Authorization

Build with the Mobile Authorization API

Build with the Mobile Authorization API to request authorization tokens to initialize Square mobile solutions like Reader SDK. To embed Square mobile development solutions, you must create a service to request mobile authorization codes. You should integrate this into your existing OAuth process if possible.

Prerequisites and assumptions Permalink Get a link to this section

To build with the Mobile Authorization API, the following must be true:

  • You are using HTTPS. HTTPS is required for all production Square API calls. HTTP calls are only supported for developing and testing on localhost.

  • You are using production credentials. The Mobile Authorization API is not supported in the Square Sandbox.

Additionally, you need the following information:

Information you need Permalink Get a link to this section

To use the steps in this topic, you need:

  • An active location ID. Copy a valid developer account location ID from the Production mode Locations setting page of your Square application in the Developer Dashboard.

  • A valid access token. For more information, see Square API Access Tokens.

Request a mobile authorization code Permalink Get a link to this section

Add code to use the location ID and OAuth token to request a mobile authorization code. The authorization service should return the mobile authorization code to the calling application but for the sake of this example, Square simply prints it to the screen.

Create Mobile Authorization Code
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
curl https://connect.squareupsandbox.com/mobile/authorization-code \
  -X POST \
  -H 'Square-Version: 2021-03-17' \
  -H 'Authorization: Bearer {SANDBOX_ACCESS_TOKEN}' \
  -H 'Content-Type: application/json' \
  -d '{
    "location_id": "{SANDBOX LOCATION ID}"
  }'

Important

Mobile authorization codes are short lived and should be used immediately to authorize mobile solutions like Reader SDK. Mobile authorization does not expire after a set amount of time. Authorization remains valid unless it is explicitly revoked (for example, by calling deauthorize in Reader SDK) or the authorized application fails to take a payment within 90 days.