Skip to content
API Reference
/Authentication/
Create an access token

Tote Online Ordering API (1.0.0)

REST API for 3rd party developers building online ordering integrations with Tote POS convenience stores and fuel stations.

Overview

The Tote Online Ordering API enables partners to:

  • Authenticate via OAuth 2.0 client credentials
  • Browse store locations and business hours
  • Retrieve full menus with nested modifier groups
  • Create and manage shopping carts
  • Submit orders with split payment support
  • Track order fulfillment status
  • Subscribe to webhook events for real-time updates
  • Check item availability and inventory

Base URL

The server URLs below are placeholders. Your actual API base URL, client ID, and client secret are provided during partner onboarding. Contact developer@totepos.com to get started.

Path parameters use snake_case. JSON response fields use snake_case. Schema names use PascalCase. Enum values use SCREAMING_SNAKE_CASE.

Download OpenAPI description
openapi.json
openapi.yaml
Overview
Tote Developer Support
developer@totepos.com
Languages
Servers
Mock server
https://developers.tote.ai/_mock/online-ordering/spec/openapi
Production (placeholder -- use your assigned base URL)
https://api.tote.ai/v1/online-ordering
Sandbox (placeholder -- use your assigned base URL)
https://sandbox.api.tote.ai/v1/online-ordering

Authentication

OAuth 2.0 client credentials token management.

Operations

Create an access token

Request

Exchange your client credentials for an access token using the OAuth 2.0 client credentials flow.

How it works:

  1. Send your client_id and client_secret in the request body
  2. Receive a Bearer token valid for 24 hours
  3. Include the token in the Authorization header of all subsequent requests

Token caching: Cache your token and reuse it until it expires. Do not request a new token for every API call -- this will trigger rate limiting.

Token expiry: Tokens expire after 86400 seconds (24 hours). When your token expires, request a new one. There is no refresh token flow -- simply re-authenticate with your client credentials.

Bodyapplication/jsonrequired
grant_typestringrequired

Must be CLIENT_CREDENTIALS.

Value"CLIENT_CREDENTIALS"
client_idstring(uuid)required

Your application's client ID, provided during partner onboarding.

client_secretstringrequired

Your application's client secret. Treat this as a password -- never expose in client-side code or commit to version control.

curl -i -X POST \
  https://developers.tote.ai/_mock/online-ordering/spec/openapi/auth/token \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "CLIENT_CREDENTIALS",
    "client_id": "d7a8fbb3-07d4-4e3c-b5f2-9a6c8b1e0f23",
    "client_secret": "sk_live_a1b2c3d4e5f6..."
  }'

Responses

Token created successfully.

Bodyapplication/json
access_tokenstringrequired

Bearer token for authenticating API requests. Include in the Authorization header as: Authorization: Bearer {access_token}

token_typestringrequired

Token type. Always BEARER.

Value"BEARER"
expires_inintegerrequired

Token lifetime in seconds. Default is 86400 (24 hours). Cache your token and reuse it until expiry rather than requesting a new token for every API call.

Example: 86400
Response
application/json
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "BEARER",
  "expires_in": 86400
}

Locations

Store locations, hours, and capabilities.

Operations

Carts

Shopping cart creation, item management, pricing, and checkout.

Operations

Orders

Order retrieval, fulfillment tracking, and cancellation.

Operations

Payments

Payment submission, split payments, and refunds.

Operations

Webhook Subscriptions

Webhook subscription management and event delivery.

Operations

Inventory

Item availability and stock status.

Operations

Events

Webhook event payloads delivered to your subscription URLs.

Webhooks