Subscription self management

We are testing the subscription API and we could not understand why some subscriptions have the item “buyer_self_management_token” that allows the user to manage its own subscription and others do not have this item. Could I get some help on this?

Where are you seeing the buyer_self_management_token? I don’t see it in a subscription? 🙂

I’m a newbie and using Square to create a subscription (using Square’s web pages as opposed to the API) after which all my subscriptions seem to have a buyer self-management token (I’ve only created a handful so far). This token can be passed in a GET to allow the user to reach a page where the subscription can be cancelled. This doesn’t seem to be a very secure approach since the URL is retained in the browser history and a mischievous actor could use that to cancel someone else’s subscription. Maybe there is a way of getting to the subscription management page using a POST but I haven’t figured that out yet.

What’s the GET call you’re making to get to that page? 🙂

I’ve now had a reply from support:
“Hi Peter,
Josh here from Square Developer Success! I can help with API-related inquiries.
The buyer_self_management_token is currently only used internally (hence the lack of documentation around it). This is not something that Square supports building on top of with our APIs.
Let me know if you have any additional questions!
Best,
Josh
Developer Success Engineer | Square, Inc.”

The only things you can do in the buyer self-management page are to change the credit card or cancel the subscription. So I will just create a “cancel” button for my subscriptions and use the documented API.

To answer Bryan’s question, the GET I was using looks like this:

[Image: bsmt]

The hyperlink is sent to the customer by email when they create a subscription:

I would share the relevant text of the email message, but this message board software hangs if you try to load two images in the same message, and if you include HTML in your message it causes all sorts of trouble. And it won’t let me post any more replies because I’m a “new user”.

So, Square, if you want to further discuss what looks to me like a significant security boo boo you will have to contact me direct.