CC payment client side works. But server side gets 400 Bad Request

Dear All,

Based on good Square demos and Docs, the client side paying credit card (sandbox) works fine. Got the payment token.
The server side trys to access Square (sandbox) but gets error 400 Bad Request.
Checked and rechecked the keys, and amount, and the Docs for any additional parameter, but till now fail to see anything wrong with the request.
Most appreciate your help. Thanks.

I use JAVA, 27 years of age, and suspect the Square server force Http/2, so checked with CURL. Got same results.
BTW, The curl debug show server can accept Http/1.1 and Http/2, so the HttpURLConnection must work as well.

From here… debug info:

The server gets from client the next parameters:
param: data[data][amount], value: 88
param: data[data][email], value: [email protected]
param: data[data][first_name], value: first name
param: data[data][last_name], value: last name
param: data[data][address], value: New York
param: data[data][company_name], value:
param: data[payment][result][details][card][brand], value: VISA
param: data[payment][result][details][card][expMonth], value: 12
param: data[payment][result][details][card][expYear], value: 2034
param: data[payment][result][details][card][last4], value: 1111
param: data[payment][result][details][method], value: Card
param: data[payment][result][details][billing][postalCode], value: 12345
param: data[payment][result][status], value: OK
param: data[payment][result][token], value: cnon:CBASEHs4uymsJZ-28T6so2lC3Kk

curl command:
curl --silent --request POST --url -H “Authorization: Bearer *****” -H “Square-Version: 2023-11-15” -H “Accept: /” -H “Accept-Encoding: deflate” -H “Accept-Language: en-US,en;q=0.5” -H “Content-Length: 264” -H “Square-Version: 2023-11-15” -H “Content-Type: application/json” --data-binary @WebUtils.square.5278690190119105246.json --verbose
The payload data is:
{“note”:“Donation to Project General 2023-12-03 06:46:29”,“autocomplete”:“true”,“idempotency_key”:“e14157a7-504f-4e9a-94f5-e0c93f01bf0f”,“amount_money”:{“amount”:“8800”,“currency”:“USD”},“source_id”:“cnon:CBASEHs4uymsJZ-28T6so2lC3Kk”,“location_id”:“L8C2JDWCP5F2V”}

curl reply:

  • Connected to ( port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /usr/ssl/certs/ca-bundle.crt
  • CApath: none
    } [5 bytes data]
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [122 bytes data]
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    { [19 bytes data]
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
    { [2432 bytes data]
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
    { [79 bytes data]
  • TLSv1.3 (IN), TLS handshake, Finished (20):
    { [52 bytes data]
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
    } [52 bytes data]
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.;
  • start date: Mar 30 00:00:00 2023 GMT
  • expire date: Mar 28 23:59:59 2024 GMT
  • subjectAltName: host “” matched cert’s “
  • issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    } [5 bytes data]
  • Using Stream ID: 1 (easy handle 0x800086100)
    } [5 bytes data]

POST /v2/payments HTTP/2
user-agent: curl/7.74.0
authorization: Bearer *****
square-version: 2023-11-15
accept: /
accept-encoding: deflate
accept-language: en-US,en;q=0.5
content-length: 264
square-version: 2023-11-15
content-type: application/json

} [5 bytes data]

  • We are completely uploaded and fine
    { [5 bytes data]
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [230 bytes data]
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    { [230 bytes data]
  • old SSL session ID is stale, removing
    { [5 bytes data]
  • Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
    } [5 bytes data]
    < HTTP/2 400
    < server: cloudflare
    < date: Sun, 03 Dec 2023 06:46:29 GMT
    < content-type: text/html
    < content-length: 155
    < cf-ray: 82f9da54fb4909c3-HFA
    { [5 bytes data]
  • Connection #0 to host left intact
400 Bad Request

400 Bad Request


Dear All,

Cloudflair is responding with 400 Bad Request.

I tried and failed:

  1. Add http header Connection Close, but no change.

  2. Add curl parameter --http2 but No change.

  3. Add curl parameter --http2-prior-knowledge but No change.

  4. Add curl parameter --ipv4 but No change.

  5. Add curl parameter --ipv6 but new error: Could not resolve host:

  6. Autocomplete parameter is boolean, not string
    data.put(“autocomplete”, “true”); // → json “autocomplete” : “true”
    data.put(“autocomplete”, true); // → json “autocomplete” : true

  7. Amount parameter is integer, not string
    data.put(“amount”, “” + amount * 100); // → json “amount” : “3300”
    data.put(“amount”, amount * 100); // → json “amount” : 3300

No more options.

Need your help.

Many thanks

Dear Support,

It looks CloudFlare had locked my server ip address.

Can you unlock it please using

cf-ray: 83056843a9b309bb-HFA

Thank you

Hey @cto, I took a look at your API Logs, and I do see that your Payments API requests are successfully making it to Square, but you’re getting a few different 400 errors, mostly due to INVALID_REQUEST_ERRORs:

  "errors": [
      "category": "INVALID_REQUEST_ERROR",
      "code": "EXPECTED_INTEGER",
      "detail": "Expected an integer value (line 1, character 84)",
      "field": "amount_money.amount"
  "errors": [
      "category": "INVALID_REQUEST_ERROR",
      "code": "EXPECTED_BOOLEAN",
      "detail": "Expected a boolean value (line 1, character 74)",
      "field": "autocomplete"

I recommend taking a look at those API Logs to see details of what is causing your request to fail, then amending it accordingly.

Dear Sir,

I independently found these errors. Wrote it in the forum. Just by inspecting documentation etc.

Just later, I found the “APY Logs” and saw the entries “EXPECTED_INTEGER” and “EXPECTED_BOOLEAN”.

BTW, The API Logs does nto specify “detail” with line/column info. How did you get it?

Anyhow, I did already incorporated these fixes yesterday morning.

But still CouldFlare block all access to Square for 2 days.

If you read the API Logs, there are none after 2nd December 2023!!

The server is totally blocked by CloudFlare.

Sincerely Yours,


For API Logs, if you click on an entry then navigate to the “Response” tab, you’ll see the contents of the response to your request (including the error details).

Can you let me know an exact timestamp of a request that you’re seeing get blocked? I can look for it in our internal logs and see what I can find :slight_smile:

Last APP Log from 2023-12-02 22:20:54

New APP Log entries are not written due to a bug in Square system.

I am waiting 5 days for Square support.

CloudFlare still block all access to Square sandbox.

Can you unblock ipaddress in CloudFlare.
cf-ray: 83187ad8896b09cd-HFA

The team is taking a look however they noted that usually when Cloudflare: blocks a request it sends a 403 back to the client… sending a 400 would be unusual. :slightly_smiling_face:

I am blocked by Cloudflare for 7 days.
What can be done?

We took a look at the logs and none of those cf-ray values appear in the blocked requests for Where are you located? :slightly_smiling_face:

Production IP address:

Fix IPV4 is

Fix IPV6 is [2600:3c03::f03c:92ff:feda:8866]

Test machine:

IP address range can be found at

According to the team were not blocking any of the traffic. If you try any localhost requests are they successful? :slightly_smiling_face: