question

spiceappmatt avatar image
spiceappmatt asked spiceappmatt answered

Payload for OAuth API Request?

So here goes...

I've got an app (in development, not production) that is using OAuth. When Clover redirects the user to our web app, the app successfully captures the merchant_id and access_token and sends them to a server endpoint. The server then crafts the request for the API key:

  let authInfo = {
      'grant_type': 'authorization_code',
      'code': _authCode,
      'redirect_uri': url,
      'client_id': appid,
      'client_secret': appSecret
  }
  const _apiOptions = {
    method: "POST",
    body: JSON.stringify(authInfo),
    headers: { "Accept": "application/json"}
  };

and sends it off to:

  var _apiUrl = 'https://sandbox.dev.clover.com/oauth/token?client_id=' + appid + '&client_secret=' + appSecret + '&code=' + _authCode;

I make the call using fetch:

  fetch(_apiUrl, _apiOptions)
    .then(tok => tok.json())
    .then(json => {
      apiKey = json.access_token;
    }).catch( err => {
      console.log('There was a problem: ' + err.message);
    });

If I don't include a body in the options, I get back 'Please specify a payload' as a response message. If I don't stringify the body JSON, I get 'Invalid value in JSON' as a response message. As it is, I get back 'Invalid OAuth credentials' as a response message. A console log of the body before it goes out looks like this (sensitive info redacted):

"{\"grant_type\":\"authorization_code\",\"code\":\"{
                 {authCode}}\",\"redirect_uri\":\"https://myspiceapp.com/manage/#/clover\",\"client_id\":\"{
                 {appID}}\",\"client_secret\":\"{
                 {secret}}\"}"

There is nothing in the Clover documentation specifying what the structure of the payload should be. So I have a few questions:

1) Am I correct in setting the web app's URL, our redirect URL, as the redirect_uri for the API key request?

2) Will it work passing the authorization token to a server endpoint to get the API key? The server cannot see the access_token because it is fragmented from the rest of the URL, and the app should not hold the secret, so this seems to be the correct way to do it.

3) What should be included in the body and, based on the log of how it's structured going out, is it being received on Clover's end properly?

REST APIOAuthAPI Token
10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

2 Answers

spiceappmatt avatar image
spiceappmatt answered

Sorry, I never updated the status of this.


The code I was passing to get an API key was actually an API key. We had our app set up to accept the key in the header as #access_token. Once we switched from Token to Code in the REST Configuration, we had no trouble passing the code along and receiving an API key in response. Sorry about the confusion, and thank you for your patience in helping me with this.

10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

David Marginian avatar image
David Marginian Deactivated answered David Marginian Deactivated converted comment to answer

https://docs.clover.com/docs/using-oauth-20#step-3-request-an-api-token

The token request is a GET, not a POST: 

curl --location --request GET 'https://api.clover.com/oauth/token?client_id={appId}&client_secret={appSecret}&code={appCode}'
2 comments
10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

spiceappmatt avatar image spiceappmatt commented ·

Still getting:

{ message: 'Invalid OAuth credentials' }

Is there something I'm missing? Should I be submitting &access_token={ {_authCode}} instead of &code={ {_authCode}}?

0 Likes 0 ·
David Marginian avatar image David Marginian ♦♦ spiceappmatt commented ·
No, you don't have an access_token, the access_token is obtained by making the call. I see your requests in the logs, and you are still passing a request body, why? The call to obtain is a GET with no request body.
0 Likes 0 ·

Welcome to the
Clover Developer Community