question

pttommy avatar image
pttommy asked David Marginian edited

Obtaining API token for updated permissions

In the sandbox, when changing marketplace app / API permissions I need to uninstall and reinstall the app from the marketplace in order to get an API token that has the updated permissions. Simply using the OAuth flow to obtain a new API token gives the old permissions, not the new permissions.

Is this a bug or is this how it's supposed to work? If so, how are we supposed to update permissions on production? Asking merchants to uninstall and reinstall the app is not a solution.

REST APIAPI Token
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

· Write an Answer
David Marginian avatar image
David Marginian answered David Marginian edited

The OAuth flow allows one party (the merchant) to provide another party (the app) access to their data. This process is initiated when a merchant chooses to grant access to a third-party by reviewing the requested permissions and installing an app. It is by design, that if an app changes permissions the previously aquired access token will not reflect the new permissions. This makes sense, the merchant hasn't granted your app the new permissions. If the previously acquired token reflected the new permissions applications could obtain access to data without the merchant's authorization.

So, yes, unfortunately the answer is that when you change your application's permissions the merchant must perform a re-install, and, you must obtain a new access token. This is why we request developers to strongly consider the permissions their app requires before approval and release into the App Market. In this regard, hopefully most permission changes are done to support new functionality (not mistakes that prevent your app's core functions from working). One option for handling this is to gate the new functionality and notify merchants that a new feature is available but won't be enabled until an uninstall/re-install is performed.


2 comments
10 |2000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Thanks for the explanation. From a technical perspective what you say makes sense, but from a business perspective - where requirements can and do change - it doesn't sound like it this was thought through very well.


I guess we will submit a request for all permissions, so if we ever need them in the future we don't have to explain to our customers - who are mostly not technical - that they need to do this again.
0 Likes 0 ·
Unfortunately, that is not a good approach either. Permissions are reviewed as part of the app approval process and unnecessary permissions should not be requested.
0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community