GoTab supports the following two flows from the OAuth 2.0 authorization standard

  • Client Credentials Grant
  • Authorization Code Grant

Both flows require sending the Integration's assigned API Credentials (api_access_id and api_access_secret) to the authorization endpoint in order to get an access token and refresh token.

Integrators provision and rotate API credentials in the Integration Dashboard through a GoTab Sandbox Account. If you are not already a GoTab API User or do not have a sandbox account please contact [email protected]. Review API Credential Creation for more information.

For all routes requiring authentication an access token must be passed as a Bearer token in the Authorization header of each request.



Neither the access token nor the refresh token are required to be base64 encoded when being passed to GoTab

Choosing a flow

Depending on the type of integration being made you may choose to use one or both of the client credentials flow and authorization code flow. Below are some common situations and recommendations

I want to periodically sync GoTab data to an application

If you are looking to periodically poll GoTab's data to sync it to your own system or an external system (ie UberEats/DoorDash) in most cases you will want to use the Client Credentials Grant

Data that you sync may include:

  • Catalog data (menus, products, modifiers, variants)
  • Users and Labor data (timekeeping & scheduling)
  • Sales data (ledger, tabs/orders)

I want my app to have access to a specific user's resources

Some use cases may require that your application show only what's available to a specific user. These cases require the Authorization Code Grant.

Examples use cases may include

  • Listing the locations a user has access to on a web form
  • Generating a PDF/print out of a user's menus
  • Performing actions as the specific user

For use cases like these it's either infeasible or risky to use the client credentials grant as in order to access all the locations a particular user has access, your credentials would have had to been given explicit permission by a user to those locations. With the authorization code grant you assume the role of the user and implicitly can access anything they can.

I am developing a web-only (no server) application

This flow is not yet supported. Please contact GoTab with your use case if you need this flow.