Offer

50% off your first bill on Starter & Growth

First bill only · standard pricing afterward

GuidesMay 26, 2026 · 3 min read · Updated June 11, 2026

The Architecture of Modern Finance: Scaling Operations via Accounting APIs

How high-performance platforms leverage unified ledger infrastructure to achieve forensic precision, eliminate engineering debt, and build programmable financial workflows.

NL
NewLedger team
Editorial
NewLedger App Connect API credentials list showing connected apps and delegated permissions

NewLedger Editorial

If you run a small or mid-size business, “modernizing operations” usually means the same few moves: less re-keying between tools, faster answers from your numbers, and software that talks to each other instead of living in separate tabs.

Accounting API integration is what makes that possible — your accounting system exposes a controlled way for other apps to read (and, where you allow it, draft) financial data. You stay in charge of what connects, what it can do, and when access ends.

On NewLedger, that layer is App Connect. For most accounting API integration work — automations, internal tools, partner sync — you use API credentials (client ID + secret, server-side token exchange). When an external client needs a delegated, browser-based approval flow, you use OAuth 2.0 with consent, redirect URIs, and PKCE where required. MCP clients such as ChatGPT are one example of that delegated flow. This guide covers both, in that order.

In finance, that choice is not just technical. It decides where secrets live, how narrowly access can be scoped, whether a human must approve the connection, and how cleanly your team can revoke access later.

Why accounting API integration helps when you modernize ops

Typical SMB goals and how a connected accounting API supports them:

What you're trying to doHow integration helps
Ask questions about cash, AR, or expenses without exporting spreadsheetsMCP clients (e.g. ChatGPT) read live data after you approve OAuth 2.0 consent — see MCP for accounting
Automate repetitive work (invoice drafts, expense capture, categorization hints)Automations use API credentials and call the API instead of copying numbers by hand
Connect a stack you already use (payments, CRM, industry tools)Partner apps sync through API credentials or OAuth 2.0, depending on whether they need server-side credentials or user-approved delegated access
Keep control as you add toolsOne place to see what's connected, revoke access, and review activity

The point is not “open the ledger to the internet.” It's replace manual bridges — email attachments, CSV exports, staff pasting totals into chat — with governed connections you can audit and turn off.

App Connect issues scoped, auditable access — never your login password. Two connection styles exist; they are not interchangeable:

Connection styleUse forHow it works
API credentialsAccounting API integration — automations, scripts, partner backends, anything you hostCreate an app in Settings → App Connect, delegate permissions, exchange client_id + client_secret for bearer tokens. No redirect URI, no consent screen.
OAuth 2.0MCP clients, partner apps, or custom clients that need a user-approved connectionRegister or use an OAuth client, send the user through NewLedger's consent flow, and complete the token exchange with redirect URI + PKCE where required. Managed under OAuth Connections.

If you are modernizing ops with integrations and automations, start with API credentials below. OAuth 2.0 is documented later for delegated client connections, with MCP as the most common example.

Set up accounting API integration (API credentials)

Use API credentials when you control the server, can store a client_secret safely, and do not need an interactive consent screen. This is the default path for SMB accounting API integration.

What you get

  • Scoped permissions — each app only receives permissions you delegate at create time (and your user account must already hold them).
  • Short-lived access tokens — clients request a new token from the token endpoint when one expires.
  • One-time secrets — the client secret is shown only at create or rotate.
  • Lifecycle control — revoke, delete, or restore apps from App Connect; activity is logged.
  • No OAuth redirect — setup is entirely in App Connect settings plus server-side token exchange.

Steps in the workspace

  1. Open Settings → App Connect and use the API Credentials tab to see connected apps, permissions, and last-used dates.
  2. Create App, choose API credentials, name the integration, and pick the permissions it may use.
  3. Copy the client ID and client secret once (the secret is only shown at create or rotate).
  4. Open the app detail anytime to review scope, rotate the secret, or revoke access.

The API Credentials tab lists each connected app, its delegated permissions, and when it was last used.

When you create an app, you name it, set optional expiry, and delegate only the permissions that automation needs.

The detail view is where you audit scope, rotate secrets, or revoke the app.

Token exchange (server-side)

Your integration exchanges the client ID and secret for a short-lived bearer token using the App Connect token API. There is no browser step, no redirect URI, and no PKCE.

Use the NewLedger API documentation for request formats, scopes, and company-scoped token exchange. Store secrets in a vault or secrets manager — never in source control, client-side code, or chat.

OAuth 2.0 setup for delegated clients (e.g. ChatGPT / MCP)

OAuth 2.0 authorization code + PKCE is the delegated-access path — not the flow used by API credential apps under the API Credentials tab. When you add your company MCP URL in ChatGPT (or another supported client), that product drives the OAuth flow below. The same consent model also supports other custom or partner clients that need user-approved access instead of a stored client_secret.

For product context and what to ask your AI assistant, see MCP for accounting. For a concise decision guide, see API credentials vs OAuth 2.0 in NewLedger. This section covers the OAuth mechanics behind delegated connections.

What you get with OAuth 2.0

  • Consent-first access — pick a company, review permissions, confirm with 2FA before any token is issued.
  • Scoped permissions — same permission strings as API credentials, but chosen on the consent screen.
  • PKCE (S256 only) — required for public MCP clients.
  • Refresh tokens — rotate on use; revoke by deleting the connection under OAuth Connections.

End-user flow: connect a delegated client

Use the in-app setup guides; you do not need to call the API yourself to connect ChatGPT.

1. Copy your company MCP URL

In your NewLedger workspace:

  1. Open Settings → App Connect
  2. Click MCP Server
  3. Copy the company-specific MCP endpoint

That URL is unique to the company you have selected. Use it when the external client asks for a server address.

You can also reach per-client instructions from Settings → Integrations (for example the ChatGPT setup page).

2. Start connection in the external app

In ChatGPT (or another supported MCP client), add a connector and paste your MCP URL. For other OAuth-capable clients, start the connection from the client using the redirect URI and client registration it expects. The client opens NewLedger's sign-in and consent flow in your browser.

You land on NewLedger's OAuth consent page. The screen shows:

  • Which app is requesting access (name, domain, logo when provided)
  • Which company the connection applies to (you can switch companies if you have access to more than one)
  • The permission list that will become the token scope — you can remove individual permissions before approving

When you continue, NewLedger asks for a verification code (TOTP or another configured confirmation method). Authorization does not complete without it.

This screen is part of App Connect's OAuth 2.0 flow. API credential apps are configured entirely under the API Credentials tab and do not use browser consent.

4. Return to the client

After approval, you are returned to the MCP client. It completes the connection securely on its side, then can call your company's MCP server within the permissions you approved.

5. Manage connections later

Approved OAuth apps appear under Settings → App Connect → OAuth Connections. From there you can:

  • See when the connection was consented
  • Open connection details (scopes, MCP URL, client metadata)
  • Delete the connection — this revokes refresh tokens and blocks active access; the external app must ask for consent again

Idle connections are surfaced in the list so you can audit what still has access.

OAuth 2.0 connections stay visible in App Connect so finance and security teams can review scopes, usage context, and revocation options later.

Register a custom OAuth app

Some delegated setups need you to register an OAuth client in NewLedger instead of relying on the external product's built-in registration. That includes MCP development, partner app testing, and any browser-based client connection you operate yourself.

  1. Go to Settings → App Connect
  2. Choose Register OAuth App (or create a new app and pick the OAuth connection type)
  3. Fill in:
    • App name — shown on the consent screen
    • Redirect URI — must match exactly what the MCP client shows (HTTPS required)
  4. Save the client ID. Public clients use PKCE and do not receive a long-lived client secret.

ChatGPT tip: Copy the redirect URI from ChatGPT's connector setup. Do not guess or reuse URIs from other products.

Register OAuth 2.0 clients only when the integration genuinely needs delegated browser-based access. Keep server-side automations on API credentials instead.

Building against NewLedger's OAuth layer

App Connect OAuth is implemented on the NewLedger API and completed in the NewLedger web app consent UI. API credential apps do not use that flow.

If you are building or certifying an integration (not just connecting ChatGPT as a user):

  • Follow the OAuth 2.0 authorization code flow with PKCE (S256) used by App Connect for delegated access.
  • Use OAuth discovery metadata published by NewLedger for your environment rather than hard-coding URLs.
  • Complete approval only through the signed-in consent screen and 2FA — tokens must not be issued without an explicit user action in the app.
  • Document integration details in your own runbook; use the NewLedger API documentation for supported App Connect and MCP operations.

If you want to document an OAuth 2.1-specific profile or migration path, keep that as a separate technical page or implementation note. This guide is intentionally about the OAuth 2.0 product flow users see in App Connect.

We do not publish step-by-step token or authorize API recipes in this post. That reduces noise for readers and avoids exposing implementation detail that could be misused. Legitimate integrators should use the official API docs and your NewLedger account team if you need partner access.

OAuth 2.0 flow at a glance

StepWhoWhat happens
1Client (e.g. ChatGPT)Opens NewLedger sign-in and consent using PKCE
2YouReview company and permissions in the app, then confirm with 2FA
3NewLedgerRecords the approved connection with a scoped permission set
4ClientCalls the allowed NewLedger surface only within that scope

Quick comparison

API credentialsOAuth 2.0
Typical useAutomations, ETL, partner APIs, internal toolsMCP clients, partner apps, or delegated user connections
Setup UIAPI Credentials tabClient registration, consent flow, and OAuth Connections tab
User consent screenNoYes (in-app OAuth consent)
Redirect URINoYes (must match the MCP client exactly)
PKCENoYes (S256)
How the client gets a tokenServer-side exchange with client secretUser approval, then client completes OAuth

Both issue App Connect bearer tokens under the same permission model. The difference is who holds the secret and whether the user must approve the connection in a browser.

Security defaults worth knowing

API credentials

  1. Permissions are delegated, not elevated — at create time, from your user's permission set.
  2. One-time secrets — treat the client secret like a password; rotate if exposed.
  3. 2FA for sensitive actions — revoke, delete, and rotate require action confirmation.
  4. Audit trail — token exchange failures and lifecycle events appear in workspace activity.
  5. Separate non-production from production — use distinct apps, scopes, and owners for testing versus live finance workflows.

OAuth 2.0 connections

  1. Consent + 2FA before the connection is active.
  2. PKCE (S256) — required for public MCP clients.
  3. HTTPS redirect URIs for registered OAuth clients.
  4. Approve only the scopes you actually need — treat scope review as a finance-control step, not a formality.
  5. Revoke via OAuth Connections — deleting a connection removes ongoing access; data already drafted in NewLedger stays for you to review.

A secure rollout looks like this

  1. Create a test-company connection first so token exchange, scopes, and workflows are proven before production.
  2. Start with the smallest permission set that lets the integration do useful work.
  3. Confirm the activity log shows the events finance and security teams expect to review later.
  4. Record an internal owner, purpose, and revocation path for every live API credential app or OAuth connection.

Troubleshooting (workspace)

API credentials

What you seeWhat to try
Token request failsConfirm client ID and secret, app is active, and the app was not revoked or deleted
Access stops after a dateCheck optional credential expiry on the app
Scope or permission errorsEnsure the permission is delegated on the app and your user role allows it

OAuth 2.0

What you seeWhat to try
Consent does not finishComplete 2FA on the consent screen; do not skip the in-app approval step
ChatGPT cannot connectConfirm the MCP URL is for the correct company; reconnect from Integrations or App Connect
Redirect or registration errorsRedirect URI must match the MCP client exactly (copy from ChatGPT, do not type from memory)
Connection still listed but client failsDelete the OAuth connection and go through consent again

For API error details while building an integration, use the API documentation in the context of your own test company — not production credentials.

Where to go next

Accounting API integration should make operations faster without weakening financial control. Use API credentials when you run the integration and can store a secret safely; use OAuth 2.0 when the client needs delegated, consent-driven access through the browser.

# accounting # accounting-api # accounting-software # api # integrations # smb # small-business # automation # oauth # oauth2 # app-connect # newledger # mcp # operations

Put these workflows in NewLedger

Start the 14-day trial, review pricing, or contact us if you want help mapping an article like this to your rollout.