Plugin icon

Authentication & Authorization

Zip NZ uses OAuth 2.0 as a standardised means of securing API endpoints.


There is one OAuth flow currently supported:

  • Client Credentials

Flow which is used for the basis of server-to-server communication across the Online API & Instore API


There are 2 supported endpoints, which are reflective of either a sandbox or production environment

Client Credentials

This flow is used for server-to-server communication, and is relevant in our Online API and our Instore API.

To obtain a token, make a request to the token endpoint, with a number of properties you'll be given when starting your integration with Zip NZ


To obtain an access token:

POST https://

Content-Type: application/json
  "client_id":"[client id]",
  "client_secret":"[client secret]", 

Will return a response ie:

    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciO.....",
    "expires_in": 86400,
    "scope": "merchant",
    "token_type": "Bearer"


Scopes are not requested as part of this flow, instead they will be added to the returned access_token where the client access allows

Token Expiry

The expiry for the access_token will be defined in the response. Typically this will be 24 hours (86400 seconds) however the value in access_token should be respected as it’s subject to change