richard3755 asked

Clover API authorisation etc

Hi,

I'm a developer implementing a reporting solution for a customer who are using the Clover POS, alongside other sales channels. We have a requirement to pull out order data onto an external system for reporting etc. We are under some pressure to get this job done quite quickly, and we have a few questions, so would appreciate your help.

Having had a look at the Clover API documentation, it seems that although a merchant API token is provided in the account web interface, you state that production apps must use OAuth2 to authenticate/authorise users. Currently, we have no interest in publishing an app to the Clover marketplace; we only want to pull order data through the API so that we have corresponding data in the external system for reporting.

Would using the merchant token provided in the web interface be suitable for this basic integration? I note that in the documentation you state it is heavily rate limited but we would perhaps only be making a small number of calls each hour, for example, just to grab the order data.

If we are forced to go down the route of publishing an app etc, I would have more questions. I have set up a test web app and merchant account in the sandbox, but after looking for a while I was unable to find a way of linking the two (so that the test merchant has access to the web app). In addition to this, on https://docs.clover.com/clover-platform/docs/using-oauth-20, I can see that the lifetime of the token issued by the OAuth process is one year. Having to have the merchant reauthorise every so often via a browser is clearly not going to work; we would need a token/key with an infinite lifespan, or the ability to refresh the token from our server, so that our server can continue to pull order data from your system without interruption. In addition, given that we don't want this integration to be publicly available, we'd rather not go down the route of publishing the app and implementing what looks like an OAuth2 Authorization Code Grant unless we have to, as we are under some pressure to get this done quickly.

Please let me know if I've misunderstood anything, or require clarification.

Many thanks,

Richard
OAuth
1 comment

zgreathouse commented ·

As far as setting up a developer account, what specific issues are you running into setting up your test merchant? (You can review our docs on setting up a test merchant here)


1 Answer

zgreathouse answered
A developer having access to production merchant/customer data, and potentially payment processing, is something we take very seriously. To utilize Clover's APIs in a production environment, developing a web app and publishing it on the Clover App Market is absolutely mandatory. This is so we have a record of who has access to reading/writing production data on our platform and why. Apps which are published to the app market also undergo both legal and technical review. This is of course to protect Clover merchants and their customers from malicious use of their data and to adhere to legal obligations surrounding user data. If this is unclear in our documentation we will be sure to update our docs to better reflect this.

The use of Merchant Generated tokens is prohibited within the production environment with no exception. In production, the Merchant must be taken through the OAuth flow to gain a legitimate API token each time the Merchant logs into your app. Please let us know if our docs are unclear about this and we will be sure to update them.
2 comments

aclerkin commented ·

Hi zgreathouse, we hope to use your terminals, gateway, etc. to proxy calls from our Client Merchants' PoS systems to your APIs to complete payment (our Client Merchants are PoS providers to whom we provide MIDs, merchant services, etc).

Does this policy therefore preclude server/service level OAuth authentication flows to your APIs, e.g. using Remote Pay Cloud/Pay Display in the method I have described? If not, is there a supported use case involving our Client Merchants authenticating against your OAuth on the Clover device through the Cloud Pay Display app? If not, could a web app that we develop and submit to your app store fulfill our desired use case within your policies?

David Marginian ♦♦ aclerkin commented ·

In order to use Remote Pay Cloud you need to create a web application which will need to go through our approval process (in production). Then when merchants log in to your POS you will guide them through our OAuth process. You can then securely store the returned token (good for 1 year) and use that for your Remote Pay Cloud connection as well as any API calls you need to make from the POS.

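
An added example, not part of the thread and not Clover's code: one way a server-side integration can track the one-year token lifetime discussed above, so that scheduled pulls fail closed on an expired token and the merchant is sent back through OAuth at a login before expiry. The 30-day re-authorization window, the class and function names, and the in-memory store are assumptions.

```python
import time
from dataclasses import dataclass, field

TOKEN_LIFETIME_S = 365 * 24 * 3600  # token "good for 1 year", per the thread
REAUTH_WINDOW_S = 30 * 24 * 3600    # assumption: re-prompt 30 days before expiry


class TokenExpired(Exception):
    """Raised so a scheduled job stops instead of calling the API with a dead token."""


@dataclass
class StoredToken:
    merchant_id: str
    token: str = field(repr=False)  # keep the secret out of logs and tracebacks
    issued_at: float = 0.0

    def expires_at(self) -> float:
        return self.issued_at + TOKEN_LIFETIME_S

    def status(self, now: float) -> str:
        if now >= self.expires_at():
            return "expired"
        if now >= self.expires_at() - REAUTH_WINDOW_S:
            return "reauth_at_next_login"
        return "valid"


class TokenStore:
    """In-memory stand-in (hypothetical) for an encrypted secret store."""

    def __init__(self):
        self._tokens = {}

    def save_from_oauth(self, merchant_id, token, now=None):
        # Called from the OAuth callback each time the merchant completes the flow.
        issued = time.time() if now is None else now
        self._tokens[merchant_id] = StoredToken(merchant_id, token, issued)

    def token_for_call(self, merchant_id, now=None):
        # Fail closed: an unknown or expired merchant token never reaches the API client.
        now = time.time() if now is None else now
        rec = self._tokens.get(merchant_id)
        if rec is None or rec.status(now) == "expired":
            raise TokenExpired(merchant_id)
        return rec.token

    def needs_reauth(self, now=None):
        # Merchants to route through OAuth again at their next login.
        now = time.time() if now is None else now
        return sorted(m for m, r in self._tokens.items() if r.status(now) != "valid")
```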
