Flow for centralized applications

Use this flow when the application:

Operates in internal/private environments
Is not directly accessible from the internet
Can securely store the secret key on the server

Example: Servers in private VPC consuming iFood APIs to expose their own services.

Tokens cannot exceed 8,000 characters. Ensure your integration provides adequate storage for these tokens.

Get credentials and tokens

Find your credentials

Open the Developer Portal
Go to My Apps > Application credentialsYou will see:
_clientId_: unique identifier of the application
_clientSecret_: key to obtain access tokens. Store securely and never expose.

Request the access tokenUse the clientId and clientSecret from your application to request an access token through the Authentication API.
Use the received tokenThe API returns the access token needed to consume iFood APIs.
Centralized applications do not receive refresh tokens. Check the FAQ for details.
Access the resourcesInclude the token in requests to iFood APIs using Bearer-type HTTP authentication.

API Reference

POST `/oauth/token`

DescriptionRequests a new access token to access API resources. By default, the token expires in 6 hours. For centralized applications, use the grant type client_credentials.cURL example

curl -X POST "https://merchant-api.ifood.com.br/authentication/v1.0/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grantType=client_credentials&clientId=YOUR_CLIENT_ID&clientSecret=YOUR_CLIENT_SECRET"

Request parameters

Parameter	Required	Description
`grantType`	Yes	OAuth grant type. For centralized applications: `client_credentials`
`clientId`	Yes	Client identifier
`clientSecret`	Yes	Client secret

Response fields — Success (200)

Field	Description	Example
`accessToken`	JWT representing the access token	eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJzdWIiOiJlNjkwYjczZC01OTI4LTRkMTctODE2ZC01Y2Y5YjgyZTJhOWUiLCJhdWQiOiJvcmRlciIsInVzZXJfbmFtZSI6ImU2OTBiNzNkLTU5MjgtNGQxNy04MTZkLTVjZjliODJlMmE5ZSIsInNjb3BlIjpbIm9yZGVyIl0sInRlbmFudElkIjoiNmFjNjkxZDEtMjZjNi00ZmVkLWJmN2ItOTEwMzJkNTM4NWZkIiwiaXNzIjoiaUZvb2QiLCJtZXJjaGFudF9zY29wZSI6WyI2YjQ4N2EyNy1jNGZjLTRmMjYtYjA1ZS0zOTY3YzIzMzE4ODI6b3JkZXIiXSwiZXhwIjoxNjEyMjMwNDU5LCJpYXQiOjE2MTIyMDg4NTksIm1lcmNoYW50X3Njb3BlZCI6dHJ1ZSwiY2xpZW50X2lkIjoiZTY5MGI3M2QtNTkyOC00ZDE3LTgxNmQtNWNmOWI4MmUyYTllIiwiYXV0aG9yaXRpZXMiOlsiUk9MRV9DTElFTlQiXX0.lYqdxjHoOksq8COqJ-VZxzd524MhVzH7hkMfp5zGTpqzp26z5XJwOPHAy7L6oyagUgRfxntKeu0Up_JHgJ-Vr0h5Y9wY4XHcK1yxpFXFB5f5ilGDB0hVN3UGa4GBqeVpCbAPQUl4VhbF2byeL9PuO4TfTZmoWyuec9-xEH_nbHg
`type`	Token type. Currently, the only supported type is `bearer`	`bearer`
`expiresIn`	Token expiration time in seconds	`21600`

Response fields — Error Unauthorized (401)

Field	Description	Example
`error.code`	Error code for unauthorized requests	`Unauthorized`
`error.message`	Human-readable error description	`Bad credentials`

Response fields — Error Internal Server (500)

Field	Description	Example
`error.code`	Error code for internal errors	`InternalServerError`
`error.message`	Human-readable error description	`Unexpected error`

Practical implementation

The video below demonstrates the implementation of the application credential flow for centralized applications:

Was this page helpful?

Rate your experience in the new Developer portal:

On this page

Flow for centralized applications

Get credentials and tokens

API Reference

POST /oauth/token

Practical implementation

Content read0%