Applications use the OAuth API to obtain access tokens that allow them to call Square APIs on behalf of Square sellers. Applications can request scoped permissions to limit their access to only the resources they need. The OAuth flow for obtaining an OAuth access token has three stages:
Authorization - Your application directs the seller to the Square authorization page using an authorization URL that specifies your requested permissions. The seller signs in to Square and reviews the permissions.
Callback - After approving the permissions, Square redirects the seller back to your application's registered redirect URL with an authorization code appended as a query parameter.
Token request - Your application calls the ObtainToken endpoint with the authorization code, your application ID, and other information. Square returns an access token and refresh token.
For more information, see the following guides: