Docs Home
Dev Essentials
PaymentsCommerceCustomersStaffMerchants
Publish
Release notes

Docs

Docs Home
Dev Essentials
Payments
Commerce
Customers
Staff
Merchants
Publish
Release notes
Create an Account and App
Make your First API Call
View the API Logs
Verify the Payment
What's Next
Overview
Versioning
Access Tokens
Frontend and Backend Development
TLS and HTTPS
Using the REST API
Handling Errors
Collecting Information
Language Preferences
Working with Dates
Working with Monetary Amounts
Working with Addresses
Custom Attributes
Idempotency
Pagination
Optimistic Concurrency
Clear Object Fields
Square eCommerce APIs
Square API Lifecycle
Developer Console
Square Dashboard
Test in Sandbox
Sandbox Payments
Sandbox Seeding Data
API Explorer
API Logs
Webhook Event Logs
Create a Notification URL
Subscribe to Event Notifications
Verify and Validate an Event Notification
Manage Operations
Move Event Notifications to Production
Webhook Events Reference
Troubleshooting
Build a Developer Team
Authentication
Postman
Quickstart
Common API Patterns
Migration Guide
Quickstart
Common API Patterns
Migration Guide
Quickstart
Common API Patterns
Migration Guide
Quickstart
Common API Patterns
Migration Guide
Quickstart
Project Setup
Using the SDK
Common API Patterns
Quickstart
Project Setup
Using the SDK
Common API Patterns
Quickstart
Sample Applications
GraphQL Basics
Build your First Query
GraphQL Explorer
Query Examples
OAuth
Create Redirect URL and Authorization Page URL
Receive Authorization and Manage OAuth Tokens
Refresh and Revoke OAuth Tokens
Token Introspection
OAuth Best Practices
OAuth Walkthrough
Migrate to the Square API OAuth Flow
Move OAuth to Production
Permissions Reference
Webhook Subscriptions
Events
Deprecated Items
v1 Payments API
v1 Refunds API
Square Transactions API
Migrate Employees to Team Members
Migrate from CreateCheckout to CreatePaymentLink
OAuth and Testing
International Payments
Regional Differences for International Development
Compliance with Japan's Tax Invoice System

/

Dev Essentials

/

OAuth

Token Introspection

Applies to: OAuth API

Learn how to use the OAuth API to get the scope details of an access token.

Overview
Link to section

Overview

The RetrieveTokenStatus endpoint performs token introspection of an OAuth access token or an application's personal access token.

With the RetrieveTokenStatus endpoint, you can ensure that a token grants all the permissions you need without having to find the scope through trial and error by calling different Square endpoints.

The following is an example RetrieveTokenStatus request where access_token is a valid production authorization credential (see Get a personal access token).

Copy
Expand
curl https://connect.squareup.com/oauth2/token/status \
  -X POST \
  -H 'Square-Version: 2022-12-14' \
  -H 'Authorization: Bearer <access_token>’ \
  -H 'Content-Type: application/json'

The following is an example response:

Copy
Expand
{
  "scopes": [
    "PAYMENTS_READ",
    "PAYMENTS_WRITE"
  ],
  "expires_at": "2022-10-20T22:03:46Z",
  "client_id": "clientid",
  "merchant_id": "merchantId"
}
Link to section

Example use cases

You can use the RetrieveTokenStatus endpoint to gracefully handle revoked or expired access tokens, check the scopes of different seller access tokens, and check whether an access token is valid before a nightly batch job.

Link to section

Handling revoked or expired access tokens

Consider a scenario where your application gets a large number of requests that it handles in parallel to stay responsive. A batch of requests receives 401 errors because their access tokens have expired.

You can use the RetrieveTokenStatus endpoint to first check whether a request has a valid access token.

Link to section

Checking scopes for seller's access tokens

Consider a CLI application that runs a set of tasks to update a catalog for a coffee shop and ensures that the catalog is accurate.

You can use the RetrieveTokenStatus endpoint to first check the scope of the seller's access token and then run all the necessary tasks.

Link to section

Checking access tokens before nightly batch jobs

Consider a scenario where an enterprise plugin uses an access token that expires every 24 hours.

You can use the RetrieveTokenStatus endpoint to check whether the access token is valid every hour so that you can refresh the access token, if needed, in time for the next batch job.

On this page
OverviewExample use cases