• Example searches: “transaction”, “CreateOrder”, “/v2/locations”, “inventory”, “delete customer”

You are viewing an old version of the API
Authorize

GET /oauth2/authorize

As part of a URL sent to a seller to authorize permissions for the developer, Authorize displays an authorization page and a list of requested permissions.

This is not a callable API endpoint.

The completed URL looks similar to the following example: https://connect.squareup.com/oauth2/authorize?client_id={YOUR_APP_ID}&scope=CUSTOMERS_WRITE+CUSTOMERS_READ&session=False&state=82201dd8d83d23cc8a48caf52b

The seller can approve or deny the permissions. If approved,Authorize returns an AuthorizeResponse that is sent to the redirect URL and includes a state string and an authorization code. The code is used in the ObtainToken call to obtain an access token and a refresh token that the developer uses to manage resources on behalf of the seller.

Important: The AuthorizeResponse is sent to the redirect URL that you set on the OAuth page of your application in the Developer Dashboard.

If an error occurs or the seller denies the request, Authorize returns an error response that includes error and error_description values. If the error is due to the seller denying the request, the error value is access_denied and the error_description is user_denied.

Name Description
client_id
string

Required

The Square-issued ID for your application, available from the OAuth page for your application on the Developer Dashboard.

scope
string

A space-separated list of the permissions that the application is requesting. Default: "MERCHANT_PROFILE_READ PAYMENTS_READ SETTLEMENTS_READ BANK_ACCOUNTS_READ"

locale
string

The locale to present the permission request form in. Square detects the appropriate locale automatically. Only provide this value if the application can definitively determine the preferred locale.

Currently supported values: en-IE, en-US, en-CA, es-US, fr-CA, and ja-JP.

session
boolean

If false, the user must log in to their Square account to view the Permission Request form, even if they already have a valid user session. This value has no effect in Sandbox. Default: true

state
string

When provided, state is passed to the configured redirect URL after the Permission Request form is submitted. You can include state and verify its value to help protect against cross-site request forgery.

Response Fields

Name Description
code
string

A valid authorization code. Authorization codes are exchanged for OAuth access tokens with the ObtainToken endpoint.

Max Length 191
state
string

The same value specified in the request.

Min Length 1 Max Length 2048

Examples

You are viewing an old version of the API
GET /oauth2/authorize
cURL
https://connect.squareup.com/oauth2/authorize