Currently we config each merchant’s webhook by directly accessing their Square and build application there, we also use their access token to use obtain information like orders, payment, etc. I wonder whether we can setup webhook and call APIs using their oAuth token to avoid touching their account and using their access token?
Yes, ideally (and we strongly encourage and recommend) you should always be using OAuth so you can limit access to the merchant’s account, and so the merchant doesn’t need to create their own application.
In regards to webhooks specifically, whatever your application has enabled for V2 webhooks, your merchants will automatically be subscribed to when they complete the OAuth process.
If you’re still using V1 webhooks, then you would need to use their unique OAuth access token and call
UpdateWebhook endpoint to subscribe them manually.
“If you’re still using V1 webhooks, then you would need to use their unique OAuth access token”.
It that means, for v1 webhooks, we still need to use their OAuth access token (which appears in their application) to call API to bind the location and application in merchant’s account?
Sorry for the misunderstanding. The access token you’re referring to (in their dashboard) is not an OAuth access token, it is a personal access token. I was meaning, with V1 webhooks, you still need to manually call the API, while V2 webhooks will automatically handle it for you. You should be using OAuth to access merchant accounts, always.