When you signed up did it ask you to sign in to your Square account?
I signed up for a Square account like 8 years ago, no idea how that is related to what I am doing?
I am so incredibly lost on what you mean with these cryptic messages. I have my own Square account, my own Sunshine Photo Cart App and related IDs, I have my own developer test accounts, etc. I am using my app IDs when creating OAuth connections and connecting via my custom OAuth process (not touching WooCommerce in any way) with the sandbox account I have.
Is WooCommerce the one that's processing the payment on your account?
No, what I am doing has 0.00000% to do with WooCommerce. I used their plugin as a model to follow UX and code-wise but what I am making is wholly separate and has absolutely nothing to do with WooCommerce.
Oh, okay. Bringing WooCommerce integration into the conversation was a bit confusing.
In that case do you have your own independent OAuth flow figured out? If not where is the confusion?
Sorry, thought I explained what I was doing here: When taking app fees, do I connect with my own API keys? - #10 by sccr410
I have no more confusion, I got it working with the code flow. Someone recommended the PKCE flow but whatev.
The only key of yours that will be used when collecting app_fee_money is the application ID. All the rest come from the token you get from the authorization.
Having an implementation using app_fee_money for some time, my take on the way it works is:
- you use one of the two flows (code or PKCE) to obtain an access_token - and both flows do use the Application ID. It doesn't matter which flow you use, though be careful not to expose your App Secret
- you use that access_token as a Bearer Token to authorize transactions
- the App Id isn't used in the transaction, as it's implied by the access_token (createPayment doco)
- you include the app_fee_money request in the transaction and that amount is credited to your developer account (the developer account as used in the OAuth flow you did in the first step).
PKCE can be a little confusing initially (like all of OAuth!), I'm almost there myself; the summary is:
- With PKCE you only use the App ID, you don't use the App Secret with the code_verifier
- with the ObtainToken call to get the first access_token, you use the code_challenge value instead of using App Secret
- with the subsequent refresh call via ObtainToken, you leave out the App Secret entirely, and save the new refresh key it sends you each time you refresh (rather than just once)
- not commonly needed: you can't yet do a specific RevokeToken - note that RevokeToken (1) uses App Secret and (2) revokes all active tokens (as I understand it).
It's only possible to use app_fee_money with an access_token, can't be done otherwise (as the access_token tells Square where to send the app fee)
The beautiful thing about the Square app fee is that it allows collection of micro-payments; and I think Square is one of very few providers that allow you to do this - the standard merchant flow as used by most providers doesn't allow for developer fees at this point.