Authentication with JSON Web Tokens (JWTs)

Limited access

Marketplace APIs are not yet generally available. Please record interest in early access here.

DoorDash requires JSON Web Tokens (JWTs) for authenticating Marketplace API requests. JWTs are a secure, efficient way to establish trust between your integration and DoorDash without sending sensitive secrets over the wire.

Why JWTs?

JWTs are widely used in API authentication because they provide:

  • Secure API access – Only verified partners with valid credentials can call the API.
  • Tamper-proof authentication – Tokens are cryptographically signed and cannot be altered without detection.
  • Lightweight and efficient – No server-side session storage required, making them scalable.
  • Time-limited access – Tokens expire within 30 minutes of being issued, limiting the window in which a leaked token can be used.

Note: If your API URL is https://pointofsale.doordash.com, you are on Marketplace (legacy) and do not need JWTs. If your API URL is https://api.doordash.com, you are on Marketplace and must use JWTs.

Obtaining Credentials

Before you can generate JWTs, you must create credentials in the DoorDash Developer Portal:

  1. Go to Developer Portal → Marketplace → Get Started.
  2. In the left navigation, click Credentials.
  3. Click Create Credential.
  4. Enter a name for the credential.
  5. Select whether it is for Sandbox or Production.
  6. Select the APIs the credential can access (Marketplace, Drive).
  7. Click Create Credential.
  8. Save the developer ID, key ID, and signing secret. (The secret is shown only once — store it securely.)

Anatomy of a JWT

A JWT has three parts, separated by periods: Header.Payload.Signature

Header

{
  "alg": "HS256",
  "typ": "JWT",
  "dd-ver": "DD-JWT-V1"
}

Payload

{
  "aud": "doordash",
  "iss": "DEVELOPER_ID",
  "kid": "KEY_ID",
  "iat": 1636463841,
  "exp": 1636465641
}

Payload Claims

Claim   Description   Rules
aud     Audience      Always "doordash"
iss     Issuer        Developer ID (UUID)
kid     Key ID        Key ID (UUID)
iat     Issued At     Epoch seconds, not in the future
exp     Expiration    ≤ 30 minutes (1800 s) after iat

Signature

The signature is an HMAC-SHA256 (HS256) computed over the base64url-encoded header and payload (joined by a period), keyed with your signing secret. Anyone who changes the header or payload without the secret invalidates the signature.

Creating a JWT

Prerequisites:

  • developer_id
  • key_id
  • signing_secret

Install a JWT library

Most languages have libraries available. Example in Python:

pip3 install pyjwt

Generate a JWT

Send the token in the Authorization header, together with the other required headers, on every API request:

Authorization: Bearer <JWT>
auth-version: v2
User-Agent: MerchantSandbox/1.0

(Replace MerchantSandbox/1.0 with your provider's name in CamelCase, e.g., MyPosSystem/1.0.)
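The following is an added example, not code from DoorDash's documentation or SDKs. It builds the token by hand with the Python standard library so that the header, payload and HS256 signature described above are visible (in production you would normally use a library such as pyjwt, as suggested earlier), assembles the three request headers, and also shows the checks a verifier applies to the claim rules in the table. The developer ID, key ID and signing secret are constructed placeholders, and the example assumes the secret bytes are used directly as the HMAC key; follow the Developer Portal's instructions if your secret is delivered in an encoded form.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

MAX_LIFETIME = 1800  # exp may be at most 30 minutes (1800 s) after iat


def _b64url(data: bytes) -> str:
    # JWTs use base64url with the trailing '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    # No whitespace, so the encoded segments stay short
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def create_jwt(developer_id: str, key_id: str, signing_secret: bytes,
               iat: Optional[int] = None, lifetime: int = MAX_LIFETIME) -> str:
    """Build Header.Payload.Signature with the claims the API expects."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 1800 seconds")
    iat = int(time.time()) if iat is None else iat
    header = {"alg": "HS256", "typ": "JWT", "dd-ver": "DD-JWT-V1"}
    payload = {"aud": "doordash", "iss": developer_id, "kid": key_id,
               "iat": iat, "exp": iat + lifetime}
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(payload))
    # HS256: HMAC-SHA256 over "header.payload", keyed with the signing secret
    signature = hmac.new(signing_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def parse_jwt(token: str) -> Tuple[dict, dict]:
    """Decode header and payload without verifying anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def verify_jwt(token: str, signing_secret: bytes, now: Optional[int] = None) -> dict:
    """Apply the checks a verifier would: alg pinned, signature valid, claim rules met."""
    now = int(time.time()) if now is None else now
    header, claims = parse_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg; only HS256 is accepted")
    head, body, sig = token.split(".")
    expected = hmac.new(signing_secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    if claims.get("aud") != "doordash":
        raise ValueError("aud must be 'doordash'")
    for name in ("iss", "kid", "iat", "exp"):
        if name not in claims:
            raise ValueError(f"missing claim {name}")
    if claims["iat"] > now:
        raise ValueError("iat is in the future")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("exp is more than 30 minutes after iat")
    if claims["exp"] <= now:
        raise ValueError("token has expired")
    return claims


def request_headers(token: str, user_agent: str = "MyPosSystem/1.0") -> dict:
    """The three headers every Marketplace API request carries."""
    return {"Authorization": f"Bearer {token}", "auth-version": "v2", "User-Agent": user_agent}


if __name__ == "__main__":
    # Constructed placeholder credentials; real values come from the Developer Portal.
    DEVELOPER_ID = "00000000-0000-0000-0000-000000000001"
    KEY_ID = "00000000-0000-0000-0000-000000000002"
    SIGNING_SECRET = b"constructed-example-secret-not-a-real-one"
    token = create_jwt(DEVELOPER_ID, KEY_ID, SIGNING_SECRET)
    print(request_headers(token))
    print(verify_jwt(token, SIGNING_SECRET))
```

Generate a fresh token per request or per short batch rather than caching one for its full lifetime; the verifier side is included so you can confirm your own tokens satisfy the claim rules before sending them.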

Protecting Your Secret

Treat your signing secret like a password.

  • Store it securely in a vault or secrets manager.
  • Never hardcode it into source code or share it publicly.