Sandbox OAuth error

I’m using the Square OAuth example for Ruby and after clicking the link to sign in with Square my callback endpoint is redirected to by Square, but the logs show

"message": "Not Authorized",
"type": "service.not_authorized"

I never see the access_token but the Dashboard shows that the app was authenticated.

In a different topic I saw another person ask about this too, and his problem was resolved by correctly setting the client_secret.

I’m 100% positive I’ve set this value correctly. I even generated a new secret just to make sure, but no success.

Any tips?

Surprisingly, the same code works correctly with production settings.

Hi @binhly welcome to the forums!

Is this after calling ObtainToken or just receiving the callback? This error is typically due to an invalid client secret or an invalid application id. If you’re getting this when calling ObtainToken also be sure you’re using the sandbox environment instead of the production environment (which means changing the CONNECT_HOST to


Hi @sjosey, thanks for the welcome.

The issue that I’m having does occur after calling ObtainToken.

Here’s the code that I’m using, with some values masked:

  APP_ID     = 'sandbox-sq0idb-z_***'
  APP_SECRET = 'sandbox-sq0csb-h7-****'


  def index
    @app_id = APP_ID
    @connect_host = CONNECT_HOST
  end

  def square
    oauth_api =
    authorization_code = params['code']

    if authorization_code

      # Provide the code in a request to the Obtain Token endpoint
      oauth_request_body = {
        'client_id' => APP_ID,
        'client_secret' => APP_SECRET,
        'code' => authorization_code,
        'grant_type' => 'authorization_code'
      }

      response = oauth_api.obtain_token(body: oauth_request_body)

      # Extract the returned access token from the ObtainTokenResponse object
      if response.success?

As best as I can tell those are all values from the Sandbox OAuth section of my developer account.

I saw on a different thread that you guys helped another developer by checking your logs. Would that be an option for my case?


We can’t really determine anything about authorization errors in our logs since they’re not tied to any account (since it’s not authorized). So we can see “Not authorized” errors, but it wouldn’t have the application id or anything, so I wouldn’t even know if it was coming from your application or another application. We also do not log the access tokens due to security.

Can you share your full app id here (it’s not a secret) and I’ll take a look at your account to verify the properties?


The full app id is sandbox-sq0idb-z_D8crPGBDFVko4T9DZPmQ

Actually, looking back at your code, it doesn’t look like you set the host anywhere? You set it to @connect_host variable, but never actually use it. You should be doing it like this:

client = Square::Client.new(
    environment: 'sandbox'
)
oauth_api = client.o_auth

I think. Let me know if that still doesn’t help though.

@sjosey I figured it out.

The problem was with how I was instantiating the Square Client. The client defaults to ‘production’ environment.

oauth_api = Square::Client.new(environment: 'sandbox').o_auth

That did the trick. Thank you again for all of your help.



I’m having the same problem, yet my configuration seems to be correct. Using the square nodejs client v8.0.1, I’m calling:

  const tokenRequest: ObtainTokenRequest = {
    clientId: process.env.SQUARE_APP_ID,
    clientSecret: process.env.SQUARE_ACCESS_TOKEN,
    code: authCode,  // comes from auth page
    grantType: 'authorization_code',
  };
  const oauthResponse = await squareClient.oAuthApi.obtainToken(tokenRequest);

And the square client throws the following error:

request: {
method: 'POST',
url: '',
headers: {
  'user-agent': 'Square-TypeScript-SDK/8.0.0',
  'content-type': 'application/json',
  'Square-Version': '2020-12-16',
  accept: 'application/json'
body: {
  type: 'text',
  content: '{"client_id":"sandbox-sq0idb-HeS-xF3scAF_i15WL4VRaA","client_secret":"<SQUARE_ACCESS_TOKEN>","code":"sandbox-sq0cgb-JZaxfWumFVIBLgdpQ80TEg","grant_type":"authorization_code"}'
  statusCode: 401,
  headers: {
'access-control-allow-headers': 'Content-Type, Authorization, Accept',
'access-control-expose-headers': 'Link',
'content-type': 'application/json',
vary: 'Origin, Accept-Encoding',
'x-content-type-options': 'nosniff',
'x-download-options': 'noopen',
'x-frame-options': 'DENY',
'x-permitted-cross-domain-policies': 'none',
'x-request-id': 'CgjJXIaq_j7bChABGBAiCQiniIOsoqfuAg',
'x-xss-protection': '1; mode=block',
date: 'Tue, 19 Jan 2021 05:31:11 GMT',
'content-length': '70',
'strict-transport-security': 'max-age=631152000; includeSubDomains; preload',
connection: 'close'
  body: '{\n  "message": "Not Authorized",\n  "type": "service.not_authorized"\n}\n',
  result: { message: 'Not Authorized', type: 'service.not_authorized' },
  errors: [
  category: 'V1_ERROR',
  code: 'service.not_authorized',
  detail: 'Not Authorized',
  field: undefined

(SQUARE_ACCESS_TOKEN matches the environment variable used above)

And the square client was initialized like so:

export const squareClient = new Client({
  environment: process.env.NODE_ENV === 'production' ? Environment.Production : Environment.Sandbox,
  accessToken: process.env.SQUARE_ACCESS_TOKEN,
});

@yroc92 it looks like you’re setting the clientSecret to be the SQUARE_ACCESS_TOKEN which is not correct. The OAuth application secret is another secret credential found in your developer portal under “OAuth”.

Somehow I missed that in the docs. Thank you!

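Both causes found in this thread (a client left on its default production environment while sending sandbox credentials, and an access token passed as `client_secret`) can be caught before ObtainToken is called. The check below is an added example, not code from the posts or from Square's SDK; the method name and reason symbols are hypothetical, and the prefixes are an assumption taken from the values shown in this thread.

```ruby
# Added example. Prefixes are the ones visible in this thread (an assumption,
# not a documented contract): app id, OAuth application secret, auth code.
SANDBOX_PREFIXES = {
  client_id:     'sandbox-sq0idb-',
  client_secret: 'sandbox-sq0csb-',
  code:          'sandbox-sq0cgb-'
}.freeze

# Returns [[field, reason], ...]; an empty array means the request is consistent.
# Only field names are reported, so no secret value ends up in a log line.
def obtain_token_preflight(environment:, client_id:, client_secret:, code:)
  # Per the thread, the Ruby client targets production unless told otherwise.
  env = (environment || 'production').to_s
  values = { client_id: client_id, client_secret: client_secret, code: code }

  values.each_with_object([]) do |(field, value), problems|
    if value.nil? || value.strip.empty?
      problems << [field, :missing]
    elsif env == 'sandbox' && !value.start_with?(SANDBOX_PREFIXES[field])
      # e.g. an access token pasted where the OAuth application secret belongs
      problems << [field, :not_a_sandbox_value_of_this_kind]
    elsif env != 'sandbox' && value.start_with?('sandbox-')
      problems << [field, :sandbox_value_sent_to_production]
    end
  end
end

# Constructed sample values, not real credentials.
SAMPLE = {
  client_id:     'sandbox-sq0idb-EXAMPLEAPPID',
  client_secret: 'sandbox-sq0csb-EXAMPLESECRET',
  code:          'sandbox-sq0cgb-EXAMPLECODE'
}.freeze

def demo
  wrong_secret = SAMPLE.merge(client_secret: 'EXAMPLE-ACCESS-TOKEN')
  {
    default_env:     obtain_token_preflight(environment: nil, **SAMPLE),
    token_as_secret: obtain_token_preflight(environment: 'sandbox', **wrong_secret),
    ok:              obtain_token_preflight(environment: 'sandbox', **SAMPLE)
  }
end

demo.each { |name, problems| puts "#{name}: #{problems.inspect}" } if __FILE__ == $PROGRAM_NAME
```

Run it at startup or in the callback handler and refuse to call ObtainToken while the returned list is non-empty.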