Mobile Authorization API Overview
The Mobile Authorization API accepts an account credential (OAuth token or personal access token) and location ID and returns an authorization code that custom mobile applications can use to initialize Square mobile solutions like the Reader SDK to accept payments using Square hardware.
The Mobile Authorization API accepts requests through HTTPS and TLS 1.2. Connections through HTTP are not supported.
The Mobile Authorization API is not supported in the Square Sandbox. For alternative recommendations, see Test Mobile Applications.
In addition, the sample code in this guide makes the following assumptions:
The authorization service uses PHP version 5.4 or later. PHP is used for the example code because it is a common web language and relatively approachable for new developers. However, Square APIs are language agnostic and the setup steps are comparable across languages.
The authorization service uses the Square PHP SDK. Installing the SDK is optional. As long as you can package and receive JSON messages, you can use Square APIs, but installing the SDK makes things easier.
The Reader SDK is currently the only Square mobile solution that requires a mobile authorization flow. The In-App Payments SDK is not initialized with an authorization code and therefore does not use the Mobile Authorization API.
The Mobile Authorization API is part of the Square API suite and is comprised of a client API instance, authorization request body, and authorization response body. It inherits the Connect Configuration object so that the API client can be initialized with an access token such as an OAuth or personal access token.
To make calls with this API, a developer must create a backend service that uses the OAuth API to take a user through the OAuth flow to get an authentication token. The token is used by the Mobile Authorization API to get a short-lived authorization code for used with the Reader SDK.
The mobile authorization flow is initiated by mobile device logic in a call to the backend service and is completed when the backend service returns a mobile authorization code to the mobile application.