Correct implementation for machine-to-machine API access

My user requirements call for machine-to-machine server-side access to the Square APIs. It seems Code Flow is the best approach, but this still asks for a user to manually sign in. Is it possible to avoid this, and if not, what are the best practices for making machine-to-machine access work?

:waving_hand: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional documentation: Get Started (Square Developer Documentation)

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

Looking further, it seems I can just use the access token given in the application settings under Credentials, since this is a first-party app. Can it be confirmed that using this directly is best practice?

For machine-to-machine server-side access to Square APIs, the OAuth code flow is indeed the best approach because it is designed for confidential clients that can securely store client information. However, the OAuth code flow inherently requires user interaction to authorize the application, as it involves obtaining an authorization code through a user sign-in process.

Unfortunately, there is no way to completely bypass the initial user authorization step in the OAuth process, as it is a fundamental part of ensuring that the user consents to the permissions being requested by the application.

To make machine-to-machine access work effectively after the initial authorization, you should follow these best practices:

  1. Token Management: Once you have obtained the initial access token and refresh token through user authorization, you can use the refresh token to obtain new access tokens without further user interaction. Refresh tokens obtained using the code flow do not expire unless explicitly revoked, allowing you to maintain access over time.

  2. Secure Storage: Store the access and refresh tokens securely on your server. Use strong encryption standards like AES to protect these tokens, and ensure that they are not accessible to unauthorized personnel.

  3. Regular Token Refresh: Implement a process to refresh the access token regularly, ideally every 7 days or less, to ensure continuous access and to handle any potential issues with token expiration.

  4. Error Handling: Implement robust error handling to manage token-related errors such as ACCESS_TOKEN_EXPIRED or ACCESS_TOKEN_REVOKED. Provide user-friendly messages or alerts to handle these scenarios gracefully.

  5. Webhooks: Set up webhooks to receive notifications if a token is revoked, allowing you to take appropriate action to reauthorize if necessary.

By following these practices, you can effectively manage machine-to-machine access to Square APIs after the initial user authorization.

This answer was reviewed by @Bryan-Square.
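The five practices above (keep the refresh token, persist tokens, refresh well before expiry, handle ACCESS_TOKEN_EXPIRED and ACCESS_TOKEN_REVOKED, and fall back to a fresh authorization only when the grant is really gone) fit into one small token manager. The following is an added example, not code from Square or from the thread. It assumes a Square-style token response (`access_token`, `refresh_token`, `expires_at` as an RFC 3339 string) and a Square-style error envelope (`{"errors": [{"category": "AUTHENTICATION_ERROR", "code": ...}]}`); the `FakeSquare` class is a constructed stand-in for the token endpoint and an API call so the block runs offline, and the `persist` callback is where real deployments would write the tokens to encrypted storage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set

# Refresh once fewer than 7 days of validity remain (item 3 in the answer above).
REFRESH_AHEAD = timedelta(days=7)


class ReauthorizationRequired(Exception):
    """The stored grant no longer works; a person must run the OAuth code flow again."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: datetime  # timezone-aware


def parse_token_response(body: Dict) -> TokenSet:
    """Parse a token/refresh response. Field names are assumed to match Square's ObtainToken response."""
    expires_at = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
    return TokenSet(body["access_token"], body["refresh_token"], expires_at)


def auth_error_codes(body: Dict) -> Set[str]:
    """Collect AUTHENTICATION_ERROR codes from an assumed Square-style error envelope."""
    return {e.get("code") for e in body.get("errors", []) if e.get("category") == "AUTHENTICATION_ERROR"}


class TokenManager:
    def __init__(self, tokens: TokenSet, refresh_call: Callable[[str], Dict],
                 persist: Callable[[TokenSet], None],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.tokens = tokens
        self._refresh_call = refresh_call  # refresh_token -> token endpoint response body
        self._persist = persist            # called after every rotation; encrypt at rest in production
        self._clock = clock

    def needs_refresh(self) -> bool:
        return self.tokens.expires_at - self._clock() < REFRESH_AHEAD

    def refresh(self) -> TokenSet:
        body = self._refresh_call(self.tokens.refresh_token)
        codes = auth_error_codes(body)
        if codes:  # the refresh token itself was rejected (e.g. revoked): nothing automatic will help
            raise ReauthorizationRequired(f"refresh rejected: {sorted(codes)}")
        self.tokens = parse_token_response(body)
        self._persist(self.tokens)
        return self.tokens

    def call(self, api_call: Callable[[str], Dict]) -> Dict:
        """Run api_call(access_token) with proactive refresh and a single expiry-driven retry."""
        if self.needs_refresh():
            self.refresh()
        body = api_call(self.tokens.access_token)
        codes = auth_error_codes(body)
        if not codes:
            return body
        if "ACCESS_TOKEN_REVOKED" in codes:  # seller revoked the app: alert, do not loop on refresh
            raise ReauthorizationRequired("access token revoked; new user authorization needed")
        if "ACCESS_TOKEN_EXPIRED" in codes:  # clock skew or missed schedule: refresh and retry once
            self.refresh()
            body = api_call(self.tokens.access_token)
            if auth_error_codes(body):
                raise ReauthorizationRequired("still unauthenticated after refresh")
            return body
        raise ReauthorizationRequired(f"unexpected authentication error: {sorted(codes)}")


# --- constructed stand-in for the token endpoint and one API call; no network traffic ---
def _auth_error(code: str) -> Dict:
    return {"errors": [{"category": "AUTHENTICATION_ERROR", "code": code}]}


class FakeSquare:
    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self.valid = {"tok-1"}       # access tokens the fake currently accepts
        self.grant_revoked = False
        self.refreshes = 0

    def refresh(self, refresh_token: str) -> Dict:
        if self.grant_revoked or refresh_token != "rt-1":
            return _auth_error("ACCESS_TOKEN_REVOKED")
        self.refreshes += 1
        token = f"tok-{self.refreshes + 1}"
        self.valid = {token}
        expires = self._clock() + timedelta(days=30)
        return {"access_token": token, "refresh_token": "rt-1", "token_type": "bearer",
                "expires_at": expires.isoformat().replace("+00:00", "Z")}

    def api(self, access_token: str) -> Dict:
        if self.grant_revoked:
            return _auth_error("ACCESS_TOKEN_REVOKED")
        if access_token not in self.valid:
            return _auth_error("ACCESS_TOKEN_EXPIRED")
        return {"merchant": {"id": "M-DEMO"}}


def demo() -> Dict:
    """Walk the manager through proactive refresh, surprise expiry, and revocation."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    clock = lambda: now[0]
    square = FakeSquare(clock)
    store: List[TokenSet] = []
    mgr = TokenManager(TokenSet("tok-1", "rt-1", now[0] + timedelta(days=10)),
                       square.refresh, store.append, clock)
    mgr.call(square.api)                 # 10 days left: no refresh
    now[0] += timedelta(days=5)          # 5 days left: refreshed before the call
    mgr.call(square.api)
    square.valid = set()                 # token rejected early: refresh and retry once
    mgr.call(square.api)
    square.grant_revoked = True          # seller revoked the app: surfaces to an operator
    try:
        mgr.call(square.api)
        revoked = False
    except ReauthorizationRequired:
        revoked = True
    return {"refreshes": square.refreshes, "persisted": len(store), "revoked": revoked}


if __name__ == "__main__":
    print(demo())
```

The design keeps refresh and persistence as injected callables so the same manager works with the real token endpoint and an encrypted secret store; the one place it deliberately stops retrying is a revocation, which is exactly the case the answer says needs a new authorization (and which a webhook can also announce).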

Thanks for the reply.

Considering that this is a server-only application with no front-end, and with only one user, what is the best way to perform initial user authorization?

Also, uptime is important. Is there any circumstance where the refresh token would be revoked?

If you only have one seller using this then you can just configure the access token. That token doesn’t expire and you won’t have to use OAuth. Otherwise there is no way around having some sort of UI for the initial authorization. :slight_smile:
