Migrate legacy OAuth tokens to v2/OAuth expiring tokens
If your app uses a non-expiring auth token generated using the legacy OAuth flow, you need to migrate to using an expiring authentication (OAuth) token, which includes anaccess_token
and refresh_token
pair. The token migration flow includes the option to use Proof key for code exchange (PKCE) for low-trust apps.
Token migration flow with PKCE option

Legacy OAuth token migration flow for both high-trust and low-trust apps
Sandbox and production environment URLs
Clover sandbox and production environments use different URLs. The following table lists which URL to use for OAuth requests in each environment.
Request path | Sandbox URL | Production URL (North America) |
---|---|---|
/oauth/v2/authorize | apisandbox.dev.clover.com | www.clover.com |
/oauth/v2/token | apisandbox.dev.clover.com | api.clover.com |
/oauth/v2/refresh | apisandbox.dev.clover.com | api.clover.com |
/oauth/token/migrate_v2 | apisandbox.dev.clover.com | api.clover.com |
Migrate legacy tokens
To exchange a legacy OAuth token for a new expiring authentication (OAuth) token, which includes a pair of access_token
and refresh_token
:
Step 1: Generate code_verifier
and code_challenge
for a low-trust app
code_verifier
and code_challenge
for a low-trust appIf using PKCE in your app:
- Generate a code verifier—Create a random string between 43 and 128 characters that is stored as part of the OAuth session.
- Generate a code challenge—Use the
code_verifier
to generate thecode_challenge
. For example, with the SHA-256 encryption, thecode_challenge
= SHA256(code_verifier).
Step 2: Request and receive an authorization code
- Send a POST request to the
/oauth/token/migrate_v2
endpoint. - Do one of the following:
- For a high-trust app, include the parameters:
auth_token
,merchant_uuid
,app_id
. - For a low-trust app, if using PKCE, include the parameters:
auth_token
,merchant_uuid
,app_uuid
, andcode_challenge
.
- For a high-trust app, include the parameters:
Once a merchant is authorized, the Clover server redirects merchants to your app with an authorization code.
Request and Response example
Expiring OAuth token for high-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/token/migrate_v2' \
--header 'content-type: application/json' \
--data '{
"auth_token": "{LEGACY_API_TOKEN}",
"merchant_uuid": "{MERCHANT_ID}",
"app_uuid": "{APP_ID}"
}'
{
"authorization_code": "{AUTHORIZATION_CODE}",
"expiration": 1678489882
}
Expiring OAuth token for low-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/token/migrate_v2' \
--header 'content-type: application/json' \
--data '{
"auth_token": "{LEGACY_API_TOKEN}",
"merchant_uuid": "{MERCHANT_ID}",
"app_uuid": "{APP_ID}",
"code_challenge": "{CODE_CHALLENGE}"
}'
{
"authorization_code": "{AUTHORIZATION_CODE}",
"expiration": 1678489882
}
Step 3: Request and receive an access_token
and refresh_token
pair
access_token
and refresh_token
pairTo exchange the authorization code for an expiring OAuth token:
- Send a POST request to the
/oauth/v2/token
endpoint. - Do one of the following:
- For a high-trust app, include the parameters:
client_id
,client_secret
, andcode
. - For a low-trust app, if using PKCE, include the parameters:
client_id
,code
, andcode_verifier
.
- For a high-trust app, include the parameters:
When the Clover server responds to the request, retrieve the expiring OAuth token from your app server. The response body indicates when the access and refresh tokens expire, and the expiration dates are represented as Unix timestamps.
Request and Response example
Expiring OAuth token for high-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/v2/token' \
--header 'content-type: application/json' \
--data '{
"client_id": "{APP_ID}",
"client_secret": "{APP_SECRET}",
"code": "{AUTHORIZATION_CODE}"
}'
{
"access_token": "{ACCESS_TOKEN}",
"access_token_expiration": 1677875430,
"refresh_token": "{REFRESH_TOKEN}",
"refresh_token_expiration": 1709497830
}
Expiring OAuth token for low-trust app
curl --request POST \
--url 'https://apisandbox.dev.clover.com/oauth/v2/token' \
--header 'content-type: application/json' \
--data '{
"client_id": "{APP_ID}",
"code": "{AUTHORIZATION_CODE}",
"code_verifier": "{CODE_VERIFIER}"
}'
{
"access_token": "{ACCESS_TOKEN}",
"access_token_expiration": 1677875430,
"refresh_token": "{REFRESH_TOKEN}",
"refresh_token_expiration": 1709497830
}
Related topics
Updated 16 days ago