question

Are using the new Authorization code that is generated from the authorize endpoint?

Seems like it works if using https://apisandbox.dev.clover.com

Most of the documentation references the url https://sandbox.dev.clover.com

I am also facing the same issue for the first time I get the following error but second time I was able to verify code. Is there any fix I can use or is there any thing I have mis-configured?

 {"status":"Unauthorized","message":"Failed to validate authentication code."}

I am using this endpoint url to validate code:

https://apisandbox.dev.clover.com/oauth/v2/token

I haven't had this problem during testing in the past few days.

Both production and sandbox are fine

https://sandbox.dev.clover.com/oauth/v2/authorize?client_id=xxxx&redirect_uri=xxxx

https://apisandbox.dev.clover.com/oauth/v2/token

https://www.clover.com/oauth/v2/authorize?client_id=xxxx&redirect_uri=xxxx

https://api.clover.com/oauth/v2/token

token request body:

{
    "client_id": "xxxx",
    "client_secret": "xxxx",
    "code": "xxxx"
}

And!! OAuth v1 can still work normally, and the access token obtained before can still be used!

Someone in another thread said they can repro it if the app isn’t already installed on the merchant account. If you uninstall the app from the merchant account first, does it still work?

Sorry, I can't test it. I don't have the permission to delete the APP in production.

But according to the clover document I read before, the auth code will not be returned if the app is not installed.

By the way, how long is the expiration time of everyone's v2 access token? The returned unix time shows that it expires in 30 minutes, but my test these days is 12 to 24 hours, so I don't know the pattern.

The auth code is returned if the app isn’t already installed - that’s the point (as long as the merchant does opt to install it!). The point I was making is that the auth code via v2/authorize seems to only work for v1 if the app wasn’t previously installed, but if the app was already installed, then the second time they get sent to v2/authorize it returns an auth code that works with v2. At least that seems to explain why it works perfectly for me in sandbox, why OP here says it works “second time”, etc. I also cannot test with a prod merchant (without asking a customer for their creds - no thanks!)

Re: expiry. I’m seeing +30min for access, +1yr for refresh. I refresh with 10min remaining to avoid having to lock/sync refreshes (the loser of a race to refresh can still use the old access token, so no need to avoid the race). Once someone is on v2 it actually works quite smooth. Just wish this authorize flow was either fixed or better documented. If I’m doing it wrong, I want to know!

Here is my situation.

The app has been installed on the clover machine. Whether I obtain the auth code through the OAuth v1 or OAuth v2 by URL, and then obtain the token, I can succeed.

the auth code via v2/authorize used for v1, I've never tried this before

Hope this helps

======

I saw you said that the old v1 token can still be used, even if the store has switched to v2 token

Now that I use v2 token, the old v1 token can also be used at the same time. Is this confirmed by clover? v1 token will never expire? I really want to keep using v1 token instead of changing to v2 token.

found this, "Current tokens are long lived"..