I can’t seem to find any documentation that lists the OAuth Permission scopes for the Webhooks Subscription API.
Also, the Ruby SDK does not include any documentation on the Webhooks Subscription API, although I did find the code in the SDK.
Ok, so when I try to create a Webhook Subscription, I get the message -
AUTHENTICATION_ERROR - The merchant has not given your application sufficient permissions to do that. The merchant must authorize your application for the following scopes: DEVELOPER_APPLICATION_WEBHOOKS_WRITE (RuntimeError)
Ok. Fine. Let’s add that to the list of scopes that we need for OAuth and disconnect and reauthorize.
Guess what? There’s no prompt for the Webhooks permission, and I still can’t use the API.
Is this API available for use??? If so, how do I actually manage to use it?
BTW. I noticed that there are VENDOR_READ and VENDOR_WRITE scopes, but I hadn’t added them to my authorization list. However, it looks like you don’t even check that this permission has been granted because I’ve been able to read and write using the Vendor API without a problem.
Looks like you might have a bit of a security exposure there!
Hey @spiffybrian!
Thanks for checking out the new API!
A couple of things:
- Thanks for letting us know about the Ruby SDK, we’ll take a look!
- The API doesn’t use OAuth scopes in the traditional sense, because the webhook subscriptions are owned by the application and not any particular merchant, they can’t be delegated via OAuth. You need to call them using a PAT for the application you want to manage subscriptions for. We know this isn’t super clear in the docs right now, so we’re working on updating those. I also know the error message is a little misleading, and we’re looking at that as well.
- I’m not as familiar with the Vendor API and associated scopes, so I’ll leave that to some colleagues, but tag them in (@Bryan-Square)
A quick update – but looking at the Ruby SDK on github, I do see the docs; though we are missing from the front README, we’ll get that updated.
https://github.com/square/square-ruby-sdk/blob/master/doc/api/webhook-subscriptions.md is a direct link to the documentation
Thanks for bringing this to our attention. I’m looking into the scope issue. 
Hi Bryan, I am also trying to implement a use case where adding / removing webhooks for our customers using oauth integration inside our application.
Is there any update when Its possible to request for DEVELOPER_APPLICATION_WEBHOOKS_WRITE scope using oauth.
Thank you,
Mohammad.
With the Webhooks Subscriptions endpoints you only call it with your personal access token. It’s not used with OAuth access tokens.
Hi Bryan,
Thank you for the fast reply. Is this feature in Square roadmap?
No plan to support it cause there’s no need for it. Your app is where the subscription is managed. This is why only your personal access token can make changes to it. The subscriptions that are configured in your application with work with all OAuth’d accounts
Hello Bran can you tell me how can I use this.
I created webhook subscription in my developer account but which clients authorize my application using oauth when they purchase item my webhook event is not triggered.
how can I fix it?
I’d like to help however I’m not sure I fully understand the question. When you get a moment can you further explain your technical issue?
Beg your pardon to jump in. But i will make it clear for you. The issue is that we have created webhook subscription in our application and according to square every seller that oauths our app will be subscribed to our webhook but it does not and webhook does not get triggered so in order to overcome this we have used webhooks subcription api from the sdk to create a subscription in sellers account to subscribe to our webhook which obviously does not work. I can give you the code snippets if needed please let me know.
Are you using an integration where you OAuth yourself? What is the application ID that makes all the API calls to Square?
No i am not using an integration where i oauth myself oauth is for all sellers, this is the app ID
sq0idp-ErbSt_nVE_OMdbeHRW1WpQ
I took a look at the account and I see that your only subscribed to order.created events. Where are the orders being generated? At this time order.create events will only trigger when the order is created with the Orders API. It won’t trigger an event if the order is from a payment on the POS.
Came across this thread. We want to create an webhook when a user connects via oAuth. To avoid passing it in the the onboarding checklist and to prevent errors.
I’m think these are the scopes. We can connect without receiving via oAuth without the invalid scope warning. This indicated to be the scopes indeed are recognized by Square.
Wehbooks Permissions
“DEVELOPER_APPLICATION_WEBHOOKS_WRITE”,
“DEVELOPER_APPLICATION_WEBHOOKS_READ”,
Then when attempting to list the webhooks or create one. We get these errors.
The merchant has not given your application sufficient permissions to do that. The merchant must authorize your application for the following scopes:
DEVELOPER_APPLICATION_WEBHOOKS /read MERCHANT
The merchant has not given your application sufficient permissions to do that. The merchant must authorize your application for the following scopes: DEVELOPER_APPLICATION_WEBHOOKS /write MERCHANT
Primary questions:
- Is this not supported by Square yet?
- Are the scopes correct?
Thanks, having the merchants manually create the webhook is an alternative.