First token request unauthorized in OAuth2

Question

question

dav1126 asked Dec 12, '23 bryanvargas answered Dec 14, '23

First token request unauthorized in OAuth2

I can't make the requests to get a first token to work in the new oauth flow. The old flow is working fine for me.

The only differences that I can see in the doc is that the production URL changed from https://www.clover.com to https://api.clover.com. The route changed from /oauth/token to /oauth/v2/token and the the request is now a POST instead of a GET. The params (client_id, client_secret and code) are now passed in the POST request body instead of the GET search params. These are the only changes I made. The new oauth API always returns :

401 {"status":"Unauthorized","message":"Failed to validate authentication code."}

It happens in sandbox and production environment. If it helps, doing the exact same resquest ( a POST with params in the body) on the old API route ( /oauth/token ) succeeds and gets me an access_token, but no refresh_token.

Prod app id: XX4047T4M54AY

OAuth access token

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community

Answer 1 · 2023-12-13T14:23:57Z

bryanvargas answered Dec 13, '23

Are you getting a new authentication code(they can only be used once)

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 2 · 2023-12-14T15:55:12Z

dav1126 answered Dec 14, '23

Yes, I tried multiple times with different authentication codes (trying only once per code). The same authorization code will return a 401 on the new route (/oauth/v2/token) but will work on the old route (/oauth/token).

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 3 · 2023-12-14T16:18:01Z

bryanvargas answered Dec 14, '23

There must be a step you are missing, I did the full Oauth V2 flow and was able to get an accessToken and refresh token.

For merchant who are not logged in
{ {baseUrl}}/oauth/v2/authorize?client_id={ {appId}}&redirect_uri={ {redirectUrl}}

returned in the URL will be a code and you will take that code and run:
POST { {baseUrl}}/oauth/v2/token
Payload:

                 {
                  
                 "client_id"
                 : 
                 "
                 {
                  {appId}}
                 "
                 ,
                  
                 "client_secret"
                 : 
                 "
                 {
                  {appSecret}}
                 "
                 ,
                  
                 "code"
                 : 
                 "code goes here"
                 }

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

question