Square access token
ID | square_token
Severity | critical
Vendor | Square
Family | API token
Description
Square is a popular financial services and digital payments platform.
It provides a payment processing SDK and API that authenticate and authorize calls with access tokens.
Each application in the Square dashboard gets personal access tokens for two environments, production and sandbox.
Security
Square personal access tokens provide unrestricted access to the Square API resources in a Square account: API calls made with one can perform any action on any resource in that account. They do not expire. The sandbox token, at least, only operates on the Square Sandbox, which simulates orders, invoices, payments and transactions in a test environment.
Square OAuth access tokens follow the same format, but their scope is limited to what was requested from the affiliated merchant during the OAuth flow, and they expire.
Any hardcoded Square access token is a potential secret reported by this detector.
Examples
curl -i -X GET https://connect.squareup.com/v2/locations -H "Square-Version: 2024-01-25" -H "Authorization: Bearer EAAAluxKnPH...MQ3jJKH3"
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires renewing the token in the Square Developer console. For a personal access token, log in with your developer account, go to Applications > Credentials, select between the Production and Sandbox environments, and click Replace token. Take note of the regenerated token, as you will need to replace the leaked token value with this new one. For OAuth tokens, see: Revoking non-expired OAuth tokens.
- Remove the leaked Square access token from the source code or committed configuration file. Environment variables, local files or secret vaults can be used to pass the secret instead of hardcoding the value, as documented in How to Prevent Hard-Coded Secrets.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period. The Square Developer Console provides a comprehensive API logs page where you can search for suspicious activity.
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
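As an added example, not part of this detector page or of Square's own code, the snippet below flags hardcoded tokens in constructed source lines using the EAAA prefix visible in the curl example above, and shows the hardened alternative of reading the token from the environment. The regex tail length and character class are assumptions for illustration, not Square's documented token format, and every token value is fake.

```python
import os
import re

# Assumed pattern: the token in this page's example begins with "EAAA";
# the tail length and alphabet are an assumption, not Square's spec.
SQUARE_TOKEN_RE = re.compile(r"\bEAAA[A-Za-z0-9_\-]{20,}")

# Constructed sample lines standing in for a repository scan (fake values).
SAMPLE_LINES = [
    'SQUARE_ACCESS_TOKEN = "EAAAlFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKE0001"',
    'headers = {"Authorization": "Bearer EAAAl_not-a-real-token_fake_fake_0002"}',
    'token = os.environ["SQUARE_ACCESS_TOKEN"]',
    'api_key = "sk_live_not_a_square_token"',
]


def redact(token: str) -> str:
    """Keep only the prefix and the last 4 chars, as the page's example does."""
    return f"{token[:4]}...{token[-4:]}"


def find_square_tokens(lines):
    """Return (1-based line number, redacted token) for each hardcoded hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in SQUARE_TOKEN_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def square_headers(env=os.environ):
    """Hardened form: take the token from the environment, never from source.

    Fails loudly when the variable is absent so a misconfiguration cannot
    silently fall back to a token baked into the code.
    """
    token = env.get("SQUARE_ACCESS_TOKEN")
    if not token:
        raise RuntimeError("SQUARE_ACCESS_TOKEN is not set")
    return {
        "Square-Version": "2024-01-25",
        "Authorization": f"Bearer {token}",
    }


if __name__ == "__main__":
    for lineno, shown in find_square_tokens(SAMPLE_LINES):
        print(f"line {lineno}: hardcoded Square token {shown}")
```

Lines 1 and 2 of the constructed sample are reported with the token redacted; the environment lookup on line 3 and the unrelated key on line 4 are not.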