Set app link (URL) and CORS domain

United States
Latin America

For web apps, Clover uses OAuth 2.0 to generate API tokens for merchants using your app.

To use the OAuth 2.0 flow, when you add web app settings, enter the Site URL of your app, and if needed, enter the Alternate Launch Path and CORS Domain values. Set the path and values in the App Settings > REST Configuration on the:

  • Sandbox Developer Dashboard to test your app.
  • Production Developer Dashboard to test your app and publish in the Clover App Market.

See Use Clover developer environments for information on the Developer Dashboards.

Site URL (link)

The Site URL is the link where a merchant is redirected after they install your app and launch it from the Merchant Dashboard. Your authenticated merchants are sent to the Site URL after you redirect them to /oauth/authorize. Merchants can authenticate themselves by logging in or selecting their merchant account.

You can override the post-authorization landing page by providing a redirect_uri in your request to./oauth/authorize.



A redirect_uri passed to /oauth/authorize must be a subpath of the set Site URL.

For example, if you enter the site URL, the redirect_uri of in your OAuth request is valid, but is invalid.

Alternate Launch Path (optional)

The Alternate Launch Path is an optional setting that allows you to configure an alternate link. If you have defined the alternate launch path link, your merchant is redirected to this link in your app after they install and launch the app from the Merchant Dashboard. This URL:

Cross-Origin Resource Sharing (CORS)

Clover implements Cross-Origin Resource Sharing (CORS), which lets you you to:

  1. Build pure HTML/JavaScript-based client applications without an app server to intermediate between your browser and the Clover server.
  2. Make requests from your client-side app to the Clover REST API using the XmlHttpRequests or AJAX requests.
  3. Connect a semi-integrated app to a Clover Flex, Mini, or Mobile using Cloud Pay Display.



Clover REST API does not support JSON with Padding (JSONP).

On the sandbox Developer Dashboard, enter your application domain, such as or http://localhost:8000 for testing. You can use the OAuth access tokens from your application domain for cross-domain requests.

Troubleshoot CORS

If you are experiencing difficulties implementing CORS:

  • Verify that you have specified the Site URL and CORS Domain for your app in the sandbox Developer Dashboard.
  • Verify that you are using an OAuth token retrieved by following the correct OAuth flow. If you want an OAuth token instead of a code, set response_type=token in the OAuth request.
  • Make sure that you are not using test API tokens (Setup > API Tokens) on the test Merchant Dashboard.