Authorization API Reference


Authorization Basics

Before other Square accounts can use your application, they need to grant it permission to make API calls on their behalf.

Your application can use the Square Permission Request form to start the OAuth access token workflow for this purpose. OAuth access tokens are ASCII strings no greater than 64 bytes in length. OAuth access tokens are scoped to specific permissions explicitly granted by the account holder.


Authorize endpoint

To send users to the Permission Request form and start the OAuth flow, configure a link with the desired permissions that directs users to the OAuth Authorization endpoint. See the OAuth Setup Guide for more information.

GET /oauth2/authorize

Request parameters

Name Type Description
client_id string

The Square-issued ID of the application requesting permissions.

scope string

Optional. A space-separated list of the permissions the application is requesting. Request only the permissions the application actually needs rather than relying on the default, which includes bank account and settlement data.

Default: MERCHANT_PROFILE_READ PAYMENTS_READ SETTLEMENTS_READ BANK_ACCOUNTS_READ

locale string

Optional. The locale to present the Permission Request form in. Square detects the appropriate locale automatically. Only provide this value if the application can definitively determine the preferred locale. Currently supported values: en-US, en-CA, es-US, fr-CA, ja-JP.

session boolean

If false, the user must log in to their Square account to view the Permission Request form, even if they already have a valid user session.

Default: true

state string

Optional, but strongly recommended. When provided, state is passed along to the configured Redirect URL after the Permission Request form is submitted. To protect against cross-site request forgery, generate an unguessable random value for each authorization attempt, bind it to the user's session on your server, and reject any callback whose state does not match the stored value before using the code it carries.

Authorization response

When users submit the Permission Request form, the Square OAuth server redirects the browser to the configured Redirect URL. The query parameters included in that URL depend on whether authorization succeeded.

Success response

If authorization succeeds, the redirect to your Redirect URL includes the following query parameters:

Name Type Description
code string A valid authorization code. Authorization codes are exchanged for OAuth access tokens with the ObtainToken endpoint.
state string The same value specified in the request.

Failure response

If authorization fails (for example, the user denied access or an error occurred), the redirect to your Redirect URL includes the following query parameters:

Name Type Description
error string The type of error that occurred. If the user denied access, this value is access_denied.
error_description string The reason the error occurred. If the user denied access, this value is user_denied.
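The following Python example is added here and is not Square's code. It puts the Authorize endpoint and the callback handling above together: it generates a random state, builds the Permission Request link with an explicit scope checked against the OAuthPermission list on this page, and validates the redirect, rejecting a state mismatch before it looks at code or error. The host in AUTHORIZE_ENDPOINT and the callback URLs are assumptions; the page gives only the path.

```python
"""Start the Square OAuth flow and validate the redirect (added example, not Square's code)."""
from __future__ import annotations

import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Permissions listed under OAuthPermission on this page.
KNOWN_PERMISSIONS = frozenset({
    "BANK_ACCOUNTS_READ", "CUSTOMERS_READ", "CUSTOMERS_WRITE",
    "EMPLOYEES_READ", "EMPLOYEES_WRITE", "INVENTORY_READ", "INVENTORY_WRITE",
    "ITEMS_READ", "ITEMS_WRITE", "MERCHANT_PROFILE_READ", "ORDERS_READ",
    "ORDERS_WRITE", "PAYMENTS_READ", "PAYMENTS_WRITE",
    "PAYMENTS_WRITE_ADDITIONAL_RECIPIENTS", "PAYMENTS_WRITE_IN_PERSON",
    "SETTLEMENTS_READ", "TIMECARDS_READ", "TIMECARDS_WRITE",
    "TIMECARDS_SETTINGS_READ", "TIMECARDS_SETTINGS_WRITE",
})
# Assumption: the host that serves /oauth2/authorize; the page gives only the path.
AUTHORIZE_ENDPOINT = "https://connect.squareup.com/oauth2/authorize"


class OAuthCallbackError(Exception):
    """Raised when the redirect cannot be trusted or reports a failure."""


def new_state() -> str:
    """Unguessable per-attempt CSRF token; store it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, scopes: list[str], state: str,
                        session: bool = True, locale: str | None = None) -> str:
    """Build the Permission Request link with an explicit, minimal scope.

    The scope is mandatory here so the broad default grant is never used by accident.
    """
    if not scopes:
        raise ValueError("request an explicit scope; do not rely on the default grant")
    unknown = set(scopes) - KNOWN_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    params = {"client_id": client_id, "scope": " ".join(scopes), "state": state}
    if not session:
        params["session"] = "false"  # force a fresh login before consent
    if locale:
        params["locale"] = locale
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect Square sent to the Redirect URL and return the code.

    Order matters: state is checked first so a forged or replayed redirect is
    rejected before its code could ever be sent to ObtainToken.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    returned_state = query.get("state", [""])[0]
    # Constant-time comparison on bytes; a missing state fails the same way.
    if not expected_state or not hmac.compare_digest(
            returned_state.encode(), expected_state.encode()):
        raise OAuthCallbackError("state mismatch: possible CSRF or replayed redirect")
    if "error" in query:
        error = query["error"][0]
        description = query.get("error_description", [""])[0]
        raise OAuthCallbackError(f"{error}: {description}")
    code = query.get("code", [""])[0]
    if not code:
        raise OAuthCallbackError("redirect carried neither code nor error")
    return code
```

Store the value from new_state() in the server-side session when you render the link, and pass that stored value as expected_state when the redirect arrives; never accept a state that the callback itself supplies as the expected value.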

Authorization APIs

If Square API endpoints receive too many requests associated with the same application ID or access token in a short time window, they might respond with a 429 Too Many Requests error. Treat this as a signal to back off and retry the request later, not to retry immediately.

CreateMobileAuthorizationCode

POST /mobile/authorization-code

Generates a code that authorizes a mobile application to connect to a Square card reader.

Authorization codes are one-time-use and expire 60 minutes after being issued.

Important: The Authorization header you provide to this endpoint must have the following format:

Authorization: Bearer ACCESS_TOKEN

Replace ACCESS_TOKEN with a valid production authorization credential.

Required permissions: PAYMENTS_WRITE_IN_PERSON

Body Parameters

Name Type Description
location_id string

The Square location ID the authorization code should be tied to.

Response fields

Name Type Description
authorization_code string

Generated authorization code that connects a mobile application instance to a Square account.

expires_at string

The timestamp when authorization_code expires in RFC 3339 format, e.g., "2016-09-04T23:59:33.123Z".

error Error

An error object that provides details about why creation of the authorization code failed.

Example Request

POST /mobile/authorization-code

{
  "location_id": "YOUR_LOCATION_ID"
}

Example Response

{
  "authorization_code": "YOUR_MOBILE_AUTHZ_CODE",
  "expires_at": "2019-01-10T19:42:08Z"
}

ObtainToken

POST /oauth2/token

Returns an OAuth access token.

The endpoint supports several methods of obtaining OAuth access tokens. Applications specify a method with the grant_type parameter and supply the parameter that grant type requires (code, refresh_token, or migration_token). For more information, see OAuth access token management.

Note: Regardless of the grant type specified, the endpoint always returns both an OAuth access token and a refresh token in the response.

OAuth tokens and the application secret should only live on secure servers. Application clients (browsers, mobile apps) should never interact directly with OAuth tokens or see the client_secret; route every call to this endpoint through your backend.

Body Parameters

Name Type Description
client_id string

The Square-issued ID of your application, available from the application dashboard.

client_secret string

The Square-issued application secret for your application, available from the application dashboard.

code string

The authorization code to exchange. This is required if grant_type is set to authorization_code, to indicate that the application wants to exchange an authorization code for an OAuth access token.

redirect_uri string

The redirect URL assigned in the application dashboard.

grant_type string

Specifies the method to request an OAuth access token. Valid values are authorization_code, refresh_token, and migration_token.

refresh_token string

A valid refresh token for generating a new OAuth access token. Required if grant_type is set to refresh_token, to indicate that the application wants a replacement for an expired or expiring OAuth access token.

migration_token string

Legacy OAuth access token obtained using a Connect API version prior to 2019-03-13. This parameter is required if grant_type is set to migration_token to indicate that the application wants to get a replacement OAuth access token. The response also returns a refresh token. For more information, see Migrate to Using Refresh Tokens.

Response fields

Name Type Description
access_token string

A valid OAuth access token. OAuth access tokens are ASCII strings of at most 64 bytes. Provide the access token in an Authorization: Bearer header with every request to Connect API endpoints. See the Build with OAuth guide for more information.

token_type string

This value is always bearer.

expires_at string

The date when access_token expires, in ISO 8601 format.

merchant_id string

The ID of the authorizing merchant's business.

subscription_id string

LEGACY FIELD. The ID of a subscription plan the merchant signed up for. Only present if the merchant signed up for a subscription during authorization.

plan_id string

LEGACY FIELD. The ID of the subscription plan the merchant signed up for. Only present if the merchant signed up for a subscription during authorization.

id_token string

The OpenID Connect ID token for the authorizing person. Only present if the OPENID scope is included in the authorize request.

refresh_token string

A refresh token. For more information, see OAuth access token management.

Example Request

POST /oauth2/token

{
  "client_id": "APPLICATION_ID",
  "client_secret": "APPLICATION_SECRET",
  "grant_type": "authorization_code",
  "code": "CODE_FROM_AUTHORIZE"
}

Example Response

{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_at": "2006-01-02T15:04:05Z",
  "merchant_id": "MERCHANT_ID",
  "refresh_token": "REFRESH_TOKEN"
}
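An added Python example (not Square's code) of the token lifecycle this section describes: it builds ObtainToken bodies that satisfy the per-grant_type requirements from the table above, exchanges an authorization code, and refreshes before expiry, keeping the secret and the tokens on the server. The host in TOKEN_ENDPOINT, the transport signature, and the fake_square responder are assumptions; the fake's error bodies are constructed and do not reproduce Square's real error shape.

```python
"""Exchange an authorization code and keep the access token fresh (added example, not Square's code)."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumption: the host that serves /oauth2/token; the page gives only the path.
TOKEN_ENDPOINT = "https://connect.squareup.com/oauth2/token"

# Transport signature: (url, headers, json_body) -> (http_status, parsed_json).
# Injected so the example runs offline against the fake below; pass a function
# built on requests/httpx for real use.
Transport = Callable[[str, dict, dict], tuple]

# Which body parameter each grant_type requires (from the ObtainToken table).
REQUIRED_BY_GRANT = {
    "authorization_code": "code",
    "refresh_token": "refresh_token",
    "migration_token": "migration_token",
}


def build_token_request(client_id: str, client_secret: str, grant_type: str,
                        redirect_uri: Optional[str] = None, **params: str) -> dict:
    """Body for ObtainToken; refuses a request missing what its grant_type needs."""
    needed = REQUIRED_BY_GRANT.get(grant_type)
    if needed is None:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    if not params.get(needed):
        raise ValueError(f"grant_type={grant_type} requires {needed}")
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": grant_type, needed: params[needed]}
    if grant_type == "authorization_code" and redirect_uri:
        body["redirect_uri"] = redirect_uri
    return body


def parse_expires_at(value: str) -> datetime:
    """expires_at is ISO 8601; 'Z' must be rewritten for fromisoformat on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class TokenStore:
    """Server-side holder for one merchant's credentials; never sent to a client."""

    def __init__(self, client_id: str, client_secret: str, transport: Transport):
        self.client_id, self.client_secret, self.transport = client_id, client_secret, transport
        self.access_token = self.refresh_token = self.merchant_id = None
        self.expires_at: Optional[datetime] = None

    def _obtain(self, grant_type: str, **params) -> dict:
        body = build_token_request(self.client_id, self.client_secret, grant_type, **params)
        status, payload = self.transport(TOKEN_ENDPOINT, {"Content-Type": "application/json"}, body)
        if status != 200 or "access_token" not in payload:
            raise RuntimeError(f"ObtainToken failed: HTTP {status} {json.dumps(payload)}")
        self.access_token = payload["access_token"]
        # The page says a refresh token is always returned; keep the old one if it is ever absent.
        self.refresh_token = payload.get("refresh_token", self.refresh_token)
        self.expires_at = parse_expires_at(payload["expires_at"])
        self.merchant_id = payload.get("merchant_id")
        return payload

    def exchange_code(self, code: str, redirect_uri: Optional[str] = None) -> dict:
        return self._obtain("authorization_code", code=code, redirect_uri=redirect_uri)

    def needs_refresh(self, now: Optional[datetime] = None,
                      margin: timedelta = timedelta(minutes=5)) -> bool:
        """True when no token is held or the token is within `margin` of expires_at."""
        now = now or datetime.now(timezone.utc)
        return self.expires_at is None or now + margin >= self.expires_at

    def bearer_header(self, now: Optional[datetime] = None) -> dict:
        """Authorization header for Connect API calls, refreshing first when near expiry."""
        if self.needs_refresh(now):
            self._obtain("refresh_token", refresh_token=self.refresh_token)
        return {"Authorization": f"Bearer {self.access_token}"}


def fake_square(url: str, headers: dict, body: dict) -> tuple:
    """Constructed stand-in for the token endpoint so the example runs offline (not Square)."""
    assert url == TOKEN_ENDPOINT
    if body["client_secret"] != "APPLICATION_SECRET":
        return 401, {"message": "Invalid client or client secret"}
    grant = body["grant_type"]
    if grant == "authorization_code" and body["code"] != "CODE_FROM_AUTHORIZE":
        return 400, {"message": "Invalid code"}
    if grant == "refresh_token" and body["refresh_token"] != "REFRESH_TOKEN":
        return 401, {"message": "Unauthorized"}
    expires = datetime.now(timezone.utc) + timedelta(days=30)
    return 200, {
        "access_token": "ACCESS_TOKEN_1" if grant == "authorization_code" else "ACCESS_TOKEN_2",
        "token_type": "bearer",
        "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "merchant_id": "MERCHANT_ID",
        "refresh_token": "REFRESH_TOKEN",
    }
```

The same bearer_header() output is what CreateMobileAuthorizationCode and every other Connect API call expects; refreshing a few minutes early avoids a round of ACCESS_TOKEN_EXPIRED failures at the boundary.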

RenewToken DEPRECATED

POST /oauth2/clients/{client_id}/access-token/renew

RenewToken is deprecated. For information about refreshing OAuth access tokens, see Renew OAuth Token.

Renews an OAuth access token before it expires.

OAuth access tokens besides your application's personal access token expire after 30 days. You can also renew expired tokens within 15 days of their expiration. You cannot renew an access token that has been expired for more than 15 days. Instead, the associated user must re-complete the OAuth flow from the beginning.

Important: The Authorization header for this endpoint must have the following format:

Authorization: Client APPLICATION_SECRET

Replace APPLICATION_SECRET with the application secret on the Credentials page in the application dashboard.

Path Parameters

Name Type Description
client_id string (required)

Your application's ID, available from the application dashboard.

Body Parameters

Name Type Description
access_token string

The token you want to renew.

Response fields

Name Type Description
access_token string

The renewed access token. This value might be different from the access_token you provided in your request. You provide this token in a header with every request to Connect API endpoints. See Request and response headers for the format of this header.

token_type string

This value is always bearer.

expires_at string

The date when access_token expires, in ISO 8601 format.

merchant_id string

The ID of the authorizing merchant's business.

subscription_id string

LEGACY FIELD. The ID of the merchant subscription associated with the authorization. Only present if the merchant signed up for a subscription during authorization.

plan_id string

LEGACY FIELD. The ID of the subscription plan the merchant signed up for. Only present if the merchant signed up for a subscription during authorization.

Example Request

POST /oauth2/clients/{client_id}/access-token/renew

{
  "access_token": "ACCESS_TOKEN"
}

Example Response

{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_at": "2006-01-02T15:04:05Z",
  "merchant_id": "MERCHANT_ID"
}

RevokeToken

POST /oauth2/revoke

Revokes an access token generated with the OAuth flow.

If an account has more than one OAuth access token for your application, this endpoint revokes all of them, regardless of which token you specify. When an OAuth access token is revoked, all of the active subscriptions associated with that OAuth token are canceled immediately.

Important: The Authorization header for this endpoint must have the following format:

Authorization: Client APPLICATION_SECRET

Replace APPLICATION_SECRET with the application secret on the Credentials page in the application dashboard.

Body Parameters

Name Type Description
client_id string

Your application's ID, available from the application dashboard.

access_token string

The access token of the merchant whose token you want to revoke. Do not provide a value for merchant_id if you provide this parameter.

merchant_id string

The ID of the merchant whose token you want to revoke. Do not provide a value for access_token if you provide this parameter.

Response fields

Name Type Description
success boolean

If the request is successful, this is true.

Example Request

POST /oauth2/revoke

{
  "access_token": "ACCESS_TOKEN",
  "client_id": "CLIENT_ID"
}

Example Response

{
  "success": true
}
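An added Python example (not Square's code) that assembles a RevokeToken request, enforcing the exactly-one-of rule for access_token and merchant_id and the Client authorization scheme described above. The host in REVOKE_ENDPOINT is an assumption; the page gives only the path.

```python
"""Build a RevokeToken request (added example, not Square's code)."""
from __future__ import annotations

from typing import Optional

# Assumption: the host that serves /oauth2/revoke; the page gives only the path.
REVOKE_ENDPOINT = "https://connect.squareup.com/oauth2/revoke"


def build_revoke_request(client_id: str, application_secret: str, *,
                         access_token: Optional[str] = None,
                         merchant_id: Optional[str] = None) -> tuple:
    """Return (url, headers, body) for RevokeToken.

    Exactly one of access_token or merchant_id may be given, and the endpoint is
    authenticated with the application secret under the Client scheme, not with a
    merchant's Bearer token. Revocation removes every token the account holds for
    this application, so callers should treat it as an account-level action.
    """
    if bool(access_token) == bool(merchant_id):
        raise ValueError("provide exactly one of access_token or merchant_id")
    body = {"client_id": client_id}
    if access_token:
        body["access_token"] = access_token
    else:
        body["merchant_id"] = merchant_id
    headers = {"Authorization": f"Client {application_secret}",
               "Content-Type": "application/json"}
    return REVOKE_ENDPOINT, headers, body


def revoke_succeeded(status: int, payload: dict) -> bool:
    """Only HTTP 200 with success=true means the tokens are gone; anything else
    must be retried or investigated before the stored tokens are discarded."""
    return status == 200 and payload.get("success") is True
```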

API Data Types

Error

Represents an error encountered during a request to the Connect API.

Fields

Name Type Description
category string

The high-level category for the error. See ErrorCategory for possible values.

code string

The specific code of the error. See ErrorCode for possible values.

detail string

A human-readable description of the error for debugging purposes.

field string

The name of the field provided in the original request (if any) that the error pertains to.

API Static Values

Some static string collections include the value OTHER. Responses that currently include the value OTHER might have a different value at a later date, when an appropriate value has been added to the enum. Static strings besides OTHER never change retroactively.

ErrorCategory

Indicates which high-level category of error has occurred during a request to the Connect API.

Fields

Name Description
API_ERROR

An error occurred with the Connect API itself.

AUTHENTICATION_ERROR

An authentication error occurred. Most commonly, the request had a missing, malformed, or otherwise invalid Authorization header.

INVALID_REQUEST_ERROR

The request was invalid. Most commonly, a required parameter was missing, or a provided parameter had an invalid value.

RATE_LIMIT_ERROR

Your application reached the Connect API rate limit. Retry your request after a while.

PAYMENT_METHOD_ERROR

An error occurred while processing a payment method. Most commonly, the details of the payment method were invalid (such as a card's CVV or expiration date).

REFUND_ERROR

An error occurred while attempting to process a refund.

ErrorCode

Indicates the specific error that occurred during a request to a Square API.

Fields

Name Description
INTERNAL_SERVER_ERROR

500 Internal Server Error - a general server error occurred.

UNAUTHORIZED

401 Unauthorized - a general authorization error occurred.

ACCESS_TOKEN_EXPIRED

401 Unauthorized - the provided access token has expired.

ACCESS_TOKEN_REVOKED

401 Unauthorized - the provided access token has been revoked.

FORBIDDEN

403 Forbidden - a general access error occurred.

INSUFFICIENT_SCOPES

403 Forbidden - the provided access token does not have permission to execute the requested action.

APPLICATION_DISABLED

403 Forbidden - the calling application was disabled.

V1_APPLICATION

403 Forbidden - the calling application was created prior to 2016-03-30 and is not compatible with v2 Square API calls.

V1_ACCESS_TOKEN

403 Forbidden - the calling application is using an access token created prior to 2016-03-30 and is not compatible with v2 Square API calls.

CARD_PROCESSING_NOT_ENABLED

403 Forbidden - the location provided in the API call is not enabled for credit card processing.

BAD_REQUEST

400 Bad Request - a general error occurred.

MISSING_REQUIRED_PARAMETER

400 Bad Request - the request is missing a required path, query, or body parameter.

INCORRECT_TYPE

400 Bad Request - the value provided in the request is the wrong type. For example, a string instead of an integer.

INVALID_TIME

400 Bad Request - formatting for the provided time value is incorrect.

INVALID_TIME_RANGE

400 Bad Request - the time range provided in the request is invalid. For example, the end time is before the start time.

INVALID_VALUE

400 Bad Request - the provided value is invalid. For example, including % in a phone number.

INVALID_CURSOR

400 Bad Request - the pagination cursor included in the request is invalid.

UNKNOWN_QUERY_PARAMETER

400 Bad Request - a query parameter provided is not valid for the requested endpoint.

CONFLICTING_PARAMETERS

400 Bad Request - one or more of the request parameters conflict with each other.

EXPECTED_JSON_BODY

400 Bad Request - the request body is not a JSON object.

INVALID_SORT_ORDER

400 Bad Request - the provided sort order is not a valid key. Currently, sort order must be ASC or DESC.

VALUE_REGEX_MISMATCH

400 Bad Request - the provided value does not match an expected regular expression.

VALUE_TOO_SHORT

400 Bad Request - the provided string value is shorter than the minimum length allowed.

VALUE_TOO_LONG

400 Bad Request - the provided string value is longer than the maximum length allowed.

VALUE_TOO_LOW

400 Bad Request - the provided value is less than the supported minimum.

VALUE_TOO_HIGH

400 Bad Request - the provided value is greater than the supported maximum.

VALUE_EMPTY

400 Bad Request - the provided value has a default (empty) value such as a blank string.

ARRAY_LENGTH_TOO_LONG

400 Bad Request - the provided array has too many elements.

ARRAY_LENGTH_TOO_SHORT

400 Bad Request - the provided array has too few elements.

ARRAY_EMPTY

400 Bad Request - the provided array is empty.

EXPECTED_BOOLEAN

400 Bad Request - the endpoint expected the provided value to be a boolean.

EXPECTED_INTEGER

400 Bad Request - the endpoint expected the provided value to be an integer.

EXPECTED_FLOAT

400 Bad Request - the endpoint expected the provided value to be a float.

EXPECTED_STRING

400 Bad Request - the endpoint expected the provided value to be a string.

EXPECTED_OBJECT

400 Bad Request - the endpoint expected the provided value to be a JSON object.

EXPECTED_ARRAY

400 Bad Request - the endpoint expected the provided value to be an array or list.

EXPECTED_MAP

400 Bad Request - the endpoint expected the provided value to be a map or associative array.

EXPECTED_BASE64_ENCODED_BYTE_ARRAY

400 Bad Request - the endpoint expected the provided value to be an array encoded in base64.

INVALID_ARRAY_VALUE

400 Bad Request - one or more objects in the array do not match the array type.

INVALID_ENUM_VALUE

400 Bad Request - the provided static string is not valid for the field.

INVALID_CONTENT_TYPE

400 Bad Request - invalid content type header.

INVALID_FORM_VALUE

400 Bad Request - Only relevant for applications created prior to 2016-03-30. Indicates there was an error while parsing form values.

ONE_INSTRUMENT_EXPECTED

400 Bad Request - a general error occurred.

NO_FIELDS_SET

400 Bad Request - a general error occurred.

CARD_EXPIRED

The card issuer declined the request because the card is expired.

INVALID_EXPIRATION

The expiration date for the payment card is invalid. For example, it indicates a date in the past.

INVALID_EXPIRATION_YEAR

The expiration year for the payment card is invalid. For example, it indicates a year in the past or contains invalid characters.

INVALID_EXPIRATION_DATE

The expiration date for the payment card is invalid. For example, it contains invalid characters.

UNSUPPORTED_CARD_BRAND

The credit card provided is not from a supported issuer.

UNSUPPORTED_ENTRY_METHOD

The entry method for the credit card (swipe, dip, tap) is not supported.

INVALID_ENCRYPTED_CARD

The encrypted card information is invalid.

INVALID_CARD

The credit card cannot be validated based on the provided details.

GENERIC_DECLINE

The credit card was declined by the issuer for an unspecified reason.

CVV_FAILURE

The card issuer declined the request because the CVV value is invalid.

ADDRESS_VERIFICATION_FAILURE

The card issuer declined the request because the postal code is invalid.

INVALID_ACCOUNT

The card issuer was not able to locate the account on record.

CURRENCY_MISMATCH

The currency associated with the payment is not valid for the provided funding source. For example, a gift card funded in USD cannot be used to process payments in GBP.

INSUFFICIENT_FUNDS

The funding source has insufficient funds to cover the payment.

INSUFFICIENT_PERMISSIONS

The Square account associated with the payment does not have the permissions necessary to accept the payment. For example, Square may limit which merchants are allowed to process gift card payments.

CARDHOLDER_INSUFFICIENT_PERMISSIONS

The funding source associated with the payment has limitations on how it can be used. For example, it is only valid for specific merchants or transaction types.

INVALID_LOCATION

The associated Square account is not allowed to take payments in this region.

TRANSACTION_LIMIT

The payment amount violates an associated transaction limit, i.e., it is too low or too high. For example, the card used is a prepaid credit card.

VOICE_FAILURE

The transaction was declined because the card issuer requires voice authorization from the cardholder.

PAN_FAILURE

The specified card number is invalid. For example, it is of incorrect length or is incorrectly formatted.

EXPIRATION_FAILURE

The card expiration date is either invalid or indicates that the card is expired.

CARD_NOT_SUPPORTED

The card is not supported in the geographic region associated with the Square account. For example, the card is accepted in the US but not in Japan.

INVALID_PIN

The card issuer declined the request because the PIN is invalid.

INVALID_POSTAL_CODE

The postal code is improperly formatted.

INVALID_FEES

The total fee amount associated with the payment is too high.

MANUALLY_ENTERED_PAYMENT_NOT_SUPPORTED

The payment was declined because manually keying-in the card information is disallowed. The card must be swiped, tapped, or dipped.

PAYMENT_LIMIT_EXCEEDED

Square declined the request because the payment amount exceeds the processing limit for the associated Square account.

GIFT_CARD_AVAILABLE_AMOUNT

Square declined the request because the payment amount exceeds the processing limit for the associated Square account.

DELAYED_TRANSACTION_EXPIRED

The application tried to update a delayed-capture payment that has expired.

DELAYED_TRANSACTION_CANCELED

The application tried to cancel a delayed-capture payment that was already canceled.

DELAYED_TRANSACTION_CAPTURED

The application tried to capture a delayed-capture payment that was already captured.

DELAYED_TRANSACTION_FAILED

The application tried to update a delayed-capture payment that failed.

CARD_TOKEN_EXPIRED

The provided card token (nonce) has expired.

CARD_TOKEN_USED

The provided card token (nonce) was already used to process payment.

AMOUNT_TOO_HIGH

The requested payment amount is too high for the provided payment source.

UNSUPPORTED_INSTRUMENT_TYPE

The API request references an unsupported instrument type.

REFUND_AMOUNT_INVALID

The requested refund amount exceeds the amount available to refund.

REFUND_ALREADY_PENDING

The payment already has a pending refund.

PAYMENT_NOT_REFUNDABLE

The payment is not refundable. For example, a previous refund has already been rejected and no new refunds can be accepted.

INVALID_CARD_DATA

Generic error - the provided card data is invalid.

LOCATION_MISMATCH

Generic error - the given location does not match what is expected.

IDEMPOTENCY_KEY_REUSED

The provided idempotency key has already been used.

UNEXPECTED_VALUE

General error - the value provided was unexpected.

SANDBOX_NOT_SUPPORTED

The API request is not supported in sandbox.

INVALID_EMAIL_ADDRESS

The provided email address is invalid.

INVALID_PHONE_NUMBER

The provided phone number is invalid.

CHECKOUT_EXPIRED

The provided checkout URL has expired.

BAD_CERTIFICATE

Bad certificate.

INVALID_SQUARE_VERSION_FORMAT

The provided Square-Version is incorrectly formatted.

API_VERSION_INCOMPATIBLE

The provided Square-Version is incompatible with the requested action.

INVALID_URL

The provided API URL is invalid.

HTTPS_ONLY

The request must be made over HTTPS; plain HTTP is rejected.

CARD_DECLINED

402 Request failed - the card was declined.

VERIFY_CVV_FAILURE

402 Request failed - the CVV could not be verified.

VERIFY_AVS_FAILURE

402 Request failed - the AVS could not be verified.

CARD_DECLINED_CALL_ISSUER

402 Request failed - the payment card was declined with a request for the card holder to call the issuer.

CARD_DECLINED_VERIFICATION_REQUIRED

402 Request failed - the payment card was declined with a request for additional verification.

BAD_EXPIRATION

402 Request failed - the card expiration date is either missing or incorrectly formatted.

CHIP_INSERTION_REQUIRED

402 Request failed - the card issuer requires that the card be read using a chip reader.

ALLOWABLE_PIN_TRIES_EXCEEDED

402 Request failed - the card has exhausted the PIN entry retries allowed by the card issuer. Resolving the error typically requires the card holder to contact the card issuer.

RESERVATION_DECLINED

402 Request failed - The card issuer declined the refund.

NOT_FOUND

404 Not Found - a general error occurred.

APPLE_PAYMENT_PROCESSING_CERTIFICATE_HASH_NOT_FOUND

404 Not Found - Square could not find the associated Apple Pay certificate.

METHOD_NOT_ALLOWED

405 Method Not Allowed - a general error occurred.

NOT_ACCEPTABLE

406 Not Acceptable - a general error occurred.

REQUEST_TIMEOUT

408 Request Timeout - a general error occurred.

CONFLICT

409 Conflict - a general error occurred.

REQUEST_ENTITY_TOO_LARGE

413 Request Entity Too Large - a general error occurred.

UNSUPPORTED_MEDIA_TYPE

415 Unsupported Media Type - a general error occurred.

RATE_LIMITED

429 Rate Limited - a general error occurred.

NOT_IMPLEMENTED

501 Not Implemented - a general error occurred.

SERVICE_UNAVAILABLE

503 Service Unavailable - a general error occurred.

TEMPORARY_ERROR

A temporary internal error occurred. You can safely retry your call using the same idempotency key.

GATEWAY_TIMEOUT

504 Gateway Timeout - a general error occurred.
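An added Python example (not Square's code) that applies the Error type and the ErrorCategory and ErrorCode tables above together with the 429 guidance under Authorization APIs: it classifies a response into one action and retries only the rate-limit and transient class, with exponential backoff and jitter, so that expired-token and malformed requests are never re-sent unchanged. The sample responses are constructed. Accepting an errors array alongside the singular error field documented on this page, and the category assigned to INSUFFICIENT_SCOPES in the sample, are assumptions.

```python
"""Map a Connect API error response to the caller's next action (added example, not Square's code)."""
from __future__ import annotations

import random
import time
from typing import Callable

# Grouped from the ErrorCategory and ErrorCode tables on this page.
RETRY_CODES = {"RATE_LIMITED", "TEMPORARY_ERROR", "SERVICE_UNAVAILABLE",
               "GATEWAY_TIMEOUT", "REQUEST_TIMEOUT"}
REFRESH_CODES = {"ACCESS_TOKEN_EXPIRED"}
REAUTHORIZE_CODES = {"ACCESS_TOKEN_REVOKED", "INSUFFICIENT_SCOPES", "UNAUTHORIZED",
                     "V1_ACCESS_TOKEN"}


def extract_errors(status: int, payload: dict) -> list[dict]:
    """Normalise the error shape. This page documents a singular `error` object;
    assumption: other responses carry an `errors` array, so both are accepted."""
    if "errors" in payload:
        return list(payload["errors"])
    if "error" in payload:
        return [payload["error"]]
    if status >= 400:  # constructed placeholder for a bodyless or non-JSON failure
        return [{"category": "API_ERROR", "code": None, "detail": f"HTTP {status}"}]
    return []


def classify(status: int, payload: dict) -> str:
    """One of: ok, retry, refresh_token, reauthorize, fix_request, fail."""
    errors = extract_errors(status, payload)
    if not errors:
        return "ok"
    codes = {e.get("code") for e in errors}
    categories = {e.get("category") for e in errors}
    if status == 429 or "RATE_LIMIT_ERROR" in categories or codes & RETRY_CODES:
        return "retry"
    if codes & REFRESH_CODES:
        return "refresh_token"      # use grant_type=refresh_token on ObtainToken
    if codes & REAUTHORIZE_CODES or "AUTHENTICATION_ERROR" in categories:
        return "reauthorize"        # the merchant must redo the OAuth flow
    if "INVALID_REQUEST_ERROR" in categories or 400 <= status < 500:
        return "fix_request"        # a bug in the caller; retrying will not help
    return "fail"


def call_with_retry(send: Callable[[], tuple], max_attempts: int = 5,
                    base_delay: float = 0.5,
                    sleep: Callable[[float], None] = time.sleep,
                    rng: Callable[[], float] = random.random) -> tuple:
    """Retry only the 'retry' class with exponential backoff and jitter.

    Returns (action, status, payload, attempts). Every other class is returned
    after the first attempt: re-sending an expired-token or malformed request
    only burns rate-limit quota.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    for attempt in range(1, max_attempts + 1):
        status, payload = send()
        action = classify(status, payload)
        if action != "retry" or attempt == max_attempts:
            return action, status, payload, attempt
        sleep(base_delay * 2 ** (attempt - 1) * (0.5 + rng()))  # jitter in [0.5x, 1.5x)
    raise AssertionError("unreachable")


# Constructed sample responses (not captured from Square) in the documented shapes.
SAMPLE_RESPONSES = [
    (429, {"errors": [{"category": "RATE_LIMIT_ERROR", "code": "RATE_LIMITED",
                       "detail": "Too many requests."}]}),
    (401, {"errors": [{"category": "AUTHENTICATION_ERROR", "code": "ACCESS_TOKEN_EXPIRED",
                       "detail": "The access token has expired."}]}),
    (403, {"errors": [{"category": "AUTHENTICATION_ERROR", "code": "INSUFFICIENT_SCOPES",
                       "detail": "Missing PAYMENTS_WRITE_IN_PERSON."}]}),
    (400, {"error": {"category": "INVALID_REQUEST_ERROR", "code": "MISSING_REQUIRED_PARAMETER",
                     "detail": "Missing location_id.", "field": "location_id"}}),
    (200, {"authorization_code": "YOUR_MOBILE_AUTHZ_CODE", "expires_at": "2019-01-10T19:42:08Z"}),
]


def classify_samples() -> list[str]:
    """Run the classifier over the constructed samples, one action per response."""
    return [classify(status, payload) for status, payload in SAMPLE_RESPONSES]
```

The split matters operationally: a refresh_token result should trigger exactly one ObtainToken call and then one re-send, a reauthorize result should surface to the merchant, and a fix_request result should page the developer, never loop.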

OAuthPermission

When you direct your user to the permissions form, you specify the scope of the permissions your application will have. Personal access tokens have all available permissions (at the time the application was created) by default.

Fields

Name Description
BANK_ACCOUNTS_READ

HTTP Method: GET

Grants read access to bank account information associated with the targeted Square account. For example, to call the Connect v1 ListBankAccounts endpoint.

CUSTOMERS_READ

HTTP Method: GET

Grants read access to customer information. For example, to call the ListCustomers endpoint.

CUSTOMERS_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to customer information. For example, to create and update customer profiles.

EMPLOYEES_READ

HTTP Method: GET

Grants read access to employee profile information. For example, to call the Connect v1 Employees API.

EMPLOYEES_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to employee profile information. For example, to create and modify employee profiles.

INVENTORY_READ

HTTP Method: GET

Grants read access to inventory information. For example, to call the RetrieveInventoryCount endpoint.

INVENTORY_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to inventory information. For example, to call the BatchChangeInventory endpoint.

ITEMS_READ

HTTP Method: GET

Grants read access to product catalog information. For example, to get an item or a list of items.

ITEMS_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to product catalog information. For example, to modify or add to a product catalog.

MERCHANT_PROFILE_READ

HTTP Method: GET

Grants read access to business and location information. For example, to obtain a location ID for subsequent activity.

ORDERS_READ

HTTP Method: GET

Grants read access to order information. For example, to call the BatchRetrieveOrders endpoint.

ORDERS_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to order information. For example, to call the CreateCheckout endpoint.

PAYMENTS_READ

HTTP Method: GET

Grants read access to transaction and refund information. For example, to call the RetrieveTransaction endpoint.

PAYMENTS_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to transaction and refunds information. For example, to process payments with the Transactions or Checkout API.

PAYMENTS_WRITE_ADDITIONAL_RECIPIENTS

HTTP Method: POST, PUT, DELETE

Allows third-party applications to deduct a portion of each transaction amount. Required to use multiparty transaction functionality with the Transactions API.

PAYMENTS_WRITE_IN_PERSON

HTTP Method: POST, PUT, DELETE

Grants write access to transaction and refunds information. For example, to process in-person payments.

SETTLEMENTS_READ

HTTP Method: GET

Grants read access to settlement (deposit) information. For example, to call the Connect v1 ListSettlements endpoint.

TIMECARDS_READ

HTTP Method: GET

Grants read access to employee timecard information. For example, to call the Connect v1 ListTimecards endpoint.

TIMECARDS_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to employee timecard information. For example, to create and modify timecards.

TIMECARDS_SETTINGS_READ

HTTP Method: GET

Grants read access to employee timecard settings information. For example, to call the GetBreakType endpoint.

TIMECARDS_SETTINGS_WRITE

HTTP Method: POST, PUT, DELETE

Grants write access to employee timecard settings information. For example, to call the UpdateBreakType endpoint.

Common OAuth errors

Invalid client or client secret

Likely cause

An incorrect application secret was provided in a request to the endpoint.

Solution

Confirm you have copied the entirety of your application secret from the Credentials page in the application dashboard.

Invalid code

Likely cause

An incorrect authorization code was provided in a request to the ObtainToken endpoint.

Solution

Confirm that the authorization code matches the value delivered to your Redirect URL. The code may also have expired if too much time passed between its issue and the ObtainToken request; in that case, send the user back to the OAuth Authorize endpoint to generate a new authorization code and try again.

Unauthorized

Likely cause

In most cases, an incorrect access token was provided in the header of a request to a Connect API endpoint.

Solution

Confirm the provided access token is valid for the application and, if you are using REST, that it is provided in an HTTP header with the following format:

Authorization: Bearer ACCESS_TOKEN