I have written an in-house application to link Square to my ASP website using VB.
I can process credit cards all OK; now I am trying to add gift card processing. Because the gift card may not cover the full purchase value, I have to set autocomplete to false and accept partial payments.
(Gift cards auto complete fine)
That part works ok and I get the orderid and paymentid values.
When I process the orders/pay endpoint I get the 403 Forbidden response in my code. When I try using the API explorer, plugging in my values, it works fine.
As far as I can tell I am using the same URL in my app as the explorer and the same HTTP headers as all the other calls which get successful responses.
Just to confirm, using PayOrder on the API Explorer works, but not in your code? Are you currently using one of our SDKs, or building your own HTTP request? What is your Square application id so I can take a look at the logs?
I am using your API explorer to generate the JSON syntax and URL because my application uses VB in ASPX pages and I could not get your .NET SDK for C# to work with my website.
The same code with the appropriate endpoint URL works for the credit card processing and to reserve a payment on the test gift card.
When I try to complete the gift card payment using the payments API it tells me to use the orders API, which is where I get the 403 Forbidden in my code, but it works in the API explorer.
My App ID is sandbox-sq0idb-5qFanw4Rw7LLFCBjQwHHBA
This is the JSON I passed to the orders API to complete the payment
Imports System.IO
Imports System.Net
Imports System.Text

' json, SquareURL, sqordid and authtoken are defined elsewhere in the application.
Dim data As Byte() = Encoding.UTF8.GetBytes(json)
Dim myHttpWebRequest As HttpWebRequest = DirectCast(WebRequest.Create("https://connect." & SquareURL & "/v2/orders/" & sqordid & "/pay"), HttpWebRequest)
myHttpWebRequest.Method = "POST"
myHttpWebRequest.ContentLength = data.Length
myHttpWebRequest.ContentType = "application/json"
myHttpWebRequest.Headers.Add("Square-Version: 2021-01-21")
myHttpWebRequest.Headers.Add("Authorization: Bearer " & authtoken)
myHttpWebRequest.KeepAlive = False
' Send the JSON body; Using closes the request stream.
Using myHttpstream As Stream = myHttpWebRequest.GetRequestStream()
    myHttpstream.Write(data, 0, data.Length)
End Using
Dim response As String
Dim pstat As String = "Payment Failed"
Try
    Using myHttpWebResponse As HttpWebResponse = DirectCast(myHttpWebRequest.GetResponse(), HttpWebResponse)
        Using myreader As New StreamReader(myHttpWebResponse.GetResponseStream())
            Dim myretcode As Integer = CInt(myHttpWebResponse.StatusCode)
            response = myreader.ReadToEnd()
            If myretcode = 200 Then pstat = "Success"
        End Using
    End Using
Catch ex As WebException
    ' GetResponse throws WebException for error statuses such as 403.
    ' ex.Message holds only the status text; the error body is in ex.Response.
    response = ex.Message
    pstat = "Web Exception"
Catch ex2 As Exception
    response = ex2.Message
    pstat = "Exception"
End Try
In our logs I’m seeing that you have insufficient permissions; it seems the access token you’re using doesn’t have ORDERS_WRITE permissions. When I looked up the merchant token in our internal OAuth, I see most of the authorizations only have PAYMENTS_WRITE permission, but no other permissions. If you’re using OAuth, please ensure you request ORDERS_WRITE permission in order to use PayOrder endpoint.
I’m guessing on the API Explorer, you’re probably using your personal access token instead of an OAuth access token, which has access to all permissions, which is why it succeeds.
Have you created a new application? The last time I see sandbox-sq0idb-5qFanw4Rw7LLFCBjQwHHBA calling PayOrder was on February 6th, and nothing since then. There’s no way to check permissions, but each time you use OAuth, presumably you’re creating a new OAuth access token and using the new token instead?
Hi, it seems that I cannot change the scope permissions on the sandbox. I have tried a new token request, having revoked the previous token, and I even tried a new application, but it still does not update the scope.
I removed your access token, please do not share it publicly. I took a look and it definitely does not have ORDERS_WRITE permissions.
The access token you have in your dashboard should have full permissions as far as I know. If you’re creating your own OAuth authorize URL, though, you would need to include the scopes in the URL.
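The last reply's point about including the scopes in a hand-built OAuth authorize URL, as an added example that is not part of the thread and is not Square's code: it builds the authorize URL with the PAYMENTS_WRITE and ORDERS_WRITE scopes named above and refuses to build one that lacks either. The module and function names, the host values and the placeholder application id are assumptions.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Security.Cryptography

' Added example: hypothetical helper, not code from the thread or from Square.
Public Module SquareOAuthUrl

    ' Scopes named in the thread: PAYMENTS_WRITE for the payment itself,
    ' ORDERS_WRITE for PayOrder (the call that returned 403 Forbidden).
    Public ReadOnly RequiredScopes As String() = {"PAYMENTS_WRITE", "ORDERS_WRITE"}

    ' Random anti-CSRF value. Store it in the user's session and compare it
    ' with the "state" parameter on the OAuth callback before using the code.
    Public Function NewState() As String
        Dim buf(31) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(buf)
        End Using
        Return BitConverter.ToString(buf).Replace("-", "").ToLowerInvariant()
    End Function

    ' host: "squareupsandbox.com" or "squareup.com" (assumed to be what the
    ' thread's SquareURL variable holds).
    Public Function BuildAuthorizeUrl(host As String, clientId As String,
                                      scopes As IEnumerable(Of String),
                                      state As String) As String
        Dim requested As String() = scopes.Distinct().ToArray()
        Dim missing As String() = RequiredScopes.Except(requested).ToArray()
        If missing.Length > 0 Then
            ' Fail here rather than discover the gap later as a 403.
            Throw New ArgumentException("Missing OAuth scopes: " & String.Join(", ", missing))
        End If
        ' Scopes are space-separated; EscapeDataString encodes the space as %20.
        Return "https://connect." & host & "/oauth2/authorize" &
               "?client_id=" & Uri.EscapeDataString(clientId) &
               "&scope=" & Uri.EscapeDataString(String.Join(" ", requested)) &
               "&state=" & Uri.EscapeDataString(state)
    End Function

    Public Sub Main()
        ' Placeholder application id (constructed); use your own from the dashboard.
        Dim url As String = BuildAuthorizeUrl("squareupsandbox.com", "sandbox-sq0idb-EXAMPLE",
                                              {"PAYMENTS_WRITE", "ORDERS_WRITE"}, NewState())
        Console.WriteLine(url)
    End Sub
End Module
```

A token obtained before the scope list was changed keeps its old permissions, so the seller has to go through the new authorize URL and the application has to use the token issued from that authorization.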