Authentication

All requests to the Scoffable API must be authenticated using a Bearer Token.

Bearer Tokens

Bearer tokens are credentials that grant access to the Scoffable API. Each token identifies your account and determines which vendor locations you can access.

Include your token in the Authorization header of every API request:

GET https://partners-api.scoffable.com/v1/orderUpdates
Authorization: Bearer YOUR_TOKEN

Example token (for illustration only):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNpZ25pbmdLZXkxIn0.eyJpc3MiOiJTY29mZmFibGUiLCJzdWIiOiI1NjhmYzVkMS0yZjAxLTRmNDctODUwYS1jMjg2NDQxZjFjYTYiLCJpYXQiOjE1MTYyMzkwMjJ9.jxU--JQ0pxNZIKJxpTZrelyG-DuNderZeIzPgXsY7WU

Note: This example token will not work with the API.

Security Considerations

Treat tokens like passwords - store them securely, never share them publicly, and rotate them regularly.

Managing Tokens

Generating a New Token

  1. Log in to the Scoffable Partner Centre
  2. Navigate to the Developers section
  3. Click Create New Token
  4. Select which vendor locations this token should access
  5. Provide a description to identify the token's purpose

If you do not see the Developers section, please contact Scoffable for assistance.

Revoking a Token

  1. Log in to the Scoffable Partner Centre
  2. Navigate to the Developers section
  3. Locate the API token you wish to revoke
  4. Click Edit, then click Revoke token

Token Scoping and Best Practices

Vendor-Specific Tokens

Tokens can be restricted to specific vendor locations for enhanced security. When creating a token, you select which vendor locations it can access. The API automatically filters results based on your token's permissions, so you typically don't need to specify vendor IDs in your requests.

Recommended approach:

  • In-store systems: Create tokens that only access their specific location
  • Central systems: Use tokens with access to all required locations

This minimises risk if a token is compromised and follows the principle of least privilege.

Token Rotation

No Automatic Expiry

Tokens issued by Scoffable do not expire automatically. This gives you full control over when to rotate tokens, but also means you must actively manage token lifecycle.

Zero-Downtime Rotation

Multiple tokens (up to 50) can be active simultaneously. This enables secure token rotation without service interruption:

  1. Generate a new token with the same vendor restrictions
  2. Update your systems to use the new token
  3. Verify the new token is working correctly
  4. Revoke the old token

This approach ensures continuous service during token rotation and provides a rollback option if issues occur.
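
The rotation steps above as a script, added here as an example and not Scoffable's own code: it checks the new token against the endpoint shown earlier before switching, and keeps the old token when the check fails. The environment variable names and the rule that any 2xx status means the token was accepted are assumptions.

```python
import hashlib
import os
import urllib.error
import urllib.request

# Endpoint taken from the request example on this page.
API_URL = "https://partners-api.scoffable.com/v1/orderUpdates"


def fingerprint(token):
    """Short SHA-256 prefix that identifies a token in logs without exposing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def probe(token, opener=urllib.request.urlopen):
    """Send one authenticated GET and return the HTTP status code (0 on network failure)."""
    req = urllib.request.Request(API_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # non-2xx responses surface as HTTPError
    except urllib.error.URLError:
        return 0  # unreachable API: the candidate is not verified


def rotate(current, candidate, probe_fn=probe):
    """Return (token_to_use, old_token_may_be_revoked).

    Assumption: any 2xx status means the candidate token was accepted.
    """
    status = probe_fn(candidate)
    if 200 <= status < 300:
        print(f"switching to token {fingerprint(candidate)} (HTTP {status})")
        return candidate, True
    # Rollback path: the old token has not been revoked yet, so keep using it.
    print(f"keeping token {fingerprint(current)}; candidate got HTTP {status}")
    return current, False


if __name__ == "__main__":
    # Hypothetical variable names; tokens come from the environment, not source code.
    old, new = os.environ.get("SCOFFABLE_TOKEN"), os.environ.get("SCOFFABLE_TOKEN_NEXT")
    if old and new:
        _, revoke_old = rotate(old, new)
        print("revoke the old token now" if revoke_old else "do not revoke the old token")
    else:
        print("set SCOFFABLE_TOKEN and SCOFFABLE_TOKEN_NEXT first")
```

Only the fingerprint is ever printed, so the output can go to shared logs without exposing either token.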