How do I set api permissions scope?

  1. https://connect.squareup.com/v2/locations returns an error INSUFFICIENT_SCOPES The merchant must authorize your application for the following scopes: MERCHANT_PROFILE_READ. Where do I set up this scope?

I’ll refine the question, I’m using square API from Node like this:
const options = {
  hostname: 'connect.squareup.com',
  port: 443,
  path: '/v2/locations',
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    'Authorization':'Bearer '+<Square Application access token>
  }
}

The application access token should allow permission to anything, including getting locations.
const request = https.request(options, res => {

When you authorized to get the access token you will include the scope that you need with the returned token. :slightly_smiling_face:

When you authorized to get the access token you will include the scope that you need with the returned token.

How? See my second comment. I’m using the application token in the authentication header. I’m not making an auth call and passing a scope.

If you are using the Personal Access Token then there shouldn’t be any issue. What’s your application ID?

sq0idp-1AKYOtUL7kmXsFTSbnW3fQ

Thanks for providing that. I just tested the personal access token for that application and it is working as expected.

GET /v2/locations HTTP/1.1
Authorization: <ends with 1jG>
version: 2021-08-18
Host: connect.squareup.com

{"errors":[{"category":"AUTHENTICATION_ERROR","code":"INSUFFICIENT_SCOPES","detail":"The merchant has not given your application sufficient permissions to do that. The merchant must authorize your application for the following scopes: MERCHANT_PROFILE_READ"}]}

@yhabot I haven’t been able to replicate this error. If you are using the personal access token from the Developer Dashboard you shouldn’t be getting this error with ListLocations since that token is scoped to the whole account. If you make a simple cURL call with that personal access token does it work?

curl https://connect.squareup.com/v2/locations \
  -H 'Square-Version: 2021-08-18' \
  -H 'Authorization: Bearer {ACCESS_TOKEN}' \
  -H 'Content-Type: application/json'

I was missing the Bearer in the authorization header value. Thanks for your help.

Glad to hear that you figured it out. :slightly_smiling_face:
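The fix reported at the end of this thread was a missing `Bearer` prefix in the `Authorization` header. As an added example (not code from the thread or from Square), the Node helpers below build the `https.request` options for `/v2/locations` so the prefix cannot be left out, and check an options object before it is sent. The function names and the `EXAMPLE_TOKEN_abc` value used to exercise them are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Any token value passed in is the caller's.

// Turn a raw token (or an already-prefixed header value) into "Bearer <token>".
function bearerHeader(tokenOrHeader) {
  if (typeof tokenOrHeader !== 'string') throw new TypeError('access token must be a string');
  const value = tokenOrHeader.trim();
  const m = /^Bearer(?:\s+(.*))?$/i.exec(value);
  const token = m ? (m[1] || '').trim() : value;
  if (token === '' || /\s/.test(token)) {
    throw new Error('access token is empty or contains whitespace');
  }
  return 'Bearer ' + token;
}

// Options for https.request(); a GET has no body, so no Content-Length is set.
function listLocationsOptions(accessToken, squareVersion) {
  return {
    hostname: 'connect.squareup.com',
    port: 443,
    path: '/v2/locations',
    method: 'GET',
    headers: {
      'Square-Version': squareVersion,
      'Authorization': bearerHeader(accessToken),
      'Content-Type': 'application/json',
    },
  };
}

// Pre-flight check for options built elsewhere; returns a problem string or null.
function checkAuthHeader(options) {
  const headers = options.headers || {};
  const name = Object.keys(headers).find(k => k.toLowerCase() === 'authorization');
  if (!name) return 'missing Authorization header';
  if (!/^Bearer \S+$/.test(String(headers[name]))) return 'Authorization is not "Bearer <token>"';
  return null;
}

// Log-safe form of the header, in the "<ends with ...>" style used in the thread.
function redactAuth(headerValue) {
  return '<ends with ' + String(headerValue).slice(-3) + '>';
}

function listLocations(accessToken, squareVersion, callback) {
  const https = require('https'); // loaded lazily; the helpers above need no network
  const req = https.request(listLocationsOptions(accessToken, squareVersion), res => {
    let body = '';
    res.setEncoding('utf8');
    res.on('data', chunk => { body += chunk; });
    res.on('end', () => callback(null, res.statusCode, body));
  });
  req.on('error', callback);
  req.end();
}
```

Use `redactAuth` when pasting a request into a forum post or log so the full token is never shared.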