Greetings,
We rotated our client_secret for one of our client_ids in the sandbox and production environments yesterday, and now all requests for anyone attempting to Authorize or Obtain Token are failing with the message “Not Authorized”:
{
"message": "Not Authorized",
"type": "service.not_authorized"
}
This is preventing us from being able to onboard new clients, as well as refreshing old access_tokens after they are 7 days old, as per the recommendation.
We need to figure out what’s going wrong, and why ASAP.
Thanks,
~ Theodore Schnepper
Is the newly generated client_secret being used in the header of the ObtainToken request? Also, what’s your client_id?
Greetings @Bryan-Square,
As per the documentation https://developer.squareup.com/reference/square/oauth-api/obtain-token I am passing the client_secret via the request body as a field named "client_secret".
Even if I attempt to add the client_secret into the HTTP Headers as a Bearer token, it does not work. It makes sense that wouldn’t change anything, as the credential should be submitted in the body for the OAuth process.
To answer your question about our client_id, they are as follows:
For Sandbox: sandbox-sq0idb-GowUqXPtPHsc_njczAnCYA
For Production: sq0idp-fS_lWfoTDo87DJfrl13Xvw
I’ve also been attempting to make these requests via curl as a test example with our Sandbox credentials. The request is made via JSON in my curl examples, but it’s made via form encoding in our internal software:
curl -X POST -v https://connect.squareupsandbox.com/oauth2/token -H 'Content-Type: application/json' -d '{"client_id":"sandbox-sq0idb-GowUqXPtPHsc_njczAnCYA","client_secret":"<REDACTED>","grant_type":"refresh_token","refresh_token":"<REDACTED>"}'
Please let me know if you have any questions,
Thanks,
~ Theodore Schnepper
I just tested with your sandbox client_id and client_secret and it worked as expected. I got an access token.
@Bryan-Square I feel like I’m going crazy here… If I test the existing access_token for an existing test credential, the access_token works without an issue… but that makes sense, it doesn’t use our client_secret for those requests…
However… whenever I use our current client_secret that is being displayed in the Developer Dashboard for our App for any OAuth request I keep receiving the "Not Authorized" error… I have quadruple checked that I am using the correct token… I even have another set of eyes on it. Plus our production environment doesn’t have any code differences from the cycled credentials…
I’m not sure where this is going wrong. As far as I can tell, it looks to me like the credentials that Square is showing me on my Developer Dashboard are just incorrect.
I am currently testing the Sandbox account with the following Location ID: 652PKK7S5PBS4.
@Bryan-Square I just attempted to refresh the sandbox access token with the previous client_secret that we had and that one still works.
I’m guessing that I’m getting the pieces confused here… I refreshed the Sandbox Access token and I’m assuming that that would be our client_secret… but I think that it might not be… However… we need to rotate the client_secret, and we don’t seem to have a way to do this?
In the application on the Square Developer Dashboard the only location you can see the client_secret is in the OAuth section of your credentials. That’s also the only place you can rotate it.
Ahhh… that’s where I was going wrong… Thank you @Bryan-Square. That solves the issue I think.
Glad to hear that cleared it up. Please feel free to reach out if you have any additional questions. We’re always happy to help.