Manage Access to the Square APIs

Provides information about obtaining an access token that lets you use Square APIs for custom site development.

Requests to Square APIs require an access token. For custom site development, you must provide an OAuth access token in order to run Square Online CLI commands.

The Square Online CLI is a wrapper for the Sites API and provides a convenient way to make changes to a site from your local development environment. We recommend using the CLI instead of the Sites API.

You need to implement an OAuth flow —typically, the code flow implementation— to obtain an OAuth access token from the seller whose site you intend to customize. The OAuth access token provides authenticated and scoped Square API access to resources in the seller’s account. The OAuth flow requires credentials from your Square account, such as your application ID.

The following permissions are required for custom site development:

Permission Description
MERCHANT_PROFILE_READ Required by all Square API endpoints.
ONLINE_STORE_SITE_READ Required by the ListSites endpoint.
ONLINE_STORE_CUSTOM_THEME_WRITE Required by endpoints that perform a POST, PUT, or DELETE operation on a custom site.
ONLINE_STORE_CUSTOM_THEME_READ Required by endpoints that perform a GET operation on a custom site.

This topic describes where you can find your account credentials so you can use them in the OAuth flow. For information about how to implement the OAuth flow to obtain an access token and to refresh it before it expires, see OAuth API Overview in the Square Developer documentation.

To get your application ID and application secret

  1. Sign in to the Developer Dashboard using your Square account user name and password, and then open your application.

sq-dev-account-1

  1. At the top of the page, choose the Production toggle. Sandbox isn’t supported for custom site development.

  2. On the OAuth page, under Production Application ID, copy the application ID (also called the client ID).

  3. On the OAuth page, under Production Application Secret, copy the application secret (also called the client secret).

sq-dev-account-2

Now you’re ready to implement the OAuth flow from your client application.

To get your personal access token

When testing with a site in your own account, you can use your personal access token to authorize API requests. This personal access token provides unrestricted access to resources in your account.

  1. Sign in to the Developer Dashboard using your Square account user name and password, and then open your application.

  2. At the top of the page, choose the Production toggle. Sandbox isn’t supported for custom site development.

  3. On the Credentials page, under Production Access Token, choose Show, and then copy the token.