Skip to content

Square Credentials

Service Name: Square

Service Description: Square provides financial services and digital payment tools for businesses to manage payments, point-of-sale operations, e-commerce, and business analytics.

Service Address: https://squareup.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level through Square Dashboard

Secret Access Scope: Grants access to Square's API for processing payments, managing customer data, inventory, and other business operations depending on the permissions assigned to the token.

Secret Revokement URL: https://developer.squareup.com/docs/build-basics/access-tokens#revoke-oauth-tokens

Secret Example: sq0atp-TcVaG_example_FhYpOZF8ZcqQ

Suspicious Activity Investigation Instructions:

  • Review the Square Dashboard for unusual transaction activity
  • Check the API call logs for unauthorized access or unusual patterns
  • Monitor for unexpected refunds or payment processing activities
  • Verify if there are any new applications connected to your Square account
  • Review webhook subscription changes that might indicate data exfiltration

Mitigation Instructions:

  • Immediately revoke the compromised access token through the Square Developer Dashboard
  • Generate a new access token with appropriate permissions
  • Update the token in all legitimate applications
  • Review and adjust application permissions to follow the Principle of Least Privilege.
  • Enable two-factor authentication for your Square account.
  • Consider implementing webhook signatures to verify the authenticity of webhook notifications.
  • Update your application to use the new token and verify it's working correctly