QuickBooks Online API Access Without End-User Login: How Server-to-Server OAuth Works
Developers building customer-facing integrations with QuickBooks Online can use server-to-server OAuth to access company data without requiring customers to log in to QuickBooks.
A developer building a customer payment portal for a QuickBooks Online subscriber recently asked whether it is possible for a web application to pull invoice and balance data from the QuickBooks API without requiring each customer to authenticate against QuickBooks directly. The answer is yes — but the path forward requires understanding how OAuth delegation works in the QuickBooks Online ecosystem, and accepting that at least one desired feature, the hosted payment link, is not currently exposed by the API.
The Scenario
The developer’s client uses QuickBooks Online and wants customers to log in to a custom website, view their outstanding balances, and pay invoices by credit card. Requiring those customers to also sign in to QuickBooks is obviously a non-starter. The developer had experience with similar integrations using Gmail and Salesforce and assumed — correctly — that QuickBooks Online should support an equivalent pattern.
The confusion centered on whether the API could be accessed purely server-side, without any interactive login at runtime. The developer also hoped to retrieve the same payment link that QuickBooks generates when a user emails an invoice from inside the product, so that customers could be redirected to Intuit’s hosted payment page.
How Server-to-Server OAuth Actually Works
The core misunderstanding, as identified in the accepted answer, was about who authenticates and when. In a server-to-server integration with QuickBooks Online, the QuickBooks company owner — not the end customer — goes through the OAuth authorization flow exactly once. That one-time authorization grants the application a set of OAuth tokens: a refresh token and an access token.
Those tokens are stored on the application’s server, typically in a database. From that point forward, the web application can make API calls to QuickBooks Online at any time using the stored access token, without any human interaction. The access token is short-lived — currently valid for one hour — but the refresh token (valid for roughly 100 days) lets the server programmatically request a new access token whenever the previous one expires. As long as the refresh token remains valid and is periodically renewed, the integration runs indefinitely.
This is the same delegation model used by Gmail, Salesforce, and most modern cloud APIs. The QuickBooks company owner authorizes the application once, and the application acts on their behalf from then on.
What the API Exposes
Through the QuickBooks Online API, a server-side application can query invoices, customers, balances, payment methods, and related records. The developer can retrieve a specific customer’s open invoices and outstanding balances and present that information on the custom website. The application can also process payments programmatically using the API — or, alternatively, redirect the customer to a hosted payment page.
However, the specific piece the developer most wanted — the Intuit-generated payment link that appears when emailing an invoice from within QuickBooks Online — is not currently available through the API. That link is constructed internally by QuickBooks when an invoice email is sent from the product interface, and the API does not expose it as a retrievable field on the invoice object.
What the API does offer is an endpoint to programmatically send an invoice email through QuickBooks, which would trigger the standard email — including the payment link — to be delivered to the customer. For developers who need QuickBooks Online help understanding the available API endpoints and authentication flow, the Intuit Developer portal documents the full list of supported operations.
The Webhook Alternative
The developer also considered using webhooks to keep a local copy of invoice and payment data synchronized on the web server. That approach works but introduces complexity: the server must handle initial data migration for existing records, process incoming webhook events reliably, and deal with retry logic when synchronization fails. For a read-heavy use case where real-time data is important, calling the API directly with stored OAuth tokens is generally simpler than maintaining a full local replica.
Practical Takeaway
Server-to-server access to QuickBooks Online is fully supported and follows standard OAuth 2.0 practices. The QuickBooks company owner authenticates once; the application stores the resulting tokens and makes API calls on demand. The main limitation to be aware of is that certain UI-generated artifacts — like the hosted payment link embedded in invoice emails — are not surfaced through the API and would need to be worked around, either by triggering the invoice email endpoint or by building a custom payment flow using the API’s payment processing capabilities.