Regarding Issue with generating authorization code for READER SDK


First of all web are using a account as a marketplace for developer access. Where sellers are authorizing for mobile sdk token generate permssion using this api flow:

After completing this flow we are getting access token for generation Mobile auth code for that seller. We are asking seller to provide their location id:

After that we are using this api:

Build with the Mobile Authorization API

by using received access token from oAuth and location id shared by seller.

Which is providing us mobile authorization code that we are using for authorize Reader sdk.

But when we are authorising with received mobile authorization code SDK throwing an error like attached below screenshot:

So, please us know what’s we are doing wrong.

Here is some attached curl requests:

This url is for requesting oauth by seller. 
   "<Developer client id>&scope=PAYMENTS_WRITE_IN_PERSON&redirect_uri=redirect_url&code_challenge=<code_challenge>";

Then this one to get access token for generating mobile auth code for that seller:

curl \
  -X POST \
  -H 'Square-Version: 2022-04-20' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "<YOUR_APPLICATION_ID>",
    "grant_type": "authorization_code",
    "redirect_uri": "<THE REDIRECT URL>",
    "code_verifier":"<THE CODE_VERIFIER YOU CREATED>"

Which is returning output something like this:

    "access_token": "xxxxxxxx",
    "token_type": "bearer",
    "expires_at": "2024-02-14T16:54:02Z",
    "merchant_id": "yyyyyy",
    "refresh_token": "xxxxxxxxxxxxxxx",
    "short_lived": false,
    "refresh_token_expires_at": "2024-04-14T16:53:31Z"

Then hitting this api curl to generate mobile auth code:

curl \
  -X POST \
  -H 'Square-Version: 2024-01-18' \
  -H 'Authorization: Bearer {ACCESS_TOKEN}' \
  -H 'Content-Type: application/json' \
  -d '{
    "location_id": "{LOCATION ID}"

Which is returning output like below:

[authorization_code] => sq0acp-Yss2W_pagj9jsI8wCjzpcnsdHwgfyvIyxg97CzQiQO0
[expires_at] => 2024-01-15T17:55:31Z

Then when authorizing with this code we are getting above error screenshot shared.

Awaiting your solution.


:wave: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

Mobile Authorization API: How It Works
Mobile Authorization API Overview
OAuth Walkthrough: Test Authorization with Web Server

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

The error message you’re seeing typically indicates that the mobile authorization code you’re using has expired. Mobile authorization codes are short-lived and should be used immediately to authorize mobile solutions like the Reader SDK. If the code isn’t used immediately, it may expire and result in the error you’re seeing.

To resolve this, you should ensure that the mobile authorization code is used immediately after it’s generated. If the code has expired, you will need to generate a new one.

Also, please note that the Mobile Authorization API isn’t supported in the Square Sandbox. Make sure you’re using production credentials when making these API calls.

Lastly, ensure that the location ID you’re using is active and belongs to the same merchant that the access token is associated with.

If you continue to experience issues, please provide more details about the steps you’re taking and where exactly in the process the error occurs.

This answer was reviewed by @josh-square.

Hi @josh-square ,
Thanks for your response.

As we have checked we did test with Mobile Auth code, immediately(which even have 1 hours expiry time for new generated mobile auth code) after generating still we are getting error that authorize_invalid_code at app end during Authorization.

We followed below steps :

  1. Redirect seller to connect with our app using PKCE flow. which returns code. (<CLIENT_ID>&scope=PAYMENTS_WRITE_IN_PERSON,MERCHANT_PROFILE_READ&redirect_uri=<REDIRECT_URI>&code_challenge=26c5a737267a6b63fd0d1b52b7e2601cd78194c5db3cfd22e26b1c7aca206057
  2. Then using that code we used the return code to generate oAuth access token

curl --location ‘
–header ‘Square-Version: 2021-05-13’
–header ‘Content-Type: application/json’
–data ‘{
“client_id”: “<CLIENT_ID>”,
“code”: “”,
“grant_type”: “authorization_code”,
“redirect_uri” : “<REDIRECT_URI>”,
“code_verifier” : “<CODE_VERIFIER>”

3. Then we used this generated access token to generate Mobile Auth Code, In which we pass first Location Id(which same on sellers square dashboard ( received from Locations API using seller access token , 

Getting Seller Locations:

curl --location '' \
--header 'Square-Version: 2024-01-18' \
--header 'Authorization: Bearer <access token>' \
--header 'Content-Type: application/json'

Then generating: authorization-code

curl --location ‘
–header ‘Square-Version: 2024-01-18’
–header ‘Authorization: Bearer {access_token}’
–header ‘Content-Type: application/json’
–data ‘{
“location_id”: “LAJXDFV4WF19F”

which returns this output: 

“authorization_code”: “sq0acp-********”,
“expires_at”: “2024-01-29T12:52:53Z”

This authorization_code we used for authorizing mobile SDK. 

But we are getting error:  authorize_invalid_code

So, Please check and let me know what's wrong now. 

Awaiting response.


Hi @Shubham1, it looks like there’s an issue with the formatting of your post, do you mind attaching those screenshots again? Thanks!