Authentication

The CannMenus API uses API tokens for authentication. Include your token in every request to access the API.


Getting Your API Token

  1. Log in to your CannMenus Pro account
  2. Navigate to the API section in your dashboard
  3. Click Generate Token to create a new token

Using Your Token

Include your API token in the X-Token header of every request:

curl "https://api.cannmenus.com/v2/products?states=California&page=1" \
  -H "X-Token: YOUR_API_TOKEN"

Python

import requests

headers = {"X-Token": "YOUR_API_TOKEN"}

response = requests.get(
    "https://api.cannmenus.com/v2/products",
    headers=headers,
    params={"states": "California", "page": 1}
)

JavaScript

const response = await fetch(
  "https://api.cannmenus.com/v2/products?states=California&page=1",
  {
    headers: { "X-Token": "YOUR_API_TOKEN" }
  }
);

OAuth Authentication (MCP)

Claude.ai and other OAuth-compatible clients can authenticate with the CannMenus MCP server via OAuth 2.0 authorization code flow — no API token needed.

When using OAuth:

  • You are redirected to cannmenus.com to log in and approve access
  • Access is tied to your user's organization — no separate API token is required
  • Data access is scoped to the organization's configured permissions (states, brands, dispensaries)

This is the recommended authentication method for Claude.ai. See MCP Setup for configuration details.


Token Management Best Practices

Use Separate Tokens for Each Environment

Keep development and production tokens separate. If a development token is compromised, your production integration remains secure.

Rotate Tokens Regularly

  1. Generate a new token in the dashboard
  2. Update your application to use the new token
  3. Verify the new token works
  4. Delete the old token

With two active tokens, you can rotate without any downtime.

Keep Tokens Secure

  • Never commit tokens to version control — Use environment variables
  • Never expose tokens in client-side code — Make API calls from your backend
  • Never share tokens — Each integration should use its own token

# Store in environment variable
export CANNMENUS_API_TOKEN="your_token_here"

Python

import os
token = os.environ.get("CANNMENUS_API_TOKEN")

Authentication Errors

Status Code | Description
404         | Missing or invalid API token

Example Error Response

When an invalid token is provided, the API returns a 404 status:

{
  "detail": "Not Found"
}

Troubleshooting

  1. Check the header name — Use X-Token, not Authorization or Bearer
  2. Verify the token value — Copy directly from the dashboard, no extra spaces
  3. Confirm the token is active — Check the dashboard to ensure it wasn't deleted
  4. Check your plan — Some endpoints may require specific subscription tiers
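
The first checks above, together with step 3 of the rotation procedure, can be automated. The following is an added example, not CannMenus code: the function names and diagnosis labels are hypothetical, and it uses only the Python standard library instead of requests.

```python
import json
import os
import urllib.error
import urllib.request

API_URL = "https://api.cannmenus.com/v2/products?states=California&page=1"
ENV_VAR = "CANNMENUS_API_TOKEN"


def load_token(env=os.environ, var=ENV_VAR):
    """Read the token from the environment and reject obviously bad values."""
    raw = env.get(var)
    if raw is None or not raw.strip():
        raise RuntimeError(f"{var} is not set")
    if raw != raw.strip():
        raise RuntimeError(f"{var} has leading or trailing whitespace")
    if raw in ("YOUR_API_TOKEN", "your_token_here"):
        raise RuntimeError(f"{var} still holds the documentation placeholder")
    return raw


def build_request(token, url=API_URL):
    """Send the token in X-Token, not in Authorization or as a Bearer value."""
    return urllib.request.Request(url, headers={"X-Token": token})


def classify(status, body):
    """Map a response to a diagnosis label (labels are hypothetical)."""
    if 200 <= status < 300:
        return "ok"
    if status == 404:
        try:
            detail = json.loads(body).get("detail")
        except (ValueError, AttributeError):
            detail = None
        # 404 with {"detail": "Not Found"} is the documented bad-token reply.
        return "check-token" if detail == "Not Found" else "not-found"
    return "other-error"


def verify_token(token, url=API_URL, timeout=10):
    """Rotation step 3: confirm a token works before deleting the old one."""
    try:
        req = build_request(token, url)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())
```

During a rotation, delete the old token only after verify_token(load_token()) returns "ok" for the new one.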

Need Help?

If you're having authentication issues, contact support with:

  • The error message you're receiving
  • The endpoint you're trying to access
  • When the issue started (especially if it was working before)