How do I set api permissions scope?

yhabot · August 24, 2021, 2:49pm

https://connect.squareup.com/v2/locations returns an error INSUFFICIENT_SCOPES The merchant must authorize your application for the following scopes: MERCHANT_PROFILE_READ. Where do I set up this scope?

yhabot · August 24, 2021, 3:18pm

I’ll refine the question, I’m using square API from Node like this:
const options = {

hostname: 'connect.squareup.com',

port: 443,

path: '/v2/locations',

method: 'GET',

headers: {

    'Content-Type': 'application/json',

    'Content-Length': data.length,

    'Authorization':'Bearer '+<Sqaure Application access token>

  }

}

The application access token should allow permission to anything, including getting locations.
const request = https.request(options, res => {

Bryan-Square · August 24, 2021, 5:53pm

When you authorized to get the access token you will include the scope that you need with the returned token.

yhabot · August 24, 2021, 5:56pm

When you authorized to get the access token you will include the scope that you need with the returned token.

How? See my second comment. I’m using the application token in the authentication header. I’m not making an auth call and passing a scope.

Bryan-Square · August 24, 2021, 6:01pm

If you are using the Personal Access Token then there shouldn’t be any issue. What’s your application ID?

yhabot · August 24, 2021, 6:02pm

sq0idp-1AKYOtUL7kmXsFTSbnW3fQ

Bryan-Square · August 24, 2021, 6:08pm

Thanks for providing that. I just tested the personal access token for that application and it is working as expected.

yhabot · August 24, 2021, 6:13pm

GET /v2/locations HTTP/1.1

Authorization: <ends with 1jG>

version: 2021-08-18

Host: connect.squareup.com

{“errors”:[{“category”:“AUTHENTICATION_ERROR”,“code”:“INSUFFICIENT_SCOPES”,“detail”:“The merchant has not given your application sufficient permissions to do that. The merchant must authorize your application for the following scopes: MERCHANT_PROFILE_READ”}]}

Bryan-Square · August 24, 2021, 7:30pm

@yhabot I haven’t been able to replicate this error. If you are using the personal access token from the Developer Dashboard you shouldn’t be getting this error with ListLocations since that token is scoped to the whole account. If you make a simple cURL call with that personal access token does it work?

curl https://connect.squareup.com/v2/locations \
  -H 'Square-Version: 2021-08-18' \
  -H 'Authorization: Bearer {ACCESS_TOKEN}' \
  -H 'Content-Type: application/json'

yhabot · August 24, 2021, 7:55pm

I was missing the Bearer in the authorization header value. Thanks for your help.

Bryan-Square · August 24, 2021, 8:13pm

Glad to hear that you figured it out.

TheLeedz · March 6, 2024, 9:32pm

You must request the specific ‘scopes’ that your user requires when you initially construct the ‘login authorization’ link that you send to the client. This is the link that the client clicks on to take them back to the Square-hosted UI. The Leedz is a system that allows users to buy and sell – i.e. receive payments – so this is the login link with scopes:

authorize_url = (
sq_url + ‘/oauth2/authorize’
‘?client_id=’ + app_ID +
‘&scope=’ + “ORDERS_READ ORDERS_WRITE PAYMENTS_WRITE PAYMENTS_READ PAYMENTS_WRITE_ADDITIONAL_RECIPIENTS MERCHANT_PROFILE_READ” +
‘&session=’ + “false” +
‘&state=’ + state
)

Note the MERCHANT_PROFILE_READ – you will need this later to use the locations API to query about LocationID - and maybe other queries.