Square Basics

Square API Access Tokens

Understand the different types of access tokens used to call Square APIs.

What are application credentials?

An application credential is any piece of information that identifies, authenticates, or authorizes an application in some way. The most common form of credential is the access token (also called an authorization token).

Authentication versus authorization

While authentication (sometimes abbreviated "authN") and authorization (sometimes abbreviated "authZ") are sometimes used interchangeably, the credentials serve very different purposes.

An authentication credential works with an identifier to prove that the credential holder (e.g., a person or application) is who they claim to be. For example, when your bank prompts for a username and then sends you a text with a numeric code, the numeric code is an authentication credential. It proves you really are the person associated with the username and password entered on the login page.

An authorization credential grants the credential holder permission to take some set of actions required to do useful work, typically on behalf of a person or organization.

What is an access token?

Access token is the general term for an authorization credential. In the context of Square APIs and SDKs, access tokens grant applications permission to access a specific Square account. Access tokens can be scoped or unscoped.

A scoped access token grants specific permissions that limit what the application can do with the targeted account. For example, a scoped token might grant the application permission to read information about past transactions but not permission to process refunds for the account. OAuth tokens and mobile authorization tokens are examples of scoped access tokens.

An unscoped access token grants unlimited access to the targeted account. Unscoped access essentially means that the application is impersonating the account owner and can do anything the account owner would be able to do. A personal access token is an example of an unscoped access token.
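The following added example (not Square's code) models how the two kinds of token behave when an operation is checked, and what a leaked copy of each would expose. The operation names, the account IDs, and the operation-to-permission table are constructed for illustration; the permission names follow Square's OAuth naming, which this page does not list.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed subset: operation -> permission it requires (assumption, not from the page).
REQUIRED = {
    "list_payments": "PAYMENTS_READ",
    "refund_payment": "PAYMENTS_WRITE",
    "list_customers": "CUSTOMERS_READ",
}


@dataclass(frozen=True)
class AccessToken:
    account_id: str                    # the one account this token targets
    scopes: Optional[FrozenSet[str]]   # None models an unscoped token


def is_allowed(token: AccessToken, account_id: str, operation: str) -> bool:
    """Decide whether `token` may perform `operation` on `account_id`."""
    if operation not in REQUIRED:
        return False                   # unknown operation: deny by default
    if token.account_id != account_id:
        return False                   # a token only ever covers its own account
    if token.scopes is None:
        return True                    # unscoped: anything the owner could do
    return REQUIRED[operation] in token.scopes


def minimal_scopes(operations: Iterable[str]) -> FrozenSet[str]:
    """Smallest permission set covering the operations the app really performs.

    Raises KeyError for an operation missing from REQUIRED, so a typo cannot
    silently produce an empty grant.
    """
    return frozenset(REQUIRED[op] for op in operations)


def blast_radius(token: AccessToken) -> List[str]:
    """Operations available to anyone holding a leaked copy of `token`."""
    return sorted(op for op in REQUIRED
                  if is_allowed(token, token.account_id, op))


if __name__ == "__main__":
    reporting = AccessToken("acct_A", minimal_scopes(["list_payments"]))
    personal = AccessToken("acct_A", None)
    print("scoped token exposes:  ", blast_radius(reporting))
    print("unscoped token exposes:", blast_radius(personal))
```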

Application credentials with Square APIs

Applications registered with Square through the Application Dashboard are assigned a set of credentials for accessing Square services. You will need to use different credentials depending on how your application will be used.

| Credential | Purpose | Description | What it does | Dashboard settings page |
| --- | --- | --- | --- | --- |
| OAuth token | Authorization | Scoped access token | Grants limited access to a Square account by asking the account owner for explicit permissions. | Requested programmatically using the OAuth API. |
| Personal access token | Authorization | Full-access (unscoped) access token. | Grants full production access to the corresponding Square account. | Credentials |
| Application ID | Identification | Random, unique ID assigned by Square. | Identifies your application in mobile API calls, OAuth requests, and in the Square Payment form. Also called a client ID. | Credentials |
| Sandbox access token | Authorization | Full-access (unscoped) access token. | Grants full sandbox access to the corresponding Square account. | Credentials |
| Sandbox Application ID | Identification | Random, unique ID assigned by Square. | Identifies your application in select Connect API calls and the Square Payment form against the sandbox environment. Also called a sandbox client ID. | Credentials |
| Application Secret | Authentication | OAuth authentication credential | Verifies the identity of your application in OAuth requests. | OAuth |
| Repository password | Authorization | Random, unique ID assigned by Square | Grants your development environment access to the remote repositories that serve Reader SDK binaries. | Reader SDK |
