miket0o asked

Where should I store access tokens

I am making a web app with Flask. When I make the request to the server and I get the access token, where is the best place to store access tokens? Also, is there a way to get the Merchant ID automatically instead of manually typing it in my code?

REST API

Jeffrey Blattman answered

You get a token using OAuth: https://docs.clover.com/clover-platform/docs/using-oauth-20

When your webapp is called back, the callback URL has a parameter that is the merchant ID.

https://www.example.com/oauth_callback?merchant_id={mId}&client_id={APP_ID}&code={AUTHORIZATION_CODE}

As for where to store, I'd imagine you use a cookie or some other persistent storage. Sorry I'm not familiar w/ Flash in particular.



Bryanne Vega answered

Hello,


As Jeffrey mentioned, the merchant ID is received as parameters in the URL when they're redirected to your site.


You should follow industry standards when managing tokens.


The first question is, why do you need to store the tokens?


If your app is only performing API calls while your customer is in your app, I do not recommend storing them.


If you're going to make calls to the API after your app has been closed, it is up to you, the developer, how you store the token.


Do not store tokens in the local cache, for obvious security reasons. Remember to implement logic to verify the token's validity (see Clover Docs).

4 comments

Jeffrey Blattman ♦♦ commented ·


If your app is only performing API calls while your customer is in your app, I do not recommend storing them.

If you don't store them, wouldn't the user have to re-login every time they navigate away and back to the page?

0 Likes 0 ·
miket0o commented ·

The idea of the app is to automate a carwash. I want to be reading every new order the wash receives so I can put it in a queue and hook the server with the carwash and dequeue with a physical button. So I need to store the access token. I want to be reading data even when the merchant is not in the app. However, the app is going to be private and I only need to read the API. I won’t be writing on it.

0 Likes 0 ·
Bryanne Vega miket0o commented ·

Careful,

Clover's sensitive when you mention "private" apps.

Read only data is sufficient for a data breach, just consider that.

There must be a way you implement controls (encryption, access to the keys, etc).

@Jeffrey, if you're still logged onto the Clover Dashboard and click on the App's Icon it will re-log you in. You can always have a cache that expires on the browser, but you're not storing it in a database for later use is what I meant, as in a "forever" token to be used over and over.

1 Like 1 ·
Jeffrey Blattman ♦♦ Bryanne Vega commented ·

Got it. Like I said, not a web developer so thanks for filling me in.

0 Likes 0 ·
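
An added example, not code from this thread or from Clover: a standard-library sketch of the two points in the answers above, reading the merchant ID from the callback URL and keeping the access token on the server with an expiry, so that the browser cookie only carries an opaque ID. The names `parse_oauth_callback` and `ServerSideTokenStore` are hypothetical, and the in-memory dict is an assumption standing in for whatever protected storage you choose; a Flask view would pass `request.url` to the parser.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs


def parse_oauth_callback(url, expected_client_id):
    """Return (merchant_id, code) from the callback URL, or raise ValueError."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {}
    for name in ("merchant_id", "client_id", "code"):
        values = params.get(name, [])
        # Repeated or empty parameters are ambiguous, so refuse them.
        if len(values) != 1 or not values[0]:
            raise ValueError(f"callback must carry exactly one non-empty {name}")
        fields[name] = values[0]
    # Refuse callbacks that were issued for a different app.
    if fields["client_id"] != expected_client_id:
        raise ValueError("client_id does not match this app")
    return fields["merchant_id"], fields["code"]


class ServerSideTokenStore:
    """Holds access tokens on the server, keyed by an opaque session ID."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # session_id -> (merchant_id, token, expires_at)

    def put(self, merchant_id, access_token):
        session_id = secrets.token_urlsafe(32)  # random; reveals nothing about the token
        expires_at = self._clock() + self._ttl
        self._entries[session_id] = (merchant_id, access_token, expires_at)
        return session_id  # this value, not the token, goes in the cookie

    def get(self, session_id):
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        merchant_id, token, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[session_id]  # expired: require a new OAuth round trip
            return None
        return merchant_id, token
```
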
