OAuth scope authorization for non-owner logins


Based on my limited observations, I think when the very first OAuth login is requested by an app, the user is asked to authorize scopes (e.g., MERCHANT_PROFILE_READ, ITEMS_READ, etc.). Authorized scopes are remembered, and unless the scopes change, future OAuth logins would skip scope (re)authorization.

However, when a login is not that of the business owner, OAuth returns the error “only the business owner can authorize applications for this Square account”.

Does this mean only owner logins may use OAuth to authorize an app to access a Square account's data?

Or is it possible to allow non-owner logins to also use OAuth by, say:

  • first authorizing scopes to the app via an owner login, such that authorized scopes are remembered and granted for subsequent non-owner logins?
  • “pre-authorizing” scopes somewhere else in Square account settings? If yes, where may I find these settings?

Lastly, are OAuth scope authorizations separate from and independent of the permissions set for a team member / login? Or are they linked? (E.g., to authorize the scope for ORDERS_READ via OAuth, must the team member first have the corresponding permission to work with Orders?)

Thank you.

This is expected. Only the account owner and employees with full permissions are able to authorize applications. :slightly_smiling_face:

Thank you. I understand where you’re coming from.

Here is another perspective. Suppose the owner created a team member with login “[email protected]” and limited permissions to view only order/sales information through Square web dashboard, and export/download data manually. Now an app is developed to provide customized views of the same order/sales information and automated download of it. Could you confirm that, even though the login “[email protected]” can access order/sales information through dashboard, there is no way to mirror that data access through OAuth with the same login?

That is correct. They can’t authorize an application unless they’re the owner or have administrator permissions, even for reading data. :slightly_smiling_face: