403 Insufficient Permissions on Orders API

Hi everyone,

I am building an internal integration for my own shop to sync daily sales from Square POS to a Google Sheet using Google Apps Script.

I am receiving the following error when making a request to https://connect.squareup.com/v2/orders/search:

“Error: You have insufficient permissions to perform that action.”

The Weird Part (Troubleshooting so far):
The credentials work perfectly for other endpoints.
I tested the exact same Production Access Token and Location ID in a script to fetch my inventory (using v2/catalog/list and v2/inventory/counts), and it returned data successfully.

The 403 error only happens when I attempt to access the Orders API.

My Setup:

  1. I am the Owner of the Square account.

  2. I created the App in the Developer Dashboard myself.

  3. I am using the Production Access Token (Personal Access Token), not OAuth.

  4. I have verified that the dashboard toggle is set to “Production” and the token starts with EAAA.

The Failing Code:
I am using Google Apps Script (UrlFetchApp). Here is the request structure that fails:

```javascript
const url = 'https://connect.squareup.com/v2/orders/search';

const payload = {
  "location_ids": ["MY_LOCATION_ID"],
  "query": {
    "filter": {
      "state_filter": {
        "states": ["COMPLETED"]
      },
      "date_time_filter": {
        "closed_at": {
          "start_at": "2023-10-25T00:00:00.000Z",
          "end_at": "2023-10-25T23:59:59.999Z"
        }
      }
    }
  }
};

const options = {
  "method": "post",
  "contentType": "application/json",
  "headers": {
    "Authorization": "Bearer " + "MY_ACCESS_TOKEN",
    "Square-Version": "2023-10-20"
  },
  "payload": JSON.stringify(payload),
  "muteHttpExceptions": true
};
```

The Question:
Since this is a Personal Access Token for the account owner, shouldn’t it have global permissions? Why would it allow me to read Inventory/Catalog but block me from reading Orders?

Is there a manual scope setting I need to toggle in the dashboard even for Personal Access Tokens?

Any guidance would be appreciated. Thanks!

:waving_hand: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

OAuth API

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

The issue you’re encountering is related to the permissions associated with the Personal Access Token. While Personal Access Tokens generally provide broad access to the account’s resources, there are specific APIs, like the Orders API, that require OAuth access tokens with explicit permissions.

Personal Access Tokens are suitable for accessing resources directly associated with your own Square account, such as inventory and catalog data. However, for accessing certain APIs like the Orders API, which might involve more sensitive data, Square requires the use of OAuth access tokens. These tokens are obtained through the OAuth flow and are scoped to specific permissions that you request during the authorization process.

To resolve this issue, you should:

  1. Implement the OAuth flow to obtain an OAuth access token. This involves setting up an OAuth application in the Square Developer Dashboard and requesting the necessary permissions for the Orders API.

  2. Use the OAuth access token in your requests to the Orders API. This token will have the appropriate permissions to access order data.

By following these steps, you should be able to access the Orders API without encountering the “insufficient permissions” error.

This answer was reviewed by @Bryan-Square.

What is the location_id you're using in the SearchOrders request? :slight_smile:

Found a way to work around it. Thanks for the above reply.

Glad to hear it’s working as expected. :slight_smile:
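
The two leads raised in this thread, missing OAuth permissions and the location_id sent to SearchOrders, can be checked mechanically before changing any code. The following is an added example, not code from the thread or from Square. It assumes the granted scopes were read from the token-status endpoint (`POST /oauth2/token/status`) and the owned location IDs from `GET /v2/locations`; `triage`, `parseSquareErrors` and every sample value are constructed for illustration.

```javascript
// Added example: triage a Square 401/403 using the scope and location_id leads.
// Pure functions, no network calls; all sample values below are constructed.
const REQUIRED_SCOPES = ['ORDERS_READ']; // OAuth permission for reading orders

function parseSquareErrors(bodyText) {
  // Square error bodies have the shape {"errors":[{"category","code","detail"}]}.
  try {
    const body = JSON.parse(bodyText);
    return Array.isArray(body.errors) ? body.errors : [];
  } catch (e) {
    return []; // non-JSON body (proxy error page, truncated response)
  }
}

function triage(status, bodyText, grantedScopes, requestedLocations, ownedLocations) {
  const codes = parseSquareErrors(bodyText).map((e) => e.code);
  if (status === 401 || codes.includes('UNAUTHORIZED')) {
    return { cause: 'bad_token', detail: 'token missing, malformed, expired or revoked' };
  }
  if (status !== 403) {
    return { cause: 'not_a_permission_error', detail: 'status ' + status };
  }
  // Lead 1: the token was never granted the permission the endpoint needs.
  const missing = REQUIRED_SCOPES.filter((s) => !grantedScopes.includes(s));
  if (missing.length > 0) {
    return { cause: 'missing_scope', detail: missing.join(',') };
  }
  // Lead 2: the request names a location this seller account does not own.
  const foreign = requestedLocations.filter((id) => !ownedLocations.includes(id));
  if (foreign.length > 0) {
    return { cause: 'foreign_location', detail: foreign.join(',') };
  }
  return { cause: 'unknown_403', detail: codes.join(',') || 'no error code in body' };
}

// Constructed 403 body; pairing this detail text with code FORBIDDEN is an assumption.
const sampleBody = JSON.stringify({
  errors: [{ category: 'AUTHENTICATION_ERROR', code: 'FORBIDDEN',
    detail: 'You have insufficient permissions to perform that action.' }],
});
const scopedToken = ['ITEMS_READ', 'INVENTORY_READ'];
const fullToken = ['ITEMS_READ', 'INVENTORY_READ', 'ORDERS_READ'];

console.log(triage(403, sampleBody, scopedToken, ['LOC_A'], ['LOC_A']));
console.log(triage(403, sampleBody, fullToken, ['LOC_B'], ['LOC_A']));
```

Log only the returned `cause` and `detail`; the access token itself should never be written to the Apps Script log or the sheet.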