Alan asked Alan commented

Best practices with Merchant's Auth Tokens

Hi DevAsk,

I'm developing an application that will rely on interaction between our external server. I'm wondering, are there any restrictions on using the merchant's auth tokens outside of the Clover application on a secured server, to create an order or query their inventory, for example?

Are there any issues with taking the auth token across a 2048SSL connection, or anything that would prevent approval of our application?

Thank you

Auth

1 Answer

Brian Murray Deactivated answered Alan commented

We don't have any specific restrictions on how apps can use auth tokens. We ask that developers understand that auth tokens are sensitive and take reasonable precautions to protect them.

The key point is that actions taken with an auth token are viewed as actions taken by the associated app. If the auth token is leaked, any malicious activity will be logged as coming from the associated app. When the malicious activity is detected, we will disable the auth token, and, in doing so, disable the associated app. We will also disable the auth tokens for each merchant using the app unless we can quickly confirm that only a subset of auth tokens were compromised.

Some best practices:

  • Do not share auth tokens with 3rd parties. For example, do not embed auth tokens in a public-facing web page and use client-side JavaScript to make calls to Clover's servers.
  • Request auth tokens with the minimal permissions necessary for your app. When possible, request read-only permissions instead of full permissions.
  • Avoid storing auth tokens in logs. Configure the logging framework to mask auth tokens in URLs.
1 comment

Alan commented ·

Thanks Brian, that's exactly what I wanted to hear too!

0 Likes 0 ·
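
The answer's last practice, masking auth tokens in logged URLs, can be done with a filter on the log handler. The following is an added example, not part of the original answer and not Clover's code; it assumes the token appears as an `access_token` query parameter or an `Authorization: Bearer` header value, and the logger name, host and token values are constructed for illustration.

```python
import io
import logging
import re

# Assumption: tokens appear as an `access_token` query parameter or as an
# `Authorization: Bearer ...` value; adjust the patterns to your own client.
_TOKEN_PATTERNS = [
    re.compile(r"(?i)([?&;]access_token=)[^&#\s\"']+"),
    re.compile(r"(?i)(\bBearer\s+)[A-Za-z0-9._~+/=-]+"),
]

def mask_tokens(text: str) -> str:
    """Replace token values with a fixed mask, keeping the rest of the line."""
    for pattern in _TOKEN_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + "****", text)
    return text

class TokenMaskingFilter(logging.Filter):
    """Scrub tokens from the merged message before the handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() merges msg and args, so a URL passed as a %s argument
        # is masked too, not only text typed into the format string.
        record.msg = mask_tokens(record.getMessage())
        record.args = None
        return True

def build_logger(stream) -> logging.Logger:
    """Return a logger whose only handler masks tokens before writing."""
    logger = logging.getLogger("merchant_api_client")  # hypothetical name
    logger.handlers.clear()
    logger.propagate = False  # keep unmasked records away from root handlers
    handler = logging.StreamHandler(stream)
    handler.addFilter(TokenMaskingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger

def demo() -> str:
    """Log two constructed lines that carry a fake token; return the output."""
    buf = io.StringIO()
    log = build_logger(buf)
    url = "https://api.example.test/v3/merchants/M123/orders?limit=5&access_token=abc123-def"
    log.info("GET %s", url)
    log.info("headers: Authorization: Bearer abc123-def")
    return buf.getvalue()
```

Exception tracebacks are rendered by the handler's formatter after filters run, so a token inside an exception message needs the same masking applied in a custom `Formatter`.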
