When you're working with an online application, your app will first need to access the user's my.MYOB account before it can access their business data. The MYOB API uses OAuth 2.0 to ensure that access to business data is handled securely.
The first step is getting an access code, and you do this by having your app user log in to their my.MYOB account. Because it's OAuth, your app must never ask for a user's my.MYOB credentials; instead you redirect them to our secure.myob.com login page here:
https://secure.myob.com/oauth2/account/authorize?client_id=[YOUR API KEY]&redirect_uri=[URL_ENCODED_REDIRECT_URI]&response_type=code&scope=la.global
Note: The redirect URI must match the URL you entered when registering for your API Key and must be URL encoded.
Once the user has authorised your app to access their business data they will be returned to your redirect URL with a ?code= parameter in the query string. You use this code for the next step.
A number of developers have asked if we support the state parameter. The answer is YES we do. If you wish to pass an additional identification variable that you want our OAuth server to return to you along with the access code, simply add &state=[custom_var] to the URL. Keep in mind that state is also the standard OAuth 2.0 defence against login CSRF: generate an unguessable value for each login attempt, tie it to the user's session, and reject any callback whose state does not match before you use the code it carries.
Once you have the access code, you make another call to our secure.myob.com server to request an access token (note: we'll return both an Access Token and a Refresh Token).
You do this by POSTing the following query string parameters:
'client_id' // your API Key
'client_secret' // your API Secret
'scope' // this should say la.global
'code' // the Access Code you just got
'redirect_uri' // your redirect URL
'grant_type' // this should say authorization_code
To this url:
https://secure.myob.com/oauth2/v1/authorize
This will return an Access Token to you which you use when making a call.
Here's an example; note that the code and redirect_uri values are both URL-encoded:
code=Wvof%21IAA[[TRUNCATED_FOR_READABILITY]]luF&redirect_uri=http%3A%2F%2Flocalhost%2Fmyob_redirect%2F&client_id=[[MY_API_KEY]]&scope=la.global&client_secret=[[MY_SECRET]]&grant_type=authorization_code
Note: while the data is formatted into a URL Query String you do not pass the information via the URL (that would be a GET request), you must pass the query string in the body and POST this to https://secure.myob.com/oauth2/v1/authorize
If the URL you are trying to POST to looks like:
https://secure.myob.com/oauth2/v1/authorize?code=Wvof%21IAA[[TRUNCATED_FOR_READABILITY]]luF&redirect_uri=http%3A%2F%2Flocalhost%2Fmyob_redirect%2F&client_id=[[MY_API_KEY]]&scope=la.global&client_secret=[[MY_SECRET]]&grant_type=authorization_code
you are trying to GET and this will fail.
Access tokens have a limited life span, and when you receive one you'll also receive an Expiry Time for it and a Refresh Token. Once your access token expires it can no longer be used to access the API, so you'll need to trigger a refresh. Store the refresh token (and your API Secret) as carefully as you would a password: anyone holding them can mint new access tokens for that user's data. You trigger a refresh by POSTing the following query string parameters:
'client_id' // your API Key
'client_secret' // your API Secret
'refresh_token' // your refresh token
'grant_type' // this should say refresh_token
To this url:
https://secure.myob.com/oauth2/v1/authorize
Note: while the data is formatted into a URL Query String you do not pass the information via the URL (that would be a GET request), you must pass the query string in the body and POST this to https://secure.myob.com/oauth2/v1/authorize
If the URL you are trying to POST to looks like:
https://secure.myob.com/oauth2/v1/authorize?client_id=[[MY_API_KEY]]&client_secret=[[MY_SECRET]]&refresh_token=[[MY_REFRESH_TOKEN]]&grant_type=refresh_token
you are trying to GET and this will fail.
Once you have your tokens you can make any call to the API by passing the following headers along with the call:
'Authorization: Bearer [ACCESS TOKEN]',
'x-myobapi-key: [API KEY]',
'x-myobapi-version: v0',
'Accept: application/json'
For more details on the headers used for our API go to our headers documentation page.
For more information about OAuth authentication, see the OAuth website.
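Here is the whole flow above as added example code in Python (written for this page; it is not MYOB's SDK and makes no network call unless you drop the fake transport): build the authorize URL with a random state, verify that state on the callback before trusting the code, POST the token exchange and the refresh as form bodies rather than query strings, check expiry, and build the request headers. It assumes the token endpoint's JSON response uses the field names access_token, refresh_token and expires_in (seconds); the page names these values but not the field names, so treat them as assumptions. fake_myob_transport is a constructed stand-in for secure.myob.com so the example runs offline; its token values are made up.

```python
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://secure.myob.com/oauth2/account/authorize"
TOKEN_URL = "https://secure.myob.com/oauth2/v1/authorize"
SCOPE = "la.global"


def new_state():
    """Unguessable per-login value. Keep it in the user's server-side session
    before redirecting; parse_redirect() checks it when the user comes back."""
    return secrets.token_urlsafe(32)


def build_authorize_url(api_key, redirect_uri, state):
    """Step 1: the login URL. urlencode() percent-encodes redirect_uri."""
    params = {"client_id": api_key, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": SCOPE, "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_redirect(callback_url, expected_state):
    """Extract ?code= from the callback, but only if ?state= matches the value
    we issued; a mismatch means a forged or replayed callback (login CSRF)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to this login")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def _post_form(url, fields, transport=None):
    """Send the fields as the POST body, never as a ?query on the URL (the
    server treats that as a GET and rejects it). `transport` is injectable
    so the flow can be exercised without talking to MYOB."""
    body = urllib.parse.urlencode(fields).encode()
    if transport is not None:
        return transport(url, body)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _stamp(token, now):
    # Remember when the token was issued so is_expired() can use expires_in.
    token["obtained_at"] = time.time() if now is None else now
    return token


def exchange_code(api_key, api_secret, code, redirect_uri, transport=None, now=None):
    """Step 2: swap the access code for an access token + refresh token."""
    return _stamp(_post_form(TOKEN_URL, {
        "client_id": api_key, "client_secret": api_secret, "scope": SCOPE,
        "code": code, "redirect_uri": redirect_uri,
        "grant_type": "authorization_code"}, transport), now)


def refresh_access_token(api_key, api_secret, token, transport=None, now=None):
    """Step 3: get a fresh access token using the refresh token."""
    return _stamp(_post_form(TOKEN_URL, {
        "client_id": api_key, "client_secret": api_secret,
        "refresh_token": token["refresh_token"],
        "grant_type": "refresh_token"}, transport), now)


def is_expired(token, now=None, skew=60):
    """Treat the token as dead `skew` seconds early so a request already in
    flight doesn't straddle the expiry boundary."""
    now = time.time() if now is None else now
    return now >= token["obtained_at"] + token["expires_in"] - skew


def api_headers(token, api_key):
    """Headers to send with every API call once you hold a live access token."""
    return {"Authorization": "Bearer " + token["access_token"],
            "x-myobapi-key": api_key, "x-myobapi-version": "v0",
            "Accept": "application/json"}


# Constructed stand-in for secure.myob.com (assumption: real responses may differ).
REQUIRED = {"authorization_code": ("code", "redirect_uri", "scope"),
            "refresh_token": ("refresh_token",)}


def fake_myob_transport(url, body):
    """Checks the request the way the page says the server does, then returns
    made-up tokens: AT-1/RT-1 for a code exchange, AT-2/RT-2 for a refresh."""
    if url != TOKEN_URL:
        raise ValueError("token requests must go to " + TOKEN_URL)
    fields = urllib.parse.parse_qs(body.decode(), strict_parsing=True)
    grant = fields.get("grant_type", [""])[0]
    if grant not in REQUIRED:
        raise ValueError("unsupported grant_type " + repr(grant))
    missing = [k for k in ("client_id", "client_secret") + REQUIRED[grant] if k not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    n = "1" if grant == "authorization_code" else "2"
    return {"access_token": "AT-" + n, "refresh_token": "RT-" + n, "expires_in": 1200}


if __name__ == "__main__":
    redirect = "http://localhost/myob_redirect/"
    state = new_state()
    print(build_authorize_url("MY_API_KEY", redirect, state))
    code = parse_redirect(redirect + "?code=Wvof%21IAA&state=" + state, state)
    tok = exchange_code("MY_API_KEY", "MY_SECRET", code, redirect,
                        transport=fake_myob_transport, now=1000.0)
    print(api_headers(tok, "MY_API_KEY"))
    if is_expired(tok, now=2200.0):
        tok = refresh_access_token("MY_API_KEY", "MY_SECRET", tok,
                                   transport=fake_myob_transport, now=2200.0)
    print(tok)
```

To go live, drop the transport argument and the default urllib path POSTs the form body to the v1 authorize endpoint; keep the state in a server-side session, never in a cookie the browser can be tricked into resending, and persist obtained_at alongside the tokens so the expiry check survives a restart.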