403 error in Export API

Question

question

deepseed asked Feb 26, '21 David Marginian Deactivated answered Feb 27, '21

403 error in Export API

When I have multiple users of my web app that use the same Merchant ID, I will generate an OAuth token for each user rather than reusing the same token for each user. I believe this is the correct approach from a security perspective.

The first and second tokens for a Merchant ID work fine with the Orders API. However, the second token fails with a 403 error when used in the Export API.

The first token works fine with the Export API. It's just the second (and subsequent) tokens that get the 403 error.

Any idea why this might be happening? Is it incorrect to have multiple tokens for the same Merchant ID, or should that work as described?

Any help would be appreciated!

REST API OAuth API Token access token

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community

Answer 1 · 2021-02-27T15:30:06Z

David Marginian Deactivated answered Feb 27, '21

The export API now requires special permission. The tokens that are working are older and were "grandfathered in". New tokens will not work until your app has a new permission which must be requested (not available in the UI) by contacting appmarketbusiness@clover.com.

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 2 · 2021-02-26T17:09:29Z

David Marginian Deactivated answered Feb 26, '21 deepseed edited Feb 27, '21

Judging from your previous question I don't think you have a valid token.

1

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

deepseed commented · Feb 27, 2021 at 01:58 PM

Thanks for the reply, David, but as I noted in the question, I am receiving valid tokens in this scenario. I'm confident in saying this because queries to the Orders/Merchants/Refunds APIs successfully return identical results for both tokens.

The two tokens below are generated for the same Merchant ID and both queries return the same results - as expected. (I'm happy to provide the full Merchant ID and Token values if you let me know how to securely do that.)

SUCCESS: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/orders?access_token=7f6XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&limit=1

SUCCESS: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/orders?access_token=e30XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&limit=1

Both tokens also work in the Merchants API and the Refunds API.

The problem is that the Exports API fails with a 403 error when the second token is used, as follows:

SUCCESS: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/exports?access_token=7f6XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

FAILURE: https://api.clover.com/v3/merchants/XXXXXXXXXXXX/exports?access_token=e30XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

In your logs, a 403 error occurred at 2021-02-27 08:38:05.841 EST using the second token and a successful call occurred at 2021-02-27 08:44:06.191 EST using the first token. All of the parameters in the body and the server code were exactly the same. The only difference in the two Exports API calls was the token value (and the six minute time difference, of course).

So I'm looking for guidance on why a token would work for one type of API call but not another. It seems like a token that works for some APIs should work for all of them.

In case this is worth noting, the successful API calls use GET and the Exports API uses POST. I'm not sure why this would matter, but it's the only difference I could find between the successful and unsuccessful APIs.

Thank you in advance for your help with this.

0 ·

question