
SumUp uses OAuth to provide a standard way of granting authorized access to its API.

Authorization Model

The authorization API is based on the abstract protocol flow defined by the OAuth 2.0 specification.

Supported flows

The API enables applications to use the following concrete flows:

  • Authorization Code Grant

  • Implicit Grant

  • Resource Owner Password Credentials Grant

  • Client Credentials Grant

Supported content types

In addition to the standard protocol content type (application/x-www-form-urlencoded), the API also supports application/json.

Headers

Client credentials can be passed in a header (as the specification describes) or in the request body.

Endpoints

  • Authorization endpoint - /authorize

  • Token endpoint - /token

SumUp supported scopes

The scopes that can be requested from, and granted by, the SumUp authorization server upon receiving user consent are:

  • user.profile_readonly - Access user profile information

  • user.profile - Access and edit user profile information

  • user.subaccounts - Access and manage the user’s employees

  • user.payout-settings - Access and edit user’s payout settings

  • user.app-settings - Access and manage mobile application settings

  • payments - Make payments

  • balance - Access and manage user balance

  • products - Access and manage the user’s products, shelves, prices and VAT rates

  • transactions.history - Access user’s transaction history

By default, all registered applications can request the user.profile, payments, user.app-settings and transactions.history scopes.

OAuth setup

You can create or change your OAuth setup in the developers section of the SumUp Dashboard.

The consent screen is shown to users whenever you request access to their private data using your client ID. It is shown for all your registered applications. To make your application recognizable, you need to provide the following information:

  • Product name (Required) - the name of your service or application, which helps users recognize it

  • Home page URL - Link to your home page

  • Logo URL - Your logo; if provided, it is shown to the user

  • Terms of service URL - Your T&C page

  • Privacy policy URL - Your privacy policy page

Client credentials

Once you have set your consent screen details, you can create one or more client credentials. The information you need to enter includes:

  • Client type - you can choose between WEB, ANDROID, IOS and OTHER

  • Client name - your application name as you recognize it, e.g. “my awesome application”

  • Authorized redirect URI - the path in your application that users are redirected to after they have authenticated with SumUp. It must include the protocol or a custom URL scheme.

  • Authorized JavaScript origin - for use with requests made from a browser, for example to complete a checkout. This is the origin URI of the client application. It can’t contain a wildcard (http://*.example.com) or a path (http://example.com/subdir). If you’re using a nonstandard port, you must include it in the origin URI.

Once you create a client credential, you can download its details, including the client ID and secret, to use for authorization. Example:

{
    "name": "my awesome app",
    "client_id": "rncpQJkHsQxxJ3_yD5UXKTquUXwH",
    "client_secret": "3d97e3a57f7826516e1431d10cdf4bf0b674461635e5b580f6b5eb8ec3c94654",
    "application_type": "web",
    "auth_uri": "https://api.sumup.com/authorize",
    "token_uri": "https://api.sumup.com/token",
    "redirect_uris": ["https://mysite.com/oauth2callback"],
    "cors_uris": ["https://mysite.com"]
}

Note that client_secret and cors_uris are applicable only for client type WEB.
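As an added example (not SumUp's own code), the Python helper below parses a downloaded credentials file, enforces the redirect URI and JavaScript origin rules and the WEB-only rule for client_secret and cors_uris described above, and builds an Authorization Code Grant request against auth_uri. The credential values are placeholders, and the query parameter names are the standard OAuth 2.0 ones, which this page does not itself list.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample of the downloadable credentials file; the id and secret
# are placeholders, not real SumUp values.
CREDENTIALS_JSON = """{
  "name": "my awesome app", "client_id": "PLACEHOLDER_CLIENT_ID",
  "client_secret": "PLACEHOLDER_CLIENT_SECRET", "application_type": "web",
  "auth_uri": "https://api.sumup.com/authorize",
  "token_uri": "https://api.sumup.com/token",
  "redirect_uris": ["https://mysite.com/oauth2callback"],
  "cors_uris": ["https://mysite.com"]
}"""
# Scopes every registered application may request by default.
DEFAULT_SCOPES = ["user.profile", "payments", "user.app-settings", "transactions.history"]


def is_valid_redirect_uri(uri: str) -> bool:
    """Must carry a protocol (http/https plus a host) or a custom URL scheme."""
    p = urlsplit(uri)
    return bool(p.hostname) if p.scheme in ("http", "https") else bool(p.scheme)


def is_valid_js_origin(origin: str) -> bool:
    """scheme://host[:port] only: no wildcard host and no path, query or fragment."""
    p = urlsplit(origin)
    return (p.scheme in ("http", "https") and bool(p.hostname) and "*" not in p.netloc
            and p.path in ("", "/") and not p.query and not p.fragment)


def load_credentials(text: str) -> dict:
    """Parse the credentials file and enforce the constraints described above."""
    creds = json.loads(text)
    if creds["application_type"] != "web" and ("client_secret" in creds or "cors_uris" in creds):
        raise ValueError("client_secret and cors_uris apply only to WEB clients")
    bad = [u for u in creds["redirect_uris"] if not is_valid_redirect_uri(u)]
    bad += [o for o in creds.get("cors_uris", []) if not is_valid_js_origin(o)]
    if bad:
        raise ValueError(f"invalid redirect URI or origin: {bad}")
    return creds


def build_authorization_url(creds: dict, scopes: list, state: str = "") -> str:
    """Authorization Code Grant request to auth_uri; parameter names are the
    standard OAuth 2.0 ones (RFC 6749), which this page does not list itself."""
    state = state or secrets.token_urlsafe(16)  # ties the callback to this request
    query = urlencode({"response_type": "code", "client_id": creds["client_id"],
                       "redirect_uri": creds["redirect_uris"][0],
                       "scope": " ".join(scopes), "state": state})
    return f"{creds['auth_uri']}?{query}"
```

Keep the generated state server-side and compare it against the value returned on the redirect URI before exchanging the code at token_uri.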