Authorising Merchants... How to tie everything back up

I am implementing the oAuth authorisation process between a merchant and my app in the test environment. This is just a quick question of the recommended way to tie up the response.

As expected I get a response with an Access Token, a Refresh Token and a Merchant Id.

When I look at the test merchant in sandbox account, I cannot find a Merchant Id anywhere in any of the settings etc. My initial thought for identifying this response was the fact that I should already know the Merchant Id and have this in my database prior to beginning this process… I can then simply tie these up as they arrive in. With not having a test Merchant Id visible in the sandbox account, would this also be the case in production?

The user will be logged in to my app (but not the broswer) so I could do something like set a cookie with a temporary Id and pick it back up when the response hits, but this solution isn’t as solid as “Where savedMerchantId = responseMerchantId”

Could someone clarify the usual way of constructing this and if I will have access to the MerchantId before hand in Production etc.


Hi @craig,

The merchant_id is only accessable via the API at this time. There isn’t a location in the Dashboard that you could confirm the ID. You can call RetrieveMerchant with that Id to get the merchant information that has the main_location_id which is visible in the locations section of the Developer Dashboard.

I see, thanks Bryan. That leaves things a little tricky as I guess, although unlikely, location is changable by the merchant. So if we need to re-authorise for any reason, we can’t leave this as an automatic procedure within our app… we’ll have to manually check the location ID is the same with the merchant first. Are you aware of how other customers identify the response and tie up with the details in their database.

You can use ListLocations with the access token. In this call it will include all the location_ids for the account and the merchant_id.

Hi Bryan,

The only place I can see the location Id (I assume it is the location Id) is in the url. Will the merchant have any other access to this Id or the merchat Id itself? Maybe in emails, or if they see any more information in production? If I’m sending instructions to send me their location Id, having them chop it out of a url is asking for trouble and is no way scalable. Could I put forward a feature request: To be able to send my Id with the Auth … and this Id be sent back in the callback. This would eliminate any need for asking merchants to send me their Merchant or locations Ids.


There is an optional state field (GET /oauth2/authorize - Square API Reference), that you can provide in the OAuth authorize url, that will be returned along with the code, so you would know who clicked it. You can use this state field to identify which merchant (on your side) is currently authorizing, and save it accordingly.

1 Like

Stephen, you are a star… That’s just what I need, I’ll do just that!.. Thanks…