
Authenticating QuickBooks API


I don't believe I need OAuth

Then again, what do I know

All I want to do is take someone's credit card information and charge them. I am not accessing other people's QuickBooks accounts (only my own) and I am not trying to access any other personal information other than what they input into my form. For this reason it seems absolutely asinine to think that I'd have to redirect them to intuit.com and force them through an OAuth prompt (what account would they even be authorizing? They probably don't have a QuickBooks account)

I've spent the last hour reading through QuickBooks' API documentation and I've run in circles and found the whole thing utterly confusing. Every page which references a particular API endpoint makes no mention of authentication -- only the headers, query parameters, and request body that are expected. The API explorer does not show any form of authentication in their examples:

[Image: QuickBooks API Explorer]

No basic auth header, nothing in the request body with an API token... nothing

Checking the console while hitting submit isn't any more helpful. The request gets sent to their back-end server where it does the real request:

[Image: QuickBooks API Explorer (Chrome Console)]

It even includes "apikey", "apisecret", and "oauth" attributes in the body which are all empty -- it acts like the endpoint doesn't even NEED authentication.

Out of dumb curiosity I tried making the request with no authentication to see what would happen:

[Image: cURL Failed]

401 Not Authorized. So some authentication is needed. I continued to scour the docs and turned up nothing but page after page linking me back to OAuth and saying that I need to set up OAuth. Why do I need to set up OAuth to take a credit card number that was given to me and hand it to QuickBooks?

I even tried looking at their sample app. The "take the code for a test drive" (https://developer.intuit.com/v2/ui#/emulator?workflow=ecommerce) was utterly worthless. It only gave me some pseudo-code with zero idea for how to handle authentication:

[Image: QuickBooks tutorials are terrible]

I even looked at the actual code and don't see anywhere that they provide an API key or secret key.

I'm pretty much ripping my hair out at this point, so I think I need someone with experience to point me in the right direction.


Solution

  • "I don't believe I need OAuth"

    You do.

    "For this reason it seems absolutely asinine to think that I'd have to redirect them to intuit.com and force them through an OAuth prompt"

    You misunderstand what OAuth is, and how it's used.

    OAuth is used to get YOUR auth tokens so that YOUR COMPANY can authenticate to Intuit and identify itself so you can charge customer credit cards. YOU are redirected to Intuit's website to authenticate ONCE, and ONCE ONLY, and then NEVER AGAIN.

    You store the tokens you get back from the one-time OAuth pop-up window process, and use those for all future HTTPS requests.

    The end-user (i.e. your customer) is NOT redirected.

    If you're familiar/used to something like Authorize.net or other web services, where you open a web browser and go to a website and copy a secret key/API token into your code... this is the exact same process except instead of you logging in and manually copy/pasting an API token/key, you're logging in and the OAuth process automatically gives you the API token/key programmatically.
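
The flow the answer describes (authorize once, store the tokens, reuse them server-side on every request), as an added example that is not part of the original answer or Intuit's code. It assumes OAuth 1.0a HMAC-SHA1 signing (RFC 5849), which the page does not state; the token field names and the `api.example.test` URL used in testing are hypothetical.

```python
import base64, hashlib, hmac, json, os, secrets, time
from urllib.parse import quote

# Assumptions (not from the page): OAuth 1.0a with HMAC-SHA1, these token
# field names, and a request URL with no query string and a JSON body.

def save_tokens(path, tokens):
    """Run once, after the merchant's one-time authorization."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(tokens, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file with wider permissions

def load_tokens(path):
    """Run on every request; refuse a token file that group/other can access."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is accessible to group/other")
    with open(path) as fh:
        return json.load(fh)

def _enc(value):
    # Percent-encode everything outside the RFC 3986 unreserved set.
    return quote(str(value), safe="-._~")

def authorization_header(method, url, tokens, nonce=None, timestamp=None):
    """Sign a server-to-server request with the stored merchant tokens."""
    oauth = {
        "oauth_consumer_key": tokens["consumer_key"],
        "oauth_token": tokens["access_token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    params = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(oauth.items()))
    base = "&".join([method.upper(), _enc(url), _enc(params)])
    # Signing key: consumer secret & token secret; neither is ever transmitted.
    key = f"{_enc(tokens['consumer_secret'])}&{_enc(tokens['access_token_secret'])}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(oauth.items()))
```

The customer's browser only ever talks to your form handler; the header is built on your server from the stored tokens, so no customer is sent through an authorization prompt.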