Migrate legacy OAuth tokens to v2/OAuth expiring tokens
If your app uses a non-expiring auth token generated using the legacy OAuth flow, you need to migrate to using an expiring authentication (OAuth) token, which includes anaccess_token and refresh_token pair. The token migration flow includes the option to use Proof key for code exchange (PKCE) for low-trust apps.
Token migration flow with PKCE option
Legacy OAuth token migration flow for both high-trust and low-trust apps
Sandbox and production environment URLs
Clover sandbox and production environments use different URLs. The following table lists which URL to use for OAuth requests in each environment.
| Request path | Sandbox URL | Production URL (North America) |
|---|---|---|
| /oauth/v2/authorize | apisandbox.dev.clover.com | www.clover.com |
| /oauth/v2/token | apisandbox.dev.clover.com | api.clover.com |
| /oauth/v2/refresh | apisandbox.dev.clover.com | api.clover.com |
| /oauth/token/migrate_v2 | apisandbox.dev.clover.com | api.clover.com |
Migrate legacy tokens
To exchange a legacy OAuth token for a new expiring authentication (OAuth) token, which includes a pair of access_token and refresh_token:
Step 1: Generate code_verifier and code_challenge for a low-trust app
code_verifier and code_challenge for a low-trust appIf using PKCE in your app:
- Generate a code verifier—Create a random string between 43 and 128 characters that is stored as part of the OAuth session.
- Generate a code challenge—Use the
code_verifierto generate thecode_challenge. For example, with the SHA-256 encryption, thecode_challenge= SHA256(code_verifier).
Step 2: Request and receive an authorization code
- Send a POST request to the
/oauth/token/migrate_v2endpoint. - Do one of the following:
- For a high-trust app, include the parameters:
auth_token,merchant_uuid,app_id. - For a low-trust app, if using PKCE, include the parameters:
auth_token,merchant_uuid,app_uuid, andcode_challenge.
- For a high-trust app, include the parameters:
Once a merchant is authorized, the Clover server redirects merchants to your app with an authorization code.
Request and Response example
Expiring OAuth token for high-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/token/migrate_v2' \
--header 'content-type: application/json' \
--data '{
"auth_token": "{LEGACY_API_TOKEN}",
"merchant_uuid": "{MERCHANT_ID}",
"app_uuid": "{APP_ID}"
}'
{
"authorization_code": "{AUTHORIZATION_CODE}",
"expiration": 1678489882
}
Expiring OAuth token for low-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/token/migrate_v2' \
--header 'content-type: application/json' \
--data '{
"auth_token": "{LEGACY_API_TOKEN}",
"merchant_uuid": "{MERCHANT_ID}",
"app_uuid": "{APP_ID}",
"code_challenge": "{CODE_CHALLENGE}"
}'
{
"authorization_code": "{AUTHORIZATION_CODE}",
"expiration": 1678489882
}
Step 3: Request and receive an access_token and refresh_token pair
access_token and refresh_token pairTo exchange the authorization code for an expiring OAuth token:
- Send a POST request to the
/oauth/v2/tokenendpoint. - Do one of the following:
- For a high-trust app, include the parameters:
client_id,client_secret, andcode. - For a low-trust app, if using PKCE, include the parameters:
client_id,code, andcode_verifier.
- For a high-trust app, include the parameters:
When the Clover server responds to the request, retrieve the expiring OAuth token from your app server. The response body indicates when the access and refresh tokens expire, and the expiration dates are represented as Unix timestamps.
Request and Response example
Expiring OAuth token for high-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/v2/token' \
--header 'content-type: application/json' \
--data '{
"client_id": "{APP_ID}",
"client_secret": "{APP_SECRET}",
"code": "{AUTHORIZATION_CODE}"
}'
{
"access_token": "{ACCESS_TOKEN}",
"access_token_expiration": 1677875430,
"refresh_token": "{REFRESH_TOKEN}",
"refresh_token_expiration": 1709497830
}
Expiring OAuth token for low-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/v2/token' \
--header 'content-type: application/json' \
--data '{
"client_id": "{APP_ID}",
"code": "{AUTHORIZATION_CODE}",
"code_verifier": "{CODE_VERIFIER}"
}'
{
"access_token": "{ACCESS_TOKEN}",
"access_token_expiration": 1677875430,
"refresh_token": "{REFRESH_TOKEN}",
"refresh_token_expiration": 1709497830
}
Related topics
Updated 16 days ago