Square Sandbox - Sandbox Items Not Returned via API

I set up a new Application for a microsite we’re building, and then set up a new Sandbox test account which has that Application authorized. I then added items for both production and sandbox, using each environment’s proper location. When I make API calls in the production environment to list catalog, my production items appear. But when I do it with the sandbox credentials, the call completes successfully but the catalog is empty.

I’ve triple checked - the items are created in the sandbox and assigned to the sandbox location. They have inventory and are marked as available at that location. I tried via code, with Postman, and using the API explorer - all return empty results.

What could I be missing that the calls return production items with production credentials, but return an empty catalog with sandbox credentials (using the sandbox url, access token, and location)?

EDIT: To be clear, the API response is just an empty object, not a catalog object with no items. Just {} and a 200 response.

Hi @joeator, welcome to the forums!

If you’ve already created items in your sandbox, can you provide your sandbox application id? I’ll take a look on our side to see what’s going on. Note that you can have multiple sandbox accounts, and they’re all distinct from one another, so if you created items in one, but using an access token for another, then you would not see them.

I am confirming I’m using the sandbox access tokens for the application id below. I’m not getting any connection errors - just an empty {} and 200 response from the api call in sandbox mode (but it works in production for this application id).

The application id is sq0idp-STBQiA9l2Cd9rEWAVYdoog and one of the sandbox item ids is EYKELT23N7SVBMUV2LT2RSMN. The sandbox location id for the item is LEYVDRFR2JM7E.

According to our logs, it looks like you’re using the access token for merchant BPC0EA6EEESMT (which is “Default Test Account”). The above location id and sandbox catalog object belong to “Delta Microsite Sandbox”, so you need to use a different access token (the one assigned to this account). I can confirm there’s no items in BPC0EA6EEESMT which is the reason you’re getting back an empty result.

Note you can go to https://developer.squareup.com/apps and click “Delta Microsofite Sandbox” to get the correct access token.

The access token I’m copying and using is the one I find in the ORDelta Microsite application under Sandbox Access Token. First off, thanks for your help - I can confirm that it just worked using the “Delta Microsite Sandbox” token you pointed me to, but why would my application access token not work? That application should also have access to the same sandbox items, no? If not, what is the purpose of sandbox credentials under the application versus sandbox credentials in a Sandbox Test Account?

The personal access token you see on your production Developer Dashboard would only be used with your default access token. Your other sandbox accounts only have OAuth access tokens, and not personal access tokens. I’m not sure what you mean by “I find in the ORDelta Microsite application under Sandbox Access Token” - if you launch your Delta Microsite Sandbox sandbox dashboard, and go to “Apps”, you wouldn’t be able to open any developer dashboards to see access tokens, as that’s not how it works. It should only list out your OAuthed applications.

I definitely have it working with the sandbox test account access token thanks to you. So my question was more around when can/would I use the sandbox access token for an app (found at https://developer.squareup.com/apps/{appId}/settings) versus when I need to use the Oauth access token in the sandbox test account.

Where it’s confusing is that the app sends webhooks (even in sandbox) for catalog changes, customer updates, etc etc. And the app has an access_token. So I would have thought I could use the app’s access_token to ping the api. I can’t, so what is the purpose of the app’s access_token in the sandbox environment?

Ah, pretty much the only scenario is if you want to test with “Default Test Account” and use a personal access token rather than the OAuth access token (so all permissions enabled by default, without expiration dates). It would not have have access to any other sandbox account, so the scope is pretty limited to when you would want to use it.

Basically in the sandbox, the idea is that “Default Test Account” is the application owner, so the access token you see in the dashboard belongs to it. However, as soon as you create another sandbox account, there are no “developer dashboards” for it, so you need to use OAuth to access those.