all customer accounts connected to your partner integration.

Access Token Request

Use your credentials to obtain an access token via the following request:

{  
  "client_id": "your-client-id",  
  "client_secret": "your-client-secret",  
  "audience": "https://api.staging.deliverect.com",  
  "grant_type": "token"  
}

Response

{  
  "access_token": "your-access-token",  
  "token_type": "Bearer",  
  "expires_in": 8***0,  
  "expires_at": 17******52,  
  "scope": "{YOUR_GRANTED_SCOPES}"  
}

🔁 Token Expiry & Caching

Access tokens expire at the time specified in expires_at. Always cache and reuse tokens until expiry. Do not request a new token for every API call.

Use the access_token as a Bearer token in the Authorization header when making API requests:

Authorization: Bearer your-access-token

You can inspect the token structure using jwt.io

Scopes

Scopes define the permissions associated with your access token (e.g., POS, Channel, Store Dispatch).

For a complete list of available scopes, see link here

Webhooks & HMAC Authentication

Deliverect signs all outbound webhook requests using HMAC authentication.

Refer to the HMAC Authentication Guide for implementation details: https://developers.deliverect.com/reference/hmac-authentication