2023-11 Authorization request changes

From the 1st of March 2024, the state parameter in authorization requests will be required, with a minimum length of 8 characters.

What is the state parameter?

The state parameter is part of the authorization request that allows users to authorize an integration to access their store.

Example:

https://secure.retail.lightspeed.app/connect?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}

Currently, the state parameter is supported, included in our Authorization guide, but not required. In case it's provided, we are not validating its length.

Please refer to the Authorization page for more information.

Why are we making this change?

We are making this change to ensure that the state parameter is always provided, and that it's long enough to be effective in protecting integrations against Cross-Site Request Forgery attacks.

What do I need to do?

Make sure your authorization requests include the state parameter with a minimum length of 8 characters. It should be a unique, randomly generated, opaque, and non-guessable string.

When you receive the authorization response, make sure that the state parameter matches the one you sent in the authorization request.