Is it possible to get different refresh tokens for different OAuth logins?

Hi,

For the same Square account, may I know whether it’s possible to get a different refresh token for each OAuth login?

Currently the OAuth flow is tested with the same Square account and application ID. I found the refresh token from the Obtain Token API is always the same, even if I went through the OAuth flow multiple times.

The background is, we are developing an app running on multiple iPads. This app will get a refresh token and access token through the OAuth flow with the same Square account and application ID.
Just in case the refresh token were leaked from one iPad by accident, we hope the other iPads would not be impacted (which means we would not have to go through the OAuth flow again to get a new refresh token + access token for each other iPad).

Thanks.

:waving_hand: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

OAuth Best Practices
OAuth API
Migrate from Renew to Refresh OAuth Tokens

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

Hello!
I was facing the same issue. Thank you community for the solution!

Best Regards,

Dear team,

Any suggestion on this topic please?

Thanks.

If this is all with the same account you don’t need to generate multiple access tokens. One OAuth access token will work even if the app is being used on multiple devices. :slight_smile:

Hi @Bryan-Square

Thanks for the feedback, but we are just considering security: just in case the token is leaked from one device, we hope we can disable the leaked one and keep the other devices unaffected. But if all devices use the same access token as you suggested (or different access tokens from the same refresh token), we can’t keep the other devices unaffected; that’s why we are thinking of multiple refresh tokens.

Okay, given that you know that the token is secret and you’re building a custom application, how do you see the token being accidentally exposed, since you control the integration and account? :slight_smile:

Most of our iPad devices are used in our stores, which are covered by the Wi-Fi network, which means the IP address is known.
I’m assuming that someone who is really good at hacking managed to download our app in some way and decompile it, then got and used the access token to do some malicious actions; then we noticed strange actions with this access token in our backend, and by seeing the IP address we could know the access token is leaked.
But the above is just my assumption; as you know, he could also use the Wi-Fi network in the store, so you never know what would happen. We are just trying to make our application safe in any case.

The access token should never be exposed client side. It should always be server side and safely secured. :slight_smile:

Ahh I see, thanks so much for clarifying it.
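The pattern the last two replies converge on (one Square OAuth token pair that stays on the backend, with each iPad holding only a credential the backend can revoke on its own) is shown below as an added example. It is not code from this thread or from Square; the `DeviceTokenBroker` class, the `X-Device-Id` header, the API host and path, the token values and the store network ranges are all assumptions or constructed placeholders. It also adds the detection step the asker describes, flagging a valid device credential used from outside its store's network.

```python
"""Server-side token broker (added example, not Square's code).

The single Square OAuth access/refresh token pair lives only on the backend.
Each iPad is enrolled with its own opaque credential; revoking one device's
credential leaves every other device, and the Square token itself, untouched.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass

# Constructed placeholders: the one token pair the backend obtained through the
# OAuth flow. They are never sent to any device.
SQUARE_ACCESS_TOKEN = "sq0atp-PLACEHOLDER"
SQUARE_REFRESH_TOKEN = "sq0rtp-PLACEHOLDER"
# Assumed API host; confirm against the OAuth API documentation.
SQUARE_API_BASE = "https://connect.squareup.com"


@dataclass
class DeviceRecord:
    device_id: str
    secret_hash: bytes           # SHA-256 of the device secret; the secret is not stored
    allowed_network: ipaddress.IPv4Network | ipaddress.IPv6Network
    issued_at: float
    revoked: bool = False


class DeviceTokenBroker:
    """Issues one revocable credential per device and proxies Square calls."""

    def __init__(self) -> None:
        self._devices: dict[str, DeviceRecord] = {}
        self.alerts: list[str] = []   # detection signals for the backend to act on

    def enroll(self, device_id: str, store_network: str) -> str:
        """Create a per-device credential. Returned once; only its hash is kept.
        device_id must not contain '.', which separates it from the secret."""
        secret = secrets.token_urlsafe(32)
        self._devices[device_id] = DeviceRecord(
            device_id=device_id,
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            allowed_network=ipaddress.ip_network(store_network),
            issued_at=time.time(),
        )
        return f"{device_id}.{secret}"

    def revoke(self, device_id: str) -> bool:
        """Disable one device's credential; every other device keeps working."""
        rec = self._devices.get(device_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authenticate(self, credential: str, source_ip: str) -> DeviceRecord | None:
        """Return the device record if the credential is valid and not revoked."""
        device_id, _, secret = credential.partition(".")
        rec = self._devices.get(device_id)
        if rec is None or rec.revoked:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(presented, rec.secret_hash):   # constant-time compare
            return None
        # Detection, not enforcement: a valid credential used from outside the
        # store network is the signal described in the thread for a leaked token.
        if ipaddress.ip_address(source_ip) not in rec.allowed_network:
            self.alerts.append(f"{device_id} used from unexpected address {source_ip}")
        return rec

    def build_square_request(self, credential: str, source_ip: str, path: str) -> dict:
        """Build the outbound Square API request; the OAuth token is attached only here."""
        rec = self.authenticate(credential, source_ip)
        if rec is None:
            raise PermissionError("unknown, invalid or revoked device credential")
        return {
            "url": SQUARE_API_BASE + path,
            "headers": {
                "Authorization": f"Bearer {SQUARE_ACCESS_TOKEN}",
                "X-Device-Id": rec.device_id,   # assumed internal tracing header
            },
        }


if __name__ == "__main__":
    broker = DeviceTokenBroker()
    ipad_a = broker.enroll("ipad-store1-01", "10.1.0.0/16")   # constructed store range
    ipad_b = broker.enroll("ipad-store1-02", "10.1.0.0/16")
    broker.build_square_request(ipad_a, "10.1.4.20", "/v2/PLACEHOLDER")
    broker.revoke("ipad-store1-01")             # suppose ipad_a's credential leaked
    try:
        broker.build_square_request(ipad_a, "10.1.4.20", "/v2/PLACEHOLDER")
    except PermissionError as exc:
        print("ipad-store1-01:", exc)
    req = broker.build_square_request(ipad_b, "10.1.4.21", "/v2/PLACEHOLDER")
    print("ipad-store1-02 still served as", req["headers"]["X-Device-Id"])
```

The refresh token never leaves the server either, so rotating it stays a backend-only operation; a device credential can be revoked and re-issued from the enrollment step without touching the OAuth flow again.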