question

This looks helpful...

https://community.clover.com/questions/56633/oauth-20-driving-me-nuts-no-refresh-token-sent.html?childToView=57301#answer-57301

For a single merchant integration, you should use a merchant token. You don't need an approved developer account or app. Login to your test developer account and then go to your test merchant and you will see a tokens section for e-commerce.

Thanks, parquet76. However, I do need a developer account, and I'm actually not sure about needing an app or not. So, from my developer account, I go to Test Merchant, and I have generated tokens for both "API Tokens" and "Ecommerce API Tokens". I give the tokens ALL permissions.

Now the question becomes, how to test in the sandbox environment, with the Test Merchant token(s), and then after that, generate an OAuth token and use that for the live environment.

For the sandbox, I have been unable to use the REST API because it's returning "401 Unauthorized" no matter what I do. See this thread: https://community.clover.com/questions/62552/testing-rest-api-in-sandbox-always-returns-401-una.html

I get the same result if I try REST API requests from my server, using curl.

Regarding this thread, "Need help getting started...", I need to get an OAuth token, and since the curl requests aren't working, I can't accomplish this.

What am I missing, or are you saying that the "Ecommerce API Token" for the Test Merchant is the OAuth token??

I have these notes, regarding Tokenizing a Customer Card...

> To use REST API endpoint, need PAKMS key.
> Generate PAKMS key by GET request to PAKMS apikey endpoint.
>> Set the "authorization: Bearer" header value as an OAuth-generated auth_token for a test merchant with specific permissions.
>>> Get an OAuth token
>>>> Request merchant authorization (TEST MERCHANT)

thanks for your help.

So I think I am starting to understand this.

I want to "Create a charge" in the sandbox, and to do that, I don't need a PAKMS key, because the Test Merchant public and private keys are already available (Ecommerce token, IFRAME). This allows me to create a charge using authorization: Bearer {access_token}, where access_token is the Test Merchant public key.

So, I see a clear path now to creating a card token, creating a charge, and testing the payment in the sandbox.

What I am still not clean on how to generate an OAuth auth_token in the live environment.

I gather a new OAuth token needs to be generated each time I create a charge, on the fly.

I'm trying to write some code now, based on the info at "Get the API token" (i.e. the auth_token) as described here: https://docs.clover.com/docs/obtaining-an-oauth-token

Any help much appreciated.

Please help ~

From my server's shell, when I curl to the Clover documented URL for sandbox oauth endpoint, I get a 302 error...

[I'm omitting my actual client_id, which is passed when the app is clicked from the Test Merchant. So, imagine the actual client_id is in place of 13DIGITCODEXX.]

%curl -v -XPOST -H 'client_id: 13DIGITCODEXX' -H "Content-type: application/json" 'https://sandbox.dev.clover.com/oauth/v2/authorize'

Returns:

* About to connect() to sandbox.dev.clover.com port 443 (#0)
* Trying 34.117.169.22...
* Connected to sandbox.dev.clover.com (34.117.169.22) port 443 (#0)
• • •
> POST /oauth/v2/authorize HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sandbox.dev.clover.com
> Accept: */*
> client_id: 13DIGITCODEXX
> Content-type: application/json
>
< HTTP/1.1 302 Moved Temporarily
< date: Sat, 20 Apr 2024 08:55:05 GMT
< Content-Type: text/html
< Content-Length: 154
< location: https://sandbox.dev.clover.com/not-found
• • •
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

When I curl to the Clover documented URL for production oauth endpoint, I get a 302 error...

%curl -v -XPOST -H 'client_id: 13DIGITCODEXX' -H "Content-type: application/json" 'https://www.clover.com/oauth/v2/authorize'

Returns:

* About to connect() to www.clover.com port 443 (#0)
* Trying 166.73.4.193...
* Connected to www.clover.com (166.73.4.193) port 443 (#0)
• • •
> POST /oauth/v2/authorize HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.clover.com
> Accept: */*
> client_id: 13DIGITCODEXX
> Content-type: application/json
>
< HTTP/1.1 301 Moved Permanently
< Content-Length: 0
< location: /oauth/v2/authorize?

I meant you do not need an approved developer account in prod or an app. Yes, of course you need a developer account in sandbox when you are testing. You have the tokens mixed up. You don't need an oauth token, the private key is your API token. And no, you don't generate one per request. It is a secret token that your merchant will securely provide to you. If it becomes compromised you must have the merchant create a new one. Keep it secure. You will use that to make the charge API call (serves same function as an oauth token, but prevents you from having to have a custom clover app, getting it approved, etc.). The public key is the PAKMS, which is used for tokenization (iframe configuration).

OK, great. I will try that out. Thanks for your help.

From what I could gather from the API documentation, this was not covered. That's why I was trying to acquire an OAuth token.