Register an application on developer.kroger.com and obtain a client_id and client_secret; note the scopes granted to your app (e.g., product.compact:read, cart.basic:write)
Request a client-credentials token by POSTing to the Kroger authorization server's token endpoint with your encoded client credentials and the desired scope in the request body
Store the returned access_token and its expiry; cache the token and refresh it before expiry rather than requesting a new one on each call
For cart operations that require user context, redirect the user through the OAuth 2.0 authorization code flow; include profile.compact and cart.basic:write in the scope parameter
Exchange the authorization code for a user-scoped token, then include it as a Bearer token in the Authorization header on all subsequent cart API requests
Implement token refresh logic: when a request returns a 401, re-execute the appropriate flow (client credentials or authorization code refresh) and retry once
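An added example (not code from Kroger or from this page) of the caching and retry-once steps above. The transport is injected: fetch_token and send are hypothetical callables standing in for your HTTP client, the 60-second skew is an arbitrary choice, and reading "encoded client credentials" as HTTP Basic is an assumption.

```python
import base64
import time
from urllib.parse import urlencode

def token_request(client_id, client_secret, scope):
    """Headers and form body for a client-credentials token POST.
    Assumption: "encoded" means HTTP Basic (RFC 6749 section 2.3.1)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"grant_type": "client_credentials", "scope": scope})

class TokenCache:
    """Holds one access token and renews it `skew` seconds before expiry."""
    def __init__(self, fetch_token, skew=60, clock=time.monotonic):
        self._fetch = fetch_token   # hypothetical callable returning the token JSON as a dict
        self._skew = skew
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self, force=False):
        stale = self._token is None or self._clock() >= self._expires_at - self._skew
        if force or stale:
            body = self._fetch()
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

def call_with_retry(send, cache):
    """send(headers) -> (status, body). On 401, renew the token and retry once."""
    status, body = send({"Authorization": "Bearer " + cache.get()})
    if status == 401:
        status, body = send({"Authorization": "Bearer " + cache.get(force=True)})
    return status, body

if __name__ == "__main__":
    # Constructed stand-ins for the token endpoint and a product API call.
    issued = []
    def fake_fetch():
        issued.append(1)
        return {"access_token": f"tok{len(issued)}", "expires_in": 1800}
    cache = TokenCache(fake_fetch)
    revoked = {"tok1"}
    def fake_api(headers):
        tok = headers["Authorization"].split(" ", 1)[1]
        return (401, "") if tok in revoked else (200, "ok")
    print(call_with_retry(fake_api, cache), "tokens issued:", len(issued))
```

The same cache serves the user-scoped token if fetch_token performs the authorization code refresh instead of the client-credentials request.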
Known gotchas
Kroger assigns scopes per registered application during onboarding — you cannot request scopes not pre-approved for your app; verify your granted scopes in the developer portal before building
Cart operations require a user-authorized token (authorization code flow), not a client credentials token — using a client credentials token for cart writes will return an authorization error
The authorization and token endpoints differ between the public sandbox (developer-ce.kroger.com) and production (developer.kroger.com) — ensure you switch base URLs before going live