Getting started using OAuth - old version



OAuth 2.0 documentation steps are created for use in the sandbox environment. To build an OAuth flow in the production environments, replace in the example with the specific regional URL in the request. For example:

  • For US & Canada:
  • For EU:

Generate a sandbox OAuth token

To test with the OAuth flow in the sandbox environment, generate a sample access_token on the developer dashboard. If you have not already done so, refer to Creating an app to create an app.

  1. On the sandbox Developer Dashboard, select your app from the side navigation pane.
  2. Check the pencil icon next to App Type and set it to Web (REST clients).
  3. Click Save.
  4. Check the pencil icon next to REST Configuration.
  5. On the Edit REST Configuration dialog, set Site URL as the landing page of your web app. See Setting app URL & CORS for more information.
  6. Set Default OAuth Response as Token (Testing Only).
  7. Click Save.



For your app to work as expected in production, set the Default OAuth Response as Code and click Save. Use the Clover OAuth 2.0 flow below.

  1. Check the pencil icon next to REST Configuration.
  2. Click Example OAuth Request.
  • If you have multiple test merchant accounts, click to select a test merchant's name.
  • If you have not already installed the app for a test merchant, the market listing page for your app appears. Click Connect and then click Accept on the next page.
  1. After the browser redirects to your site, copy the access_token value from the address bar.

Define OAuth Concepts

To start, define a few concepts used in the OAuth 2.0 flow:

Client ID

This ID identifies your app on the Clover App Market. This ID confirms that your app is participating in the OAuth 2.0 flow. Your client ID is the App ID value in your app's Settings page on the Developer Dashboard.

Client Secret

This ID is a secret key assigned to your app by Clover. Together, the client ID and client secret authenticate the identity of your app with the Clover server. Your client secret is the App Secret value on your app's Settings page. ImportanT: Do not share this key publicly.


A Clover merchant can either be one of two states: unauthorized or authorized. The following table describes these two states:



An unauthorized merchant wants access to your app, but has not logged in to their Clover merchant account. Your app redirects this merchant to log in to their merchant account.{appId}

An authorized merchant has logged in to their Clover merchant account. The Clover server redirects this merchant to your app.{mId}&client_id={appId}&code={AUTHORIZATION_CODE}

Authorization Code

An authorized merchant is redirected to your app along with an authorization code. With this code, the Clover server confirms that your request for merchant data has been authorized by the merchant.{appId}&client_secret={APP_SECRET}&code={AUTHORIZATION_CODE}

API Token

Your app uses the authorization code, client ID, and client secret to negotiate with the Clover server for an API token. With the API token, your app can make REST API calls and access merchant data.


Related topics
Did this page help you?