Associate oauth callback with my own data

In the oauth flow, my app gets the callback with authorization code that it uses to obtain an access token. The app needs to identify the seller / merchant who authorized the app. I had expected some “user defined” data to be passed from “…oauth2/authorize?client_id=…” URL back into the callback so I can use it to identify the seller / merchant. This is clearly needed for the app to work for multiple merchants who may be authorizing the app at the same time but I can’t figure out how to do this. I’m clearly missing something basic. Please help.

Once you call ObtainToken, the response will include that information :slight_smile:. The response includes merchant_id as well as the access_token unique to this merchant, as well as a refresh_token (see link for more info). Please let me know if I misunderstood, or if you have additional questions.

Hi Stephem, thank you so much for a fast reply. I already have the working code for oauth token exchange etc. I’m sorry that I didn’t explain my scenario well enough the first time,

Let’s say I have thousands of merchants with lots of data. They log on to our web dashboard and are presented with Square authorization redirect URL like “…” . When they click on this URL and authorize my app, I get a callback from Square with an auth code, which I exchange for oauth tokens and extract the “merchand_id” field from it. This merchant_id is the ID given to this merchant by Square. I want to find out our own merchant ID for this Square merchant. I can’t find a way to relate this “merchant_id” to our own merchant ID because the callback may have been called for any of our thousands of merchants.

I was expecting to find a solution like the following. Our web dashboard adds a “user defined data” parameter to the auth redirect URL like “…&appdata=…” . When Square calls our callback, it sends this data along with the auth code. Now we can exchange this auth code for tokens and also use this “appdata” to associate those tokens and Square connection to the specific merchant of ours.

This must be a very common scenario and I’m sure an alternate solution for this already exists but I have been scouring the docs yet I couldn’t find it. Thanks for your help.

Stephen, not “Stephem”. Sorry.

Ah, I think I was misunderstanding your use-case, sorry about that. In the OAuth authorize, there is an optional field called state which would be returned along with the code. So if you have some unique value that you’re trying to use from your own side, you could pass it along with state so you know where it came from. Let me know if that makes sense, or if I’m still misunderstanding of course.


That’s perfect! You understood the question and answered it completely. Thank you so much. I didn’t think about using the “state” parameter because the doc used current time as a random value. But it does make sense to use it to pass whatever data the application needs to pass. Thanks.

1 Like