Authorization
POS-to-OpenApp HTTP calls use OpenApp Merchant API HMAC authentication. This applies to POS callbacks, POS-pushed events, health reporting, and other POS-initiated HTTP calls after activation.
The activation call itself is a bootstrap operation and uses the merchant tax identifier and short-lived activation PIN because POS credentials do not exist yet. See Activation And Health.
After activation, OpenApp returns POS-scoped credentials. The POS uses these credentials to sign HTTP requests to OpenApp.
OpenApp validates the HMAC signature and resolves the credential scope server-side, including merchant, integration profile, and POS capability.
POS clocks must be reasonably synchronized with real time. OpenApp accepts signed timestamps only within a 60-second clock skew tolerance. If the POS clock differs from OpenApp server time by more than 60 seconds, OpenApp rejects the request before processing the body.
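The order of checks described above, as an added example that is not OpenApp's own code: the 60-second timestamp window is enforced before the body is hashed, the signature is compared in constant time, and the scope is read from the credential record rather than from the request. The canonical string layout, key id, secret, scope values and path are assumptions made for illustration; the actual Merchant API signing format is not specified on this page.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 60  # tolerance stated on this page

# Constructed credential store: key id -> secret and server-side scope.
CREDENTIALS = {
    "pos-key-1": {
        "secret": b"constructed-demo-secret",
        "scope": {"merchant": "m-100", "profile": "default", "capability": "pos-callback"},
    },
}


def canonical(method, path, timestamp, body):
    # Assumed canonical form; the real Merchant API layout is not given here.
    digest = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{digest}".encode()


def sign(secret, method, path, timestamp, body):
    return hmac.new(secret, canonical(method, path, timestamp, body), hashlib.sha256).hexdigest()


def verify(key_id, timestamp, signature, method, path, body, now):
    """Return (ok, reason, scope). The timestamp is checked before the body is hashed."""
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False, "bad_timestamp", None
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "clock_skew", None
    cred = CREDENTIALS.get(key_id)
    if cred is None:
        return False, "unknown_key", None
    expected = sign(cred["secret"], method, path, timestamp, body)
    if not hmac.compare_digest(expected.encode(), str(signature).encode()):
        return False, "bad_signature", None
    # Scope comes from the credential record, never from request fields.
    return True, "ok", cred["scope"]
```

Pass the server's current Unix time as now; a POS whose clock has drifted past the tolerance gets clock_skew even when its signature is otherwise valid.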