For web apps, Clover uses OAuth 2.0 to generate API tokens for Clover merchants using your app.
To use OAuth, configure your app's Site URL and CORS Domain values under App Settings > REST Configuration on the sandbox Developer Dashboard.
For testing and publishing your app in production, you configure these settings on the production Developer Dashboard.
This URL is where merchants are redirected after installing your app and launching it from the Merchant Dashboard.
The site URL is also where merchants land after you redirect to
/oauth/authorize and the merchant authenticates by logging in and/or selecting their merchant account as needed. You can override the post-authorization landing page by providing a
redirect_uri in your request to
/oauth/authorizemust be a subpath of the set Site URL.
For example, if you specify the site URL https://www.example.com/myapp`, the
https://www.example.com/myapp/setupin your OAuth request is valid, but
Clover implements Cross-Origin Resource Sharing (CORS), which enables you to:
- Make requests from your client-side app to Clover's REST API using XmlHttpRequests or AJAX requests
- Connect a semi-integrated app to a Clover Flex, Mini, or Mobile using Cloud Pay Display
Clover REST API does not support JSON with Padding (JSONP).
On the sandbox Developer Dashboard, enter your application domain such as
http://localhost:8000 for testing). The access token provided by the OAuth flow can be used for cross-domain requests as long as they originate from this domain.
If you are experiencing difficulties:
- Verify that you have specified the Site URL and CORS Domain for your app in the sandbox Developer Dashboard.
- Verify that you are using an OAuth token that is retrieved using OAuth and not using test API tokens (Setup > API Tokens) on the sandbox Merchant Dashboard. If you want OAuth to provide you with a token (rather than a code), set
response_type=tokenin the OAuth request.
- Verify that in your request to Clover's REST API, you send the API Token using the
access_tokenquery parameter in your request and not in the
Authorization: Bearerrequest header.
Updated 7 months ago