import-har is the preferred authentication method for Mercadona CLI. It parses a browser HAR export (an archive of all network activity captured by DevTools), extracts the refresh token from the POST /api/auth/tokens/ or POST /api/auth/social/google/ response, seeds it into ~/.mercadona/config.toml, and caches the full session — access token, cookie, and customer ID — to ~/.mercadona/token.json. From that point on, every 401 token_not_valid response triggers an automatic headless refresh and retry. You never need to open a browser again.

Steps

Step 1: Sign in at tienda.mercadona.es in your browser

Open tienda.mercadona.es in your local browser on a residential IP — not from a cloud VM, serverless environment, or VPN exit node. Either authentication method works:
  • Email + password — standard login form, resolves to POST /api/auth/tokens/
  • Google Sign-In — “Continuar con Google” button, resolves to POST /api/auth/social/google/
Both flows return a durable refresh_token that import-har can extract. You only need to complete this step once.

Step 2: Export a HAR file from DevTools

While still on the site (stay on the logged-in page — do not close the tab):
  1. Open DevTools (F12 or Cmd+Option+I on macOS)
  2. Switch to the Network tab
  3. Click the download icon (⤓) in the Network toolbar — the tooltip reads “Export HAR…”
  4. Save the file; the default name is usually tienda.mercadona.es.har
The HAR must include the login response. If you opened DevTools after logging in, the login request may not be captured — in that case, log out, start recording, and log in again before exporting.

Step 3: Run import-har

Pass the saved HAR file to the CLI:
    mercadona import-har --file tienda.mercadona.es.har
You can also pipe it from stdin:
    mercadona import-har --file - < tienda.mercadona.es.har

Step 4: Verify authentication

Confirm the session is active:
    mercadona whoami
A successful import prints:
    ok — authenticated. customer id=<your-customer-id>

What import-har does

import-har reads the HAR entirely in memory and scans it for Mercadona auth material:
  • Auth responses — entries matching /api/auth/ with HTTP 200: extracts access_token, refresh_token, customer_id (email login) or customer_uuid (Google login). The request body — which contains the password — is deliberately never read.
  • Authenticated request headers — entries matching mercadona.es/api/: extracts the Authorization: Bearer … header (freshest access token) and the Cookie: header (Akamai clearance). Also reads ?wh= and ?lang= query parameters to detect your warehouse and language.
After parsing, the CLI:
  1. Writes access_token, refresh_token, cookie, and customer_id to ~/.mercadona/token.json (0600) — the cached session, usable immediately.
  2. If --save is true (the default), writes [auth] refresh_token to ~/.mercadona/config.toml (0600) so the CLI can refresh headlessly on every future run.
  3. If a warehouse was detected in the HAR, saves it as [defaults] warehouse in config.toml — authoritative for your delivery address, overridable with --wh.
  4. If a language was detected and none was already set, saves it as [defaults] lang.
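
The scan described above, sketched in Python as an added example (not the CLI's own code). It assumes standard HAR 1.2 field names, treats later entries as fresher, and anchors on the parsed hostname; `scan_har`, `summarize`, `SAMPLE_HAR` and the sample endpoint are names made up here, and the sample data is constructed.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

SECRETS = ("access_token", "refresh_token", "cookie")
AUTH_KEYS = ("access_token", "refresh_token", "customer_id")
PARAMS = {"wh": "warehouse", "lang": "lang"}

def scan_har(har):
    """Collect auth material from a parsed HAR; request bodies (postData) are never read."""
    found = {}
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        url = urlsplit(req.get("url", ""))
        host = url.hostname or ""  # match the real host, not a substring of the URL
        if not ("." + host).endswith(".mercadona.es") or not url.path.startswith("/api/"):
            continue
        for h in req.get("headers", []):
            name, value = h.get("name", "").lower(), h.get("value", "")
            if name == "authorization" and value.startswith("Bearer "):
                found["access_token"] = value[len("Bearer "):]  # later entries win
            elif name == "cookie":
                found["cookie"] = value
        found.update({PARAMS[p]: v[0] for p, v in parse_qs(url.query).items() if p in PARAMS})
        if not (url.path.startswith("/api/auth/") and resp.get("status") == 200):
            continue
        content = resp.get("content", {})
        text = content.get("text") or ""
        try:  # HAR may store bodies base64-encoded; non-JSON bodies are skipped
            raw = base64.b64decode(text) if content.get("encoding") == "base64" else text
            body = json.loads(raw)
        except ValueError:
            continue
        if isinstance(body, dict):
            # Email login returns customer_id, Google login returns customer_uuid.
            body["customer_id"] = body.get("customer_id") or body.get("customer_uuid")
            found.update({k: str(body[k]) for k in AUTH_KEYS if body.get(k)})
    return found

def summarize(found):
    # Lengths for secrets, plain values otherwise, so nothing sensitive is echoed.
    return {k: len(v) if k in SECRETS else v for k, v in found.items()}

SAMPLE_HAR = {"log": {"entries": [  # constructed sample, not real traffic
    {"request": {"url": "https://tienda.mercadona.es/api/auth/tokens/", "headers": [],
                 "postData": {"text": '{"password": "never-read"}'}},
     "response": {"status": 200, "content": {"text": json.dumps(
         {"access_token": "a" * 20, "refresh_token": "r" * 30, "customer_id": 12345})}}},
    {"request": {"url": "https://tienda.mercadona.es/api/sample/?lang=es&wh=mad1",
                 "headers": [{"name": "Authorization", "value": "Bearer " + "b" * 25},
                             {"name": "Cookie", "value": "c" * 40}]},
     "response": {"status": 200, "content": {"text": "{}"}}}]}}
```

Calling `summarize(scan_har(SAMPLE_HAR))` returns lengths for the tokens and cookie and plain values for the customer ID, warehouse and language. The HAR file itself still contains everything the scan skips, including the login request body, so it is as sensitive as the tokens extracted from it.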

Flag reference

| Flag | Default | Description |
|---|---|---|
| --file <path> | "" (stdin) | Path to the .har file. Use - or omit the flag to read from stdin. Can also be passed as a positional argument. |
| --save | true | Seed the extracted refresh token into ~/.mercadona/config.toml for headless auto-renewal. Set --save=false to cache the session only without touching config.toml. |

Example output

A successful import prints to stderr (secrets are never echoed — only lengths):
    imported HAR session (password login): access=312 chars, refresh=294 chars, cookie=841 chars, customer=a1b2c3d4-...
    → refresh token seeded into ~/.mercadona/config.toml (0600): the CLI now auto-renews headlessly — always authenticated.
    → warehouse mad1 detected from the HAR and saved as your default (override with --wh).
    → verify with: mercadona whoami
For a Google login the first line reads (google/social login) instead of (password login).
If the HAR does not contain a login response — only authenticated API requests were captured — import-har falls back to extracting the Bearer token and cookie from request headers. In this case the output reads refresh=(none) and the CLI prints:
    ⚠ no refresh token in this HAR — cached the access token only (expires ~6 wk, no auto-renew).
      Re-export a HAR that includes the login response, or use `set-refresh`.
The session works immediately but cannot auto-renew. To get a refresh token, either re-export a HAR that includes the login request (log out, start recording, log in again), or copy the token from DevTools and seed it with set-refresh.
The initial browser login must be performed on a residential IP. Datacenter, serverless, and many VPN exit IPs are flagged by reCAPTCHA Enterprise and will trigger challenges or hard failures during login. Once the refresh token is seeded, this restriction no longer applies — headless token refresh works from any IP.