Channel: Square Developer Forums - Latest topics

How to Authorize Square Mobile Payments SDK via Backend and without using token in Frontend?

Problem Description:

I am currently using the Square Mobile Payments SDK, and the official documentation shows how to authorize the SDK directly by passing the accessToken and locationID from the frontend, as shown in the example below:

```swift
import SquareMobilePaymentsSDK

class MyViewController: UIViewController {
    func authorizeMobilePaymentsSDK(accessToken: String, locationID: String) {
        guard MobilePaymentsSDK.shared.authorizationManager.state == .notAuthorized else {
            return
        }

        MobilePaymentsSDK.shared.authorizationManager.authorize(
            accessToken: accessToken,
            locationID: locationID) { error in
                if let authError = error {
                    // Handle auth error
                    print("error: \(authError.localizedDescription)")
                    return
                }

                print("Square Mobile Payments SDK successfully authorized.")
        }
    }
}
```

This method works but involves passing the accessToken directly in the frontend, which is not ideal for a production environment due to security concerns.

My Approach:

To improve security, my approach is as follows:

  1. Frontend requests an authorization code from a Lambda function.
  2. The backend handles the actual authorization process using the Square API and returns an authorization code to the frontend.
  3. Frontend receives this authorization code and uses it with the Mobile Payments SDK to complete the authorization process, instead of passing the accessToken directly.

My Question:

In the official documentation, I couldn’t find any methods for authorizing the Mobile Payments SDK using an authorization code rather than the accessToken. I am looking for guidance on whether this is possible.

I would like to achieve the following workflow:

  1. The frontend gets an authorization code from the backend.
  2. The frontend uses this authorization code with the Mobile Payments SDK to complete the authorization.

My specific questions are:

  • Does the Square Mobile Payments SDK support authorization using an authorization code?
  • If so, which method or function should I call to complete this authorization?
  • If not, is there any recommended best practice to secure the accessToken and avoid exposing it directly in the client-side code?

Thank You:

Any guidance or alternative solutions would be greatly appreciated. My goal is to securely authorize the SDK without exposing sensitive information like the accessToken to the client-side.

4 posts - 3 participants
