Authorize

GET /oauth2/authorize

As part of a URL sent to a seller to authorize permissions for the developer, Authorize displays an authorization page and a list of requested permissions.

Open in API Reference

Access Tokens Sign in to populate your access tokens from the Developer Console Sign In

Parameters

client_id

The Square-issued ID for your application, which is available on the OAuth page for your application in the Developer Dashboard.

string

scope

A space-separated list of the permissions that the application is requesting. Default: "MERCHANT_PROFILE_READ PAYMENTS_READ SETTLEMENTS_READ BANK_ACCOUNTS_READ"

string

Select scope

BANK_ACCOUNTS_READ HTTP Method: GET Grants read access to bank account information associated with the targeted Square account. For example, to call the Connect v1 ListBankAccounts endpoint.
CASH_DRAWER_READ HTTP Method: GET Grants read access to cash drawer shift information. For example, to call the ListCashDrawerShifts endpoint.
CUSTOMERS_READ HTTP Method: GET Grants read access to customer information. For example, to call the ListCustomers endpoint.
CUSTOMERS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to customer information. For example, to create and update customer profiles.
DEVICE_CREDENTIAL_MANAGEMENT HTTP Method: POST, GET Grants readwrite access to device credentials information. For example, to call the CreateDeviceCode endpoint.
EMPLOYEES_READ HTTP Method: GET Grants read access to employee profile information. For example, to call the Connect v1 Employees API.
EMPLOYEES_WRITE HTTP Method: POST, PUT, DELETE Grants write access to employee profile information. For example, to create and modify employee profiles.
INVENTORY_READ HTTP Method: GET Grants read access to inventory information. For example, to call the RetrieveInventoryCount endpoint.
INVENTORY_WRITE HTTP Method: POST, PUT, DELETE Grants write access to inventory information. For example, to call the BatchChangeInventory endpoint.
ITEMS_READ HTTP Method: GET Grants read access to product catalog information. For example, to obtain objects in a product catalog.
ITEMS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to product catalog information. For example, to modify or add to a product catalog.
LOYALTY_READ HTTP Method: GET Grants read access to loyalty information. For example, to call the ListLoyaltyPrograms endpoint.
LOYALTY_WRITE HTTP Method: POST, PUT, DELETE Grants write access to loyalty information. For example, to call the CreateLoyaltyAccount endpoint.
MERCHANT_PROFILE_READ HTTP Method: GET Grants read access to business and location information. For example, to obtain a location ID for subsequent activity.
ORDERS_READ HTTP Method: GET Grants read access to order information. For example, to call the BatchRetrieveOrders endpoint.
ORDERS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to order information. For example, to call the CreateCheckout endpoint.
PAYMENTS_READ HTTP Method: GET Grants read access to transaction and refund information. For example, to call the RetrieveTransaction endpoint.
PAYMENTS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to transaction and refunds information. For example, to process payments with the Payments or Checkout API.
PAYMENTS_WRITE_ADDITIONAL_RECIPIENTS HTTP Method: POST, PUT, DELETE Allow third party applications to deduct a portion of each transaction amount. Required to use multiparty transaction functionality with the Payments API.
PAYMENTS_WRITE_IN_PERSON HTTP Method: POST, PUT, DELETE Grants write access to payments and refunds information. For example, to process in-person payments.
SETTLEMENTS_READ HTTP Method: GET Grants read access to settlement deposit information. For example, to call the Connect v1 ListSettlements endpoint.
TIMECARDS_READ HTTP Method: GET Grants read access to employee timecard information. For example, to call the Connect v2 SearchShifts endpoint.
TIMECARDS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to employee shift information. For example, to create and modify employee shifts.
TIMECARDS_SETTINGS_READ HTTP Method: GET Grants read access to employee timecard settings information. For example, to call the GetBreakType endpoint.
TIMECARDS_SETTINGS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to employee timecard settings information. For example, to call the UpdateBreakType endpoint.
APPOINTMENTS_READ HTTP Method: GET, POST Grants read access to booking information. For example, to call the RetrieveBooking endpoint.
APPOINTMENTS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to booking information. For example, to call the CreateBooking endpoint.
APPOINTMENTS_BUSINESS_SETTINGS_READ HTTP Method: GET Grants read access to booking business settings. For example, to call the ListTeamMemberBookingProfiles endpoint.
INVOICES_READ HTTP Method: GET, POST Grants read access to invoice information. For example, to call the ListInvoices endpoint.
INVOICES_WRITE HTTP Method: POST, PUT, DELETE Grants write access to invoice information. For example, to call the CreateInvoice endpoint.
SUBSCRIPTIONS_READ HTTP Method: GET, POST Grants read access to subscription information. For example, to call the RetrieveSubscription endpoint.
SUBSCRIPTIONS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to subscription information. For example, to call the CreateSubscription endpoint.
DISPUTES_READ HTTP Method: GET Grants read access to dispute information. For example, to call the RetrieveDispute endpoint.
DISPUTES_WRITE HTTP Method: POST, PUT, DELETE Grants write access to dispute information. For example, to call the SubmitEvidence endpoint.
GIFTCARDS_READ HTTP Method: GET, POST Grants read access to gift card information. For example, to call the RetrieveGiftCard endpoint.
GIFTCARDS_WRITE HTTP Method: POST, PUT, DELETE Grants write access to gift card information. For example, to call the CreateGiftCard endpoint.
ONLINE_STORE_SNIPPETS_WRITE HTTP Method: POST, PUT, DELETE Write access to ECOM online store snippets on published websites.
ONLINE_STORE_SNIPPETS_READ HTTP Method: GET, POST Read access to ECOM online store snippets on published websites.
ONLINE_STORE_SITE_READ HTTP Method: GET, POST Read access to ECOM online store site details.
PAYMENTS_WRITE_SHARED_ONFILE HTTP Method: POST, PUT, DELETE Allows the developer to process payments on behalf of a seller using a shared on file payment method.
APPOINTMENTS_ALL_READ HTTP Method: GET, POST Grants read access to all of a seller's booking information, calendar, and business details. This permission must be accompanied by the APPOINTMENTS_READ permission.
APPOINTMENTS_ALL_WRITE HTTP Method: POST, PUT, DELETE Grants write access to all booking details, including double-booking a seller. This permission must be accompanied by the APPOINTMENTS_WRITE permission.
MERCHANT_PROFILE_WRITE HTTP Method: POST, PUT Grants write access to business and location information. For example, to create a new location or update the business hours at an existing location.
VENDOR_READ HTTP Method: GET, POST Grants read access to vendor information, for example, when calling the RetrieveVendor endpoint.
VENDOR_WRITE HTTP Method: POST, PUT, DELETE Grants write access to vendor information, for example, when calling the BulkUpdateVendors endpoint.
PAYOUTS_READ HTTP Method: GET Grants read access to payouts and payout entries information. For example, to call the Connect v2 ListPayouts endpoint.
DEVICES_READ HTTP Method: GET Grants read access to device information. For example, to call the GetDevice and ListDevices endpoints.

locale

The locale to present the permission request form in. Square detects the appropriate locale automatically. Only provide this value if the application can definitively determine the preferred locale.

Currently supported values: en-IE, en-US, en-CA, es-US, fr-CA, and ja-JP.

string

session

If false, the user must log in to their Square account to view the Permission Request form, even if they already have a valid user session. This value has no effect in the Square Sandbox. Default: true

boolean

state

When provided, state is passed to the configured redirect URL after the Permission Request form is submitted. You can include state and verify its value to help protect against cross-site request forgery.

string

code_challenge

When provided, the OAuth flow uses PKCE to authorize. The code_challenge will be associated with the authorization_code and a code_verifier will need to passed in to obtain the access token.

string

redirect_uri