How do I set api permissions scope?

  1. https://connect.squareup.com/v2/locations returns an error INSUFFICIENT_SCOPES The merchant must authorize your application for the following scopes: MERCHANT_PROFILE_READ. Where do I set up this scope?

I’ll refine the question. I’m using the Square API from Node like this:
const options = {
  hostname: 'connect.squareup.com',
  port: 443,
  path: '/v2/locations',
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    'Authorization':'Bearer '+<Square Application access token>
  }
}

The application access token should allow permission to anything, including getting locations.
const request = https.request(options, res => {

When you authorized to get the access token you will include the scope that you need with the returned token. :slightly_smiling_face:

When you authorized to get the access token you will include the scope that you need with the returned token.

How? See my second comment. I’m using the application token in the authentication header. I’m not making an auth call and passing a scope.

If you are using the Personal Access Token then there shouldn’t be any issue. What’s your application ID?

sq0idp-1AKYOtUL7kmXsFTSbnW3fQ

Thanks for providing that. I just tested the personal access token for that application and it is working as expected.

GET /v2/locations HTTP/1.1
Authorization: <ends with 1jG>
version: 2021-08-18
Host: connect.squareup.com

{"errors":[{"category":"AUTHENTICATION_ERROR","code":"INSUFFICIENT_SCOPES","detail":"The merchant has not given your application sufficient permissions to do that. The merchant must authorize your application for the following scopes: MERCHANT_PROFILE_READ"}]}

@yhabot I haven’t been able to replicate this error. If you are using the personal access token from the Developer Dashboard you shouldn’t be getting this error with ListLocations since that token is scoped to the whole account. If you make a simple cURL call with that personal access token does it work?

curl https://connect.squareup.com/v2/locations \
  -H 'Square-Version: 2021-08-18' \
  -H 'Authorization: Bearer {ACCESS_TOKEN}' \
  -H 'Content-Type: application/json'

I was missing the Bearer in the authorization header value. Thanks for your help.

Glad to hear that you figured it out. :slightly_smiling_face:

You must request the specific ‘scopes’ that your user requires when you initially construct the ‘login authorization’ link that you send to the client. This is the link that the client clicks on to take them back to the Square-hosted UI. The Leedz is a system that allows users to buy and sell – i.e. receive payments – so this is the login link with scopes:

authorize_url = (
    sq_url + '/oauth2/authorize'
    '?client_id=' + app_ID +
    '&scope=' + "ORDERS_READ ORDERS_WRITE PAYMENTS_WRITE PAYMENTS_READ PAYMENTS_WRITE_ADDITIONAL_RECIPIENTS MERCHANT_PROFILE_READ" +
    '&session=' + "false" +
    '&state=' + state
)

Note the MERCHANT_PROFILE_READ – you will need this later to use the locations API to query about LocationID - and maybe other queries.
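The authorization link from the post above, as an added example that is not part of the original thread or Square's own code: it URL-encodes the scope list, generates an unguessable `state` value and checks it in constant time on the redirect, and reads the missing scope names out of an INSUFFICIENT_SCOPES response like the one quoted earlier. The function names, the `sq0idp-EXAMPLE` application ID and the assumption that scope names in the error detail are runs of capitals and underscores are illustrative.

```python
import hmac
import json
import re
import secrets
from urllib.parse import urlencode

SQUARE_BASE = "https://connect.squareup.com"  # host used throughout the thread

# Error body as quoted in the thread (straight quotes restored).
SAMPLE_ERROR = (
    '{"errors":[{"category":"AUTHENTICATION_ERROR","code":"INSUFFICIENT_SCOPES",'
    '"detail":"The merchant has not given your application sufficient permissions '
    'to do that. The merchant must authorize your application for the following '
    'scopes: MERCHANT_PROFILE_READ"}]}'
)


def build_authorize_url(app_id, scopes, base=SQUARE_BASE):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # CSRF token echoed back on the redirect
    query = urlencode({
        "client_id": app_id,
        "scope": " ".join(scopes),  # urlencode turns the spaces into '+'
        "session": "false",
        "state": state,
    })
    return f"{base}/oauth2/authorize?{query}", state


def state_matches(expected, received):
    """Constant-time comparison of the stored state with the one received."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


def missing_scopes(error_body):
    """List the scopes named in an INSUFFICIENT_SCOPES error response."""
    marker = "following scopes:"
    found = []
    for err in json.loads(error_body).get("errors", []):
        detail = err.get("detail", "")
        if err.get("code") == "INSUFFICIENT_SCOPES" and marker in detail:
            # Assumption: scope names are upper-case words joined by underscores.
            found += re.findall(r"[A-Z][A-Z_]+", detail.split(marker, 1)[1])
    return found


if __name__ == "__main__":
    url, state = build_authorize_url("sq0idp-EXAMPLE", ["MERCHANT_PROFILE_READ"])
    print(url)
    print(missing_scopes(SAMPLE_ERROR))
```

A callback handler would reject the request when `state_matches` returns False, before exchanging the authorization code for a token.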