Obtaining an Access Token

After a Listing has added you as their Integrator, you can obtain an access token for that Listing. This can be done by sending a POST to the following endpoint:

curl --globoff \
  --request POST \
  --url 'https://api-g.weedmaps.com/auth/token' \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --data '{
  	"client_id": "CLIENT_ID_HERE",
    "client_secret": "CLIENT_SECRET_HERE",
    "grant_type": "client_credentials",
    "scope": "taxonomy:read brands:read products:read menu_items menus:write"
    "access_token": "ACCESS_TOKEN_HERE",
    "token_type": "Bearer",
    "expires_in": 1209600,
    "scope": "taxonomy:read brands:read products:read menu_items",
    "created_at": 1544211465


Missing Scopes

You should request all of the above scopes when requesting the access token. Note that you are not guaranteed to receive all requested scopes, and it is possible for a token to be granted with only some, or none at all, of the requested scopes. Before making some of the API requests described later in this guide, you may want to confirm the level of access your token has by looking at the scope field in the response body.

Token Payload

Weedmaps authentication tokens are encoded JSON Web Tokens, or JWTs. Fields within a JWT are called "claims." Well-known claims are described in detail in the public claims registry. Weedmaps JWTs include a custom wm claim that may contain fields specific to Weedmaps. A sample decoded token payload is included below for reference.

  "jti": "647f69ab-8a98-491a-9406-f7961490dad5",
  "exp": 1591034943,
  "iss": "https://weedmaps.com",
  "wm": {
    "client_id": "BTx4_ILdajRuC0NOG1_2NhRDGmLBleZyYu8d5y6VwfM"

Generally, you will not need to reference the fields within the token itself.


Weedmaps will issue fresh tokens after 50% of the expiration period has passed for a token. Example: If your authentication token is good for 14 days (default expiration), we'll return a new authentication token from a POST to the token create endpoint after 7 days have elapsed. We will otherwise continue to return the original authentication token until then.