OAuth 2.0 authorization

Sage Intacct uses the OAuth 2.0 authorization standard to allow REST API clients to obtain secure access to our web services on behalf of specific resource owners. Client applications can use the authorization code or the client credentials grant type depending on the type of access required.

Authorization code grant type

The authorization code grant type is supported for applications where a user requests authorization and grants access to their data by signing in to their Intacct company.

To request an authorization code, use the following endpoint with the listed parameters:

  • Endpoint: https://api.intacct.com/ia/api/v1/oauth2/authorize
  • HTTP method: GET
  • Parameters:
    • response_type: code
    • client_id: your application's client ID
    • redirect_uri: the redirect URI provided when registering the application
    • state: a random value used to validate the response

Sample authorization code request:

https://api.intacct.com/ia/api/v1/oauth2/authorize?response_type=code&client_id=b5974b6c5d6f2f1edb33.app.sage.com&redirect_uri=https://mysite.com/rest-callback.php&state=123456

Extract the authorization code from the response, then include it in a request for the access token. To request an access token, use the following endpoint with the listed parameters:

  • Endpoint: https://api.intacct.com/ia/api/v1/oauth2/token
  • HTTP method: POST
  • Parameters:
    • grant_type: authorization_code
    • code: <authorization code>
    • redirect_uri: the redirect URI provided when registering the application
    • client_id: your application's client ID
    • client_secret: your application's client secret

Sample access token request:

curl --location --request POST 'https://api.intacct.com/ia/api/v1/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRJZCI6IjkyZDRkY2Y0MTRlNmEyYzNkNzhkLlNhZ2VfSW50YWNjdF9VSS5hcHAuc2FnZS5jb20iLCJjbnlJZCI6Im9hdXRoMiIsImF1dGh6Q29kZSI6IjQ2MTkyMTYxNGZmMTM5ODcwMWQxY2UzOTdjZjI5M2M3ZWUwNDY5MjUiLCJ1c2VySWQiOiJBZG1pbiJ9.49P6x_nOqwTe5_Cr-MiMYTI2q9KOsvlyIGzTQgk7nc4' \
--data-urlencode 'redirect_uri=https://mysite.com/callback.php' \
--data-urlencode 'client_id=92d4dcf414e6a2c3d78d.app.sage.com' \
--data-urlencode 'client_secret=a55a58f1aeaf09116cbe1bf28025c183e778268c'

Sample response:

{
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FwaS5pbnRhY2N0LmNvbSIsImlhdCI6MTcyNjIxODkyMSwiZXhwIjoxNzI2MjIyNTIxLCJjbGllbnRJZCI6ImQ0ZjJiNmIzMTgxNzRiOWE2MGE3LklOVEFDQ1QuYXBwLnNhZ2UuY29tIiwiY255SWQiOiJvYXV0aDJfbWFpbjIiLCJjbnlLZXkiOiI0NTIwODgwMiIsInVzZXJJZCI6IkFkbWluIiwidXNlcktleSI6IjEiLCJzZXNzaW9uSWQiOiJ1MHRGV1UtdEpRTjNjSnlNeTRBVHV0MzhBM1p3bkx0TFJWbE5YUEhoZDNDY2pNdUFFN3MwRlFOMyIsImVudGl0eUtleSI6IjQiLCJlbnRpdHlJZCI6IkNlbnRyYWwgUmVnaW9uIn0.bWD3UmTeKa1Y-R-ZJDg1NwaZcAfcvpeBxWZALNQkZFQ",
  "expires_in": 3600
}

See the PHP tutorial or the Node.js tutorial for more details on how to authenticate with the OAuth2 server and send requests to the REST API.
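The sketch below is an added example, not Sage Intacct code. It walks the authorization code steps above with an unpredictable `state` in place of the sample's `123456`, and it refuses a callback whose `state` does not match. It assumes the redirect delivers `code` and `state` as query parameters, as RFC 6749 specifies; the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://api.intacct.com/ia/api/v1/oauth2/authorize"  # from the page


def build_authorize_url(client_id, redirect_uri):
    """Return (url, state); store state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode percent-encodes ':' and '/'
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the echoed state matches."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])
    matches = (
        bool(expected_state)
        and len(returned) == 1
        # constant-time comparison of the stored and echoed values
        and hmac.compare_digest(returned[0].encode(), expected_state.encode())
    )
    if not matches:
        raise ValueError("state mismatch: discard this response")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one 'code' parameter")
    return codes[0]


def token_request_form(code, redirect_uri, client_id, client_secret):
    """Form fields for the x-www-form-urlencoded POST to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, not source code
    }
```

Discard the stored `state` after the first callback so that a value cannot be accepted twice.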

Client credentials grant type

The client credentials grant type is supported for applications needing direct access without user interaction. The client application must be whitelisted and associated with a Web Services user.

To request client credentials, use the following endpoint with the listed parameters:

  • Endpoint: https://api.intacct.com/ia/api/v1/oauth2/token
  • HTTP method: POST
  • Parameters:
    • grant_type: client_credentials
    • client_id: your application's client ID
    • client_secret: your application's client secret
    • username: (optional) in userId@companyId|entityId format, skip if using session_id
    • session_id: (optional) valid UI or API session ID, skip if using username

Sample client credentials request with username:

curl -s --request POST 'https://api.intacct.com/ia/api/v1/oauth2/token' \
 --header 'Content-Type: application/json' \
 --data-raw '{
   "grant_type": "client_credentials",
   "client_id": "d4f2b6b318174b9a60a7.INTACCT.app.sage.com",
   "client_secret": "0f4e72b55e88906255c34a800b5e177fce5f1ba9",
   "username": "Admin@oauth2_main2|Central Region" }' | jq

Sample client credentials request with session_id:

curl -s --request POST 'https://api.intacct.com/ia/api/v1/oauth2/token' \
--header 'Content-Type: application/json' \
--data-raw '{
  "grant_type": "client_credentials",
  "client_id": "d4f2b6b318174b9a60a7.INTACCT.app.sage.com",
  "client_secret": "0f4e72b76e88909955c34a800b5e177fce5f1ba9",
  "session_id": "CkAU0b-G_RCd42yvvJvCo7aUEJwmVwcCFNG-xJE6neNsr7ybwuKriRKe" }' | jq

Sample response:

{
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FwaS5pbnRhY2N0LmNvbSIsImlhdCI6MTcyNjIxODkyMSwiZXhwIjoxNzI2MjIyNTIxLCJjbGllbnRJZCI6ImQ0ZjJiNmIzMTgxNzRiOWE2MGE3LklOVEFDQ1QuYXBwLnNhZ2UuY29tIiwiY255SWQiOiJvYXV0aDJfbWFpbjIiLCJjbnlLZXkiOiI0NTIwODgwMiIsInVzZXJJZCI6IkFkbWluIiwidXNlcktleSI6IjEiLCJzZXNzaW9uSWQiOiJ1MHRGV1UtdEpRTjNjSnlNeTRBVHV0MzhBM1p3bkx0TFJWbE5YUEhoZDNDY2pNdUFFN3MwRlFOMyIsImVudGl0eUtleSI6IjQiLCJlbnRpdHlJZCI6IkNlbnRyYWwgUmVnaW9uIn0.bWD3UmTeKa1Y-R-ZJDg1NwaZcAfcvpeBxWZALNQkZFQ",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FwaS5pbnRhY2N0LmNvbSIsImlhdCI6MTcyNjIxODkyMSwiZXhwIjoxNzMzOTk0OTIxLCJjbGllbnRJZCI6ImQ0ZjJiNmIzMTgxNzRiOWE2MGE3LklOVEFDQ1QuYXBwLnNhZ2UuY29tIiwiY255SWQiOiJvYXV0aDJfbWFpbjIiLCJyZWZyZXNoVG9rZW4iOiJiMzdiODg2ODcyNTQwZjk5Yjg2ZWQ4OWFiMjFiMWU0YmNlODMwZjUzIn0.2XgOzUcHQKGG7JkdF6gBHo6vmawld_TeCrjiyAXNBVw",
  "expires_in": 3600
}
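Both grant types return `token_type`, `access_token` and `expires_in`. The following added example (not Sage Intacct code) caches the token and requests a new one shortly before it expires, so the client secret is sent only when a token is actually needed. `TokenCache`, the `fetch_token` callable and the 60-second margin are assumptions, as is sending the token in an `Authorization: Bearer` header per RFC 6750.

```python
import time


class TokenCache:
    """Caches one bearer token and re-requests it shortly before expiry."""

    def __init__(self, fetch_token, skew_seconds=60, clock=time.monotonic):
        self._fetch = fetch_token   # hypothetical callable that POSTs to the token endpoint
        self._skew = skew_seconds   # assumed safety margin, not a documented value
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def _store(self, response):
        # Validate the fields shown in the sample responses before trusting them.
        if str(response.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        token = response.get("access_token")
        lifetime = response.get("expires_in")
        if not isinstance(token, str) or not token:
            raise ValueError("response has no access_token")
        if isinstance(lifetime, bool) or not isinstance(lifetime, (int, float)) or lifetime <= 0:
            raise ValueError("response has no usable expires_in")
        self._token = token
        self._expires_at = self._clock() + max(lifetime - self._skew, 0)

    def authorization_header(self):
        """Return the header for an API call, fetching a new token when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            self._token = None      # never reuse a token past its lifetime
            self._store(self._fetch())
        return {"Authorization": "Bearer " + self._token}
```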