The xMenu API supports three authentication methods, each designed for different use cases and security requirements.

API Key

Authentication method that provides access to core API functionalities.

How to obtain

You can find your API Key in the restaurant panel under Tools > API Access.

Usage

Include the API Key in the X-Api-Key HTTP header of your requests:
X-Api-Key: your-api-key

API Client

Advanced authentication that enables full access to all API functionalities, including Menu Import and Order Insertion.

How to obtain

Contact our support staff to request your API Client credentials (Client ID and Client Secret).

Usage

Include both credentials in the HTTP headers of your requests:
X-Client-Id: your-client-id
X-Client-Secret: your-client-secret

API Client + OAuth 2.0

Advanced authentication using API Client credentials with the OAuth 2.0 security standard (RFC 6749). This method implements the Client Credentials grant type, which is designed for server-to-server authentication where the client acts on its own behalf.

Authentication flow

1. Request an access token

Make a POST request to the token endpoint with your API Client credentials:
POST /api/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=your-client-id
&client_secret=your-client-secret

2. Receive the access token

The server responds with an access token:
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

3. Use the token in API requests

Include the access token in the Authorization header of all subsequent requests:
Authorization: Bearer your-access-token

Access tokens have a limited validity period (indicated by expires_in, in seconds). Implement token refresh logic to request a new token before expiration.

Error responses with OAuth

When using OAuth 2.0 Bearer token authentication, all error responses with HTTP status 400, 401, or 403 are returned in OAuth-compliant format according to RFC 6749 (OAuth 2.0) and RFC 6750 (Bearer Token Usage).
The OAuth error format is used for all API errors (not just authentication errors) when the request uses OAuth Bearer token authentication and returns a 400, 401, or 403 status code.

OAuth error response format

OAuth errors use a standardized structure:
{
  "error": "error_code",
  "error_description": "Human-readable description of the error"
}

Standard OAuth error codes

invalid_token (HTTP 401): The access token is invalid, expired, or has been revoked.
insufficient_scope (HTTP 403): The access token does not have the required permissions. The WWW-Authenticate header includes the missing scopes.
invalid_request (HTTP 400): The request is missing required parameters, contains invalid values, or is malformed.
invalid_grant (HTTP 400): The authorization code or refresh token is invalid or expired (used in the OAuth token endpoint).
invalid_client (HTTP 401): Client authentication failed (invalid credentials sent to the OAuth token endpoint).
unsupported_grant_type (HTTP 400): The grant type is not supported by the authorization server (used in the OAuth token endpoint).
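The following Python client is an added example, not xMenu's own SDK or sample code. It implements the three-step Client Credentials flow above, the proactive renewal the flow section asks for (a new token is requested before expires_in elapses; with this grant type there is no refresh token, so "refresh" simply means repeating step 1), and the OAuth error handling described in this section (400/401/403 bodies with error and error_description are surfaced as an exception, and a server-side invalid_token is retried once with a fresh token). The transport is injectable so the example runs offline against a constructed stand-in server. The token endpoint path /api/oauth/token is from this page; the /api/menu route, the client credentials, the token strings and the FakeXMenuServer behaviour are all constructed for the demonstration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# A transport is any callable (method, path, headers, body) -> (status, json_dict).
# In production it would wrap an HTTP library; here it is injectable so the example runs offline.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, dict]]
TOKEN_PATH = "/api/oauth/token"  # token endpoint from the xMenu documentation


class OAuthError(Exception):
    """A 400/401/403 response carrying the RFC 6749 {"error", "error_description"} body."""

    def __init__(self, status: int, error: str, description: str = ""):
        super().__init__(f"HTTP {status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


@dataclass
class ClientCredentialsClient:
    client_id: str
    client_secret: str
    transport: Transport
    clock: Callable[[], float] = time.time  # injectable so expiry can be simulated
    refresh_margin: int = 60                # renew this many seconds before expires_in elapses
    token_requests: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def _fetch_token(self) -> str:
        """Steps 1 and 2: POST the client_credentials grant and cache the returned token."""
        body = urlencode({"grant_type": "client_credentials",
                          "client_id": self.client_id,
                          "client_secret": self.client_secret})
        status, payload = self.transport(
            "POST", TOKEN_PATH, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        self.token_requests += 1
        if status != 200:
            raise OAuthError(status, payload.get("error", "unknown"), payload.get("error_description", ""))
        self._token = payload["access_token"]
        self._expires_at = self.clock() + int(payload["expires_in"])
        return self._token

    def access_token(self) -> str:
        """Return the cached token, renewing it when it is within refresh_margin of expiring."""
        if self._token is None or self.clock() >= self._expires_at - self.refresh_margin:
            return self._fetch_token()
        return self._token

    def _send(self, method: str, path: str, body: Optional[str]) -> Tuple[int, dict]:
        # Step 3: every API call carries the token as a Bearer credential.
        return self.transport(method, path, {"Authorization": f"Bearer {self.access_token()}"}, body)

    def request(self, method: str, path: str, body: Optional[str] = None) -> dict:
        """Call an API endpoint; map OAuth-format error bodies to OAuthError."""
        status, payload = self._send(method, path, body)
        if status == 401 and payload.get("error") == "invalid_token":
            # The server rejected the token (revoked or expired early): discard it and retry once.
            self._token = None
            status, payload = self._send(method, path, body)
        if status in (400, 401, 403) and "error" in payload:
            raise OAuthError(status, payload["error"], payload.get("error_description", ""))
        return payload


class FakeXMenuServer:
    """Constructed stand-in for the token endpoint and one API route (not a real xMenu server)."""

    def __init__(self, clock, client_id="demo-id", client_secret="demo-secret", ttl=3600):
        self.clock, self.client_id, self.client_secret, self.ttl = clock, client_id, client_secret, ttl
        self.issued: Dict[str, float] = {}  # token -> absolute expiry time
        self._counter = 0

    def __call__(self, method, path, headers, body):
        if path == TOKEN_PATH:
            form = {k: v[0] for k, v in parse_qs(body or "").items()}
            if form.get("grant_type") != "client_credentials":
                return 400, {"error": "unsupported_grant_type",
                             "error_description": "The grant type is not supported by the authorization server"}
            if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
                return 401, {"error": "invalid_client", "error_description": "Client authentication failed"}
            self._counter += 1
            token = f"constructed-token-{self._counter}"
            self.issued[token] = self.clock() + self.ttl
            return 200, {"access_token": token, "token_type": "Bearer", "expires_in": self.ttl}
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in self.issued or self.clock() >= self.issued[token]:
            return 401, {"error": "invalid_token",
                         "error_description": "The access token is invalid, expired, or has been revoked"}
        return 200, {"ok": True, "path": path}


def demo() -> int:
    """Two calls share one token; a third call near expiry triggers a proactive renewal."""
    now = [1_000_000.0]                     # simulated clock, advanced by hand
    server = FakeXMenuServer(lambda: now[0])
    client = ClientCredentialsClient("demo-id", "demo-secret", server, clock=lambda: now[0])
    client.request("GET", "/api/menu")      # hypothetical route, not from the documentation
    client.request("GET", "/api/menu")      # cached token reused
    now[0] += 3600 - 30                     # inside the 60 s refresh margin
    client.request("GET", "/api/menu")      # renewed before the old token expired
    return client.token_requests            # 2


if __name__ == "__main__":
    print("token requests:", demo())
```

Because the flow sends client_secret in the request body, the client and its credentials belong on your server, matching the server-to-server use the page describes. The refresh margin covers clock skew between your host and the token server; the one-shot retry on invalid_token covers tokens revoked before expires_in elapses, while any other OAuth error (invalid_client, insufficient_scope, ...) is raised so the caller can log it rather than loop.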