Trying to complete a gift card payment using orders endpoint gets 403 forbidden response

I have written an inhouse application to link square to my asp website using vb.

I can process credit cards all ok, now trying to add gift card processing. Because the gift card may not cover the full purchase value I have to set autocomplete to false and accept partial payments.

(Gift cards auto complete fine)

That part works ok and I get the orderid and paymentid values.

When I process the the orders/pay endpoint I get the 403 Forbidden response in my code. When I try using the API explorer plugging in my values it works fine.

As far as I can tell I am using the same URL in my app as the explorer and the same http headers as all the other calls which get successful responses.

any advice would be appreciated



Just to confirm, using PayOrder on the API Explorer works, but not in your code? Are you currently using one of our SDKs, or building your own HTTP request? What is your Square application id so I can take a look at the logs?


I am using your API explorer to generate the JSON syntax and URL because my application uses VB in aspx pages and I could not get your .net SDK for c# to work with my website

The same code with appropriate endpoint URL works for the Credit Card processing and to reserve a payment on the test gift card

When I try to complete the gift card payment using the payments API it tells me to use the orders API, which is where I get the 403 forbidden in my code but it works in the API explorer

my App ID is sandbox-sq0idb-5qFanw4Rw7LLFCBjQwHHBA

This is the JSON I passed to the orders API to complete the payment

{“idempotency_key”: “95e82b3d-2254-4d32-9dc6-2f5e0cac6c14”," payment_ids": [“nHER2M1plcS1yxs1UIhB9loK9yAZY”]}

The URL I was calling is

My code is

   Dim data As Object = Encoding.UTF8.GetBytes(json)
    Dim myHttpWebRequest As HttpWebRequest = WebRequest.Create("https://connect." & SquareURL & "/v2/orders/" & sqordid & "/pay")
    myHttpWebRequest.Method = "POST"
    myHttpWebRequest.ContentLength = data.length
    myHttpWebRequest.ContentType = "application/json"
    myHttpWebRequest.Headers.Add("Square-Version: 2021-01-21")
    myHttpWebRequest.Headers.Add("Authorization: Bearer " & authtoken)
    myHttpWebRequest.KeepAlive = False
    Dim myHttpstream As Stream = myHttpWebRequest.GetRequestStream()
    myHttpstream.Write(data, 0, data.length)

    Dim response As String
    Dim pstat As String = "Payment Failed"
        Dim myHttpWebResponse As HttpWebResponse = myHttpWebRequest.GetResponse()

        Dim myreader As New System.IO.StreamReader(myHttpWebResponse.GetResponseStream)
        Dim myretcode As String = myHttpWebResponse.StatusCode
        response = myreader.ReadToEnd

        If myretcode = 200 Then pstat = "Success"
    Catch ex As WebException

        response = ex.Message.ToString()

        pstat = "Web Exception"

    Catch ex2 As Exception

        response = ex2.Message

        pstat = "Exception"

    End Try

Thanks for your help


In our logs I’m seeing that you have insufficient permissions; it seems the access token you’re using doesn’t have ORDERS_WRITE permissions. When I looked up the merchant token in our internal OAuth, I see most of the authorizations only have PAYMENTS_WRITE permission, but no other permissions. If you’re using OAuth, please ensure you request ORDERS_WRITE permission in order to use PayOrder endpoint.

I’m guessing on the API Explorer, you’re probably using your personal access token instead of an OAuth access token, which has access to all permissions, which is why it succeeds.

Hi, I have tried with scopes of PAYMENTS_WRITE together with ORDERS_WRITE and get the same results.

Is there any way on the sandbox I can see if my app has the permissions I have asked for?

Alternatively would you mind checking the logs again

Many Thanks


Have you created a new application? The last time I see sandbox-sq0idb-5qFanw4Rw7LLFCBjQwHHBA calling PayOrder was on February 6th, and nothing since then. There’s no way to check permissions, but each time you use OAuth, presumably you’re creating a new OAuth access token and using the new token instead?

Hi, it seems that I cannot change the scope permissions on the sandbox. I have tried a new token request having revoked the previous token, I even tried a new application but it still does not update the scope.

Merchant ID: MLCSHZ0HF4M6C
App Id: sandbox-sq0idb-5qFanw4Rw7LLFCBjQwHHBA
Token: {{redacted}}

I removed your access token, please do not share it publicly. I took a look and it definitely does not have ORDERS_WRITE permissions.

The access token you have in your dashboard should have full permissions as far as I know. If you’re creating your own OAuth authorize URL, though, you would need to include the scopes in the URL.