Hi Square Dev Team!
Writing from the engineering team at Town - an email first AI assistant. Multiple users have requested an ability to connect their Square accounts and access Square tools through your MCP server.
DCR allowlist request: Our dynamic client registration attempts return 400 invalid_redirect_uri — domain not in allowlist. Please allowlist our OAuth callback:
-
Redirect URI (exact):
https://www.town.com/api/mcp/oauth/callback -
Domain:
town.com -
Client name: Town
We’ve verified https://mcp.squareup.com/.well-known/oauth-authorization-server returns 200 and surfaces a /register endpoint, so we believe the 400 is purely the allowlist gate.
Bonus / alternative: We also support CIMD (Client ID Metadata Documents) per the current MCP spec — we publish a stable client identity at https://www.town.com/.well-known/oauth-client-id. If your MCP server advertises client_id_metadata_document_supported, we can connect without any per-domain DCR allowlisting. Happy to test against that if it’s available or on your roadmap.
Happy to provide any additional info. Thanks!