After rotating our client_secrets for the Sandbox and Production environments we are getting "Not Authorized" on all OAuth Endpoint requests


We rotated our client_secret for one of our client_ids in the sandbox and production environments yesterday, and now all requests for anyone attempting to Authorize or Obtain Token are failing with the message “Not Authorized”:

{
  "message": "Not Authorized",
  "type": "service.not_authorized"
}

This is preventing us from being able to onboard new clients, as well as refreshing old access_tokens after they are 7 days old, as per the recommendation.

We need to figure out what’s going wrong, and why ASAP.


~ Theodore Schnepper

:wave: Is the newly generated client_secret being used in the header of the ObtainToken request? Also what's your client_id? :slightly_smiling_face:

Greetings @Bryan-Square,

As per the documentation I am passing the client_secret via the request body as a field named "client_secret".

Even if I attempt to add the client_secret into the HTTP Headers as a Bearer token, it does not work. It makes sense that wouldn’t change anything, as the credential should be submitted in the body for the OAuth process.

To answer your question about our client_ids, they are as follows:

For Sandbox: sandbox-sq0idb-GowUqXPtPHsc_njczAnCYA
For Production: sq0idp-fS_lWfoTDo87DJfrl13Xvw

I’ve also been attempting to make these requests via curl as a test example with our Sandbox credentials. The request is made via JSON in my curl examples, but it’s made via form encoding in our internal software:

# Token endpoint URL added so the command is runnable; the original post omitted it
# (Square Sandbox OAuth token endpoint). Body is JSON here; our software sends form encoding.
curl -X POST -v 'https://connect.squareupsandbox.com/oauth2/token' \
  -H 'Content-Type: application/json' \
  -d '{"client_id":"sandbox-sq0idb-GowUqXPtPHsc_njczAnCYA","client_secret":"<REDACTED>","grant_type":"refresh_token","refresh_token":"<REDACTED>"}'

Please let me know if you have any questions,


~ Theodore Schnepper

I just tested with your sandbox client_id and client_secret and it worked as expected. I got an access token.

@Bryan-Square I feel like I’m going crazy here… If I test the existing access_token for an existing test credential, the access_token works without an issue… but that makes sense, it doesn’t use our client_secret for those requests…

However… whenever I use our current client_secret that is being displayed in the Developer Dashboard for our App for any OAuth request I keep receiving the "Not Authorized" error… I have quadruple checked that I am using the correct token… I even have another set of eyes on it. Plus our production environment doesn’t have any code differences from the cycled credentials…

I’m not sure where this is going wrong. As far as I can tell, it looks to me like the credentials that Square is showing me on my Developer Dashboard are just incorrect.

I am currently testing the Sandbox account with the following Location ID: 652PKK7S5PBS4.

@Bryan-Square I just attempted to refresh the sandbox access token with the previous client_secret that we had and that one still works.

I’m guessing that I’m getting the pieces confused here… I refreshed the Sandbox Access token and I’m assuming that that would be our client_secret… but I think that it might not be… However… we need to rotate the client_secret, and we don’t seem to have a way to do this?

In the application on the Square Developer Dashboard the only location you can see the client_secret is in the OAuth section of your credentials. That’s also the only place you can rotate it.

Ahhh… that’s where I was going wrong… Thank you @Bryan-Square, that solves the issue I think.

Glad to hear that cleared it up. Please feel free to reach out if you have any additional questions. We’re always happy to help. :slightly_smiling_face: