How to Authorize Square Mobile Payments SDK via Backend and without using token in Frontend?

Questions
1

Problem Description:

I am currently using the Square Mobile Payments SDK, and the official documentation shows how to authorize the SDK directly by passing the accessToken and locationID from the frontend, as shown in the example below:

swift

import SquareMobilePaymentsSDK

class MyViewController: UIViewController {
    func authorizeMobilePaymentsSDK(accessToken: String, locationID: String) {
        guard MobilePaymentsSDK.shared.authorizationManager.state == .notAuthorized else {
            return
        }

        MobilePaymentsSDK.shared.authorizationManager.authorize(
           accessToken: accessToken,
            locationID: locationID) { error in
                if let authError = error {
                    // Handle auth error
                    print("error: \(authError.localizedDescription)")
                    return
                }

                print("Square Mobile Payments SDK successfully authorized.")
        }
    }
}

This method works but involves passing the accessToken directly in the frontend, which is not ideal for a production environment due to security concerns.

My Approach:

To improve security, my approach is as follows:

  1. Frontend requests an authorization code from a Lambda function.
  2. BACK END handles the actual authorization process using Square API and returns an authorization code to the frontend.
  3. Frontend receives this authorization code and uses it with the Mobile Payments SDK to complete the authorization process, instead of passing the accessToken directly.

My Question:

In the official documentation, I couldn’t find any methods for authorizing the Mobile Payments SDK using an authorization code rather than the accessToken. I am looking for guidance on whether this is possible.

I would like to achieve the following workflow:

  1. The frontend gets an authorization code from the backend .
  2. The frontend uses this authorization code with the Mobile Payments SDK to complete the authorization.

My specific questions are:

  • Does the Square Mobile Payments SDK support authorization using an authorization code?
  • If so, which method or function should I call to complete this authorization?
  • If not, is there any recommended best practice to secure the accessToken and avoid exposing it directly in the client-side code?

Thank You:

Any guidance or alternative solutions would be greatly appreciated. My goal is to securely authorize the SDK without exposing sensitive information like the accessToken to the client-side.

2

:wave: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

Mobile Authorization API
Request a Mobile Authorization Code on the Command Line
Receive Seller Authorization and Manage Seller OAuth Tokens

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

3

The Mobile Payments SDK can only be authorized with an access token and location_id. An authorization can’t be used with the Mobile Payments SDK. :slightly_smiling_face:

4

THX for your quick respond ,Bryan, I dont really feel comfortable to store TOKEN in the Frount End, what do you think ? can you share some advise ? [quote=“Bryan-Square, post:3, topic:18978, full:true”]
The Mobile Payments SDK can only be authorized with an access token and location_id. An authorization can’t be used with the Mobile Payments SDK. :slightly_smiling_face:
[/quote]

:smiley: