We would like to proactively limit our API access to the information needed to create a transaction in our own billing system.
We really don't want card_details to be accessible to the API, nor do we want it sent in the webhook notifications. We also don't see a need to have access to customer information with the exception of their email address.
Is there any possibility of Square adding finer-grained permissions for application access? It doesn't help us if those permissions are part of the request - it needs to be set by a policy.
@prgmr Glad to see your first post in the Community!!!
I just double-checked for an answer to your question, and I'm afraid the restrictions you're looking to set are not possible. You can limit what OAuth permissions an application has, but it will only affect what API endpoints you can call, not the information you receive.
If you're interested in checking out our OAuth permissions page, click here.  
OK. Then how do we officially make a feature request?
We want this as part of defense in depth - if we're going to be offloading our credit card processing to Square anyway, it makes sense to limit our own access to what we actually need to operate.
We'd actually appreciate the same limits on the UI as well, but that is much less likely to happen.
I went ahead and passed this feature request along to our API team @prgmr. Thanks again for sharing your thoughts here.
Square Community