Authentication
All GoTab API requests require a Bearer token in the Authorization header. This page covers the fastest path to getting a token — the Client Credentials flow, which is the right choice for most server-to-server integrations.
Get a Bearer token
Exchange your api_access_id and api_access_secret for an access token:

```bash
curl -X POST https://gotab.io/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "client_credentials",
    "api_access_id": "YOUR_API_ACCESS_ID",
    "api_access_secret": "YOUR_API_ACCESS_SECRET"
  }'
```

Response:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 86400
}
```

| Field | Description |
|---|---|
| access_token | The token to include in every API request |
| token_type | Always "Bearer" |
| expires_in | Seconds until the token expires (86400 = 24 hours) |
Use the token
Pass the token as a Bearer in the Authorization header on every request:

```bash
curl https://gotab.io/api/loc \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

Refreshing tokens
Tokens expire after 24 hours. Request a new token using the same client_credentials flow — there is no separate refresh token step for the Client Credentials flow.
For long-running integrations, cache the token and re-request it when you receive a 401 Unauthorized response.
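The caching pattern above as an added Python example, not GoTab's own code: `TokenCache`, `http_json` and the 60-second `skew` are names and values assumed here. It goes slightly beyond the text by also refreshing shortly before `expires_in` elapses, and it retries a 401 only once so revoked credentials cannot turn into a retry loop against the token endpoint.

```python
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://gotab.io/oauth/token"  # endpoint shown on this page

def http_json(method, url, headers, body=None):
    """Default transport: send JSON, return (status, parsed body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None  # error bodies are dropped, not propagated

class TokenCache:
    """Caches one Bearer token; names here are illustrative, not a GoTab SDK."""

    def __init__(self, access_id, access_secret, transport=http_json,
                 clock=time.monotonic, skew=60):
        self._creds = {"grant_type": "client_credentials",
                       "api_access_id": access_id,
                       "api_access_secret": access_secret}
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self, force=False):
        """Return the cached token, requesting a new one if missing or stale."""
        if force or self._token is None or self._clock() >= self._expires_at:
            status, body = self._transport(
                "POST", TOKEN_URL, {"Content-Type": "application/json"}, self._creds)
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = body["access_token"]
            # Refresh `skew` seconds early to avoid sending a nearly expired token.
            self._expires_at = self._clock() + body["expires_in"] - self._skew
        return self._token

    def request(self, method, url):
        """Call the API; on 401 fetch a fresh token and retry exactly once."""
        for attempt in (0, 1):
            headers = {"Authorization": f"Bearer {self.token(force=attempt == 1)}"}
            status, body = self._transport(method, url, headers)
            if status != 401:
                break
        return status, body
```

Construct it with credentials read from the environment or a secret manager rather than literals in source, and share one instance per process so every caller reuses the same cached token.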
Common errors
| Status | Cause | Fix |
|---|---|---|
| 401 Unauthorized | Invalid or expired token | Request a new token |
| 400 Bad Request | Missing or malformed credentials in request body | Check api_access_id and api_access_secret are correct |
| 403 Forbidden | Token valid but lacks permission for this resource | Verify the location is authorized for your application |
Choosing an OAuth flow
The Client Credentials flow works when your server is acting on its own behalf — syncing catalog data, processing orders, or reading sales for locations that have authorized your app.
If you need to act on behalf of a specific GoTab user — for example, listing only the locations a user has access to — you need the Authorization Code flow instead.
See OAuth Flows in Concepts for a full comparison and implementation guide.
Next steps
- Your First API Call — Use your token to fetch locations and a menu
- REST API Reference — Full endpoint reference with try-it-now