Clover REST API basics

United States
Canada
Europe
Latin America

Here's how you go about building Clover REST APIs:

Before you begin

  1. Create a sandbox developer account. This creates a developer account for you, as well as a test merchant account.
  2. Import the sample inventory. We’ve created a sample inventory file to help you get started with your test merchant. Use the dashboard inventory app to import this file.

Web app

Clover web apps offer a seamless experience and enable merchants to connect services through a central hub. You can build a browser-based integration that uses our REST API utilizing OAuth to create a secure connection to your website. You can redirect a merchant from the Clover dashboard to your website URL.

You can create an alternate integration path for scenarios where a native, on-device experience may not be appropriate. Clover developers have used our OAuth protocol for reporting, analytics, ecommerce integrations, etc.

The following web development guidelines are designed to help you produce high-quality apps with a smooth development and launch process. These foundations can help your apps provide the kind of excellent merchant experiences that attract and keep loyal subscribers.

Web security

Do's

Clover recommends you familiarize yourself with basic web security principles. The Open Web Application Security Project (OWASP) offers several resources that will help you get started:

Don'ts

  • Don't check app tokens into your source code online.
  • Don't prompt users to enter sensitive cardholder data, such as card numbers and expiration dates, except as part of Clover’s payments SDK (this means that third-party Clover Apps are not payment apps as the term is defined in the PCI PA DSS).

Secure merchant data

The Clover API allows access to a database, hence you need to follow the security standards for database access.

  • Web applications should access the Clover API using server-to-server requests when possible.
  • You must securely store any data that your own services cache.

Limit client access

Customer and employee-facing apps must prevent unauthorized users from accessing privileged data, including the Clover credentials your app uses.

  • Use secure logins and session tracking if needed.
  • Server logic should prevent unauthorized access to data by injection attacks.
  • Any data passed to the client in any format should be considered vulnerable.

Ease of Clover integration

  • Make it easy for merchants to login. The URL (link) for your web app should launch the login flow, not navigate to the general home page for your business.
  • Include your Web URL prior to submission and test it with an example OAuth request.

Quick reference