Accessing the API for multiple Accountancies


I have a bit of a conundrum which I would like your help with.

I am developing a SaaS platform which requires the ability to set up an accountancy and for them to be able to retrieve data for their client companies.

So the owner of the software will add accountancies into the system. As far as I am aware, the only way to authenticate for the api is for an admin user of the accountancy to create a developer app at to obtain a client id and secret and then using the Google Playground or similar, go through the OAuth flow in order to obtain an Access Token. I appreciate that once this is done once then the token can be kept valid using the refresh token so that it does not need to be done again.

However, as this is not currently a system where people would be able to sign up to it themselves (meaning I would be able to interrupt the sign up flow) this becomes very difficult to direct every accountancy to perform the steps of setting up a Developer app and obtaining an access token.

Is there any way to enable authentication using an API key so that this can be provided by the accountancy and used to access the data of the accountancy and all of their clients?

Thanks for any help you can provide with this. I know there have been posts previously about this but they all seem to be relatively old.

Hi Dan,

Is your SaaS platform centrally hosted or would the different practices host your app themselves? If all accountancy practices are going to use a single instance of your application, there’s no need to create multiple apps for it on Developer Dashboard. The most common setup scenario would be for you to generate a single app on Developer Dashboard and store the client_id and client_secret somewhere in your app’s configuration. You would then build the OAuth flow into your software, which would involve sending any of its users (account managers) who haven’t yet approved your app to a URL along the lines of <YOUR_REDIRECT_URL>&response_type=code&client_id=<YOUR_CLIENT_ID>&state=<ANY_EXTRA_PARAMS>; once an account manager approves the app, you’d swap the one-off authorization code for an access and refresh token, after which, as you mentioned in your post, the refresh_token would give you a way to generate new access_tokens that allow you to query API endpoints for the relevant accountancy practice. With this setup, account managers would never have to use Google OAuth Playground, which I appreciate would be a somewhat awkward user flow.

Would this type of setup work for you, or is there a reason why the OAuth flow cannot be incorporated into your platform?

Best wishes,
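The single-app setup described in the reply, as an added example (not code from this thread or from any API provider): one client_id and client_secret held in the SaaS configuration, a per-practice unguessable `state` that is checked and consumed on the callback, the one-off code swapped for tokens, and the refresh_token used to mint new access tokens. The endpoint URLs, form field names and JSON reply shape are assumptions, not the real provider's.

```python
import json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen
# Assumption: placeholder endpoints and credentials, not the real provider's URLs.
AUTHORIZE_URL = "https://api.example.invalid/approve_app"
TOKEN_URL = "https://api.example.invalid/token_endpoint"
CLIENT_ID, CLIENT_SECRET = "<YOUR_CLIENT_ID>", "<YOUR_CLIENT_SECRET>"  # one app, from config
REDIRECT_URI = "https://saas.example.invalid/oauth/callback"
_pending = {}  # state -> practice_id; unguessable and single-use, so a callback is tied to the login that started it
_tokens = {}   # practice_id -> {"access_token", "refresh_token", "expires_at"}

def _post_form(url, fields):
    """Default transport: form-encoded POST, JSON reply (swapped out in tests)."""
    req = Request(url, data=urlencode(fields).encode(), method="POST")
    with urlopen(req) as resp:
        return json.load(resp)

def start_authorization(practice_id):
    """Build the URL an account manager is sent to when they have not yet approved the app."""
    state = secrets.token_urlsafe(32)
    _pending[state] = practice_id
    params = {"redirect_uri": REDIRECT_URI, "response_type": "code", "client_id": CLIENT_ID, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def _store(practice_id, tok, now):
    # Keep the old refresh_token if a refresh reply omits one; treat the token as expired 60 s early.
    rt = tok.get("refresh_token", _tokens.get(practice_id, {}).get("refresh_token"))
    _tokens[practice_id] = {"access_token": tok["access_token"], "refresh_token": rt,
                            "expires_at": now + int(tok.get("expires_in", 3600)) - 60}

def handle_callback(callback_url, post=_post_form, now=time.time):
    """Swap the one-off authorization code for tokens; reject unknown or replayed state."""
    q = parse_qs(urlsplit(callback_url).query)
    practice_id = _pending.pop(q.get("state", [""])[0], None)
    if practice_id is None or "code" not in q:
        raise ValueError("unknown or reused state, or no code in callback")
    tok = post(TOKEN_URL, {"grant_type": "authorization_code", "code": q["code"][0],
                           "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    _store(practice_id, tok, now())
    return practice_id

def access_token_for(practice_id, post=_post_form, now=time.time):
    """Return a live access token for the practice, using the refresh_token when it has expired."""
    rec = _tokens[practice_id]
    if now() < rec["expires_at"]:
        return rec["access_token"]
    tok = post(TOKEN_URL, {"grant_type": "refresh_token", "refresh_token": rec["refresh_token"],
                           "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    _store(practice_id, tok, now())
    return _tokens[practice_id]["access_token"]
```

Tokens are kept in a dict here for brevity; a real deployment stores them per practice in encrypted storage and persists `_pending` states with a short expiry.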