Set app link (URL) and CORS domain

United States
Latin America

For web apps, Clover uses OAuth 2.0 to generate API tokens for merchants using your app.

To use OAuth 2.0 flow, enter the Site URL of your app, and if needed, enter the Alternate Launch Path and CORS Domain values. Set the path and values in the App Settings > REST Configuration on:

Site URL (link)

The Site URL is the link where a merchant is redirected to after they install your app and launch it from the Merchant Dashboard. Your authenticated merchants are sent to the Site URL after you redirect them to /oauth/authorize. Merchants can authenticate themselves by logging in or selecting their merchant account.

You can override the post-authorization landing page by providing a redirect_uri in your request to /oauth/authorize.



A redirect_uri passed to /oauth/authorize must be a subpath of the set Site URL.

For example, if you enter the site URL, the redirect_uri of in your OAuth request is valid, but is invalid.

Alternate Launch Path (optional)

The Alternate Launch Path is an optional setting that allows you to configure an alternate link, which sends the merchant directly to your app and initiates the OAuth flow. If you have defined the alternate launch path, your merchant is redirected to this path in your app after they install and launch the app from the Merchant Dashboard.
See Initiate OAuth flow from Merchant Dashboard left navigation app link.

Cross-Origin Resource Sharing (CORS)

Clover implements Cross-Origin Resource Sharing (CORS), which enables you to:

  • Build pure HTML/JavaScript-based client applications without an app server to intermediate between your browser and the Clover server, and then
  • Make requests from your client-side app to Clover's REST API using XmlHttpRequests or AJAX requests
  • Connect a semi-integrated app to a Clover Flex, Mini, or Mobile using Cloud Pay Display



Clover REST API does not support JSON with Padding (JSONP).

On the sandbox Developer Dashboard, enter your application domain such as (or http://localhost:8000 for testing). You can use the OAuth access tokens from your application domain for cross-domain requests.

Troubleshooting CORS

If you are experiencing difficulties implementing CORS:

  • Verify that you have specified the Site URL and CORS Domain for your app in the sandbox Developer Dashboard.
  • Verify that you are using an OAuth token retrieved by following the Use OAuth 2.0 process. If you want an OAuth token instead of a code, set response_type=token in the OAuth request.
  • Ensure that you are not using test API tokens (Setup > API Tokens) on the sandbox Merchant Dashboard.