set-refresh writes a refresh token directly to [auth] refresh_token in ~/.mercadona/config.toml. Use it when you already have the token — copied from a DevTools network response or from browser local storage — and want to skip the full HAR export step. Once seeded, every authenticated command auto-refreshes the session on 401 token_not_valid with no browser interaction required.

How to get your refresh token

There are two ways to find the refresh token in a logged-in browser session:
From the network response (most reliable):
  1. Open DevTools (F12 or Cmd+Option+I) → Network tab
  2. Log out and log back in on tienda.mercadona.es, or filter the Network panel for tokens
  3. Find the POST /api/auth/tokens/ request (email login) or POST /api/auth/social/google/ (Google login)
  4. Click the request → Response (or Preview) tab
  5. Copy the value of the refresh_token field from the JSON body
{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "customer_id": "a1b2c3d4-..."
}
From browser local storage:
  1. In a logged-in tab, open DevTools → Application tab → Local Storage → https://tienda.mercadona.es
  2. Look for a key that stores the auth session (the exact key name may vary) and find the refresh_token value

Seeding the token

Always prefer --stdin to keep the token out of your shell history and the process argument list:
# Preferred: pipe from stdin — never appears in shell history or ps output
printf '%s' '<your_refresh_token>' | mercadona set-refresh --stdin
If you need to pass it as a positional argument (note: this will appear in shell history):
# Less safe: appears in shell history
mercadona set-refresh <your_refresh_token>
After a successful seed, the CLI confirms:
refresh token saved to ~/.mercadona/config.toml (312 chars, 0600).
→ the CLI now auto-renews headlessly. test: mercadona whoami

Flag reference

| Flag | Description |
| --- | --- |
| --stdin | Read the refresh token from stdin. Keeps the token out of the process argument vector (argv) and shell history. Recommended whenever the token is available on stdin. |

What happens after seeding

set-refresh writes the following section to ~/.mercadona/config.toml (creating the file at 0600 permissions if it does not exist):
[auth]
  refresh_token = "<your refresh token>"
On every subsequent authenticated command, the client loads this value. If no valid access token is found in ~/.mercadona/token.json, it calls POST /api/auth/tokens/ with {refresh_token}, stores the returned access_token (and any rotated refresh_token) back to token.json, and proceeds. The original request is retried transparently — no further action is needed.
Verify the token is working immediately after seeding:
mercadona whoami
Expected output:
ok — authenticated. customer id=<your-customer-id>
If whoami returns 401 token_not_valid, the token you copied may have already expired or been invalidated. Repeat the browser login and copy a fresh token.
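An added audit for the two exposure points this page names, file permissions and shell history (example code, not part of mercadona-cli). It assumes token.json should carry the same 0600 mode as config.toml and that tokens begin with eyJ as in the sample response; it flags any history line that pairs set-refresh with a token literal, since an interactive shell records the whole command line it was given.

```bash
# Added example, not part of mercadona-cli: post-seed hygiene audit.
# Assumptions: token.json deserves the same 0600 mode the docs state for
# config.toml, and tokens start with "eyJ" as in the sample response.

# Print a file's octal permission bits (GNU stat, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 = owner-only (600), 1 = any other mode, 2 = file absent.
check_private() {
  [ -f "$1" ] || { echo "ABSENT  $1"; return 2; }
  mode=$(file_mode "$1")
  [ "$mode" = "600" ] && { echo "OK      $1 ($mode)"; return 0; }
  echo "EXPOSED $1 ($mode) -> chmod 600 '$1'"
  return 1
}

# Count history lines that pair set-refresh with a token-looking literal.
count_history_leaks() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -Ec 'set-refresh.*eyJ[A-Za-z0-9_-]{10,}|eyJ[A-Za-z0-9_-]{10,}.*set-refresh' "$1" || true
}

# Audit one CLI directory plus the usual bash/zsh history files.
audit() {
  rc=0
  for f in "$1/config.toml" "$1/token.json"; do
    # Only status 1 (wrong mode) is a finding; an absent file is not.
    check_private "$f" || [ $? -ne 1 ] || rc=1
  done
  for h in "$HOME/.bash_history" "$HOME/.zsh_history"; do
    n=$(count_history_leaks "$h")
    [ "$n" -eq 0 ] || { echo "LEAK    $h: $n line(s), rotate the token"; rc=1; }
  done
  return "$rc"
}

audit "${1:-$HOME/.mercadona}" || echo "audit: review the findings above" >&2
```

If a LEAK line is reported, logging out in the browser invalidates the refresh token server-side, after which a fresh login and re-seed replaces it. The offending history line still has to be deleted by hand.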

When to re-seed

The refresh token is durable but not permanent. You will need to perform a fresh browser login and re-seed in these situations:
  • You explicitly logged out in the browser — Mercadona invalidates the refresh token server-side on logout.
  • Server-side rotation — Mercadona may rotate refresh tokens periodically. The CLI rotates its local copy on every use (writing the new value back to token.json), but if the stored token has been invalidated remotely, the refresh call returns 401 and the CLI cannot recover automatically.
  • whoami keeps failing after an auto-refresh attempt — this signals the refresh token itself is no longer valid.
In any of these cases, log in again in a local browser, copy the new refresh_token from the POST /api/auth/tokens/ response, and re-run:
printf '%s' '<new_refresh_token>' | mercadona set-refresh --stdin
