question

ben-m avatar image
ben-m asked David Marginian commented

( Iframe/API ) Dashboard Generated Tokens VS Oauth Generated Tokens

I'd like some clarification regarding the differences between a merchant dashboard generated API token vs one generated by an app.

Being that you can only generate one per merchant, and they are usually linked to an App, Merchant and App, Merchant and Employee respectively. If I understand this correctly, the dashboard generated one uses an internal App.


As a developer, other than not being able to charge a subscription fee or metered fees, are there any limitations or drawbacks? Having only used Oauth, I can't quite wrap my head around how no CORS support applies to Dashboard generated keys if you can only generated one and don't put in a domain you plan to use it on.

As a merchant, other than having to set up the key by yourself, as well as sharing a common point of failure ( The same key ) between different integrations
, are there any limitations or drawbacks?

Thirdly, since it only asks for location for fraud verification during the merchant dashboard generated key setup, what difference does this make as far as fraud verification for Oauth generated keys VS Dashboard generated keys? Will it decline more often if it's not Oauth generated?

I understand the ease of access being a plus for Clover, but I'd like to offer some plus value to merchants that don't go with the internal app, charge for it or for transactions and in turn help Clover profit as well. If there is no programmatic limitation between the 2, it will kill a portion of the market that only care about supporting Clover, and in turn, will kill a portion of Clover's revenue that could be gained from (Sometimes more secure) paid apps, regardless of how much easier we can make those integrations for them.

It makes me uneasy about the long term future of paid app development with Clover.

API TokenOAuthaccess token
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

David Marginian avatar image
David Marginian answered ben-m commented

There are both technical limits and compliance issues with merchant token use. Technically, the main issue is that merchant tokens are more severely rate-limited than OAuth tokens and there is no way for us to increase those limits. Alternatively, if you have an app in the Clover App Market and your app has followed our instructions (https://docs.clover.com/docs/429-too-many-requests and https://docs.clover.com/docs/429-too-many-requests) we have the option to increase your limits, no such option exists with merchant tokens.

From a compliance perspective, if an app is servicing multiple merchants the use of merchant tokens is prohibited. They are designed and intended to be used by apps being built to serve a particular merchant (e.g. merchant hires a developer to build a custom integration).


1 comment
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Thank you for your answer.

When you say it is more severely limited, are the rates lower, or is it because the same key is shared between every app the merchant chooses to share this key with?

As far as fraud validation for location, what are the specific differences? Why are we only asked for location during the dashboard token generation and not the Oauth process?

Thanks for your time again David. You've been a great help for a lot of developers this year.

0 Likes 0 ·
David Marginian avatar image
David Marginian answered David Marginian commented

"When you say it is more severely limited, are the rates lower, or is it because the same key is shared between every app the merchant chooses to share this key with?"

The rates are lower.

"As far as fraud validation for location, what are the specific differences? Why are we only asked for location during the dashboard token generation and not the Oauth process?"

I don't really know the answer to this. I suppose this would be pretty limiting in that each install would require it.

3 comments
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

"I don't really know the answer to this. I suppose this would be pretty limiting in that each install would require it."
I would really like to have information on the use of location for fraud prevention, why it's only asking for location through the dashboard generation and not Oauth. I can't seem to find any information about this other than Geo IP tracking filter. There is no documentation about it, and the fact that it uses the browsers location and not the merchant location for fraud prevention ( That is what it mentions when it asks for it ) makes little sense to me. ( What is it validated against? The location of the host at the time of the transaction? The user browser? ( No location is taken from the browser if using strictly the API for transactions ) How do I go about finding out more about this?

A last question; If you do not need to be a clover developer to create charges, how can a website that processes payments for multiple merchants (using the generated key) be penalized if no developer account can be closed? Does the domain get blacklisted automatically?

Thanks for bearing with me with the oddly specific questions!


0 Likes 0 ·

I don't see how the location check has anything to do with transactions. I would guess it has to do with the creation of the token, and that's it. I will try to get some more information.

1 Like 1 ·
David Marginian avatar image David Marginian ♦♦ David Marginian ♦♦ ·
I just got some details on this, and it is a protection that applies to the entire merchant dashboard (so not even token specific). We pass the location to a service that runs a threat algorithm and we deny access if the location is determined to be threatening. It has nothing to do with subsequent transactions, and because the protection applies to the entire dashboard app installs would be protected by it as well.
1 Like 1 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community