Testing OAuth flow with the ORDER_WRITE scope.
This is the authorization URL for my sandbox/dev account:
https://connect.squareupsandbox.com/oauth2/authorize?session=true&redirect_uri=https%3A%2F%2Fvaapi16.konnektive.com%2Foauth%2Fsquare%2F&scope=CUSTOMERS_READ+CUSTOMERS_WRITE+PAYMENTS_WRITE+PAYMENTS_READ+MERCHANT_PROFILE_READ+ORDERS_WRITE&state=NDQ2IzY=&client_id=sandbox-sq0idb-X9idYetS3YoHQZGVoV9-Yw
When I try to hit the Orders API I get this error:
{"errors": [{"code": "FORBIDDEN","detail": "You have insufficient permissions to perform that action.","category": "AUTHENTICATION_ERROR"}]}
Why would I be getting this error if I gave the proper permissions via OAuth?
sjosey
December 2, 2020, 9:52pm
2
Hi @quinn.f welcome to the forums!
Following up with the Orders team, as I do see this error in our logs and it’s not obvious why it’s happening.
Full Request Text
POST /v2/orders HTTP/1.1
Host: connect.squareup.com
Accept: */*
Content-Type: application/json
Authorization: Bearer {{redacted}}
Content-Length: 408

{"idempotency_key":"D5829BDD9F7A","order":{"location_id":"4ZXDTNS5WA213","customer_id":"601411","line_items":[{"quantity":"1","name":"TruBliss 750MG CBD Gummies","base_price_money":{"amount":5995,"currency":"USD"}}],"taxes":[{"applied_money":{"amount":0,"currency":"USD"},"scope":"ORDER","type":"ADDITIVE"}],"discounts":[{"amount_money":{"amount":0,"currency":"USD"},"scope":"ORDER","type":"FIXED_AMOUNT"}]}}

HTTP/1.1 403 Forbidden
Date: Wed, 02 Dec 2020 16:08:25 GMT
Frame-Options: DENY
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Content-Type: application/json;charset=utf-8
Square-Version: 2019-09-25
Content-Length: 141
Strict-Transport-Security: max-age=631152000; includeSubDomains; preload

{"errors": [{"code": "FORBIDDEN","detail": "You have insufficient permissions to perform that action.","category": "AUTHENTICATION_ERROR"}]}
There’s an example request made to the API, with full OAuth permissions.
sjosey
December 2, 2020, 10:07pm
5
Please do not share your access tokens publicly. Anyone with that token can make API requests on your account. I strongly urge you to replace that token in your Square Developer Dashboard as it may have been cached and folks might be able to still access it.
As I mentioned, I do see the error, and I’m waiting on the Orders team to follow up as I’m not sure why this error would be happening.
sjosey
December 3, 2020, 12:22am
6
Ah, similar error to your other topic. You’re trying to create an order for location SE9DDG6BHHKHN, but using another merchant account that doesn’t have access to this location.
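
An added example, not part of the original thread and not Square's code: a preflight check for the two conditions this thread discusses, the scope requested in the authorize URL and whether the order's `location_id` belongs to the merchant the token was issued for. The function names and sample IDs are constructed; it assumes CreateOrder needs `ORDERS_WRITE` and that the `GET /v2/locations` response lists the merchant's locations under `locations[].id`.

```python
from urllib.parse import urlparse, parse_qs

REQUIRED_SCOPE = "ORDERS_WRITE"  # assumption: permission needed by POST /v2/orders


def requested_scopes(authorize_url):
    """Scopes asked for in an OAuth authorize URL ('+' or space separated).

    This is what the application requested, not proof of what was granted.
    """
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def preflight_create_order(authorize_url, locations_response, order_request):
    """Return the reasons a CreateOrder call would be refused (empty list = OK)."""
    problems = []
    # Scope names must match exactly: ORDER_WRITE is not ORDERS_WRITE.
    if REQUIRED_SCOPE not in requested_scopes(authorize_url):
        problems.append(f"scope {REQUIRED_SCOPE} was not requested")
    # Locations the token's merchant owns, as returned by GET /v2/locations
    # when called with the same access token.
    owned = {loc["id"] for loc in locations_response.get("locations", [])}
    location_id = order_request["order"]["location_id"]
    if location_id not in owned:
        problems.append(
            f"location {location_id} is not one of this merchant's locations"
        )
    return problems


# Constructed sample data (placeholder IDs, not values from the thread).
SAMPLE_AUTHORIZE_URL = (
    "https://connect.squareupsandbox.com/oauth2/authorize"
    "?client_id=EXAMPLE_CLIENT_ID&scope=CUSTOMERS_READ+ORDERS_WRITE"
)
SAMPLE_LOCATIONS = {
    "locations": [{"id": "LOC_MERCHANT_A", "merchant_id": "MERCHANT_A"}]
}
SAMPLE_ORDER = {
    "idempotency_key": "example-key-1",
    "order": {"location_id": "LOC_MERCHANT_B", "line_items": []},
}

if __name__ == "__main__":
    for problem in preflight_create_order(
        SAMPLE_AUTHORIZE_URL, SAMPLE_LOCATIONS, SAMPLE_ORDER
    ):
        print("would be refused:", problem)
```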