question

apacedg avatar image
apacedg asked ·

Production 401 Client Error: Unauthorized for url

Hi. I am hitting the REST API ( https://www.clover.com/v3/merchants/xxx/exports/?access_token=xxx) from my local machine using python. It works fine in sandbox mode. When I switch the url/merchant-id/access-token to production, I get an error: "401 Client Error: Unauthorized for url...".

I thought it might be a CORS issue, so I added http://localhost:8000/ as a CORS domain in my app's web configuration settings. I then ran my code from a local web server, and got the same error: "HTTPError: 401 Client Error: Unauthorized for url: https://www.clover.com/v3/merchants/xxx/exports/?access_token=xxx

Is it a requirment to hit the API from a web server?
Does my app need to be approved in the market before I can hit the production API?
Is this the correct production API url?: ' https://www.clover.com'
I've already checked to make sure my app has the correct permissions allowed. Any other ideas?
REST API
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

zgreathouse avatar image
zgreathouse answered ·
1. You do not have to hit the API from a web server
2. Your app does not need to be approved in production before the API is accessible.
3. Yes, that is the correct Production API url

How are you fetching the API Token in your application? Are hardcoding the token?

One thing to note is that if permissions were changed after the application was installed, the new permissions are not reflected in the API Token. You would need to uninstall and reinstall the app in order for the newly set permissions to go into effect.
9 comments Share
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

First I get a code using this endpoint: https://www.clover.com/oauth/authorize?client_id=9...
Then I get my token: https://www.clover.com/oauth/token?client_id=9QN8D...

I then use that token to make RESTful calls.
Everything works fine in sandbox mode. it fails when I go against the production API endpoints.

0 Likes 0 · ·

Have you tried uninstalling and reinstalling the application?

I would also check your app secret and app ID are your production app's and not your sandbox app's.

0 Likes 0 · ·

I am sure that my app secret and app ID are correct for production. I doubled checked.

I'm not sure what you mean by uninstall/reinstall my app. I am running this code from my local computer, from a python file. @zgreathouse

0 Likes 0 · ·
Show more comments
@zgreathouse It seems like my authorization code expires after 1 use. Does the client need to authorize my app before every request?
0 Likes 0 · ·

Apologies, I am not sure I understand the question. The code which is used to fetch the token expires after a single use. The token however does not expire until the app has been uninstalled. If OAuth is being implemented properly, each time a Merchant logs into your app, a new code and therefore a new token should be acquired each time.
(See a python OAuth example here: https://github.com/cloverhackathons/OAuthPython)

However, if permissions have been updated since installing your production app to your production test merchant- you must uninstall and reinstall your production app on the production test merchant for the new permissions to go into effect. After reinstalling the app you need to request a new token, as any tokens previously acquired were expired upon uninstalling the app.

0 Likes 0 · ·

Basically if you have confirmed the following:
- Base url is correct in exports endpoint
- MerchantId is correct in exports endpoint
- App Secret used to fetch token is correct
- App Id (Client Id) used to fetch token is correct
- App is installed on the merchant you are fetching exports for
- Required permissions are set on your app

Then the last thing to determine is if the token is valid. It is possible the token does not have the proper permissions. For clarification the token will have the permissions which were set at the time the Merchant installed the app. So if after installing the app you add Order Read permissions, you cannot get a token with those permissions until the Merchant uninstalls/ reinstalls the app. Subsequent tokens will have the newly added permission.

-1 Like -1 · ·
Thanks. Having my merchant uninstall and re-authorize the app helped!!
1 Like 1 · ·

Wonderful :) Happy to help!

0 Likes 0 · ·

Welcome to the
Clover Developer Community