Reginald Jackson

Everything posted by Reginald Jackson

  1. Hi, I haven't explored the language aspects yet, so that sounds fun! Yes, I think the cookies aspect is a big weakness. It only applies to the initial authorisation request, i.e. the granting of the first, temporary token, but nevertheless. For my own safety I've put in a bit of code so that if there's ever a mismatch between the business id I store and the one that's returned on an API call I issue an error and abort... Cheers Reg
  2. Hi Sylvain, Sure, if you go to Settings and then against the Customise sections there's a User Management option. Click that and on the next screen there's an invite button. Once you've responded to the invite, log into your customer's account and stay logged in while you run your application - when your client authorisation code runs you should be linked correctly and receive back the tokens you need to store. If you're going to use the business id value in subsequent headers then you need to retrieve it via the api. I found the easiest way to do this was to use Postman, paste in a current Access Token I'd stored and then use the businesses endpoint. Hope this helps, please feel free to get back in touch, and good luck! Cheers Reg
  3. Hi, Does the API expose a country's membership status with regard to the EU? I can't see that it does but I'd like to know for sure. Cheers Reg
  4. Hi Ben, I think it's 100% certain that someone somewhere will, if they already haven't, find they are connecting to "the wrong subscription" as a result of this. Developers like me are exposed for example because I will ask every SageOne user that wants to use TradaBase to invite me as a user of their system. To do this I give them a unique email address I set up. Post-brexit I've also found that several businesses are setting up new businesses somewhere in the EU, and although these might sometimes be under the same subscription (is this possible if someone needs a different country version) it's by no means definite. I also have a potential customer who has their own business but is planning to start a new venture with someone else, so they will definitely be wanting separation of subscription for that. I think this is quite a serious flaw to be honest, but I have some suggestions to help, both in the short term and the longer term: It should be made clear to developers exactly how the authentication process works with regards to cached sessions etc, so that everyone knows that it's necessary to be logged into the appropriate subscription in certain circumstances; Developers should be advised to a) store the business id in their database and then b) on every call made to the API verify that the business id the API is pointing to is the same as the one they've stored; I think that the authentication calls should include a mandatory parameter of some sort that specifically identifies an individual subscription, so that the API doesn't need to refer to any cached sessions; It would also be very useful to have an easier way to find out the business id in each case. As far as I can tell the only way to do this is via the API, which of course means you need to connect to it first to find out what it is. Cart before horse. Kind Regards Reg
  5. Hi Ben, Yes, initially posted to the wrong place, apologies... So I've just done some more testing. I've currently got two trial subscriptions set up: 1. SolutionJ Limited, set up with email address [email protected] 2. Aardvark Aardvarks Limited, set up with email address [email protected] So nothing connects these two as far as your platform is concerned. From a single computer, I have connected to both subscriptions via the same application, which is called TradaBase, storing the resulting Access and Refresh tokens separately for each subscription. Provided I continue to pass in an Access Token with any subsequent request, the API works fine regardless of which subscription I'm logged into via the browser, i.e. if I log into the SolutionJ subscription but then try to connect from my application to the Aardvark subscription it works - I get a new Aardvark Access and Refresh token pair back. However, if I am unable to submit an Access Token, as I would be in the event of wanting to set up a new connection to a new subscription (and here I'm not sure what would happen if the Access Token has expired), then the problems start. Basically I can only do this if I first log into the subscription I wish to connect to, otherwise I get back an Access and Refresh Token for the wrong subscription. Here's specifically what I did. I logged into the SolutionJ subscription. Then I ran my Application to try and connect to the Aardvark subscription, but passing no tokens. My application tried to do the initial grant process, but instead what I got back was an Access / Refresh token pair for the SolutionJ subscription. So this is not about lead businesses etc as that only applies to individual subscriptions, this is about multiple subscriptions. It seems that trying to get an initial grant can only work if when doing so the person is also logged into the relevant subscription at the same time, and to me this is a weakness. 
How would my application know if the person asking for the initial grant was logged into the relevant subscription? They could easily end up pointing at the wrong subscription, with potentially very serious consequences. There's a further issue here which is related. At the moment I've put a bit of code in to trap these erroneous connections, but it requires comparing the businessid passed back from the API with one stored in my application, however when a new person uses my application to connect to a new subscription my application cannot yet know the businessid as it can only be seen via the api! Cheers Reg
  6. Hi. Are these not exposed through the API? I would like to be able to extract only Suppliers linked to a certain group. Cheers Reg
  7. I want to add more information to this post. I've just set up a second trial subscription to SageOne to test my connection concerns. So I have two subscriptions to SageOne using different email addresses. My application is already connected to subscription A. It appears to me that in order to connect correctly to subscription B, I must at the time be logged into subscription B, otherwise the authorization endpoint will instead incorrectly connect me to subscription A. Furthermore, in the situation where I am already connected to subscriptions A and B, if I log into subscription B and revoke my app's access and then log out again (i.e. my application doesn't know the access has been revoked and has 'valid' tokens stored as required), then when my app tries to connect to subscription B using these tokens it is instead returned a connection to subscription A rather than being told to reauthorize! The only way to overcome this seems to be to log into subscription B and then try to connect to subscription B from the application again. Something seems wrong here. If a user revokes access to my app but then tries to use my app to connect they should not be offered a connection to some other subscription surely?
  8. Good Afternoon, I'm trying to test an app that will need to connect to several different customer accounts (with some customers in turn having multiple businesses within one account). I did have it working fine, but I wanted to test what would happen in the event of a Refresh Token expiring after 31 days. I currently have two customer accounts set up, let's call them A and B. Both have only one business in them. I manually set the expiry date of the Refresh Token for A back over 31 days to simulate expiration. From that point on whenever my app calls either A or B only A can be connected to. To try and fix this I logged into A and removed access to my app completely. Then in my app I tried to connect to A, and correctly got the screen asking me to authorize access, which I duly did. However, when I then tried to connect to B it still connects me to A! The only way to solve this seems to be to log into B and, while logged in, try to connect from my app. Ok, I guess manually expiring the token wasn't a good idea, but how can I test what happens if a Refresh Token genuinely expires? It all seems a bit flakey tbh.
  9. So following this up, I logged into my own trial SageOne account and removed my App's connection. When I next ran my App I was prompted to log into SageOne and authorize the connection. I then ran my App pointing to the customer's SageOne account, requiring new tokens, and they came back ok pointed to the correct account. What's really worrying is that when a Refresh Token expires re-authorization will go wrong and effectively my application may stop working for several customers.
  10. I have an application which will be used by several customers to link to SageOne. Some of these customers will in turn have more than one business in their SageOne account. Currently I have a trial business of my own set up, and I've now linked my application to a customer's real company as well - for read only purposes just now. In testing my application I've come across a problem that occurs when a Refresh Token expires after 31 days (unlikely but certainly possible). My application has code in it to recognise this and trigger the initial authentication again, however when I run it a) I don't get the SageOne login screen and b) I get tokens back that point to the wrong SageOne account (I can see this because I check the id on the Businesses endpoint against one stored in my application). So I don't understand what's happening here at all? Kind Regards Reg
  11. Ok, I've found that this feature is actually there thanks 😃
  12. It would be great if there was a way of categorizing or grouping suppliers, akin perhaps to the Analysis 1/2/3 fields on Sage 50c. Cheers Reg
  13. Hi, is there an API endpoint through which I could return an organisation's default currency? Cheers Reg
  14. Very heavy going though :). My trial is running short, is there any scope to extend it by another 30 days?
  15. Reginald Jackson

    Tax

    Hi, I'm using the contacts API to populate customer records in a desktop system (used up to now with Sage 50c). There seems to be item in the SageOne UI or the API for the default sales tax code that has always been there in Sage50c. Is this right, that in Sage 50c you cannot set a default sales tax code? Cheers Reg
  16. Hi. I thought I'd probably not set the class definitions up correctly, so I used Postman to give me a sample output of all contacts, then found a great website (Convert JSON to C# Classes Online - Json2CSharp Toolkit) that takes a pasted json message and generates the required class structure, and this solved it. Thanks for responding. Reg
  17. Hi, I'm trying to retrieve a list of customer contacts and, for each one, perform some crud processes on another system; this is using c#. I used the api response sample for Get all contacts to copy the resulting json string and used the paste special .. paste as json classes feature of Visual Studio, however when I run my code the Deserialization function doesn't return any data, although the raw json string has returned exactly what I expected. I'm thinking the classes have not been generated correctly for some reason. Here's the first bit of the classes that get generated.

          {
              public class SageOneContactRootobject
              {
                  public SageOneContact[] Property1 { get; set; }
              }

              public class SageOneContact
              {
                  public string id { get; set; }
                  public string displayed_as { get; set; }
                  public string path { get; set; }
                  public DateTime created_at { get; set; }
                  public DateTime updated_at { get; set; }
                  public Link[] links { get; set; }
                  public DateTime deleted_at { get; set; }
                  public int balance { get; set; }

      and on it goes. I try and Deserialize as follows:

          string contacturl = "https://api.accounting.sage.com/v3.1/contacts/?attributes=all&contact_type_id=CUSTOMER";
          var contactresponse = client.GetAsync(contacturl);
          var contactcontent = await contactresponse.Result.Content.ReadAsStringAsync();
          SageOneContactRootobject SageOneContactRootobject = JsonConvert.DeserializeObject<SageOneContactRootobject>(contactcontent);

      Am I doing something daft? Cheers Reg
  18. Hi, I solved this by changing the content type to Json and specifying the parameters that way...
  19. Hi, I'm just exploring this API and I agree. In Sage 50c every table had a unique id that could be used, customer code, sales invoice number etc, so it is confusing why they've gone down this path, particularly in requiring you to somehow know this new id field in order to do a search...
  20. Hi, I have some code (c#) working which retrieves an authorization code using clientid and secret values. I am then trying to exchange this code (which was stored in a string variable) for access and refresh tokens. The request body is being built thus: string.Format("code={0}&redirect_uri={1}&client_id={2}&client_secret={3}&grant_type=authorization_code" The value for code is taken from a variable into which the code value was retrieved from the initial authorization call. The redirecturi, clientid and clientsecret values are taken from the same variables used in the initial authorization code call. And yet this second call fails with the attached message. I can't understand why given that the values it's complaining about are simply coming from the same variables both times? Cheers Reg Jackson
  21. Hi, This turned out to be a syntax error on my part thanks.
  22. Hi, I'm working in C# / Visual Studio 2019 (this is a Windows Desktop application not a web app), and using Postman as a test tool for the API. I can and have obtained access tokens using Postman and its own callback uri, but when I try and repeat it using a callback url to my own laptop I get the 'Authorise Application Error' screen. Repeating the exercise from my C# project gives the same error, although I have checked the request string carefully against that generated by Postman. I'm wondering if the underlying problem is that I have IIS running on my laptop? My callback uri is based on localhost. Is there any additional configuration I need to do to make the api work under this scenario? Many thanks Reg
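
Added example, not part of the original posts and not the poster's or Sage's code: one way to implement the check described in posts 1, 4 and 5 above (store the business id, compare it with what the API returns, abort on mismatch), extended to the first-connection case where no id is stored yet. The class names, customer keys, ids and the `$items` response shape are assumptions constructed for the demonstration; it uses System.Text.Json.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
public sealed class TenantMismatchException : Exception { public TenantMismatchException(string m) : base(m) { } }
// Hypothetical guard: call Check after every grant or refresh, before the tokens are saved or used.
public sealed class TenantGuard
{
    // Customer record -> bound business id (stands in for the application's database).
    private readonly Dictionary<string, string> _bound = new Dictionary<string, string>();

    // Assumed response shape: {"$items":[{"id":"...","displayed_as":"..."}]}
    public static List<string> ParseBusinessIds(string json)
    {
        using (var doc = JsonDocument.Parse(json))
            return doc.RootElement.GetProperty("$items").EnumerateArray()
                      .Select(b => b.GetProperty("id").GetString()).ToList();
    }

    public void Check(string customer, string businessesJson)
    {
        var returned = ParseBusinessIds(businessesJson);
        if (_bound.TryGetValue(customer, out var stored))
        {
            if (returned.Contains(stored)) return;
            throw new TenantMismatchException($"{customer}: tokens do not reach stored business {stored}");
        }
        // First connection: nothing stored yet, so reject a grant for a business bound to another record.
        var clash = _bound.FirstOrDefault(kv => returned.Contains(kv.Value));
        if (clash.Key != null)
            throw new TenantMismatchException($"{customer}: grant returned a business bound to {clash.Key}");
        if (returned.Count != 1)
            throw new InvalidOperationException("Several businesses returned; the user must pick one.");
        _bound[customer] = returned[0];
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed responses and ids, not real API output.
        const string solutionJ = "{\"$items\":[{\"id\":\"biz-1111\",\"displayed_as\":\"SolutionJ Limited\"}]}";
        const string aardvark = "{\"$items\":[{\"id\":\"biz-2222\",\"displayed_as\":\"Aardvark Aardvarks Limited\"}]}";
        var guard = new TenantGuard();
        var calls = new[] { ("SolutionJ", solutionJ), ("Aardvark", solutionJ), ("Aardvark", aardvark), ("Aardvark", solutionJ) };
        foreach (var (customer, json) in calls)
            try { guard.Check(customer, json); Console.WriteLine(customer + ": ok"); }
            catch (TenantMismatchException e) { Console.WriteLine("rejected " + e.Message); }
    }
}
```

The first-connection check only catches a grant that lands on a business another customer record already uses; a grant for an unknown wrong business still needs the user to confirm the returned business name before the tokens are stored.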