deepseed asked David Marginian Deactivated answered

403 error in Export API

When I have multiple users of my web app that use the same Merchant ID, I will generate an OAuth token for each user rather than reusing the same token for each user. I believe this is the correct approach from a security perspective.

The first and second tokens for a Merchant ID work fine with the Orders API. However, the second token fails with a 403 error when used in the Export API.

The first token works fine with the Export API. It's just the second (and subsequent) tokens that get the 403 error.

Any idea why this might be happening? Is it incorrect to have multiple tokens for the same Merchant ID, or should that work as described?

Any help would be appreciated!

Tags: REST API, OAuth, API Token, access token

David Marginian Deactivated answered

The export API now requires special permission. The tokens that are working are older and were "grandfathered in". New tokens will not work until your app has a new permission which must be requested (not available in the UI) by contacting appmarketbusiness@clover.com.

David Marginian Deactivated answered deepseed edited

Judging from your previous question I don't think you have a valid token.

1 comment

deepseed commented:

Thanks for the reply, David, but as I noted in the question, I am receiving valid tokens in this scenario. I'm confident in saying this because queries to the Orders/Merchants/Refunds APIs successfully return identical results for both tokens.

The two tokens below are generated for the same Merchant ID and both queries return the same results - as expected. (I'm happy to provide the full Merchant ID and Token values if you let me know how to securely do that.)

SUCCESS: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/orders?access_token=7f6XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&limit=1

SUCCESS: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/orders?access_token=e30XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&limit=1

Both tokens also work in the Merchants API and the Refunds API.


The problem is that the Exports API fails with a 403 error when the second token is used, as follows:

SUCCESS: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/exports?access_token=7f6XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

FAILURE: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/exports?access_token=e30XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX


In your logs, a 403 error occurred at 2021-02-27 08:38:05.841 EST using the second token and a successful call occurred at 2021-02-27 08:44:06.191 EST using the first token. All of the parameters in the body and the server code were exactly the same. The only difference in the two Exports API calls was the token value (and the six-minute time difference, of course).

So I'm looking for guidance on why a token would work for one type of API call but not another. It seems like a token that works for some APIs should work for all of them.

In case this is worth noting, the successful API calls use GET and the Exports API uses POST. I'm not sure why this would matter, but it's the only difference I could find between the successful and unsuccessful APIs.

Thank you in advance for your help with this.

0 Likes 0 ·
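The pattern in this thread (same merchant, two tokens, 403 on only one endpoint) can be triaged mechanically. The sketch below is an added example, not code from the thread or from Clover. It assumes general HTTP semantics (401 means the token was rejected, 403 means the caller is authenticated but lacks permission) and status 200 for the calls the thread marks SUCCESS; `diagnose`, `fingerprint` and the third token are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

BASE = "https://api.clover.com/v3/merchants/XXXXXXXXXXXX"
T1 = "7f6XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"  # redacted placeholders from the thread
T2 = "e30XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
T3 = "000XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"  # constructed control, not in the thread

# Constructed observations: (method, URL, HTTP status). The 200s stand in for
# the calls the thread marks SUCCESS; the 401 row is an assumed control case.
OBSERVATIONS = [
    ("GET", f"{BASE}/orders?access_token={T1}&limit=1", 200),
    ("GET", f"{BASE}/orders?access_token={T2}&limit=1", 200),
    ("POST", f"{BASE}/exports?access_token={T1}", 200),
    ("POST", f"{BASE}/exports?access_token={T2}", 403),
    ("GET", f"{BASE}/orders?access_token={T3}&limit=1", 401),
]

def fingerprint(token):
    """Stable label for logs so the token itself is never written out."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]

def diagnose(observations):
    """Map token fingerprint -> (verdict, endpoints that returned 403)."""
    seen = defaultdict(list)
    for method, url, status in observations:
        parts = urlsplit(url)
        token = parse_qs(parts.query)["access_token"][0]
        resource = parts.path.rsplit("/", 1)[-1]
        seen[fingerprint(token)].append((f"{method} {resource}", status))
    report = {}
    for fp, calls in seen.items():
        ok = [c for c, s in calls if 200 <= s < 300]
        denied = [c for c, s in calls if s == 403]
        if ok and denied:
            verdict = "authenticated, missing permission"
        elif ok and len(ok) == len(calls):
            verdict = "ok"
        elif all(s == 401 for _, s in calls):
            verdict = "token rejected"
        else:
            verdict = "inconclusive"
        report[fp] = (verdict, denied)
    return report

if __name__ == "__main__":
    for fp, (verdict, denied) in diagnose(OBSERVATIONS).items():
        print(fp, verdict, denied)
```

A token that succeeds on some endpoints and gets 403 on another is a permission problem on that endpoint, not an invalid token, which matches the explanation that the Export API requires a separately granted permission.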
