API Security concerns

Just starting out using FreeAgent API, and I’m a little concerned about the security model, so I am hoping I’ve just missed something.

It appears that for my app that just wants to read invoices, I have no way of restricting access to just that part of the API. It appears that we can only control access based on user permissions which is incremental. Any reason why scopes aren’t being used?

Many thanks



Hi Andy,

My name is Katie, I’m one of the Support Engineers here at FreeAgent.

Yes, you are correct: currently the access you get from the API is dependent on the permission level the authenticated user has, rather than section-by-section access. The different areas of the app can be tightly interlinked with each other, which makes it hard to separate them out into different sections for access. For example, if you add payments to invoices, you would also need access to bank transactions and ledger entries. This is why the primary method of access is done on a user level rather than by section. However, we understand what you are asking for, and this is certainly something that we can look into and record as a feature request with the relevant team.

Please let me know if you have any other queries about this!


Hi Katie

Thank you for taking the time to look into this. Adding support for scopes should be very simple, and allow us to deploy an application with confidence that if it is compromised it can only, for example, read invoices. Scopes would allow you to layer additional security as opposed to having to re-think the existing security model.

1 Like

Was this ever put forward as a feature request? I agree with @Andy_Clymer that it is good practice to have a scope associated with every access token, and access tokens should only be created for the absolute minimum access required for that particular API request.

1 Like

+1. Scopes have nothing to do with the current level based system or how strongly the data intertwine inside. Just allow or forbid access to particular API endpoints based on scopes, that is their entire purpose. Having “read only” scopes is VERY IMPORTANT. By not having them you are putting your customers in danger and it is (I’m sad to say) simply unprofessional.

Never mind your competitors with their .read scopes https://developer.xero.com/documentation/guides/oauth2/scopes
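An added illustration of the scope check discussed in this thread, not part of any post and not FreeAgent's code: a token's scopes are checked on top of the user's permission level, and an endpoint that spans interlinked areas requires every relevant scope. The route paths, scope names and numeric levels are all hypothetical.

```python
import re

# Hypothetical route table (not FreeAgent's real API):
# (method, path regex, scopes required, minimum user permission level)
ROUTES = [
    ("GET",  r"/invoices(/\d+)?",          {"invoices.read"},  5),
    ("POST", r"/invoices",                 {"invoices.write"}, 5),
    ("GET",  r"/bank_transactions(/\d+)?", {"banking.read"},   6),
    # Recording a payment touches invoices and banking, so it needs both scopes.
    ("POST", r"/invoices/\d+/payments",    {"invoices.write", "banking.write"}, 6),
]

# A write scope implies its matching read scope; nothing else is implied.
IMPLIES = {
    "invoices.write": {"invoices.read"},
    "banking.write": {"banking.read"},
}


def effective_scopes(granted):
    """Expand the scopes on a token with the read scopes its write scopes imply."""
    expanded = set(granted)
    for scope in granted:
        expanded |= IMPLIES.get(scope, set())
    return expanded


def authorize(method, path, token_scopes, user_level):
    """Return (allowed, reason). Unknown routes are denied by default."""
    for route_method, pattern, required, min_level in ROUTES:
        if route_method == method.upper() and re.fullmatch(pattern, path):
            # Existing model: the authenticated user's level must be high enough.
            if user_level < min_level:
                return False, "user permission level too low"
            # Added layer: the token must also carry every required scope.
            missing = required - effective_scopes(token_scopes)
            if missing:
                return False, "token lacks scope(s): " + ", ".join(sorted(missing))
            return True, "ok"
    return False, "no route matches; denied by default"


if __name__ == "__main__":
    read_only = {"invoices.read"}  # constructed sample token scopes
    print(authorize("GET", "/invoices/42", read_only, 8))
    print(authorize("POST", "/invoices", read_only, 8))
    print(authorize("POST", "/invoices/42/payments", {"invoices.write"}, 8))
```

With this layering, a compromised read-only token held by a full-access user is still refused on every write route and on every route outside invoices.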

Hi tictag & Andy_S

Thank you for getting in touch! Yes, I can confirm that this has been raised as a feature request with the relevant team. I have also added your comments onto the feature request to document the need for this functionality.

I hope this helps!