Obtaining an Access Token

Suggest Edits

After a listing has added you as their integrator, your access token--even if requested before integration was set up--grants you access to their listing. You can request an access token by sending a POST to the following endpoint:

curl --globoff \
  --request POST \
  --url 'https://api-g.weedmaps.com/auth/token' \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --data '{
  	"client_id": "CLIENT_ID_HERE",
    "client_secret": "CLIENT_SECRET_HERE",
    "grant_type": "client_credentials",
    "scope": "taxonomy:read brands:read products:read menu_items menus:write"
  }'

{
    "access_token": "ACCESS_TOKEN_HERE",
    "token_type": "Bearer",
    "expires_in": 1209600,
    "scope": "taxonomy:read brands:read products:read menu_items",
    "created_at": 1544211465
}

πŸ“˜

Access tokens are valid for 2 weeks

Your access token by default is valid for 14 days and able to be renewed after 7 days. Requesting a new token with the same scopes before that initial 7-day window has passed will result in the existing token being returned.

🚧

Missing Scopes

You should request all of the above scopes when requesting the access token. Note that you are not guaranteed to receive all requested scopes, and it is possible for a token to be granted with only some, or none at all, of the requested scopes. Before making some of the API requests described later in this guide, you may want to confirm the level of access your token has by looking at the scope field in the response body.

Expiration

Weedmaps will issue fresh tokens after 50% of the expiration period has passed for a token. Example: If your authentication token is good for 14 days (default expiration), we'll return a new authentication token from a POST to the token create endpoint after 7 days have elapsed. We will otherwise continue to return the original authentication token until that time has passed or new scopes are provided.

Token Payload

Weedmaps authentication tokens are encoded JSON Web Tokens, or JWTs. Fields within a JWT are called "claims." Well-known claims are described in detail in the public claims registry. Weedmaps JWTs include a custom wm claim that may contain fields specific to Weedmaps. A sample decoded token payload is included below for reference.

{
  "jti": "647f69ab-8a98-491a-9406-f7961490dad5",
  "exp": 1591034943,
  "iss": "https://weedmaps.com",
  "wm": {
    "client_id": "BTx4_ILdajRuC0NOG1_2NhRDGmLBleZyYu8d5y6VwfM"
  }
}

Generally, you will not need to reference the fields within the token itself.

Updated 5 months ago

What’s Next