Read commands —Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ivorpad/mercadona-cli/llms.txt
Use this file to discover all available pages before exploring further.
search, batch, product, and categories — require no login and work anonymously from any IP. Cart and checkout commands require a Bearer token (SimpleJWT) issued by Mercadona’s API. The very first login must happen in a real browser because the POST /api/auth/tokens/ endpoint requires a Google reCAPTCHA Enterprise token that can only be minted by a browser, and Google-account users have no password at all. Once you have authenticated once, however, the refresh token renews your session completely headlessly: POST /api/auth/tokens/ {refresh_token} needs no CAPTCHA, rotates the token, and works from any IP indefinitely — one browser login, then unattended forever.
Auth methods
| Method | Command | Refresh token? | Headless renewal? | When to use |
|---|---|---|---|---|
| HAR import | import-har | ✅ Yes | ✅ Forever | Recommended — works for email and Google logins |
| cURL import | import-curl | ❌ No | ❌ ~6 weeks | Quick one-off, no ongoing use |
| Manual seed | set-refresh | ✅ Yes | ✅ Forever | Advanced: copy token manually from DevTools |
| Password login | login | ❌ | ❌ Fails headless | Last resort, requires browser reCAPTCHA |
How token renewal works
Every authenticated command loads the cached session from~/.mercadona/token.json. When a request returns 401 token_not_valid, the client automatically calls POST /api/auth/tokens/ with the stored refresh_token to obtain a fresh access_token. The response may also rotate the refresh token itself — the new value is written back to token.json immediately. The original request is then retried transparently, so a token expiry is invisible to the caller.
The access token is a SimpleJWT and lasts approximately six weeks. The refresh token is durable: it remains valid until you explicitly log out in the browser or Mercadona rotates it server-side. As long as config.toml holds a valid refresh token, the CLI is always authenticated.
Credential precedence
The client resolves credentials in the following order, stopping at the first source that provides a usable token:- Flags —
--wh,--lang, and similar per-command flags (no direct token flag; tokens come from the sources below) - Environment variables —
MERCADONA_TOKEN,MERCADONA_COOKIE,MERCADONA_CUSTOMER,MERCADONA_USER,MERCADONA_PASS ~/.mercadona/config.toml—[auth] refresh_token,username,password- Cached session —
~/.mercadona/token.json(written byimport-har,import-curl, andlogin)
config.toml triggers an automatic headless refresh if no access token is found. Credentials stored under [auth] username / password in config.toml can also trigger a full login, but that call requires a reCAPTCHA token the CLI cannot supply — so in practice only the refresh_token path yields a working headless session.
Next steps
HAR Import
Export a HAR from DevTools and extract your refresh token for headless-forever auth. Recommended for all new setups.
cURL Import
Copy a browser request as cURL to import a Bearer token for a quick one-off authenticated session.
set-refresh
Seed a refresh token directly from DevTools into config.toml without a full HAR export.