OAuth 2.0 overview

When you create a web app, you select the types of permissions your app needs to access data about the merchants who use your app. For example, if your app is for taking orders, your app needs order permissions at a minimum. If a merchant wants to use your app, first they need to grant your app access to their data. Clover uses the OAuth 2.0 security framework to obtain the merchant's permission to manage access to the merchant's data.

At a high level, the Clover OAuth flow is as follows:

  1. Your app directs the merchant to the Clover server to request the merchant's authorization to access your app.
  2. The Clover server redirects the merchant to your app with an authorization code.
  3. Your app uses the authorization code, your app ID (client ID) and the app secret (client secret) to request an API token.
  4. The API token that your app receives defines the scope of merchant permissions authorized for your app. Use the API token in your requests to access the merchant's data that your app requires.

🚧

IMPORTANT

If you change the app’s permissions after the merchant installed your app, the merchant must uninstall and reinstall your app, and then you must obtain a new API token.

OAuth tutorial

The following video provides helpful information about the OAuth process and how to add an OAuth flow to your app.

Next steps