Reader SDK and mobile authorization code


I am having problems developing a mobile app integration with the Reader SDK. I have created a build of the Reader SDK sample app, and if I use an authorization code generated manually from the developer dashboard, the authorization code works. However if I use this same app with an authorization code generated by an API which is calling the Square SDK to get the code, the authorization code fails (invalid code).

Some details to be aware of:

  1. All of this is going against “Production” Square accounts.
  2. The Sample Reader SDK was downloaded using the URL in one account, which is the same account I get the manual auth code from. This is a different account from the one I am getting the auth code via API. I saw some questions regarding whether SDK downloads are tied to an account or not but did not see a definitive answer.
  3. When getting the auth code via API, I am using a previously authorized OAuth connection to a different production Square account. I am able to make charges on behalf of this account successfully.

Since there is no way to manually generate an auth code for accounts connected via OAuth, I cannot test without using the Square API to obtain the auth code.

My suspicion, which I hope can be corrected, is that the Reader SDK, downloaded via the URL for one account, cannot work with mobile auth codes obtained for another account. I hope this is not the case as we are a platform that would like to enable Square Reader use in our mobile app for all of our customers, each of whose Square account we are connected to via OAuth.

Thanks in advance for any information you can provide.

UPDATE: I just thought to create a second application in the developer dashboard, and attempt to use the auth code generated manually from that app. This failed. This adds weight to my suspicion that a Reader SDK downloaded with repo credentials from one app, cannot be used with a mobile authorization code from another app. In this case, both apps are even in the same Square account, but what I need is for the Reader SDK to work against any account/app, if it retrieves a mobile auth code from that account/app.

:wave: When you went through OAuth what scopes did you include? Was PAYMENTS_WRITE_IN_PERSON included?

Thanks for you assistance.

These are the scopes requested during OAuth:

We can successfully take payments by entering card info manually, but we want to use the Square Reader, hence the need for the mobile auth code.

To confirm, is the behavior I am hoping to achieve possible? Specifically, I want a single mobile app I have written, integrated with the Square Reader SDK, to be able to receive a mobile authorization code (via our API which in turn retrieves the code from Square) for different Square accounts, depending upon who is using the mobile app. In this way we can distribute one version of the app to our customers, who then login and use the Square Reader with their own Square accounts.


Those are the correct permissions. Now, with the access token that you got from when your customer authorized your application, you will call CreateMobileAuthorizationCode to authorize them to connect a reader and take in person payments. :slightly_smiling_face:

Yes, that is exactly what I do in the API. Using the customer Square OAuth credentials, I first get the location id in their account for “main” location, and then call createMobileAuthorizationCode() for that location. I get an authorization code successfully, but it cannot be used with the Reader SDK (we are attempting to enter the code returned by this API manually in the Sample Square Reader App for now, and always get “invalid code”).

As well, I am still trying to understand why (also using the Square Reader Sample App), the mobile authorization code obtained manually from the developer dashboard only works if it is from the same app as was used to get the Reader SDK repo credentials. Can you confirm that there is no requirement that the credentials used to get the Reader SDK download have to be in the same app or account as is used to retrieve the authorization code?

Thank you

What’s the location_id you’re using for the createMobileAuthorizationCode() request?

Hi Bryan,

I am using the location id which is returned when I call retrieveLocation(‘main’) on the customer’s account. This location id is then passed to createMobileAuthorizationCode(<location_id>)

Would you mind please answering the second part of my question however, which is a request for confirmation that the Reader SDK should be able to work with any mobile authorization code, and that it is not restricted to authorization codes from the account whose credentials were used to access the repo (“Repository Password” under “Reader SDK” in the developer dashboard)?

Thank you

With Reader SDK every call needs to come from the same application that was used to access the repo. You will need to OAuth, Mobil Auth, and take payments all from the same application that you created.

Also I took a look at your account and I don’t see any calls using OAuth to get the access token prior to calling CreateMobileAuthorizationCode. How are you getting the access token to call the endpoint?


“You will need to OAuth, Mobil Auth, and take payments all from the same application that you created.”

We are hoping to implement the following scenario:

We are a platform through which our customers sell items to buyers (their customers). We connect to our customer’s Square accounts via OAuth, and make charges on their behalf when their customers purchase items on our website.

Here is the relationship between accounts:
Platform (us) with Square Account “acctX”, and Application ID “appA”:
Customer 1 - Square Account “acct1” - OAuth connection to “acctX” using “appA
Customer 2 - Square Account “acct2” - OAuth connection to “acctX” using “appA

When a buyer buys an item on our website, we charge as “acct1” or “acct2” with their access token obtained via OAuth, and they receive the funds into their Square account.

We now want to enable the same using our mobile app integrated with Square Reader.

I assumed we could use the access token for “acct1” to get a mobile auth code for the location “main” in “acct1” and then proceed with completing charges initiated by the Reader for “acct1”.
And that we could do the same (using the same mobile app) to get a mobile auth code for the location “main” in “acct2” and then proceed with completing charges initiated by the Reader for “acct2”.
And so on, for all of our Square customers, using one mobile application integrated with the Square Reader.

Should we instead get the mobile auth code from “appA”? If so, will this mobile auth code work to complete payments initiated by the Reader for “acct1” and “acct2”, assuming they are connected to “appA” via OAuth? Is there any limit to the number of mobile devices that can be using auth codes from a single app, if we issue them all from “appA”?

Thanks for your patience,

You have the correct flow by using the access token from OAuth. Then with that access token calling CreateMobileAuthorizationCode. What is the location_id you are using for your CreateMobileAuthorizationCode call.

Currently there is no single location id. Here is what we do to get the mobile auth code.

Assuming the same relationships:

Platform (us) with Square Account “ acctX ”, and Application ID “ appA ”:
Customer 1 - Square Account “ acct1 ” - OAuth connection to “ acctX ” using “ appA
Customer 2 - Square Account “ acct2 ” - OAuth connection to “ acctX ” using “ appA

and I want to enable the reader to be used in our mobile app by Customer 1 (“acct1”) -

Using the access token obtained via OAuth with “acct1”, we call retrieveLocation(‘main’).
The location id that then comes back is used for:

The mobile app then attempts to use that authorization code. But to be clear, the mobile app we are currently trying to get working is the Square Sample App, using a Reader SDK that was downloaded using repo credentials in an app that is not in ANY of acctX, acct1, acct2.

I’m not sure how I can help unless you provide a location_id that you are getting a not authorized error with. I need the Id to look at our logs cause your flow is correct.

Hey Bryan,

I just tried again today to authorize the Sample Reader app using an auth code returned by our production API.
The location id is EE06GHZ87X36F.

Hopefully you can see what might be failing. Error on our side is “Something went wrong. … authorization_invalid_cde”


Bryan, are you able to see any error logs related to the mentioned location?

Thanks for your time,

So just to be clear you are generating the OAuth token with this client_id: sq0idp-G_h0wx3OJB1Fnu3LF1f7Yg and getting an access token for location_id: EE06GHZ87X36F.

With the same application sq0idp-G_h0wx3OJB1Fnu3LF1f7Yg you are generating a mobile authorization with the OAuth access token and the location_id set to EE06GHZ87X36F?

Hi Bryan,

When we get the access toke for OAuth, we do use client_id: sq0idp-G_h0wx…
We do not specify any location id at that time, we use a url to initiate the OAuth and we provide the parameters client_id, scope (noted previously), and state (for our own use). Nothing about location id.

When the user is redirected back to us as part of the OAuth flow, we obtain the access tokens via back-end API call (ObtainTokenRequest) - again no location_id here.

After this OAuth connection is established, we have an access key to our customer Square account, and successfully perform charges, refunds etc. on their behalf.

Now when we try to get the mobile auth code, we use the access token obtained via OAuth, and the location id I specified. client_id is not specified in the API call.

We successfully get a mobile auth code from the API call to square, for the noted location_id. But then when we manually input this auth code into the Square Sample Reader app, we get the error.

I also want to clarify, in case it matters, that the Sample Reader App does not share the same application id as that which we are connected via OAuth (and getting the mobile auth code).

Do we need to generate/download the Reader SDK using the same app/client_id as we use to initiate OAuth?

Greetings Bryan,

At the point when we get the entrance toke for OAuth, we do utilize client_id: sq0idp-G_h0wx…
We don’t indicate any area id around then, we utilize a url to start the OAuth and we give the boundaries client_id, scope (noted beforehand), and state (for our own utilization). Nothing about area id.

At the point when the client is diverted back to us as a feature of the OAuth stream, we get the entrance tokens through back-end API call (ObtainTokenRequest) - again no location_id here.

Later this OAuth association is set up, we have an entrance key to our client Square record, and effectively perform charges, discounts and so forth for their sake.

Presently when we attempt to get the portable auth code, we utilize the entrance token acquired by means of OAuth, and the area id I determined. client_id isn’t indicated in the API call.

We effectively get a versatile auth code from the API call to square, for the prominent location_id. However at that point when we physically input this auth code into the Square Sample Reader application, we get the blunder.

What’s the error you’re getting when going through the mobile authorization flow? :slightly_smiling_face: