I’m updating our app to use the new Cards API endpoints create_card and disable_card. Testing and everything works except for one very specific configuration.
In our web app, we’re hosting the SqPaymentForm in the app. This generates a nonce which is then sent to our API, which then creates the request to send to Square. This works fine when tested running the web app locally, pointing to either a locally hosted API or to our staging/dev API which is hosted on Heroku. It also works when using the staging/dev web app pointed to a locally hosted API.
However, when running the staging web app pointed to the staging API, Square is returning a 400. Checking the Square API logs shows that the error is ‘invalid card data’. I’m using the same card, same Square user, same Square account and the same Square app for all of these requests. Additionally, I can generate a nonce from the staging web app form, and send it to our staging API via Postman, and that works fine, or create a card through the Square API tester (https://developer.squareup.com/explorer/square/cards-api/create-card) pointed to the same Square account, and that works fine.
Could someone shed some light on why the card data is invalid in this one very specific configuration? Also, the source_id is missing from the request when I view the Square API logs - both for the successful and unsuccessful requests. I’m guessing this is for security?
Customer ID: DGRPY21NBN4MZCS165G8H6BH5W
Merchant ID: 3Q0RFH0QMQBTM
App ID: sq0idp-_s2HeXXDp5cKsxwQoYc4hg