Obtain token
POST
/oauth2/token
Returns an OAuth access token and a refresh token unless the
short_lived parameter is set to true, in which case the endpoint
returns only an access token.
The grant_type parameter specifies the type of OAuth request. If
grant_type is authorization_code, you must include the authorization
code you received when a seller granted you authorization. If grant_type
is refresh_token, you must provide a valid refresh token. If you are using
an old version of the Square APIs (prior to March 13, 2019), grant_type
can be migration_token and you must provide a valid migration token.
You can use the scopes parameter to limit the set of permissions granted
to the access token and refresh token. You can use the short_lived parameter
to create an access token that expires in 24 hours.
Note: OAuth tokens should be encrypted and stored on a secure server. Application clients should never interact directly with OAuth tokens.
Request body
Example code
The Square-issued ID of your application, which is available in the OAuth page in the Developer Dashboard.
The Square-issued application secret for your application, which is available in the OAuth page
in the Developer Dashboard. This parameter is only required when you are not using the OAuth PKCE (Proof Key for Code Exchange) flow.
The PKCE flow requires a code_verifier instead of a client_secret.
The authorization code to exchange.
This code is required if grant_type is set to authorization_code to indicate that
the application wants to exchange an authorization code for an OAuth access token.
The redirect URL assigned in the OAuth page for your application in the Developer Dashboard.
Specifies the method to request an OAuth access token.
Valid values are authorization_code, refresh_token, and migration_token.
A valid refresh token for generating a new OAuth access token.
A valid refresh token is required if grant_type is set to refresh_token
to indicate that the application wants a replacement for an expired OAuth access token.
A legacy OAuth access token obtained using a Connect API version prior
to 2019-03-13. This parameter is required if grant_type is set to
migration_token to indicate that the application wants to get a replacement
OAuth access token. The response also returns a refresh token.
For more information, see Migrate to Using Refresh Tokens.
A JSON list of strings representing the permissions that the application is requesting.
For example, "["MERCHANT_PROFILE_READ","PAYMENTS_READ","BANK_ACCOUNTS_READ"]".
The access token returned in the response is granted the permissions that comprise the intersection between the requested list of permissions and those that belong to the provided refresh token.
A Boolean indicating a request for a short-lived access token.
The short-lived access token returned in the response expires in 24 hours.
A valid OAuth access token. OAuth access tokens are 64 bytes long. Provide the access token in a header with every request to Connect API endpoints. For more information, see OAuth API: Walkthrough.
The date when the access_token expires, in ISO 8601 format.
LEGACY FIELD. The ID of a subscription plan the merchant signed up for. The ID is only present if the merchant signed up for a subscription plan during authorization.
LEGACY FIELD. The ID of the subscription plan the merchant signed up for. The ID is only present if the merchant signed up for a subscription plan during authorization.
The OpenID token belonging to this person. This token is only present if the OPENID scope is included in the authorization request.
A refresh token. OAuth refresh tokens are 64 bytes long. For more information, see Refresh, Revoke, and Limit the Scope of OAuth Tokens.
A Boolean indicating that the access token is a short-lived access token. The short-lived access token returned in the response expires in 24 hours.
The date when the refresh_token expires, in ISO 8601 format.