question

Hasan avatar image
Hasan asked Richelle Herrli commented

Need help understanding usage process of Charge API

I have this project at work where we are using Clover to accept payment. I think I need to use the charge API for my case. Here's what I have done so far,

  1. Created an app in my sandbox account.
  2. Using the app ID, I request to https://sandbox.dev.clover.com/oauth/merchants/ to get AUTHORIZATION_CODE.
  3. After that, using the AUTHORIZATION_CODE, along with APP ID and APP SECRET of my app, I get OAuth token from https://sandbox.dev.clover.com/oauth/token.
  4. Then, I use the OAuth token and request for PAKMS API key at https://apisandbox.dev.clover.com/pakms/apikey.
  5. Now, I can use the received PAKMS API key to generate a Clover class using SDK from https://checkout.sandbox.dev.clover.com/sdk.js.
  6. Right after, I using the Test cards (https://docs.clover.com/docs/test-card-numbers), I can create the token (example: clv_1TSTSoC58NdDB7LQfYDkr8LM) needed for the Charge API.

However, I can see that I need to logged into browser with my merchant. Otherwise when I want to get the AUTHORIZATION_CODE, it takes me the login page.

How can I get the merchant auth code programmatically?

Also, I have noticed that the PAKMS API key is same for a couple of requests. What is the general lifetime of a PAKMS key? Is it always same?

Please note that I am using a service created with Express.js for the server side logic and a Next.js to handle the client part.

Any pointers are appreciated.

OAuthMerchantecommerce
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Richelle Herrli avatar image
Richelle Herrli answered

The PAKMS key is static from merchant to merchant.

You only need to get the auth token once; it will remain valid for API calls even when the merchant isn't logged in. When the merchant downloads and installs your app, they will be logged in to do so; afterwards, you will be able to use the token to make API calls to access and modify their data.

10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Hasan avatar image
Hasan answered Richelle Herrli commented

Hi, thanks for the answer.

Please allow me to explain my use case to you. I request you to tell me whether I am doing this correctly or not.

I have a website, that will just accept payments in forms of donation. And most of the time, it's plain and simple donation. So, I have added clover hosted iframe in the donation page in the frontend. And in the backend, I have setup a callback where my app in Clover returns the auth token of the merchant.

Now, I have noticed that this auth code of merchant is only fetchable if the merchant is logged in. And we can use this auth code to get OAuth token. And eventually use the OAuth token to get the PAKMS key. My problem is on the auth code getting stage.


That auth code of merchant, what if the code is somehow invalid, and someone visiting the client site tries to donate, in that moment, in order to generate new OAuth and then generate the PAKMS using it, how can we get the AUTH code of the merchant again?

1 comment
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Richelle Herrli avatar image Richelle Herrli ♦♦ commented ·
When the merchant installs the app, you will receive the auth code needed to access the auth token. During OAuth, you should request the auth token (the merchant will still be logged in when you do so). The auth token only needs to be accessed once; from there, you should save it on your end to make API calls in the future. Please review the flow on this page for more information on how to implement OAuth.
0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community