iBooker.online

How iBooker.online connects to Square (OAuth 2.0)

Updated June 2, 2026

iBooker.online connects to your Square account through Square's official OAuth 2.0 authorization flow. We never ask for or store your Square password — you log in on Square's own page and explicitly grant access. Here's exactly how it works.

What is OAuth and why it matters

OAuth is the industry-standard way for one app to access another on your behalf without sharing your password. When you connect Square, you're redirected to Square, you approve a specific set of permissions, and Square hands iBooker.online a temporary access token. That token — not your password — is what we use.

The connection flow, step by step

  1. In your iBooker.online dashboard you click “Connect Square” on a project.
  2. We generate a PKCE code challenge and redirect you to Square's secure authorization page.
  3. You sign in to Square (on Square's domain) and approve the requested permissions.
  4. Square redirects back to iBooker.online with a one-time authorization code.
  5. Our server exchanges that code (plus the PKCE verifier) for an access token and refresh token.
  6. The tokens are encrypted and stored; the access token auto-refreshes before it expires.

What we use PKCE for

PKCE (Proof Key for Code Exchange) protects the authorization code in transit. It means that even if the one-time code were intercepted, it can't be exchanged for a token without the secret verifier that never leaves our server. We do not store a Square application secret in our codebase.

Which permissions we request

We request the minimum scopes needed to read your booking activity and create bookings through your branded page — for example appointments, customers, and merchant profile read access. We request buyer-level appointment scopes, so bookings respect your “requires acceptance” settings.

What iBooker.online never sees or stores

  • Your Square account password — ever.
  • Your customers' payment card details — all payments stay inside Square.
  • A persistent copy of your bookings or customer database.

You can revoke iBooker.online's access at any time from your Square Dashboard (Connected apps) or by disconnecting the project in iBooker.online. Revoking immediately invalidates our tokens.

Token storage and security

Access and refresh tokens are encrypted at rest. The access token is refreshed automatically using the refresh token, so your connection keeps working without you re-authorizing. If the refresh token expires or is revoked, the connection simply stops and you re-connect with one click.
