We have a cloud app, which is currently approved but not working in live environment. The developer who wrote it left, so we're re-familiarizing ourselves with the dev environment and process.
Our approved app has only 1 permission, which is to READ payments - no other permissions were requested previously.
In our Sandbox environment, we are only able to get our browser-based cloud app to connect to the Clover Device successfully if we have both READ and WRITE permissions to Merchant, Orders, and Payments. We figured this out via trial and error in our sandbox environment.
Truthfully, we don't think that we need READ or WRITE for Merchant or Orders (unless there's something we don't know about how Clover cloud apps work). But since these permissions seem to be required for our app to work in sandbox, we're inclined to request those permissions in our live app.
Our problem is providing the required justification for requesting READ and WRITE for Merchant and Orders. The reality is "...because that's the only way we can get it to work..."
Is "...because that's the only way we can get it to work..." an acceptable reason to request those permissions? Do you believe we should be able to connect to our Clover device with fewer permissions?
Thanks for your help