OAuth

The OAuth endpoints allow you to validate your client-side users with the Grubhub system, both if they are logged in to your system and not. These endpoints mostly comply with the OAuth 2.0 standard. The exception is /oauth2/direct/auth, which is OAuth2-like as it does not use a redirect so that it can be called via AJAX or by another server.

Our authorization system is bi-directional; that is, it authorizes your user in the Grubhub system and the associated Grubhub diner as a user in your system. This allows your diner to access our API functionality and our system to understand your diner's location and payment information.

There are a number of different processes that you can use to authorize diners. The simplest passes the OpenID token that identifies your user directly to us via your hosted proxy server. This is the only version that uses a single API call and requires no endpoints on your end.

Some of the endpoints are not hosted on api-gtm.grubhub.com; instead, they will need to be implented and hosted on your servers. In many of the authorization flows we accept, the Grubhub API will need to call these endpoints on your server in order to complete secure authorization.

Refer to the Authorization topic for more information on the different types of authorization flows that we allow.

Paths

Generates an access token.

POST /oauth2/direct/auth

Description

This endpoint can either take an OAuth2 authorization code or an OpenID token and convert it into a Grubhub access token that authorizes requests to the ordering API.

This endpoint is OAuth2-like, as it does not use a redirect so that it can be called via AJAX or by another server. Depending on whether you pass a code or an OpenID token, you may have to call the endpoint via proxy or implement a receiving endpoint on your servers.

The access token and openid connect token in the response complies with the Openid Connect Token Response specification., which extends the OAuth2 Token Response specification..

Body

grant_type

String

The type of access grant being requested. This value must be "authorization_code" or "token".

code

String

The authorization code generated by your servers, which will be used to verify the user's connection. Either this or the token field must be included in the request.

token

String

The OpenID token that identifies your current user. Either this or the code field must be included in the request.

client_id

String

The client ID that we have issued to you.

scope

String

The scope to grant to your user. This value must be "openid diner" if you want to link the diner to an order history. Use "anonymous" to authorize the user solely on your client ID. In this case, `code` will be ignored.

Responses

200

OpenidTokenResponse

Endpoint on your servers to authenticate diners.

POST /oauth2/token

Description

In some authorization flows, Grubhub calls this endpoint on your servers in order to generate an access code that authenticates your server and an Openid token that identifies your user. Both of these pieces of information are used to create the Grubhub API session, which then sends the Openid token and a Grubhub access token to the client.

You can can also use this endpoint on the Grubhub server to refresh an existing token.

This section should be taken as a specification for the endpoint that Grubhub expects to call. It should be able to accept the query parameters and return the payload specified.

Body

grant_type

String

The type of authorization to grant. This value must be "authorization_code" or "refresh_token".

code

String

The authorization code initially generated by your servers, which is verified as valid in this step.

client_id

String

The client ID that Grubhub has issued to you so you can access our API.

redirect_uri

String

The URI to redirect to after authorization. If you are implementing the simple direct flow, this should be an empty string.

Responses

200

OpenidTokenResponse

Standard OAuth2 authorization endpoint.

GET /oauth2/authorize

Description

This is a standard OAuth2 authoriation endpoint, fully compliant with the OAuth2 framework. We include documentation of it here for completeness sake. Depending on which authorization method you use, you may have to call and/or implement this endpoint.

Query Parameters

response_type

String

The response that you expect, either "code" if you expect and authorization code or "token" for a implicitly granted authorization token.

client_id

String

The client ID that Grubhub provided (or you provided to Grubhub) that grants access to our API resources.

redirect_uri

String

The absolute URI to redirect the client user after the authorization completes.

scope

String

The server-defined scope for this authorization request. For Grubhub authorization requests, the scope should always be "Openid diner".

state

String

An indicator - often randomly generated - passed between the server and client to verify that the response received came from the requested server. This prevents cross-site forgery attacks.

Responses

200

Response

400

UNKNOWN

Bad request - Possible invalid redirect URI.

Return session info

GET /session

Description

Returns information about the current session, including diner information, access token, and expiration information.

Responses

200

SessionResponse

Example

{
    "credential": {
        "email": "fakeuser@mail.com",
        "gh_login_id": "xxxxxxxxxx",
        "first_name": "Fake",
        "last_name": "Azheck",
        "brand": "GRUBHUB",
        "ud_id": "98155900-7d24-11e7-b965-41398ca65b4c",
        "created_date": 1502298178644,
        "disable_password": false
    },
    "claims": [
        {
            "ud_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
            "claim_id": "75",
            "claim": "application_id",
            "claim_type": "temporary"
        },
        {
            "ud_id": "98155900-7d24-11e7-b965-41398ca65b4c",
            "claim_id": "Grubhub Angular Mobile",
            "claim": "application_name",
            "claim_type": "temporary"
        },
        {
            "ud_id": "98155900-7d24-11e7-b965-41398ca65b4c",
            "claim_id": "1.0",
            "claim": "application_version",
            "claim_type": "temporary"
        },
        {
            "ud_id": "98155900-7d24-11e7-b965-41398ca65b4c",
            "claim_id": "GRUBHUB",
            "claim": "brand",
            "claim_type": "temporary"
        },
        {
            "ud_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
            "claim_id": "2",
            "claim": "channel_id",
            "claim_type": "temporary"
        },
        {
            "ud_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
            "claim_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
            "claim": "client_id",
            "claim_type": "temporary"
        },
        {
            "ud_id": "98155900-7d24-11e7-b965-41398ca65b4c",
            "claim_id": "98155900-7d24-11e7-b965-41398ca65b4c",
            "claim": "diner",
            "claim_type": "permanent"
        },
        {
            "ud_id": "9xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
            "claim_id": "xxxxxxx",
            "claim": "gh_login_id",
            "claim_type": "permanent"
        },
        {
            "ud_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
            "claim_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
            "claim": "gh_token",
            "claim_type": "temporary"
        }
    ],
    "session_handle": {
        "access_token": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
        "token_type": null,
        "expire_in": 30,
        "refresh_token": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
        "refresh_expire_in": 1440,
        "token_created": "2018-08-19T12:05:28.000Z",
        "refresh_token_created": "2018-12-30T20:13:15.000Z",
        "grubhub_token": null,
        "token_created_time": 1543612398000,
        "refresh_token_created_time": 1543612398000,
        "token_expire_time": 1543614198000,
        "refresh_token_expire_time": 1543698798000,
        "tracking_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
        "last_login_time": "2018-10-30T15:14:17.998Z",
        "login_session_id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
        "disabled": false
    }
}

Models

ClaimResponse

Information about a security claim. This information is only relevant to internal Grubhub systems; you can ignore it freely.

Properties

ud_id

String

A universally unique identifier for this claim associated with this diner.

claim_id

String

A unique identifier for this claim as applied to all diners.

claim

String

The name of the claim.

claim_type

String

Whether this claim applies to the diner on a "permanent" or "temporary" per-session basis.

CredentialResponse

Information about the diner whose credentials are being used to log in.

Properties

String

The email address of the logged-in diner.

gh_login_id

String

An internal identifier for this user in the authorization framework.

first_name

String

The diner's first name.

last_name

String

The diner's last name.

brand

String

The brand identifier for this diner. The brand depends on the application that created the diner. For most integrations, this will be "GRUBHUB". Diners of one brand cannot order food using an application of another brand.

ud_id

String

The diner ID for this user, which can be used to retrieve previous orders and favorites.

created_date

String

The date that this diner account was created, encoded as Unix epoch time.

disable_password

boolean

Whether the diner needs a password to login.

OpenidTokenResponse

An Openid token and access token that can used to make requests against the Grubhub API.

Properties

access_token

String

An OAuth2-compliant token that grants access. If this token comes from the Grubhub API servers, then it must be passed in the headers of every Grubhub API request.

token_type

String

The type of token. This will always be "Bearer", which must be indicated in all API request headers.

expires_in

Integer

The number of seconds before the access token will no longer grant API access.

refresh_token

String

A token that you can use to refresh this access token. By default, this token remains valid for 43200 minutes.

id_token

String

The Openid token that identifies the individual user on your site to the Grubhub API.

SessionResponse

Information about the current logged in user's session.

Properties

credential

CredentialResponse

Information about the diner whose credentials are being used to log in.

claims

List<ClaimResponse>

Empowering Restaurants through Integration

OAuth

Paths

Generates an access token.

Endpoint on your servers to authenticate diners.

Standard OAuth2 authorization endpoint.

Return session info

Models

ClaimResponse

CredentialResponse

OpenidTokenResponse

SessionResponse