Authorization

Your retailer configuration includes the list of APIs and capabilities (collectively called APIs) that your organization has permission to use. When your site generates an access token to authenticate with the Foodin platform, you specify which API you want to access by setting the scope. The generated access token is limited to that API.

| Permission | Description | scope | grant_type |
|---|---|---|---|
| Fulfillment API | Access stores, service options, reservations, order creation, and order management. | connect:fulfillment | client_credentials |
| Recommendations API | Find replacement items or complementary items in a backend implementation. | connect:recommendations | client_credentials |
| Pantry API | Access and manage products in a user's pantry. | connect:pantry | client_credentials |
| Account links | Link a customer's Partner user account to their Foodin account. | account_linking | authorization_code |
| Elements API | Implement Foodin's Elements in your app or website. | elements.mount | authorization_code |

Generate an access token

POST api.foodin.ai/oauth/token

Returns an access token. The access token must be included in all other requests as a Bearer token for authentication purposes. Before you begin, ensure you have a client ID and secret from Foodin. You need to pass these values in the request.

Specify the scope and grant type that is required for the API you intend to use.

Request

| Field | Type | Description |
|---|---|---|
| client_id | string | The client ID. |
| client_secret | string | The client secret. |
| grant_type | string | The grant type. |
| scope | string | The APIs that this token can access. Default is all the APIs specified in the retailer application configuration. |
| code | string | The authorization code. |
| redirect_uri | string | The redirect URI used when the authorization code was generated. |
| assertion | string | The assertion. |

Request examples

```javascript
const axios = require("axios");

// Read the client credentials from the environment instead of hard-coding them
// in source control.
const CLIENT_ID = process.env.FOODIN_CLIENT_ID;
const CLIENT_SECRET = process.env.FOODIN_CLIENT_SECRET;

async function getToken() {
  try {
    const response = await axios({
      method: "post",
      url: "https://api.foodin.ai/oauth/token",
      headers: {
        Accept: "application/json",
        "Content-Type": "application/json",
      },
      data: {
        client_id: CLIENT_ID,
        client_secret: CLIENT_SECRET,
        // Use the grant_type and scope listed for the API you need (see the
        // permissions table above). Requesting a single scope keeps the token
        // limited to that API.
        grant_type: "client_credentials",
        scope: "connect:fulfillment",
        // code and redirect_uri apply to the authorization_code grant; assertion
        // applies only where your grant requires one. Omit them otherwise.
        // code: "string",
        // redirect_uri: "string",
        // assertion: "string",
      },
    });
    console.log(response.data);
  } catch (error) {
    // Log only the status and response body: the full axios error object
    // includes the request config, which carries the client secret.
    const status = error.response ? error.response.status : error.message;
    const body = error.response ? error.response.data : undefined;
    console.error(status, body);
  }
}

getToken();
```

Response

| Field | Type | Description |
|---|---|---|
| access_token | string | The token to be used to authenticate requests. |
| token_type | string | The token type. |
| expires_in | number | The number of seconds until the token expires. |
| created_at | number | The epoch time at which the token was created. |
| scope | string | The scope of the token. |

Response example

```json
{
  "access_token": "mhtEdMZYPypuW_I0fYken8cAqE7llDaoNefHSeVj9u4",
  "token_type": "Bearer",
  "expires_in": 86400,
  "scope": "connect:fulfillment",
  "created_at": 1603897760
}
```

Authentication errors

| HTTP Code | Cause | Description |
|---|---|---|
| 400 | Invalid authorization code or redirect URI | "Assertion is not provided or invalid assertion provided for the grant_type." |
| 401 | Invalid client ID or secret | "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method." |

Revoke an access token

POST api.foodin.ai/oauth/token/revoke

Revokes an access token. You need to include your client ID and secret and the access token in the request body.

| Field | Type | Description |
|---|---|---|
| client_id | string | The client ID. |
| client_secret | string | The client secret. |
| token | string | The access token to revoke. |
```javascript
const axios = require("axios");

// Read the client credentials from the environment instead of hard-coding them.
const CLIENT_ID = process.env.FOODIN_CLIENT_ID;
const CLIENT_SECRET = process.env.FOODIN_CLIENT_SECRET;

// Revoke a token that is no longer needed, for example after a key rotation or
// when a token may have been exposed.
async function revokeToken(accessToken) {
  try {
    const response = await axios({
      method: "post",
      url: "https://api.foodin.ai/oauth/token/revoke",
      headers: {
        Accept: "application/json",
        "Content-Type": "application/json",
      },
      data: {
        client_id: CLIENT_ID,
        client_secret: CLIENT_SECRET,
        token: accessToken,
      },
    });
    console.log(response.data);
  } catch (error) {
    // Log only the status and response body; the full error object includes
    // the request config, which carries the client secret and the token.
    const status = error.response ? error.response.status : error.message;
    const body = error.response ? error.response.data : undefined;
    console.error(status, body);
  }
}

revokeToken(process.env.FOODIN_ACCESS_TOKEN);
```

Response examples

200 success

```json
{
  // Empty
}
```

| HTTP Code | Cause | Description |
|---|---|---|
| 403 | Unauthorized client. | "You are not authorized to revoke this token" |

Authentication for event callbacks

To enable event callbacks to be sent to your retailer site, OAuth 2.0 must be enabled on the callback endpoint. For information about OAuth 2.0, see the OAuth 2.0 Authorization Framework (RFC 6749).

OAuth 2.0 details required

Foodin requires the following configuration details to support callbacks:

  • An endpoint to use for Connect callbacks. The endpoint must be protected by OAuth 2.0.
  • An endpoint to use for OAuth 2.0 authentication, which accepts a form POST with content type application/x-www-form-urlencoded and the following form parameters:

| Parameter | Description |
|---|---|
| client_id | The ID that Connect uses to authenticate with your site. |
| client_secret | The secret that Connect uses to authenticate with your site. |
| grant_type | The grant type for the token. Always client_credentials. |
| scope | If your OAuth 2.0 configuration includes a scope for Connect callbacks, the scope must be included as a parameter. |

Response requirements

| Parameter | Description |
|---|---|
| access_token | The access token that Connect sends with callbacks. |
| expires_in | When the token expires. Optionally, you can configure a fixed expiry time with Foodin. |

Process

Foodin Connect requests an access token to begin sending callback events. When the access token expires, Connect requests a new token.

  • Connect uses the OAuth 2.0 endpoint to send a request for an access token.
  • The retailer site returns an access token.
  • Connect uses the callback endpoint to send the callback along with the access token.
  • The retailer site authenticates the request and permits the callback.