This page contains some general notes about the MyEdenred app. This is the app I use to pay for my lunches at work.

As expected, the application communicates with multiple tracking and analytics services.

Edenred API

The application sends the current app version, Android version and the device model. It gets back the following response.

    {
        "Data": {
            "AppVersionUpgradeURl": null,
            "ForceVersionUpgrade": false,
            "Header": null,
            "Message": null,
            "OptionalVersionUpgrade": false
        },
        "Status": false,
        "error": "",
        "success": true
    }

The application sends its refresh token and the device ID (why device ID? It’s not secure), and gets back a new access token.

This endpoint is called CombinedLogin, but it’s not actually used for logging in. I suppose they used “login” as the home screen of the app you see after logging in.

You send it the device ID (again, why?), your current location (latitude and longitude), along with the access token you got from the /token endpoint.

The server responds with basically everything you see on the main screen. This includes.

Recent transactions

This is located in a key called card_transactions. It’s an array of objects. Each object looks like this.

    {
        "rest_name": "Friendly Neighbourhood Burger",
        "tra_date": "03/07/2023", // Transaction date
        "tra_date_hour": "03/07/2023 19:00", // Transaction datetime
        "tra_amount": "150,8600", // Amount spent or added
        "tra_label": "HARCAMA", // HARCAMA (spend) or YÜKLEME (add)
        "tra_balance": "2500,9000", // The balance after the transaction
        "discount_amount": "0,0000",
        "loyalty_message": "",
        "campaign_code": "",
        "balance_type": ""
    }

Send location, along with a search query. The server responds with a list of matching restaurants.

    {
        "cat_code": "",
        "dep_code": "",
        "has_campaign": false,
        "is_market": false,
        "latitude": "41.01111",
        "limit": "100",
        "longitude": "29.01111",
        "rest_name": "",
        "twn_code": "",
        "usr_id": ""
    }

Misc stuff

Grabs the client IP from

The app uses the tracking/analytics API. All the communication happens over HTTPS, and every request seems to be a POST request.



This header is sent with the value edenredprod. Does this imply the existence of an edenreddev or edenredtest app key?


Sent with the value 77MNEli8Vfzfl6T_eB8P_BqbkiCJ_vtMa7ILrkRJEV2oDx__GaSyiA.


Clearly the SDK version. Sent with the value 3.9.4.


Sent with the value google.


Sent with the value ANDROID.


Sent with the value application/json; charset=UTF-8.


On startup, the app sends a POST request to this endpoint. The request body is a JSON object. It contains the following fields.

    {
        "cfgV": 112, // Configuration version?
        "ids": {
            "did": "123123123", // Device ID?
            "iid": "123123123", // Instance ID?
            "sid": "123123123", // Session ID?
            "uid": "123123123", // User ID?
            "xid": "919bdd1c-b7ab-422a-a47d-e2d40ddf855f" // Some UUID
        },
        "info": {},
        "ts": 1688580747020, // Unix timestamp in milliseconds
        "tz": 10800 // Timezone offset in seconds (3 hours)
    }

The same ids object is sent with every request.
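
To see what the restaurant search request and the analytics startup request shown above disclose, the following added example (not code from the app or from these notes) inventories the populated identifier fields in a captured request body and the ground resolution implied by the decimal places of the coordinates. The sample bodies are constructed from the values on this page with the comments stripped; `leaves`, `coordinate_resolution_m` and `audit` are names introduced here.

```python
import json
from decimal import Decimal

# Constructed samples, shaped like the search and analytics request bodies above.
SEARCH_BODY = """{"cat_code": "", "has_campaign": false, "latitude": "41.01111",
 "limit": "100", "longitude": "29.01111", "rest_name": "", "usr_id": ""}"""
ANALYTICS_BODY = """{"cfgV": 112, "ids": {"did": "123123123", "iid": "123123123",
 "sid": "123123123", "uid": "123123123",
 "xid": "919bdd1c-b7ab-422a-a47d-e2d40ddf855f"},
 "info": {}, "ts": 1688580747020, "tz": 10800}"""

LOCATION_KEYS = {"latitude", "longitude"}
# The meanings of the short analytics keys are this page's guesses.
ID_KEYS = {"did", "iid", "sid", "uid", "xid", "usr_id"}
# Approximate length of one degree of latitude. A degree of longitude is
# shorter away from the equator, so for longitude this is an upper bound.
METRES_PER_DEGREE = 111_320

def leaves(node, path=""):
    """Yield (dotted_path, value) for every scalar in a decoded JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, f"{path}[{index}]")
    else:
        yield path, node

def coordinate_resolution_m(text):
    """Ground resolution implied by the decimal places of a coordinate string."""
    places = max(0, -Decimal(text).as_tuple().exponent)
    return METRES_PER_DEGREE * 10 ** -places

def audit(body):
    """Return (path, kind, detail) for each populated location or ID field."""
    findings = []
    for path, value in leaves(json.loads(body)):
        key = path.rsplit(".", 1)[-1]
        if value in ("", None):
            continue  # field present but empty: nothing leaves the device
        if key in LOCATION_KEYS:
            findings.append((path, "location", round(coordinate_resolution_m(str(value)), 2)))
        elif key in ID_KEYS:
            findings.append((path, "identifier", str(value)))
    return findings

if __name__ == "__main__":
    for body in (SEARCH_BODY, ANALYTICS_BODY):
        for finding in audit(body):
            print(finding)
```

Five decimal places of latitude works out to roughly one metre, so the search request carries a position far more precise than a restaurant lookup needs.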


Seems to be a pretty simple logging endpoint.