[{"data":1,"prerenderedAt":1090},["ShallowReactive",2],{"blog-accounting-api-integration":3,"blog-related-accounting-api-integration":1089},{"id":4,"title":5,"author":6,"body":7,"category":1055,"coverImage":1056,"createdAt":1059,"description":13,"extension":1060,"featured":1061,"meta":1062,"navigation":1064,"path":1065,"publishedAt":1059,"seo":1066,"slug":1069,"status":1070,"stem":1071,"subtitle":1072,"tags":1073,"updatedAt":1059,"__hash__":1088},"blog/blog/2026/05/26-accounting-api-integration.md","The Architecture of Modern Finance: Scaling Operations via Accounting APIs","newledger-team",{"type":8,"value":9,"toc":1028},"minimark",[10,14,21,44,49,52,114,125,132,197,203,207,216,221,255,259,295,303,309,316,321,328,333,337,344,352,356,362,368,372,400,404,407,411,414,429,432,439,443,446,450,457,476,483,490,495,499,502,506,513,527,530,534,537,582,591,595,606,609,640,643,647,708,712,801,808,812,816,841,846,872,876,880,918,923,971,978,982,1018],[11,12,13],"p",{},"If you run a small or mid-size business, “modernizing operations” usually means the same few moves: less re-keying between tools, faster answers from your numbers, and software that talks to each other instead of living in separate tabs.",[11,15,16,20],{},[17,18,19],"strong",{},"Accounting API integration"," is what makes that possible — your accounting system exposes a controlled way for other apps to read (and, where you allow it, draft) financial data. You stay in charge of what connects, what it can do, and when access ends.",[11,22,23,24,27,28,31,32,43],{},"On NewLedger, that layer is ",[17,25,26],{},"App Connect",". For most accounting API integration work — automations, internal tools, partner sync — you use ",[17,29,30],{},"API credentials"," (client ID + secret, server-side token exchange). ",[17,33,34,35,42],{},"OAuth with a browser consent screen is only for ",[36,37,41],"a",{"href":38,"rel":39},"https://modelcontextprotocol.io",[40],"nofollow","MCP"," integrations"," such as ChatGPT, where the AI client redirects you to approve access. This guide covers both, in that order.",[45,46,48],"h2",{"id":47},"why-accounting-api-integration-helps-when-you-modernize-ops","Why accounting API integration helps when you modernize ops",[11,50,51],{},"Typical SMB goals and how a connected accounting API supports them:",[53,54,55,68],"table",{},[56,57,58],"thead",{},[59,60,61,65],"tr",{},[62,63,64],"th",{},"What you're trying to do",[62,66,67],{},"How integration helps",[69,70,71,84,95,106],"tbody",{},[59,72,73,77],{},[74,75,76],"td",{},"Ask questions about cash, AR, or expenses without exporting spreadsheets",[74,78,79,80],{},"MCP clients (e.g. ChatGPT) read live data after you approve OAuth consent — see ",[36,81,83],{"href":82},"/blog/mcp-for-accounting","MCP for accounting",[59,85,86,89],{},[74,87,88],{},"Automate repetitive work (invoice drafts, expense capture, categorization hints)",[74,90,91,92,94],{},"Automations use ",[17,93,30],{}," and call the API instead of copying numbers by hand",[59,96,97,100],{},[74,98,99],{},"Connect a stack you already use (payments, CRM, industry tools)",[74,101,102,103,105],{},"Partner apps sync through ",[17,104,30],{}," or your integration layer — not the MCP OAuth flow",[59,107,108,111],{},[74,109,110],{},"Keep control as you add tools",[74,112,113],{},"One place to see what's connected, revoke access, and review activity",[11,115,116,117,120,121,124],{},"The point is not “open the ledger to the internet.” It's ",[17,118,119],{},"replace manual bridges"," — email attachments, CSV exports, staff pasting totals into chat — with ",[17,122,123],{},"governed connections"," you can audit and turn off.",[11,126,127,128,131],{},"App Connect issues ",[17,129,130],{},"scoped, auditable access"," — never your login password. Two connection styles exist; they are not interchangeable:",[53,133,134,147],{},[56,135,136],{},[59,137,138,141,144],{},[62,139,140],{},"Connection style",[62,142,143],{},"Use for",[62,145,146],{},"How it works",[69,148,149,177],{},[59,150,151,155,158],{},[74,152,153],{},[17,154,30],{},[74,156,157],{},"Accounting API integration — automations, scripts, partner backends, anything you host",[74,159,160,161,164,165,169,170,173,174],{},"Create an app in ",[17,162,163],{},"Settings → App Connect",", delegate permissions, exchange ",[166,167,168],"code",{},"client_id"," + ",[166,171,172],{},"client_secret"," for bearer tokens. ",[17,175,176],{},"No redirect URI, no consent screen.",[59,178,179,184,190],{},[74,180,181],{},[17,182,183],{},"OAuth (MCP only)",[74,185,186,187,189],{},"ChatGPT and other ",[17,188,41],{}," clients that connect via a company MCP URL",[74,191,192,193,196],{},"Browser consent in the NewLedger app, PKCE, refresh tokens. Listed under ",[17,194,195],{},"OAuth Connections"," — not used for ordinary API credential apps.",[11,198,199,202],{},[17,200,201],{},"If you are modernizing ops with integrations and automations, start with API credentials below."," OAuth is documented later for MCP only.",[45,204,206],{"id":205},"set-up-accounting-api-integration-api-credentials","Set up accounting API integration (API credentials)",[11,208,209,212,213,215],{},[17,210,211],{},"Use API credentials"," when you control the server, can store a ",[166,214,172],{}," safely, and do not need an interactive consent screen. This is the default path for SMB accounting API integration.",[217,218,220],"h3",{"id":219},"what-you-get","What you get",[222,223,224,231,237,243,249],"ul",{},[225,226,227,230],"li",{},[17,228,229],{},"Scoped permissions"," — each app only receives permissions you delegate at create time (and your user account must already hold them).",[225,232,233,236],{},[17,234,235],{},"Short-lived access tokens"," — clients request a new token from the token endpoint when one expires.",[225,238,239,242],{},[17,240,241],{},"One-time secrets"," — the client secret is shown only at create or rotate.",[225,244,245,248],{},[17,246,247],{},"Lifecycle control"," — revoke, delete, or restore apps from App Connect; activity is logged.",[225,250,251,254],{},[17,252,253],{},"No OAuth redirect"," — setup is entirely in App Connect settings plus server-side token exchange.",[217,256,258],{"id":257},"steps-in-the-workspace","Steps in the workspace",[260,261,262,272,281,292],"ol",{},[225,263,264,265,267,268,271],{},"Open ",[17,266,163],{}," and use the ",[17,269,270],{},"API Credentials"," tab to see connected apps, permissions, and last-used dates.",[225,273,274,277,278,280],{},[17,275,276],{},"Create App",", choose ",[17,279,30],{},", name the integration, and pick the permissions it may use.",[225,282,283,284,287,288,291],{},"Copy the ",[17,285,286],{},"client ID"," and ",[17,289,290],{},"client secret"," once (the secret is only shown at create or rotate).",[225,293,294],{},"Open the app detail anytime to review scope, rotate the secret, or revoke access.",[11,296,297],{},[298,299],"img",{"alt":300,"src":301,"title":302},"App Connect API credentials list in NewLedger settings","https://storage.googleapis.com/nl-blog/features/setting/api-credential-list.webp","App Connect API credentials list",[11,304,305],{},[306,307,308],"em",{},"The API Credentials tab lists each connected app, its delegated permissions, and when it was last used.",[11,310,311],{},[298,312],{"alt":313,"src":314,"title":315},"Create an API credential app with scoped permissions","https://storage.googleapis.com/nl-blog/features/setting/api-credential-form.webp","API credential create form",[11,317,318],{},[306,319,320],{},"When you create an app, you name it, set optional expiry, and delegate only the permissions that automation needs.",[11,322,323],{},[298,324],{"alt":325,"src":326,"title":327},"API credential detail with client ID and lifecycle actions","https://storage.googleapis.com/nl-blog/features/setting/api-credential-detail.webp","API credential detail view",[11,329,330],{},[306,331,332],{},"The detail view is where you audit scope, rotate secrets, or revoke the app.",[217,334,336],{"id":335},"token-exchange-server-side","Token exchange (server-side)",[11,338,339,340,343],{},"Your integration exchanges the client ID and secret for a ",[17,341,342],{},"short-lived bearer token"," using the App Connect token API. There is no browser step, no redirect URI, and no PKCE.",[11,345,346,347,351],{},"Use the ",[36,348,350],{"href":349},"/api-documentation","NewLedger API documentation"," for request formats, scopes, and company-scoped token exchange. Store secrets in a vault or secrets manager — never in source control, client-side code, or chat.",[45,353,355],{"id":354},"mcp-integration-only-oauth-setup-eg-chatgpt","MCP integration only: OAuth setup (e.g. ChatGPT)",[11,357,358,361],{},[17,359,360],{},"OAuth authorization code + PKCE is for MCP clients only"," — not for API credential apps you create under the API Credentials tab. When you add your company MCP URL in ChatGPT (or another supported client), that product drives the OAuth flow below.",[11,363,364,365,367],{},"For product context and what to ask your AI assistant, see ",[36,366,83],{"href":82},". This section covers the OAuth mechanics behind MCP.",[217,369,371],{"id":370},"what-you-get-with-mcp-oauth","What you get with MCP OAuth",[222,373,374,380,385,391],{},[225,375,376,379],{},[17,377,378],{},"Consent-first access"," — pick a company, review permissions, confirm with 2FA before any token is issued.",[225,381,382,384],{},[17,383,229],{}," — same permission strings as API credentials, but chosen on the consent screen.",[225,386,387,390],{},[17,388,389],{},"PKCE (S256 only)"," — required for public MCP clients.",[225,392,393,396,397,399],{},[17,394,395],{},"Refresh tokens"," — rotate on use; revoke by deleting the connection under ",[17,398,195],{},".",[217,401,403],{"id":402},"end-user-flow-connect-an-mcp-client","End-user flow: connect an MCP client",[11,405,406],{},"Use the in-app setup guides; you do not need to call the API yourself to connect ChatGPT.",[217,408,410],{"id":409},"_1-copy-your-company-mcp-url","1. Copy your company MCP URL",[11,412,413],{},"In your NewLedger workspace:",[260,415,416,420,426],{},[225,417,264,418],{},[17,419,163],{},[225,421,422,423],{},"Click ",[17,424,425],{},"MCP Server",[225,427,428],{},"Copy the company-specific MCP endpoint",[11,430,431],{},"That URL is unique to the company you have selected. Use it when the external client asks for a server address.",[11,433,434,435,438],{},"You can also reach per-client instructions from ",[17,436,437],{},"Settings → Integrations"," (for example the ChatGPT setup page).",[217,440,442],{"id":441},"_2-start-connection-in-the-external-app","2. Start connection in the external app",[11,444,445],{},"In ChatGPT (or another supported MCP client), add a connector and paste your MCP URL. The client opens NewLedger's sign-in and consent flow in your browser.",[217,447,449],{"id":448},"_3-review-and-approve-on-the-consent-screen","3. Review and approve on the consent screen",[11,451,452,453,456],{},"You land on NewLedger's ",[17,454,455],{},"OAuth consent"," page. The screen shows:",[222,458,459,462,469],{},[225,460,461],{},"Which app is requesting access (name, domain, logo when provided)",[225,463,464,465,468],{},"Which ",[17,466,467],{},"company"," the connection applies to (you can switch companies if you have access to more than one)",[225,470,471,472,475],{},"The ",[17,473,474],{},"permission list"," that will become the token scope — you can remove individual permissions before approving",[11,477,478,479,482],{},"When you continue, NewLedger asks for a ",[17,480,481],{},"verification code"," (TOTP or another configured confirmation method). Authorization does not complete without it.",[11,484,485],{},[298,486],{"alt":487,"src":488,"title":489},"NewLedger OAuth consent form for MCP integration","https://storage.googleapis.com/nl-blog/features/ai/app-connect-oauth-consent-form.webp","MCP OAuth consent — not used for API credential apps",[11,491,492],{},[306,493,494],{},"This consent screen appears only for MCP OAuth (e.g. ChatGPT). API credential apps are configured entirely under the API Credentials tab.",[217,496,498],{"id":497},"_4-return-to-the-client","4. Return to the client",[11,500,501],{},"After approval, you are returned to the MCP client. It completes the connection securely on its side, then can call your company's MCP server within the permissions you approved.",[217,503,505],{"id":504},"_5-manage-connections-later","5. Manage connections later",[11,507,508,509,512],{},"Approved OAuth apps appear under ",[17,510,511],{},"Settings → App Connect → OAuth Connections",". From there you can:",[222,514,515,518,521],{},[225,516,517],{},"See when the connection was consented",[225,519,520],{},"Open connection details (scopes, MCP URL, client metadata)",[225,522,523,526],{},[17,524,525],{},"Delete"," the connection — this revokes refresh tokens and blocks active access; the external app must ask for consent again",[11,528,529],{},"Idle connections are surfaced in the list so you can audit what still has access.",[217,531,533],{"id":532},"register-a-custom-oauth-app-mcp-development","Register a custom OAuth app (MCP / development)",[11,535,536],{},"Some MCP setups need you to register an OAuth client in NewLedger instead of relying on the external product's built-in registration.",[260,538,539,544,551,572],{},[225,540,541,542],{},"Go to ",[17,543,163],{},[225,545,546,547,550],{},"Choose ",[17,548,549],{},"Register OAuth App"," (or create a new app and pick the OAuth connection type)",[225,552,553,554],{},"Fill in:\n",[222,555,556,562],{},[225,557,558,561],{},[17,559,560],{},"App name"," — shown on the consent screen",[225,563,564,567,568,571],{},[17,565,566],{},"Redirect URI"," — must match ",[17,569,570],{},"exactly"," what the MCP client shows (HTTPS required)",[225,573,574,575,577,578,581],{},"Save the ",[17,576,286],{},". Public MCP clients use PKCE and do ",[17,579,580],{},"not"," receive a long-lived client secret.",[583,584,585],"blockquote",{},[11,586,587,590],{},[17,588,589],{},"ChatGPT tip:"," Copy the redirect URI from ChatGPT's connector setup. Do not guess or reuse URIs from other products.",[217,592,594],{"id":593},"building-an-mcp-client-on-the-newledger-api","Building an MCP client on the NewLedger API",[11,596,597,598,601,602,605],{},"MCP OAuth is implemented on the ",[17,599,600],{},"NewLedger API"," and completed in the ",[17,603,604],{},"NewLedger web app"," consent UI. API credential apps do not use that flow.",[11,607,608],{},"If you are building or certifying an integration (not just connecting ChatGPT as a user):",[222,610,611,617,624,634],{},[225,612,613,614,399],{},"Follow standard ",[17,615,616],{},"OAuth 2.1 authorization code with PKCE (S256)",[225,618,619,620,623],{},"Use ",[17,621,622],{},"OAuth discovery"," metadata published by NewLedger for your environment rather than hard-coding URLs.",[225,625,626,627,287,630,633],{},"Complete approval only through the ",[17,628,629],{},"signed-in consent screen",[17,631,632],{},"2FA"," — tokens must not be issued without an explicit user action in the app.",[225,635,636,637,639],{},"Document integration details in your own runbook; use the ",[36,638,350],{"href":349}," for supported App Connect and MCP operations.",[11,641,642],{},"We do not publish step-by-step token or authorize API recipes in this post. That reduces noise for readers and avoids exposing implementation detail that could be misused. Legitimate integrators should use the official API docs and your NewLedger account team if you need partner access.",[217,644,646],{"id":645},"mcp-oauth-flow-at-a-glance","MCP OAuth flow at a glance",[53,648,649,662],{},[56,650,651],{},[59,652,653,656,659],{},[62,654,655],{},"Step",[62,657,658],{},"Who",[62,660,661],{},"What happens",[69,663,664,675,686,697],{},[59,665,666,669,672],{},[74,667,668],{},"1",[74,670,671],{},"MCP client (e.g. ChatGPT)",[74,673,674],{},"Opens NewLedger sign-in and consent using PKCE",[59,676,677,680,683],{},[74,678,679],{},"2",[74,681,682],{},"You",[74,684,685],{},"Review company and permissions in the app, then confirm with 2FA",[59,687,688,691,694],{},[74,689,690],{},"3",[74,692,693],{},"NewLedger",[74,695,696],{},"Records the approved connection with a scoped permission set",[59,698,699,702,705],{},[74,700,701],{},"4",[74,703,704],{},"MCP client",[74,706,707],{},"Calls your company's MCP server only within that scope",[45,709,711],{"id":710},"quick-comparison","Quick comparison",[53,713,714,724],{},[56,715,716],{},[59,717,718,720,722],{},[62,719],{},[62,721,30],{},[62,723,183],{},[69,725,726,739,752,765,776,788],{},[59,727,728,733,736],{},[74,729,730],{},[17,731,732],{},"Typical use",[74,734,735],{},"Automations, ETL, partner APIs, internal tools",[74,737,738],{},"ChatGPT / MCP URL connection",[59,740,741,746,749],{},[74,742,743],{},[17,744,745],{},"Setup UI",[74,747,748],{},"API Credentials tab",[74,750,751],{},"MCP URL + OAuth Connections tab",[59,753,754,759,762],{},[74,755,756],{},[17,757,758],{},"User consent screen",[74,760,761],{},"No",[74,763,764],{},"Yes (in-app OAuth consent)",[59,766,767,771,773],{},[74,768,769],{},[17,770,566],{},[74,772,761],{},[74,774,775],{},"Yes (must match the MCP client exactly)",[59,777,778,783,785],{},[74,779,780],{},[17,781,782],{},"PKCE",[74,784,761],{},[74,786,787],{},"Yes (S256)",[59,789,790,795,798],{},[74,791,792],{},[17,793,794],{},"How the client gets a token",[74,796,797],{},"Server-side exchange with client secret",[74,799,800],{},"User approval, then client completes OAuth",[11,802,803,804,807],{},"Both issue ",[17,805,806],{},"App Connect bearer tokens"," under the same permission model. Only MCP uses the OAuth redirect and consent flow.",[45,809,811],{"id":810},"security-defaults-worth-knowing","Security defaults worth knowing",[11,813,814],{},[17,815,30],{},[260,817,818,824,829,835],{},[225,819,820,823],{},[17,821,822],{},"Permissions are delegated, not elevated"," — at create time, from your user's permission set.",[225,825,826,828],{},[17,827,241],{}," — treat the client secret like a password; rotate if exposed.",[225,830,831,834],{},[17,832,833],{},"2FA for sensitive actions"," — revoke, delete, and rotate require action confirmation.",[225,836,837,840],{},[17,838,839],{},"Audit trail"," — token exchange failures and lifecycle events appear in workspace activity.",[11,842,843],{},[17,844,845],{},"MCP OAuth (only)",[260,847,849,855,860,866],{"start":848},5,[225,850,851,854],{},[17,852,853],{},"Consent + 2FA"," before the connection is active.",[225,856,857,390],{},[17,858,859],{},"PKCE (S256)",[225,861,862,865],{},[17,863,864],{},"HTTPS redirect URIs"," for registered OAuth clients.",[225,867,868,871],{},[17,869,870],{},"Revoke via OAuth Connections"," — deleting a connection removes ongoing access; data already drafted in NewLedger stays for you to review.",[45,873,875],{"id":874},"troubleshooting-workspace","Troubleshooting (workspace)",[11,877,878],{},[17,879,30],{},[53,881,882,892],{},[56,883,884],{},[59,885,886,889],{},[62,887,888],{},"What you see",[62,890,891],{},"What to try",[69,893,894,902,910],{},[59,895,896,899],{},[74,897,898],{},"Token request fails",[74,900,901],{},"Confirm client ID and secret, app is active, and the app was not revoked or deleted",[59,903,904,907],{},[74,905,906],{},"Access stops after a date",[74,908,909],{},"Check optional credential expiry on the app",[59,911,912,915],{},[74,913,914],{},"Scope or permission errors",[74,916,917],{},"Ensure the permission is delegated on the app and your user role allows it",[11,919,920],{},[17,921,922],{},"MCP OAuth only",[53,924,925,933],{},[56,926,927],{},[59,928,929,931],{},[62,930,888],{},[62,932,891],{},[69,934,935,943,955,963],{},[59,936,937,940],{},[74,938,939],{},"Consent does not finish",[74,941,942],{},"Complete 2FA on the consent screen; do not skip the in-app approval step",[59,944,945,948],{},[74,946,947],{},"ChatGPT cannot connect",[74,949,950,951,954],{},"Confirm the MCP URL is for the correct company; reconnect from ",[17,952,953],{},"Integrations"," or App Connect",[59,956,957,960],{},[74,958,959],{},"Redirect or registration errors",[74,961,962],{},"Redirect URI must match the MCP client exactly (copy from ChatGPT, do not type from memory)",[59,964,965,968],{},[74,966,967],{},"Connection still listed but client fails",[74,969,970],{},"Delete the OAuth connection and go through consent again",[11,972,973,974,977],{},"For API error details while building an integration, use the ",[36,975,976],{"href":349},"API documentation"," in the context of your own test company — not production credentials.",[45,979,981],{"id":980},"where-to-go-next","Where to go next",[222,983,984,993,1001,1008],{},[225,985,986,989,990,992],{},[17,987,988],{},"Accounting API integration (automations, partners):"," create ",[17,991,30],{}," under Settings → App Connect",[225,994,995,998,999],{},[17,996,997],{},"ChatGPT / MCP:"," ",[36,1000,83],{"href":82},[225,1002,1003,998,1006],{},[17,1004,1005],{},"API reference:",[36,1007,350],{"href":349},[225,1009,1010,998,1013],{},[17,1011,1012],{},"Workspace:",[36,1014,1017],{"href":1015,"rel":1016},"https://app.newledger.io",[40],"NewLedger app",[11,1019,1020,1021,1023,1024,1027],{},"Accounting API integration should make operations faster without weakening financial control. Use ",[17,1022,30],{}," for the integrations you run; use ",[17,1025,1026],{},"OAuth"," only when an MCP client asks you to connect through a browser.",{"title":1029,"searchDepth":1030,"depth":1030,"links":1031},"",2,[1032,1033,1039,1051,1052,1053,1054],{"id":47,"depth":1030,"text":48},{"id":205,"depth":1030,"text":206,"children":1034},[1035,1037,1038],{"id":219,"depth":1036,"text":220},3,{"id":257,"depth":1036,"text":258},{"id":335,"depth":1036,"text":336},{"id":354,"depth":1030,"text":355,"children":1040},[1041,1042,1043,1044,1045,1046,1047,1048,1049,1050],{"id":370,"depth":1036,"text":371},{"id":402,"depth":1036,"text":403},{"id":409,"depth":1036,"text":410},{"id":441,"depth":1036,"text":442},{"id":448,"depth":1036,"text":449},{"id":497,"depth":1036,"text":498},{"id":504,"depth":1036,"text":505},{"id":532,"depth":1036,"text":533},{"id":593,"depth":1036,"text":594},{"id":645,"depth":1036,"text":646},{"id":710,"depth":1030,"text":711},{"id":810,"depth":1030,"text":811},{"id":874,"depth":1030,"text":875},{"id":980,"depth":1030,"text":981},"guides",{"src":301,"alt":1057,"credit":1058},"NewLedger App Connect API credentials list showing connected apps and delegated permissions","NewLedger Editorial","2026-05-26","md",false,{"contributors":1063},[6],true,"/blog/2026/05/26-accounting-api-integration",{"title":1067,"description":1068,"image":301},"Scaling operations via accounting APIs | NewLedger","Accounting API integration on NewLedger for SMBs: App Connect API credentials for automations and partner tools. OAuth consent applies to MCP integrations (e.g. ChatGPT) only — not general API setup.","accounting-api-integration","published","blog/2026/05/26-accounting-api-integration","How high-performance platforms leverage unified ledger infrastructure to achieve forensic precision, eliminate engineering debt, and build programmable financial workflows.",[1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087],"accounting","accounting-api","accounting-software","api","integrations","smb","small-business","automation","oauth","oauth2","app-connect","newledger","mcp","operations","JZeX7ghY7Cmbh2bUmy41EokD4o8-J3mm62bpRQVxwoI",[],1779800092593]