Docs Home
Dev Essentials
PaymentsCommerceCustomersStaffMerchants
Publish
Release notes

Docs

Docs Home
Dev Essentials
Payments
Commerce
Customers
Staff
Merchants
Publish
Release notes
Create an Account and App
Make your First API Call
View the API Logs
Verify the Payment
What's Next
Overview
Build Basics
Versioning
Access Tokens
Frontend and Backend Development
TLS and HTTPS
Using the REST API
Handling Errors
Collecting Information
Language Preferences
Working with Dates
Working with Monetary Amounts
Working with Addresses
Custom Attributes
Idempotency
Pagination
Optimistic Concurrency
Clear Object Fields
Square eCommerce APIs
Square API Lifecycle
Developer Console
Square Dashboard
Test in Sandbox
Sandbox Payments
Sandbox Seeding Data
API Explorer
API Logs
Webhook Event Logs
Create a Notification URL
Subscribe to Event Notifications
Verify and Validate an Event Notification
Manage Operations
Move Event Notifications to Production
Webhook Events Reference
Troubleshooting
Build a Developer Team
Authentication
Postman
Quickstart
Common API Patterns
Migration Guide
Quickstart
Common API Patterns
Migration Guide
Quickstart
Common API Patterns
Migration Guide
Quickstart
Common API Patterns
Migration Guide
Quickstart
Project Setup
Using the SDK
Common API Patterns
Quickstart
Project Setup
Using the SDK
Common API Patterns
Quickstart
Sample Applications
GraphQL Basics
Build your First Query
GraphQL Explorer
Query Examples
Create Redirect URL and Authorization Page URL
Receive Authorization and Manage OAuth Tokens
Refresh and Revoke OAuth Tokens
Token Introspection
OAuth Best Practices
OAuth Walkthrough
Migrate to the Square API OAuth Flow
Move OAuth to Production
Permissions Reference
Webhook Subscriptions
Events
Deprecated Items
v1 Payments API
v1 Refunds API
Square Transactions API
Migrate Employees to Team Members
Migrate from CreateCheckout to CreatePaymentLink
OAuth and Testing
International Payments
Regional Differences for International Development
Compliance with Japan's Tax Invoice System

/

Dev Essentials

/

Build Basics

Access Tokens and Other Square Credentials

Learn about the different types of access tokens and other credentials used to identify, authenticate, or authorize an application for Square development.

Overview
Access token types
Get a personal access token
Get an OAuth access token
Use an access token in your code
Credential types
Link to section

Overview

Access tokens are credentials that allow applications to securely interact with Square APIs. An access token authenticates your application and authorizes access to resources (such as customers, orders, and payments) in a Square account. Proper credential management and storage is critical for maintaining security.

Link to section

Access token types

You must provide a valid access token when using Square APIs to access resources in your own Square account or other Square accounts.

There are two types of access token:

  • Personal access token - Provides unrestricted Square API access to resources in a Square account. For example, you can use your own personal access token in Square API calls to perform any activity on any resource in your Square account.
  • OAuth access token - Provides authenticated and scoped Square API access to resources in a Square account. Applications use OAuth access tokens in Square API calls to access resources on behalf of account owners. For example, when Square sellers sign up to use an application, they grant the specific permissions (scopes) that the application needs to perform some activity on their account resources.

You must protect access tokens and store them securely.

Link to section

Get a personal access token

Each application you create in the Developer Console provides a personal access token for testing in the production environment and a separate Sandbox access token for testing in the Square Sandbox. These tokens grant full access to the resources in your own Square account.

  1. Sign in to the Developer Console and open an application. If needed, follow the steps in Get Started to create a Square account and an application.

  2. In the left pane, choose Credentials.

  3. Get your production or Sandbox access token:

    1. At the top of the page, choose Production.
    2. In the Production Access token box, choose Show and copy your token.

The following animation shows how to copy your Sandbox access token from the Credentials page in Sandbox mode.

An animation showing the process for getting the Sandbox access token from the Developer Console.

Did you know?

When you're signed in to API Explorer, the access tokens associated with your account are available in the Access token dropdown.

The following guidelines apply to protecting personal access tokens:

  • Don't hardcode access tokens in your code - Consult relevant documentation to find best practices for securely storing credentials, including framework-specific considerations (for example, encrypted credentials for Ruby on Rail) and platform-specific considerations (web or mobile applications). One option might be to use your cloud provider's secrets manager, such as AWS Secrets Manager, Google Cloud Secret Manager, or Azure Key Vault.

  • Don't share access tokens - A personal access token can be used to impersonate the account owner and gain full access to account resources. For example, if you paste a cURL code snippet when debugging an issue with Square support or on community forums, make sure to redact the access token used in the Authorization header.

Link to section

Get an OAuth access token

The process of getting an OAuth access token depends on the application type (which determines whether you use the code flow or PKCE flow) and whether the token is used in production or for testing in the Square Sandbox during development.

In-production applications start the OAuth flow by sending each seller to the Square authorization page. On successful flow completion, Square returns an OAuth access token to your application.

The OAuth flow includes the following high-level stages:

Stage 1: Authorization Stage 2: Callback Stage 3: Token request
Your application uses an authorization URL to send the seller to the Square authorization page where they can sign in to Square and grant the permissions you requested.Square uses your redirect URL to send the seller back to your application and appends a code query parameter that contains an authorization code.Your application calls ObtainToken and sends the authorization code, your application ID, and other fields. Square returns an access token and refresh token.

Protect access tokens and store them securely - Store OAuth access tokens and refresh tokens in a secure storage solution. Don't expose them in client-side code or version control systems. You must refresh OAuth access tokens periodically before they expire. For more information, see OAuth API and OAuth Best Practices.

Link to section

Use an access token in your code

Access tokens are sent as bearer tokens in the Authorization header of Square API requests.

  • Production requests use the https://connect.squareup.com/v2 base URL with an access token that's valid for the production environment, as shown in the following cURL request:

    curl https://connect.squareup.com/v2/locations \
  -H 'Square-Version: 2024-07-17' \
  -H 'Authorization: Bearer {PRODUCTION_ACCESS_TOKEN}' \
  -H 'Content-Type: application/json'

  • Sandbox requests use the https://connect.squareupsandbox.com/v2 base URL with an access token that's valid for the Sandbox environment, as shown in the following cURL request:

    curl https://connect.squareupsandbox.com/v2/locations \
  -H 'Square-Version: 2024-07-17' \
  -H 'Authorization: Bearer {SANDBOX_ACCESS_TOKEN}' \
  -H 'Content-Type: application/json'

Using the wrong access token for the production or Sandbox environment results in an AUTHENTICATION_ERROR error with the UNAUTHORIZED error code.

Link to section

Using access tokens with Square SDKs

When using a backend Square SDK, the client is initialized with an access token and target environment. The following PHP SDK snippet initializes the client for the Sandbox:

$client = new SquareClient(
  token: $_ENV['SQUARE_ACCESS_TOKEN'],
  options: [
    'baseUrl' => Environments::Sandbox->value
  ]
);

For more information, see the quickstart guide:

Link to section

Credential types

The following table lists the access tokens and other credentials used for Square development. Credential use is dependent on your development scenario.

Credential TypeDescriptionUseObtained from
Application IDIdentificationRandom, unique ID assigned by SquareIdentifies your application in select Square API and SDK calls against the production environment. Also called a client ID.Developer Console Credentials application page
OAuth access tokenAuthorizationScoped access tokenGrants seller-scoped and limited access to production resources in a Square account by asking an authenticated user for explicit permissions.Programmatically using the OAuth API
OAuth refresh tokenAuthorizationSpecial-purpose tokenUsed to obtain a new access token before the current one expires.Programmatically using the OAuth API
Application secretAuthenticationOAuth authentication credentialVerifies the identity of your application in OAuth API requests to get or refresh an OAuth access token. Also called a client secret.Developer Console OAuth application page
Personal access tokenAuthorizationFull-access (unscoped) access tokenGrants unrestricted access to production resources in the corresponding Square account. Also called a production access token.Developer Console Credentials application page
Repository passwordAuthorizationRandom, unique ID assigned by SquareGrants your development environment access to the remote repositories that serve Reader SDK binariesDeveloper Console Reader SDK application page
Sandbox application IDIdentificationRandom, unique ID assigned by SquareIdentifies your application in select Square API and SDK calls against the Sandbox environment. Also called a Sandbox client ID.Developer Console Credentials application page
Sandbox access tokenAuthorizationFull-access (unscoped) access tokenGrants unrestricted access to Sandbox resources in the corresponding Square account.Developer Console Credentials application page
Sandbox OAuth access tokenAuthorizationScoped access token for a Sandbox accountGrants scoped access to resources for a Sandbox application/account pair based on a specified set of permissions.Developer Console OAuth application page or Sandbox test accounts page
Sandbox OAuth refresh tokenAuthorizationSpecial-purpose tokenUsed to obtain a new access token before the current one expires.Developer Console OAuth application page
Location IDN/ARandom, unique ID assigned by SquareNot a type of credential, but required for many Square API requests.Developer Console Locations application page or programmatically using the Locations API or Merchants API
Link to section

See also

On this page
OverviewAccess token typesGet a personal access tokenGet an OAuth access tokenUse an access token in your codeCredential typesSee also