Client Credentials

Client Credentials is suitable for machine-to-machine (M2M) authorization.

[Figure: client credentials flow]

To complete the authentication process, the client must authenticate itself to the Gojek OAuth2 server using client credentials. Client credentials consist of two parameters, client_id and client_secret, which are issued by Gojek and identify the client.

The steps to access protected resources/APIs on GoBiz are given below.

  1. Get token from token endpoint.
  2. Use Access Token to access GoBiz API.

Get Token from Token Endpoint

You need to send a request to GoBiz to acquire the access token.

Endpoint = OAUTH_URL/oauth2/token

Header Parameters

| Parameter | Description | Type | Required | Example |
| --- | --- | --- | --- | --- |
| client_id | Unique identifier issued to the client by Gojek. | String | Required | abc |
| client_secret | Secret issued to client by Gojek. | String | Required | my_secret |
| grant_type | Method to gain the access token. It must be client_credentials. | String | Required | client_credentials |
| scope | Scope of access to be associated with the resulting access token. | String | Required | partner:outlet:write |
Note: The available scopes are described in the table given below.

| Scope | Scope Description |
| --- | --- |
| partner:outlet:read | To read outlet data. |
| partner:outlet:write | To edit or update outlet data. |
| gofood:catalog:read | To read GoFood menu. |
| gofood:catalog:write | To modify GoFood menu. |
| gofood:order:read | To read GoFood order data. |
| gofood:order:write | To mark an order as ready. |
| promo:food_promo:read | To retrieve GoFood promotions. |
| promo:food_promo:write | To modify GoFood promotions. |
| payment:transaction:read | To read payment transaction. |
| payment:transaction:write | To modify payment transaction. |
| payment:pop:read | To read payment PoP data. |
| mokapos:library:read | To read mokapos library data. |
| mokapos:transaction:read | To read mokapos transaction data. |
| mokapos:reporting:read | To read mokapos reporting data. |
| mokapos:customer:read | To read mokapos library data. |
| mokapos:checkout:write | To update mokapos checkout data. |
| mokapos:salestype:read | To read mokapos sales type data. |

Response Parameters

| Parameter | Description | Type |
| --- | --- | --- |
| access_token | A token that can be used to access the GoBiz API. | String |
| expires_in | Approximate remaining lifetime of the token in seconds. | Integer |
| token_type | Type of the token returned. Value: Bearer. | String |
| scope | Scope granted to the token. | String |

Sample Request

curl -X POST https://integration-goauth.gojekapi.com/oauth2/token \
-u "my_client_id:my_client_secret" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "scope=partner:outlet:read"

Sample Response

Sample Response - 200 Success
{
  "access_token": "this_is_the_access_token",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "partner:outlet:read"
}

Points to Remember
  • Any fields not understood by the client should be ignored.
  • It is the responsibility of the client to trigger the flow described above to get a new access token just before the expires_in window ends or when a 401 - Unauthorized is received from the resource server.

Use Access Token to Access GoBiz API

The access token received in the Get Token from Token Endpoint step can be used to access GoBiz APIs by sending the token in the Authorization header.

For Authorization header example, see Get All Outlets API.
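The token handling from Points to Remember and the Authorization header step can be combined in one client-side helper. The following is an added example, not code from GoBiz or Gojek: `TokenCache`, `http_post`, the 60-second renewal margin, the Bearer header format, and space-delimited scopes (as in RFC 6749) are assumptions of the example.

```python
import base64, json, time, urllib.parse, urllib.request

# Token endpoint from the page's sample request (integration environment).
TOKEN_URL = "https://integration-goauth.gojekapi.com/oauth2/token"

def http_post(url, headers, body):
    """Default transport (hypothetical helper): POST and return the JSON body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

class TokenCache:
    """Hypothetical helper: caches the access token and renews it before expiry."""
    def __init__(self, client_id, client_secret, scope, post=http_post,
                 clock=time.monotonic, skew=60):
        # Same as curl -u: credentials go in HTTP Basic, never in the URL or logs.
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._headers = {"Authorization": "Basic " + basic,
                         "Content-Type": "application/x-www-form-urlencoded"}
        self._body = urllib.parse.urlencode(
            {"grant_type": "client_credentials", "scope": scope}).encode()
        self._scope, self._post, self._clock = scope, post, clock
        self._skew = skew  # assumed safety margin in seconds, not a GoBiz value
        self._token, self._expires_at = None, 0.0

    def _fetch(self):
        data = self._post(TOKEN_URL, self._headers, self._body)
        # Only the documented fields are read; unknown fields are ignored.
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        # Assumption: multiple scopes are space-delimited, as in RFC 6749.
        granted = set(str(data.get("scope", self._scope)).split())
        if not set(self._scope.split()) <= granted:
            raise ValueError("requested scope was not granted")
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data["expires_in"]) - self._skew

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return self._token

    def invalidate(self):
        """Call after a 401 from the resource server, then retry the request once."""
        self._token = None

    def auth_header(self):
        return {"Authorization": "Bearer " + self.token()}
```

Passing `post` and `clock` as parameters lets the renewal logic be tested without network access or real credentials.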

Identify API accessible with Client Credential access token

To identify which APIs are accessible with a Client Credentials access token, check the API page for go_auth_client_credentials information.

go_auth_client_credentials(partner:outlet:read) means the API is accessible using a Client Credentials access token with the partner:outlet:read scope.

Prerequisite to access outlet-specific APIs

The majority of outlet-specific APIs can be accessed using a client credential access token. To do so, it is necessary to complete the outlet linking process. See Link Outlet by Merchant ID for details.