
Is it possible to avoid N OAuth requests if you are logged in to the top level and need to log in to an entity scope?



Velixo is a reporting add-in, which means that most of the time, the user can log in to the company level (without specifying an entity) – they'll still be able to retrieve all data they have access to through the API. Therefore, in our connection set-up window, for simplicity, we don't even expose an "entity" field.

The only exception when we're being "smart" is the push-back scenarios when we update records in Sage Intacct: whenever one of the dimensions used is entity-scoped, we:

  • Temporarily change the user's session to an entity-scoped session. We can do that because we have the session ID / user credentials.
  • Write back the record
  • Change session back to the company level

I spoke to both @Louis Sterio2 and Karsten about this but came away with a mixed understanding of whether a trick like this is possible with the REST API with an Intacct OAuth flow (very important, not username/password).

So my question is this: is it possible, with the REST API, to seamlessly exchange a company-scoped bearer token for an entity-scoped bearer token, and vice versa?

If not, I guess it's not a question but a feature request, because the absence of such functionality will break our flow once we upgrade to the REST API...


Edited by Pavel Kabir

I met with the engineering team, and they've confirmed a solution exists. I'll share the specifics once I have them.

Additionally, this can be accomplished through the XML API. I'll provide the details shortly, and we'll ensure they are properly documented.


Here is information on how you can exchange a refresh token for an entity-level token:


Create Access Token - Refresh Token Grant Type

  • Endpoint: https://<apiurll>/api/v1-beta2/oauth2/token

  • HTTP Method: POST

  • Parameters:

    • grant_type: refresh_token

    • refresh_token:

    • client_id:

    • client_secret:

    • location_id: the access token will be created for this location

      • optional for multi-entity companies

      • Obtain a top-level access token in the absence of a location_id

  • Sample Request and Response:

    • curl --location --request POST 'https://<apiurll>/api/v1-beta2/oauth2/token' \
        --header 'Content-Type: application/json' \
        --data-raw '{
          "grant_type": "refresh_token",
          "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRJZCI6IjkyZDRkY2Y0MTRlNmEyYzNkNzhkLlNhZ2VfSW50YWNjdF9VSS5hcHAuc2FnZS5jb20iLCJjbnlJZCI6Im9hdXRoMnxXZXN0ZXJuIFJlZ2lvbiIsInJlZnJlc27gjh2tlbiI6IjEwNjlmMjkzN2E1YTgwNGY2MzM4MDQyZWNhMTQyYTMyMTcxYjBhZTgifQ.wQ8zQk6ikwFJtYpsA_wVPpQtu1BaslQH5TwXCxW6ggI",
          "client_id": "92d4dcf414e6a2c3d781.Sage_Intacct_UI.app.sage.com",
          "client_secret": "a55a58f1aeajy9116cbe1bf28025c183e778268c",
          "location_id": "Central Region"
        }'

    • {
        "token_type": "Bearer",
        "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGll67rfhZCI6IjkyZDRkY2Y0MTRlNmEyYzNkNzhkLlNhZ2VfSW50YWNjdF9VSS5hcHAuc2FnZS5jb20iLCJjbnlJZCI6Im9hdXRoMnxDZW50cmFsIFJlZ2lvbiIsImNueUtleSI6IjQ0Nzk0MjI3IiwidXNlcklkIjoiQWRtaW4iLCJ1c2VyS2V5IjoiMSIsInNlc3Npb25JZCI6InZpUXFxRHdqQU9ackQ3dkNrbTBqSlV4bjVtb1B1NzRrS3FnX2lJR1Zhd183d3BKdEl5UkViX1pyIn0._GM-TP-llDGiaoLlJn59vBrfJ86RF_fWhw0NEamQ5Qg",
        "expires_in": 21600
      }
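One way a client could wrap the refresh-token grant described in the reply above, as an added example that is not part of the original posts and not Sage Intacct's code: it keeps one access token per scope, so repeated write-backs to an entity do not each cost a token request. The function and class names, the injectable `post`/`clock` parameters, the 60-second skew, and the assumption that tokens for different scopes stay valid side by side are this example's own.

```python
import json
import time
import urllib.request

TOKEN_PATH = "/api/v1-beta2/oauth2/token"  # path given in the post above


def build_token_request(refresh_token, client_id, client_secret, location_id=None):
    """Body for the refresh_token grant; no location_id means a top-level token."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}
    if location_id is not None:
        body["location_id"] = location_id
    return body


def http_post_json(url, body):
    """Real transport: POST JSON over HTTPS and parse the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class ScopedTokens:
    """One cached access token per scope (None = top level).

    Assumption, not stated in the thread: tokens issued for different scopes
    stay valid side by side until their own expires_in runs out.
    """

    def __init__(self, api_url, refresh_token, client_id, client_secret,
                 post=http_post_json, clock=time.time, skew=60):
        self._url = api_url.rstrip("/") + TOKEN_PATH
        self._creds = (refresh_token, client_id, client_secret)
        self._post, self._clock, self._skew = post, clock, skew
        self._cache = {}  # location_id -> (access_token, expiry as epoch seconds)

    def get(self, location_id=None):
        token, expiry = self._cache.get(location_id, (None, 0))
        if token and expiry - self._skew > self._clock():
            return token  # still fresh: no extra token request
        reply = self._post(self._url, build_token_request(*self._creds, location_id))
        if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
            # Do not echo the reply or the request: both may contain secrets.
            raise RuntimeError("token endpoint returned an unexpected response")
        expiry = self._clock() + int(reply.get("expires_in", 0))
        self._cache[location_id] = (reply["access_token"], expiry)
        return reply["access_token"]
```

Load the refresh token and client secret from a secret store or environment variable rather than source code, and keep access tokens out of logs.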

