question

jamied avatar image
jamied asked craigreilly commented

401 Attempting to Generate a PAKMS key

I am currently attempting to generate a PAKMS key in my sandbox account using the Ecommerce API. I am successfully generating an auth token, but it seems no matter what I do, I still get {"message":"401 Unauthorized"} .

curl --request GET \  --url 'https://apisandbox.dev.clover.com/pakms/apikey' \  
--header 'accept: application/json' \  
--header 'authorization: Bearer {auth_token}'

Is there a sandbox setting I'm missing or is there a separate sandbox for the Ecommerce API?

Thanks in advance ....


ecommerceauth tokens
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

parquet76 avatar image
parquet76 answered

Questions about 401s have been asked many, many times. Please read this page very carefully 99.9 percent it will cover what you are doing wrong - https://docs.clover.com/docs/401-unauthorized.

10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

jamied avatar image
jamied answered craigreilly commented

Yea ... so it turns out that I was using a an access token generated by oAuth2 instead of using the private key in the merchant account settings. Absolutely nowhere in any documentation does it mention this, or it's buried in so far that no one can find it.

Clover should do their Ecommerce users a favor and put this in bold on their Ecomm Token Page. It may possibly save users a monolithic waste of time.


17 comments
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

parquet76 avatar image parquet76 commented ·

Put what in their e-commerce token page? You should be passing an oauth token to the pakms retrieval endpoint.

0 Likes 0 ·
jamied avatar image jamied parquet76 commented ·

I'm saying that Clover should specify that the Merchant App private key should be used for generating a PAKMS `apiAccessKey.`
If an oAuth token could be used to generate an oAuth token, than I wouldn't have asked this question in the first place.

0 Likes 0 ·
parquet76 avatar image parquet76 jamied commented ·

Huh? You only need to make an API call to retrieve the PAKMS if you are using an oauth token. If you are using merchant tokens the PAKMS is the public key, no call necessary. You just use the provided public key to tokenize and you use the private key for everything else (charges, refunds, etc.). Your original post says nothing about merchant tokens and the use of merchant tokens is limited to single merchant implementations which is not the norm and to my knowledge is not documented. Most devs have app integrations and use oauth tokens, especially when they are handling tokenization (increased PCI scope). Developers building one off integrations for a single merchant probably should not be directly handling card tokens, I would highly recommend using the iframe. You are increasing the PCI scope for your merchant if you don't.

0 Likes 0 ·
Show more comments
craigreilly avatar image craigreilly commented ·

Had this same issue... was not initially using the Clover eComm Hosted Checkout API. The documentation was not very clear on what was required and seemed to have large gaps in information.


0 Likes 0 ·

Welcome to the
Clover Developer Community