Accessing endpoint from webhook

I have created a webhook in order to update an external db of targeted catalog changes. Since that webhook only returns a timestamp, and not the data that has changed, I will need to call the catalog endpoint to get the changes. However, it looks like I will need the merchant’s personal access token for those calls. I understand that if a merchant uses my app, the webhook should be automaticlly called then they make changes. But if multiple merchants want to use my app, what is the best way to have the webhook access their personal access token. I apologize if I’m not understanding things correctly.


Square’s OAuth API will be what you’ll use to let Square merchants authorize your application. Before you get started, please visit Square’s Developer Doc for more information about our OAuth API. :slightly_smiling_face:

Thanks for your response! My app (iOS) uses OAuth for the merchant to authenticate in order to access the endpoints, which works fine. But it isn’t clear to me how my webhook can utilize OAuth since it’s not accessed directly by the merchant.

With OAuth you’ll be able to subscribe to any webhook you have scopes for. Once subscribed you’ll start to get webhook events from the OAuth’d seller. :slightly_smiling_face:

Thanks Bryan! But within the webhook, in order to access the endpoint for a merchant, I will still need to add the access token to the header, I believe. And since the webhook won’t have the token, I’m guessing I’ll need to store the token when they log into my app. And then the webhook would need to grab the token for that merchant. Is that correct? Sorry, but I didn’t see any docs around how webhooks can access an endpoint for a merchant.

With webhooks you won’t need to pass in an access token in the header. Only with the API requests will you be passing in the access token in the header. :slightly_smiling_face:

Sorry if I’m not understanding things, but my webhook does need to make an API request to get the catalog data since the webhook payload doesn’t contain the detail changes.

Okay, in that case then you would need to securely store the access token. Then when you get the webhook event for the merchant you’ll use the access token to make the appropriate API call to get the updated catalog objects. :slightly_smiling_face:

got it. Thanks Bryan!