Learn about the relationship between TLS and HTTPS.
HTTPS is required for all API calls to Square endpoints. Make sure your website is served using HTTPS and that you're making HTTPS calls to Square APIs.
Transport Layer Security (TLS)—previously known as Secure Socket Layer (SSL)—is the process of securing communication over a computer network by encrypting traffic. Encrypting traffic helps prevent eavesdropping, tampering, and man-in-the-middle attacks.
HTTP is a protocol for transferring data between websites. An HTTPS transfer or API call is simply an HTTP call over a connection secured by TLS. For more information about HTTPS, see Wikipedia and Why HTTPS Matters on the Google Developer Blog.
You should use TLS 1.3; however, TLS 1.2 still works when making Square API calls. TLS 1.1 isn't supported.
Enable TLS on your website by installing a small data file that authenticates your server's identity and encrypts information sent to that server. The authentication and encryption file is called an SSL certificate, which is issued by a certificate authority.
A certificate authority is a trusted entity (such as a company, nonprofit, or governing body) that issues SSL certificates after verifying the identities of users or servers. For example, Let's Encrypt is a free, automated, open-source certificate authority. SSL certificates from Let's Encrypt are easy to use and many hosting providers support one-click installation of Let's Encrypt certificates.
Your options to enable HTTPS might be:
Check to see whether your hosting provider includes Let's Encrypt integration. If it does, use the documentation to set up a Let's Encrypt certification.
If your hosting provider doesn't offer SSL certification, you might be able to manually install a Let's Encrypt SSL certificate. Visit the Let's Encrypt Get Started page for a high-level guide about how to obtain and install an SSL certificate.
To confirm that you've successfully enabled HTTPS, load your website and verify that the address bar has "https://" at the beginning of your website address. Your browser might also display a closed lock icon.