Square OAuth Secret

Bridgecrew Policy ID: BC_GIT_16
Severity: LOW

Square OAuth Secret


The Square OAuth API uses the OAuth 2 protocol to get permission from the owner of the seller account to manage specific types of resources in that account.

Fix - Buildtime


Step 1: Revoke the exposed secret.

POST /oauth2/revoke: Revokes an access token generated with the OAuth flow.
If an account has more than one OAuth access token for your application, this endpoint revokes all of them, regardless of which token you specify. When an OAuth access token is revoked, all of the active subscriptions associated with that OAuth token are canceled immediately.

Replace APPLICATION_SECRET with the application secret on the OAuth page in the developer dashboard.

Authorization: Client APPLICATION_SECRET

Step 2: Clean the git history.