Log inSign up
bgschiller
bgschillerpersonalShopper
Remix of geoffreylitt/stevensDemo
Public
Like
1
personalShopper
Code
12
Val Town is a collaborative website to build and scale JavaScript apps.
Deploy APIs, crons, & store data ā€“ all from the browser, and deployed in milliseconds.
Sign up now
Code
/
docs
/
kroger-authorize.md
Search
5/29/2025
Viewing readonly version of main branch: v189
View latest version
kroger-authorize.md

Kroger Authorize

Authorization Code

GET /v1/connect/oauth2/authorize

This endpoint is used when the end user must approve access to a protected resource (such as a cart) before a service can act on the user's behalf. Here's how it works:

Your service or application calls this endpoint and includes the redirect URL (what the end user should see after this service executes) and scopes (defines the actions your application or service can take on behalf of the user). This endpoint displays a login screen, where the end user enters their email address and password. The end user is then asked to give the application permission to access the resource on their behalf. When the user agrees, this service returns the redirect URL with an authorization code as a parameter. After this endpoint returns, your service or application must call the /token endpoint with the authorization_code grant type and code value to get an access token. The access token is then sent to the endpoint being called to prove that your service or application is authorized to act on a user's behalf.

Parameters

  • scope *

    • string
    • (query) The level of access your application is requesting.

  • client_id *

    • string
    • (query) Your application's client ID.

  • redirect_uri *

    • string
    • (query) Your registered redirect URL. The redirect URL tells this endpoint which URL to display after the user approves access to the protected resource.

  • response_type *

    • string
    • (query) Is always code.

  • state

    • string
    • (query) A random string to verify that the response belongs to the initiated request. The server should always return the same state value as the one specified in the request to protect against forgery attacks.

  • banner

    • string
    • (query)
    • Sets the chain specific branding displayed on the authorization consent screen presented to the end user for shopper logins. When this parameter is not supplied the default chain branding (Kroger) will be used. Only one option may be used at a time and the available options are the following:

  • bakers - Bakers' Plus

  • citymarket - City Market

  • dillons - Dillons

  • fredmeyer - Fred Meyer

  • frys - Fry's Food

  • gerbes - Gerbes

  • kingsoopers - King Soopers

  • kroger - Kroger (default if no banner provided)

  • metromarket - Metro Market

  • picknsave - Pick 'n Save

  • qfc - QFC

  • ralphs - Ralphs

  • smiths - Smiths Food and Drug

  • food4less - Food 4 Less

  • foodsco - Foods Co.

  • harristeeter - Harris Teeter

  • vons - Vons

  • fredmeyerjewelers - Fred Meyer

  • jaycfoods - Jay C

  • marianos - Marianos

  • payless - Pay Less

  • ppsrx - Postal Prescription Services (PPSRX)

  • rulerfoods - Ruler Foods

  • copps - Copps

Access Token

POST /v1/connect/oauth2/token

All Oauth2 applications are issued "client credentials" in the form of a unique client_id and client_secret after registration. The credentials are used to authorize the application.

There are 3 grant type flows that the token endpoint offers:

authorization_code - Uses the code returned from the /authorize endpoint to get a token, allowing your service or application to make API requests on an end user's behalf, including accessing personal data. The service is only able to perform the actions specified in the approved scopes. client_credentials - Uses the client credentials to provide a token that allows your service or application to call endpoints that do not require user approval. refresh_token - Allows the application to "refresh" an access token that has expired. Refresh tokens are only granted when using the Authorization Code grant type. Using the refresh token eliminates the need to re-authenticate the customer when the access token expires. The access_token received from this step is sent to the endpoint being called to prove that your service or application is authorized to call the API. The token_type field indicates what type of token it is so that you can correctly pass it to the API.

Parameters

  • Authorization *

    • string
    • (header) Your client_id:client_secret base64 encoded.

  • Request body

    • application/x-www-form-urlencoded

Example Request Body

{
  "grant_type": "code",
  "code": "zWrT1GkdshSadIowJW0Rm4w2kKhOzv1W",
  "redirect_uri": "https://example.com/callback"
}

Example Response

{
  "expires_in": 1800,
  "access_token": "eyJh5GciOiJSUzI1NiGsImtpZCI6Ilo0RnQzbXNrSUj4OGlydDdMQjVjNmc2PSIsInR5cCI6IkpXVmJ9.eqJzY29wZSI6InByb2T1Y3QuY29tcGFjdCBjb3Vwb24uYmFzaWMiLCJhdXRoQXQiOjE1NjUwOTk0OTUzMzIzOTIxMTIsImF1ZCI6InBlcmsvcm1hbmNlLWFnZW50LXB1YmxpYyIsImV4cCI6MTU2NTEwMTI5NSwiaWF0IjoxNTY1MDk5BDkwLCJpc3MiOiJhcGkua3JvZ2VyLmNvbSIsInN1YiI6IjBmZjdkMGIwLWVkOGItNDJmOS1hNTExLWEzMGQyYTAyZDljNSJ9.ej0mov6SGV4n4HiAvduTdYCceMlSo3T06M4Nfh3MfpIjSKzKaLWgd5S0W1EKDXrWz8IE7NTg8EIrL-WKhwdZPt-TWaS7LLjRXLJ0w5rKc44DStgBdvDiCcnKeMsnimjhBlHOiiKUV5y3GbVqJzaDVZwg0j8lP9qtwZP9EIIQ7k409nkskY1pz7l1lZrGotYRJKmnteN5vVQeZ3R8jywIwOOSEbKSgQALVA3Oj02964P7lI6h1GsZ66V5FLA9KU8QXm4ejrFHf1beAIA2zi_fQI3dmW7yj57pWoCECZIjq7Sfo3nGR5rkjEwfyXEK7aTn8oj4_14YHgKRTY-28L96cw",
  "token_type": "bearer",
  "refresh_token": "FN20LbaF2EWC6MPMWdemBwwnP4ZmX8"
}