Resources/The Agent API Atlas/Finance/Square

Everything an AI agent can do with the Square API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints35

API version2026-05-20

Last updated23 June 2026

Orientation

How the Square API works.

The Square API is how an app or AI agent works with a Square seller account: taking a payment, refunding a charge, creating an order, updating a customer, or changing the catalog and stock. Access is granted through an OAuth access token carrying named permissions, each split into a read and a write form, so a call reaches only the areas the seller approved. Square versions its API by date, and a state change emits an event Square can deliver to a subscribed webhook URL.

35Endpoints

7Capability groups

16Read

19Write

12Permissions

Authentication

Square authenticates with an OAuth 2.0 access token sent as a Bearer token. An integration acting on other sellers' accounts uses the authorization-code flow, where a seller approves the specific permissions the app requests, and the returned token is tied to that seller. For a developer's own account, a personal access token from the Developer Dashboard works without the OAuth flow. Each token carries a fixed set of permissions.

Permissions

Access is governed by named OAuth permissions, requested when the seller authorizes the app, each split into a read and a write form. Examples are PAYMENTS_READ and PAYMENTS_WRITE for payments and refunds, ORDERS_READ and ORDERS_WRITE for orders, CUSTOMERS_READ and CUSTOMERS_WRITE for customers, ITEMS_READ and ITEMS_WRITE for the catalog, INVENTORY_READ and INVENTORY_WRITE for stock, and INVOICES_READ and INVOICES_WRITE for invoices. A call without the permission it needs returns a 403 with INSUFFICIENT_SCOPES.

Versioning

The REST API is versioned by date through the Square-Version header, in a YYYY-MM-DD scheme, with 2026-05-20 the newest version. An application is pinned to a default version that every call uses, and a request can override it per call with the header. A webhook payload reflects the API version set on the subscription.

Data model

Square is resource-oriented JSON over HTTPS, with all paths under the version-2 prefix at https://connect.squareup.com/v2. A payment is a Payment, refunded through the Refunds API; commerce combines Orders, Customers, the Catalog, Inventory, and Invoices. List and search endpoints page with a cursor, search reads use POST to carry a query body, and a state change emits an event Square can deliver by webhook.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Square determines what it can reach. There is a route for making calls, a route for receiving events, and a hosted server that exposes Square tools to agents, and each is governed by the token behind it and the permissions that token carries.

Ways to connect

REST API

The REST API answers at https://connect.squareup.com/v2 in production and https://connect.squareupsandbox.com/v2 in sandbox. A call authenticates with an OAuth access token as a Bearer token, sends and returns JSON, and a Square-Version header on each request selects the dated API version.

Best forConnecting an app or AI agent to Square.

Governed byThe access token and the permissions it carries.

Docs ↗

Webhooks

Square POSTs event notifications to an HTTPS URL subscribed to the chosen event types, like payment.created or order.updated. The receiver verifies the x-square-hmacsha256-signature header, an HMAC-SHA256 of the notification URL and the raw body computed with the subscription's signature key, to confirm the request came from Square.

Best forReceiving Square events at an app or AI agent.

Governed byThe signature key on the webhook subscription.

Docs ↗

MCP server (Model Context Protocol)

Square's hosted Model Context Protocol server at https://mcp.squareup.com/sse exposes the Square API platform to AI agents, covering payments, orders, customers, items, and more. The remote server uses OAuth login for granular permissions, and a local server authenticates with an access token. It is in Beta, and its source is at github.com/square/square-mcp-server.

Best forConnecting an AI agent to Square through MCP.

Governed byThe OAuth grant or the access token and the permissions it carries.

Docs ↗

Authentication

OAuth 2.0

Square uses the OAuth 2.0 authorization-code flow. A seller is sent to the authorization page with the set of permissions the app needs, and the returned code is exchanged for an access token tied to that seller and those permissions. This is the route for an integration acting on accounts it does not own.

TokenOAuth access token (Bearer)

Best forActing on behalf of sellers who authorize the app

Docs ↗

Personal access token

Each Square application provides a personal access token in the Developer Dashboard that calls the API for the developer's own account, with all of the application's permissions. It suits internal tools and testing, not access to other sellers' accounts.

TokenBearer access token

Best forCalling the API for the developer's own account

Docs ↗

Capability map

What an AI agent can do in Square.

The Square API is split into areas an agent can act on, like payments, orders, customers, catalog, inventory, refunds, and invoices. Each area has its own methods and its own permission, and writes in some areas move real money or change a live catalog.

Payments

6 endpoints

List, create, retrieve, update, cancel, and complete payments.

A write here takes, voids, or captures real money.

View endpoints →

Refunds

3 endpoints

List refunds, refund a payment, and retrieve a single refund.

A write here returns real money to a buyer.

View endpoints →

Orders

6 endpoints

Create, retrieve, update, search, clone, and pay for orders.

A write here changes real order data and can trigger a payment.

View endpoints →

Customers

6 endpoints

List, create, search, retrieve, update, and delete customer profiles.

A write here changes real customer data.

View endpoints →

Catalog

5 endpoints

List, upsert, retrieve, search, and delete catalog objects and items.

A write here changes the live product catalog.

View endpoints →

Inventory

3 endpoints

Retrieve stock counts, apply adjustments and counts, and read inventory history.

A write here changes real stock counts.

View endpoints →

Invoices

6 endpoints

List, create, search, retrieve, update, delete, publish, and cancel invoices.

A write here can send a real invoice to a customer.

View endpoints →

Endpoint reference

Every Square API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Payments List, create, retrieve, update, cancel, and complete payments.6
GET	`/v2/payments`	Retrieve a list of payments taken by the account making the request.	read	`PAYMENTS_READ`	Current
Read-only. Grants access to payment and refund data. Acts onpayment Permission (capability)`PAYMENTS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/payments`	Create a payment using the provided payment source.	write	`PAYMENTS_WRITE`	Current
Takes a real payment. Adding additional recipients also needs PAYMENTS_WRITE_ADDITIONAL_RECIPIENTS. Acts onpayment Permission (capability)`PAYMENTS_WRITE` VersionAvailable since the API’s base version Webhook event`payment.created` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/payments/{payment_id}`	Retrieve details for a specific payment.	read	`PAYMENTS_READ`	Current
Read-only. Acts onpayment Permission (capability)`PAYMENTS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/payments/{payment_id}`	Update a payment that has the APPROVED status.	write	`PAYMENTS_WRITE`	Current
Only an approved, uncaptured payment can be updated. Acts onpayment Permission (capability)`PAYMENTS_WRITE` VersionAvailable since the API’s base version Webhook event`payment.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/payments/{payment_id}/cancel`	Cancel (void) a payment that is in an approved, uncaptured state.	write	`PAYMENTS_WRITE`	Current
Releases the held authorization without capturing funds. Acts onpayment Permission (capability)`PAYMENTS_WRITE` VersionAvailable since the API’s base version Webhook event`payment.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/payments/{payment_id}/complete`	Complete (capture) a payment that was authorized with delayed capture.	write	`PAYMENTS_WRITE`	Current
Captures the held funds for an approved payment. Acts onpayment Permission (capability)`PAYMENTS_WRITE` VersionAvailable since the API’s base version Webhook event`payment.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
Refunds List refunds, refund a payment, and retrieve a single refund.3
GET	`/v2/refunds`	Retrieve a list of refunds for the account making the request.	read	`PAYMENTS_READ`	Current
Read-only. Refund data is covered by the payments permission. Acts onrefund Permission (capability)`PAYMENTS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/refunds`	Refund a payment, fully or partially.	write	`PAYMENTS_WRITE`	Current
Returns real money. Refunding is part of the payments write permission. Acts onrefund Permission (capability)`PAYMENTS_WRITE` VersionAvailable since the API’s base version Webhook event`refund.created` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/refunds/{refund_id}`	Retrieve a specific refund using its refund_id.	read	`PAYMENTS_READ`	Current
Read-only. Acts onrefund Permission (capability)`PAYMENTS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Orders Create, retrieve, update, search, clone, and pay for orders.6
POST	`/v2/orders`	Create a new order that can include products, taxes, and discounts.	write	`ORDERS_WRITE`	Current
A core write. Acts onorder Permission (capability)`ORDERS_WRITE` VersionAvailable since the API’s base version Webhook event`order.created` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/orders/{order_id}`	Retrieve a single order by its ID.	read	`ORDERS_READ`	Current
Read-only. Acts onorder Permission (capability)`ORDERS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/orders/{order_id}`	Update an open order by adding, replacing, or deleting fields.	write	`ORDERS_WRITE`	Current
Only an open order can be updated, using a sparse update and a version for optimistic concurrency. Acts onorder Permission (capability)`ORDERS_WRITE` VersionAvailable since the API’s base version Webhook event`order.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/orders/search`	Search all orders for one or more locations.	read	`ORDERS_READ`	Current
Read-only. Search uses POST to carry a query body. Acts onorder Permission (capability)`ORDERS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/orders/{order_id}/pay`	Pay for an order using one or more approved payments.	write	`ORDERS_WRITE`	Current
Also needs PAYMENTS_WRITE, because it captures the linked payments. Acts onorder Permission (capability)`ORDERS_WRITE` VersionAvailable since the API’s base version Webhook event`order.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/orders/clone`	Create a new order in the DRAFT state by duplicating an existing order.	write	`ORDERS_WRITE`	Current
The clone starts as a draft and is not yet payable. Acts onorder Permission (capability)`ORDERS_WRITE` VersionAvailable since the API’s base version Webhook event`order.created` Rate limitStandard limits apply SourceOfficial documentation ↗
Customers List, create, search, retrieve, update, and delete customer profiles.6
GET	`/v2/customers`	List customer profiles associated with a Square account.	read	`CUSTOMERS_READ`	Current
Read-only. Acts oncustomer Permission (capability)`CUSTOMERS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/customers`	Create a new customer profile.	write	`CUSTOMERS_WRITE`	Current
A core write. Acts oncustomer Permission (capability)`CUSTOMERS_WRITE` VersionAvailable since the API’s base version Webhook event`customer.created` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/customers/search`	Search customer profiles using one or more supported query filters.	read	`CUSTOMERS_READ`	Current
Read-only. Search uses POST to carry a query body. Acts oncustomer Permission (capability)`CUSTOMERS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/customers/{customer_id}`	Return details for a single customer.	read	`CUSTOMERS_READ`	Current
Read-only. Acts oncustomer Permission (capability)`CUSTOMERS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/customers/{customer_id}`	Update an existing customer profile.	write	`CUSTOMERS_WRITE`	Current
A core write. Acts oncustomer Permission (capability)`CUSTOMERS_WRITE` VersionAvailable since the API’s base version Webhook event`customer.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/customers/{customer_id}`	Delete a customer profile from a business.	write	`CUSTOMERS_WRITE`	Current
Permanently removes the profile. Acts oncustomer Permission (capability)`CUSTOMERS_WRITE` VersionAvailable since the API’s base version Webhook event`customer.deleted` Rate limitStandard limits apply SourceOfficial documentation ↗
Catalog List, upsert, retrieve, search, and delete catalog objects and items.5
GET	`/v2/catalog/list`	Return a list of all catalog objects of the specified types.	read	`ITEMS_READ`	Current
Read-only. Acts oncatalog object Permission (capability)`ITEMS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/catalog/object`	Create a new or update a specified catalog object.	write	`ITEMS_WRITE`	Current
A core catalog write. Acts oncatalog object Permission (capability)`ITEMS_WRITE` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/catalog/object/{object_id}`	Return a single catalog object based on the provided ID.	read	`ITEMS_READ`	Current
Read-only. Acts oncatalog object Permission (capability)`ITEMS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/catalog/search`	Search for catalog objects by matching query filter attributes.	read	`ITEMS_READ`	Current
Read-only. Search uses POST to carry a query body. Acts oncatalog object Permission (capability)`ITEMS_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/catalog/object/{object_id}`	Delete a single catalog object based on the provided ID.	write	`ITEMS_WRITE`	Current
Deletes the object and its children, like the variations under an item. Acts oncatalog object Permission (capability)`ITEMS_WRITE` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Inventory Retrieve stock counts, apply adjustments and counts, and read inventory history.3
GET	`/v2/inventory/{catalog_object_id}`	Retrieve the current calculated stock count for a catalog object at a set of locations.	read	`INVENTORY_READ`	Current
Read-only. Acts oninventory count Permission (capability)`INVENTORY_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/inventory/changes/batch-create`	Apply adjustments and counts to the provided item quantities.	write	`INVENTORY_WRITE`	Current
Changes real stock counts. Acts oninventory change Permission (capability)`INVENTORY_WRITE` VersionAvailable since the API’s base version Webhook event`inventory.count.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/inventory/counts/batch-retrieve`	Return current counts for the provided catalog objects at the requested locations.	read	`INVENTORY_READ`	Current
Read-only. Uses POST to carry the list of object IDs. Acts oninventory count Permission (capability)`INVENTORY_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Invoices List, create, search, retrieve, update, delete, publish, and cancel invoices.6
GET	`/v2/invoices`	Return a list of invoices for a given location.	read	`INVOICES_READ`	Current
Read-only. A location_id query parameter is required. Acts oninvoice Permission (capability)`INVOICES_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/invoices`	Create a draft invoice for an order created with the Orders API.	write	`INVOICES_WRITE`	Current
Starts as a draft until it is published. Acts oninvoice Permission (capability)`INVOICES_WRITE` VersionAvailable since the API’s base version Webhook event`invoice.created` Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/invoices/{invoice_id}`	Retrieve an invoice by its invoice ID.	read	`INVOICES_READ`	Current
Read-only. Acts oninvoice Permission (capability)`INVOICES_READ` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/invoices/{invoice_id}`	Modify an existing invoice.	write	`INVOICES_WRITE`	Current
A version is required for optimistic concurrency. Acts oninvoice Permission (capability)`INVOICES_WRITE` VersionAvailable since the API’s base version Webhook event`invoice.updated` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/invoices/{invoice_id}/publish`	Publish a draft invoice, which can send it to the customer.	write	`INVOICES_WRITE`	Current
Publishing can email or charge the customer, depending on the delivery method. Acts oninvoice Permission (capability)`INVOICES_WRITE` VersionAvailable since the API’s base version Webhook event`invoice.published` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/invoices/{invoice_id}/cancel`	Cancel an invoice that is not in a terminal state.	write	`INVOICES_WRITE`	Current
Stops any further payment on the invoice. Acts oninvoice Permission (capability)`INVOICES_WRITE` VersionAvailable since the API’s base version Webhook event`invoice.updated` Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Square can notify an app or AI agent when something happens in an account, like a payment being created or an order being updated, instead of the app repeatedly asking. Square posts the event to a notification URL that has been subscribed to the chosen event types.

Event	What it signals	Triggered by
`payment.created`	A payment was created.	`/v2/payments`
`payment.updated`	A field on a payment was updated, including when it is canceled or completed.	`/v2/payments/{payment_id}` `/v2/payments/{payment_id}/cancel` `/v2/payments/{payment_id}/complete`
`refund.created`	A refund was created.	`/v2/refunds`
`order.created`	An order was created.	`/v2/orders` `/v2/orders/clone`
`order.updated`	An order was updated, including when it is paid.	`/v2/orders/{order_id}` `/v2/orders/{order_id}/pay` `/v2/invoices/{invoice_id}/cancel`
`customer.created`	A customer profile was created.	`/v2/customers`
`customer.updated`	An attribute on a customer profile was changed.	`/v2/customers/{customer_id}`
`customer.deleted`	A customer profile was deleted.	`/v2/customers/{customer_id}`
`inventory.count.updated`	The stock quantity was updated for a catalog item variation.	`/v2/inventory/changes/batch-create`
`invoice.created`	A draft invoice was created.	`/v2/invoices`
`invoice.published`	An invoice was published.	`/v2/invoices/{invoice_id}/publish`
`invoice.updated`	An invoice was changed.	`/v2/invoices/{invoice_id}`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Square limits how fast an app or AI agent can call. It does not publish a fixed per-second number, and an app over the limit gets a RATE_LIMITED error to back off and retry.

Request rate

Square limits how fast an application can call, but does not publish a fixed per-second number, and notes that different endpoints can enforce different limits. An application that sends too many requests in a short period gets a RATE_LIMITED error in the RATE_LIMIT_ERROR category, returned with HTTP 429. The documented handling is to watch for 429 responses and retry with an exponential backoff schedule plus a randomized delay, so a burst does not repeatedly hit the limit.

Pagination

List and search endpoints are cursor-based. A response includes a cursor when more results remain, and that cursor is passed on the next request to fetch the following page; an absent cursor means the last page has been reached. Some endpoints take a limit parameter to set the page size.

Request size

Bodies are JSON. Batch endpoints set their own caps, such as BatchUpsertCatalogObjects creating or updating up to 10,000 objects in a single call. An idempotency key on a write makes it safe to repeat.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`INVALID_REQUEST_ERROR`	The request was malformed: a field is missing, invalid, or in the wrong format, like VALUE_TOO_LONG or EXPECTED_INTEGER. An idempotency key reused with different data also returns this category, as IDEMPOTENCY_KEY_REUSED.	Read the category, code, detail, and field on each Error object, correct the named field, and resend.
401	`AUTHENTICATION_ERROR`	The access token is missing, invalid, expired, or revoked, shown by codes like UNAUTHORIZED, ACCESS_TOKEN_EXPIRED, or ACCESS_TOKEN_REVOKED.	Send a valid Bearer access token, and refresh or re-authorize through OAuth when it has expired or been revoked.
403	`INSUFFICIENT_SCOPES`	The token is valid but lacks a permission the request needs, or the action is forbidden. The error sits in the AUTHENTICATION_ERROR category.	Re-authorize with the required permission, like PAYMENTS_WRITE or ITEMS_WRITE, then retry.
404	`NOT_FOUND`	The requested object does not exist, or is not visible to this token, account, or environment.	Verify the object ID, and confirm it lives in the same account and environment, production or sandbox.
409	`VERSION_MISMATCH`	An optimistic-concurrency conflict: the version sent does not match the current version of an order, invoice, or other versioned object, because it changed in the meantime.	Refetch the object to read its current version, reapply the change, and resend.
429	`RATE_LIMITED`	Too many requests arrived in a short period, so Square temporarily stopped processing them. The error sits in the RATE_LIMIT_ERROR category.	Retry with exponential backoff and jitter, and smooth the request rate.
500	`INTERNAL_SERVER_ERROR`	An error on Square's side, in the API_ERROR category. It is rare.	Retry idempotently with backoff, and contact Square support if it persists.

Versioning & freshness

Version history.

Square versions its API by date through the Square-Version header. The newest version is 2026-05-20, and an application is pinned to a default version that every call uses unless a request overrides it.

Version history

What changed, and when

Latest version2026-05-20

2026-05-20Current version

Current version (May 2026 release)

Square versions its API by date through the Square-Version header. The 2026-05-20 version is the newest, and an application is pinned to a default version that all of its calls use unless a request overrides it with the header. Releases ship roughly monthly through the release notes.

What changed

Updates to the Payments API.
Updates to the Refunds API.

2026-04-21Feature update

April 2026 release

A dated monthly release ahead of 2026-05-20.

What changed

Updates to the Reporting API and associated documentation.

An integration can pin a version and move up on a schedule that suits it.

Square API release notes ↗

Questions

Square API, answered.

How does Square authenticate API calls?+

Every request carries an OAuth 2.0 access token as a Bearer token in the Authorization header. To act on a seller's account, an app sends the seller to Square's authorization page with the permissions it needs, and exchanges the returned code for an access token tied to that seller. For its own account, a developer can use a personal access token from the Developer Dashboard instead of running the OAuth flow.

What are Square's OAuth permissions, and what happens if one is missing?+

Square scopes access with named permissions, each in a read and a write form, such as PAYMENTS_WRITE, ORDERS_READ, CUSTOMERS_WRITE, ITEMS_WRITE, INVENTORY_WRITE, and INVOICES_WRITE. An app requests only the permissions it needs when the seller authorizes it. A call whose token lacks the required permission returns HTTP 403 with the code INSUFFICIENT_SCOPES, and the app then re-authorizes with the missing permission added.

How does Square version its API?+

Square versions by date through the Square-Version header, using a YYYY-MM-DD scheme where the date is the release date, and the newest version is 2026-05-20. Each application is pinned to a default version that all of its calls use, and a single request can target a different version by setting the header. New versions ship roughly monthly through the release notes.

How do I verify that a webhook really came from Square?+

Each notification carries an x-square-hmacsha256-signature header. The receiver computes an HMAC-SHA256 over the notification URL joined with the raw request body, using the signature key from the webhook subscription, and compares it to the header value with a constant-time check. A mismatch is rejected, which prevents a spoofed event from being trusted.

How does pagination work?+

List and search endpoints are cursor-based. When more results remain, the response includes a cursor, which is sent on the next request to fetch the following page. When the response has no cursor, the last page has been reached. Some endpoints also accept a limit parameter to set the page size.

What are the rate limits?+

Square does not publish a fixed per-second limit, and different endpoints can enforce different limits. An app that sends too many requests in a short period gets a RATE_LIMITED error with HTTP 429. The recommended handling is to watch for 429 responses and retry with exponential backoff plus a randomized delay, rather than assume a specific number.

Does Square have an MCP server for AI agents?+

Yes. Square publishes a hosted Model Context Protocol server at mcp.squareup.com that exposes the Square API platform to AI agents, covering payments, orders, customers, items, and more. The remote server uses OAuth login for granular permissions, while a local server authenticates with an access token. It is in Beta, and its source is on GitHub at square/square-mcp-server.

What is Bollard AI?

Control what every AI agent can do in Square.

Bollard AI sits between a team's AI agents and Square. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Square key.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Square access in Bollard Browse all APIs →

Square

Storefront Agent

Read orders ResourceOffReadFull use

Refund payments ActionOffReadFull use

Catalog & inventory ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Square

How the Square API works.

Connection & authentication methods.

REST API

Webhooks

MCP server (Model Context Protocol)

OAuth 2.0

Personal access token

What an AI agent can do in Square.

Payments

Refunds

Orders

Customers

Catalog

Inventory

Invoices

Every Square API method.

Payments

Refunds

Orders

Customers

Catalog

Inventory

Invoices

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Square API, answered.

More finance API guides for agents

Stripe

FreshBooks

Chargebee

Razorpay

Recurly

BILL

Control what every AI agent can do in Square.