If you run a small or mid-size business, “modernizing operations” usually means the same few moves: less re-keying between tools, faster answers from your numbers, and software that talks to each other instead of living in separate tabs.
Accounting API integration is what makes that possible — your accounting system exposes a controlled way for other apps to read (and, where you allow it, draft) financial data. You stay in charge of what connects, what it can do, and when access ends.
On NewLedger, that layer is App Connect. For most accounting API integration work — automations, internal tools, partner sync — you use API credentials (client ID + secret, server-side token exchange). OAuth with a browser consent screen is only for MCP integrations such as ChatGPT, where the AI client redirects you to approve access. This guide covers both, in that order.
Why accounting API integration helps when you modernize ops
Typical SMB goals and how a connected accounting API supports them:
| What you're trying to do | How integration helps |
|---|---|
| Ask questions about cash, AR, or expenses without exporting spreadsheets | MCP clients (e.g. ChatGPT) read live data after you approve OAuth consent — see MCP for accounting |
| Automate repetitive work (invoice drafts, expense capture, categorization hints) | Automations use API credentials and call the API instead of copying numbers by hand |
| Connect a stack you already use (payments, CRM, industry tools) | Partner apps sync through API credentials or your integration layer — not the MCP OAuth flow |
| Keep control as you add tools | One place to see what's connected, revoke access, and review activity |
The point is not to “open the ledger to the internet.” It is to replace manual bridges — email attachments, CSV exports, staff pasting totals into chat — with governed connections you can audit and turn off.
App Connect issues scoped, auditable access — never your login password. Two connection styles exist; they are not interchangeable:
| Connection style | Use for | How it works |
|---|---|---|
| API credentials | Accounting API integration — automations, scripts, partner backends, anything you host | Create an app in Settings → App Connect, delegate permissions, exchange client_id + client_secret for bearer tokens. No redirect URI, no consent screen. |
| OAuth (MCP only) | ChatGPT and other MCP clients that connect via a company MCP URL | Browser consent in the NewLedger app, PKCE, refresh tokens. Listed under OAuth Connections — not used for ordinary API credential apps. |
If you are modernizing ops with integrations and automations, start with API credentials below. OAuth is documented later for MCP only.
Set up accounting API integration (API credentials)
Use API credentials when you control the server, can store a client_secret safely, and do not need an interactive consent screen. This is the default path for SMB accounting API integration.
What you get
- Scoped permissions — each app only receives permissions you delegate at create time (and your user account must already hold them).
- Short-lived access tokens — clients request a new token from the token endpoint when one expires.
- One-time secrets — the client secret is shown only at create or rotate.
- Lifecycle control — revoke, delete, or restore apps from App Connect; activity is logged.
- No OAuth redirect — setup is entirely in App Connect settings plus server-side token exchange.
Steps in the workspace
- Open Settings → App Connect and use the API Credentials tab to see connected apps, permissions, and last-used dates.
- Create App, choose API credentials, name the integration, and pick the permissions it may use.
- Copy the client ID and client secret once (the secret is only shown at create or rotate).
- Open the app detail anytime to review scope, rotate the secret, or revoke access.

The API Credentials tab lists each connected app, its delegated permissions, and when it was last used.

When you create an app, you name it, set optional expiry, and delegate only the permissions that automation needs.

The detail view is where you audit scope, rotate secrets, or revoke the app.
Token exchange (server-side)
Your integration exchanges the client ID and secret for a short-lived bearer token using the App Connect token API. There is no browser step, no redirect URI, and no PKCE.
Use the NewLedger API documentation for request formats, scopes, and company-scoped token exchange. Store secrets in a vault or secrets manager — never in source control, client-side code, or chat.
MCP integration only: OAuth setup (e.g. ChatGPT)
OAuth authorization code + PKCE is for MCP clients only — not for API credential apps you create under the API Credentials tab. When you add your company MCP URL in ChatGPT (or another supported client), that product drives the OAuth flow below.
For product context and what to ask your AI assistant, see MCP for accounting. This section covers the OAuth mechanics behind MCP.
What you get with MCP OAuth
- Consent-first access — pick a company, review permissions, confirm with 2FA before any token is issued.
- Scoped permissions — same permission strings as API credentials, but chosen on the consent screen.
- PKCE (S256 only) — required for public MCP clients.
- Refresh tokens — rotate on use; revoke by deleting the connection under OAuth Connections.
End-user flow: connect an MCP client
Use the in-app setup guides; you do not need to call the API yourself to connect ChatGPT.
1. Copy your company MCP URL
In your NewLedger workspace:
- Open Settings → App Connect
- Click MCP Server
- Copy the company-specific MCP endpoint
That URL is unique to the company you have selected. Use it when the external client asks for a server address.
You can also reach per-client instructions from Settings → Integrations (for example the ChatGPT setup page).
2. Start connection in the external app
In ChatGPT (or another supported MCP client), add a connector and paste your MCP URL. The client opens NewLedger's sign-in and consent flow in your browser.
3. Review and approve on the consent screen
You land on NewLedger's OAuth consent page. The screen shows:
- Which app is requesting access (name, domain, logo when provided)
- Which company the connection applies to (you can switch companies if you have access to more than one)
- The permission list that will become the token scope — you can remove individual permissions before approving
When you continue, NewLedger asks for a verification code (TOTP or another configured confirmation method). Authorization does not complete without it.

This consent screen appears only for MCP OAuth (e.g. ChatGPT). API credential apps are configured entirely under the API Credentials tab.
4. Return to the client
After approval, you are returned to the MCP client. It completes the connection securely on its side, then can call your company's MCP server within the permissions you approved.
5. Manage connections later
Approved OAuth apps appear under Settings → App Connect → OAuth Connections. From there you can:
- See when the connection was consented
- Open connection details (scopes, MCP URL, client metadata)
- Delete the connection — this revokes refresh tokens and blocks active access; the external app must ask for consent again
Idle connections are surfaced in the list so you can audit what still has access.
Register a custom OAuth app (MCP / development)
Some MCP setups need you to register an OAuth client in NewLedger instead of relying on the external product's built-in registration.
- Go to Settings → App Connect
- Choose Register OAuth App (or create a new app and pick the OAuth connection type)
- Fill in:
  - App name — shown on the consent screen
  - Redirect URI — must match exactly what the MCP client shows (HTTPS required)
- Save the client ID. Public MCP clients use PKCE and do not receive a long-lived client secret.
ChatGPT tip: Copy the redirect URI from ChatGPT's connector setup. Do not guess or reuse URIs from other products.
Building an MCP client on the NewLedger API
MCP OAuth is implemented on the NewLedger API and completed in the NewLedger web app consent UI. API credential apps do not use that flow.
If you are building or certifying an integration (not just connecting ChatGPT as a user):
- Follow standard OAuth 2.1 authorization code with PKCE (S256).
- Use OAuth discovery metadata published by NewLedger for your environment rather than hard-coding URLs.
- Complete approval only through the signed-in consent screen and 2FA — tokens must not be issued without an explicit user action in the app.
- Document integration details in your own runbook; use the NewLedger API documentation for supported App Connect and MCP operations.
We do not publish step-by-step token or authorize API recipes in this post. That reduces noise for readers and avoids exposing implementation detail that could be misused. Legitimate integrators should use the official API docs and contact their NewLedger account team if they need partner access.
MCP OAuth flow at a glance
| Step | Who | What happens |
|---|---|---|
| 1 | MCP client (e.g. ChatGPT) | Opens NewLedger sign-in and consent using PKCE |
| 2 | You | Review company and permissions in the app, then confirm with 2FA |
| 3 | NewLedger | Records the approved connection with a scoped permission set |
| 4 | MCP client | Calls your company's MCP server only within that scope |
Quick comparison
| | API credentials | OAuth (MCP only) |
|---|---|---|
| Typical use | Automations, ETL, partner APIs, internal tools | ChatGPT / MCP URL connection |
| Setup UI | API Credentials tab | MCP URL + OAuth Connections tab |
| User consent screen | No | Yes (in-app OAuth consent) |
| Redirect URI | No | Yes (must match the MCP client exactly) |
| PKCE | No | Yes (S256) |
| How the client gets a token | Server-side exchange with client secret | User approval, then client completes OAuth |
Both issue App Connect bearer tokens under the same permission model. Only MCP uses the OAuth redirect and consent flow.
Security defaults worth knowing
API credentials
- Permissions are delegated, not elevated — at create time, from your user's permission set.
- One-time secrets — treat the client secret like a password; rotate if exposed.
- 2FA for sensitive actions — revoke, delete, and rotate require action confirmation.
- Audit trail — token exchange failures and lifecycle events appear in workspace activity.
MCP OAuth (only)
- Consent + 2FA before the connection is active.
- PKCE (S256) — required for public MCP clients.
- HTTPS redirect URIs for registered OAuth clients.
- Revoke via OAuth Connections — deleting a connection removes ongoing access; data already drafted in NewLedger stays for you to review.
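What the PKCE (S256) and redirect URI defaults above enforce, shown as an added example that follows RFC 7636 and is not NewLedger's code. The function names and the `client.example` URI are constructed for illustration; NewLedger's own endpoints and request formats are in its API documentation.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

# RFC 7636: verifier is 43-128 chars from the unreserved URI character set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def new_code_verifier() -> str:
    # Client side: 32 random bytes become a 43-char base64url verifier.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def pkce_ok(stored_challenge: str, method: str, verifier: str) -> bool:
    # Server side at token time: S256 only, so "plain" is refused outright.
    if method != "S256" or not VERIFIER_RE.fullmatch(verifier):
        return False
    expected = s256_challenge(verifier).encode()
    return hmac.compare_digest(expected, stored_challenge.encode())

def redirect_uri_ok(registered: str, presented: str) -> bool:
    # Exact string match against an HTTPS registration; no prefix matching.
    parts = urlsplit(registered)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return presented == registered

def demo() -> dict:
    registered = "https://client.example/oauth/callback"  # constructed sample
    http_uri = "http://client.example/oauth/callback"     # constructed sample
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)  # sent with the authorization request
    return {
        "matching_verifier": pkce_ok(challenge, "S256", verifier),
        "other_verifier": pkce_ok(challenge, "S256", new_code_verifier()),
        "plain_method": pkce_ok(verifier, "plain", verifier),
        "exact_uri": redirect_uri_ok(registered, registered),
        "trailing_slash": redirect_uri_ok(registered, registered + "/"),
        "http_registration": redirect_uri_ok(http_uri, http_uri),
    }

if __name__ == "__main__":
    print(demo())
```

The trailing-slash case is the one behind most "Redirect or registration errors": the comparison is character for character, so a URI copied from the client matches while a retyped near-match does not.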
Troubleshooting (workspace)
API credentials
| What you see | What to try |
|---|---|
| Token request fails | Confirm client ID and secret, app is active, and the app was not revoked or deleted |
| Access stops after a date | Check optional credential expiry on the app |
| Scope or permission errors | Ensure the permission is delegated on the app and your user role allows it |
MCP OAuth only
| What you see | What to try |
|---|---|
| Consent does not finish | Complete 2FA on the consent screen; do not skip the in-app approval step |
| ChatGPT cannot connect | Confirm the MCP URL is for the correct company; reconnect from Integrations or App Connect |
| Redirect or registration errors | Redirect URI must match the MCP client exactly (copy from ChatGPT, do not type from memory) |
| Connection still listed but client fails | Delete the OAuth connection and go through consent again |
For API error details while building an integration, use the API documentation in the context of your own test company — not production credentials.
Where to go next
- Accounting API integration (automations, partners): create API credentials under Settings → App Connect
- ChatGPT / MCP: MCP for accounting
- API reference: NewLedger API documentation
- Workspace: NewLedger app
Accounting API integration should make operations faster without weakening financial control. Use API credentials for the integrations you run; use OAuth only when an MCP client asks you to connect through a browser.