Authorize your Android Application

Link to section

Overview

To enable your application to securely connect to a Square seller account, the Mobile Payments SDK must be authorized using an OAuth access token and a location ID. Each Square seller who uses your application must be authorized with an OAuth access token. The same process should be used even if you only plan to use the Mobile Payments SDK with your own Square account. To get started, see OAuth documentation and the Mobile Payments SDK sample application for an example of how to authorize the SDK.

When requesting an OAuth access token from a seller, your application must request the following permissions:

  • MERCHANT_PROFILE_READ is required to get a list of all of a seller's locations.
  • PAYMENTS_WRITE and PAYMENTS_WRITE_IN_PERSON are required to take payments with the Mobile Payments SDK.
  • PAYMENTS_WRITE_ADDITIONAL_RECIPIENTS is required if you want to collect application fees.

The Mobile Payments SDK is divided into four managers to provide specific areas of functionality. Authorization is handled by the AuthorizationManager. Use authorizationManager.authorize() to authorize your Mobile Payments SDK application with a Square seller's accessToken and locationId. You also pass in a callback to be notified of authorization errors and successes and display those to the user.

Link to section

Authorization state

You can check whether a user of your application is currently authorized by checking AuthorizationState.isAuthorized() prior to beginning authorization.

To track changes in the authorization state, register a callback by using authorizationManager.setAuthorizationStateChangedCallback(). This callback can give you live updates to the authorizationManager.authorizationState whenever the Mobile Payments SDK is authorized or deauthorized.

Link to section

Session expiration

Square OAuth access tokens expire after 30 days. After expiration, applications must generate a new OAuth access token using the refresh token received when the authorization was first granted. The response looks like the following:

{ "access_token": "EAAAEL_l5ncx260W8yWz2gGO0GtJeFBJqIdHIXZjpQZ_XW-yxh-Tl7MlF8vIE__n", "token_type": "bearer", "expires_at": "2024-05-15T19:36:00Z", "merchant_id": "TVSNN09QQY609", "refresh_token": "EQAAEInZRUFx8bgauwrDjXYIioyCDEB7vyOG0cScx-qfczgTpNtUjAGLResAKOe9" }

Square recommends tracking the expires_at value on your server and refreshing the authorization token before it expires. If the SDK detects an expired token, it deauthorizes the Square seller account and invokes the callback registered with setAuthorizationStateChangedCallback with AuthorizationState(isAuthorized = false, isAuthorizationInProgress = false).

Link to section

Deauthorize the Mobile Payments SDK

To deauthorize the Mobile Payments SDK and log out of a seller's Square account, use authorizationManager.deauthorize(). This method provides a completion handler, called when the SDK finishes deauthorizing.

The seller remains authorized as long as their access token is valid. Therefore, it is a good idea to call this method when a user logs out of your application or has not had any activity within a period of time. This prevents your application from tracking a large number of dangling authorizations. Calling authorizationManager.deauthorize() doesn't expire a user's OAuth access token, it only deauthorizes the user from the mobile device running the Mobile Payments SDK.

Link to section

Next steps

After authorizing your application, you're ready to pair a card reader and prepare to start taking payments.