Set app link (URL) and CORS domain

The Clover integration for web applications uses the OAuth 2.0 protocol to secure API tokens for merchants. When setting up a web app, you must enter the app link or site URL, which merchants are redirected to after they install and launch an app from the Merchant Dashboard. You can also set a custom post-authorization landing page by including a redirect_uri parameter in the OAuth authorization request. Optionally, you can enter an Alternate Launch Path and CORS Domain values in the web app settings. See how to add web app settings.

All these configurations are set in the sandbox Developer Dashboard for testing and in the production Developer Dashboard to launch an approved app and publish it in the Clover App Market. See Use Clover developer environments for information on the Developer Dashboards.

Site URL

Link (URL) for your app that you set on the Edit REST Configuration page for web apps. After a merchant installs your app and launches it from the Merchant Dashboard, they are redirected to the Site URL. The Clover server sends authenticated merchants to the Site URL through the /oauth/authorize flow, where they can log in or select their merchant account.

Redirect URI

Specific link (URI) that an app uses to redirect merchants after they have authenticated or completed an action. You can override the post-authorization landing page by providing a redirect_uri parameter in your request to/oauth/authorize. This URI must be a subpath of the app's Site URL. All redirect URIs use HTTPS to maintain security.

For example, if you enter the site URL https://www.example.com/myapp, note the redirect_uri in your OAuth request:

• https://www.example.com/**myapp/setup** is valid.
• https://example.com/setup is invalid.

CORS Domain

Security feature implemented by Clover that allows web apps to make requests to the Clover REST API from a different domain than the one serving the web app. Clover implements Cross-Origin Resource Sharing (CORS), which lets you:

1. Build pure HTML/JavaScript-based client applications that interact directly with the Clover server without needing an intermediate app server.
2. Make requests from your client-side app to the Clover REST API using the XmlHttpRequests or AJAX requests.
3. Connect a semi-integrated app to a Clover Flex, Mini, or Mobile using Cloud Pay Display.

On the sandbox Developer Dashboard, in the CORS Domain field, enter the URL of your app. This should be the domain from which your web app will make requests to the Clover API. For example, https://www.example.com or http://localhost:8000 for testing. You can use the OAuth access tokens from your application domain for cross-domain requests. You can test your CORS configuration and ensure that your web app can successfully make API requests to Clover without encountering CORS errors.

Troubleshoot CORS

If you experience difficulties in implementing CORS:

• Verify that you have entered the Site URL and CORS Domain for your app in the sandbox Developer Dashboard.
• Verify that you are using an OAuth token retrieved by following the correct OAuth flow. If you want an OAuth token instead of a code, set the response_type=token in the OAuth request.
• Make sure that you are not using test API tokens (Setup > API Tokens) on the test Merchant Dashboard.
• Note that Clover REST API does not support JSON with Padding (JSONP).

Alternate Launch Path

Link (URL) or subpath for your app that you set on the Edit REST Configuration page for web apps. When a merchant accesses your app without installing it, the app redirects the merchant to this Alternate Launch Path, which then directs them to the Clover App Market to initiate the v2/OAuth flow. This Alternate Launch Path URL is required for the /oauth/v2/authorize flow, as it uses expiring tokens to authenticate with APIs, ensuring the merchant is properly authenticated and connected to your app.

See Initiate OAuth flow from Merchant Dashboard left navigation app link.