Authentication

The Authorization header

Every API request needs an Authorization header. Keys always start with live_sk_ or test_sk_.

Authorization: Bearer live_sk_<48 hex chars>

Key format

Use test keys during development. Swap to live keys only when you're ready to post to real business data.

Who can generate keys

API keys are a Premium-tier feature. You'll need a subscription to Premium or Accountant Pro to see the Generate Key button in Settings → API & Integrations. Free-tier accounts receive a clear 403 from the API even if they somehow obtain a key.

Keys rotate every 90 days

To rotate: generate a new key, deploy it, then revoke the old one from the dashboard. Both keys can coexist during the cutover.

Keeping your key secret

• Never expose keys client-side

  Keys belong on your server, in an environment variable or secret manager. A browser request with Authorization: Bearer live_sk_… leaks the key to every visitor.

• Scope one key per integration

  Give every WooCommerce store, Shopify shop, or cron job its own key. When one leaks or rotates, the others keep working.

• Revoke suspected leaks immediately

  The dashboard has a revoke button. Revocation is instant — new requests with the old key start returning 401 INVALID_API_KEY.

What a retail key can do

Dashboard keys are full-access within the retail surface — they can read and write every core accounting module (Invoices, Receipts, Customers, Suppliers, Products, Expenses, Bills, Quotations, Loans, Petty Cash, Payroll, Journal Entries, Chart of Accounts, Reports, Tax, Documents, Webhooks).

Enterprise modules (Smart Loans, Business Intelligence, Account Officers, Branch Analytics, Payments, AI) require enterprise provisioning. Calling them with a retail key returns 403 ENTERPRISE_ONLY.

Scoped keys (e.g. read-only, per-module) are on the roadmap alongside OAuth 2.0 for enterprise service accounts.