Retrieving Company File GUIDs via MYOB API (Post-March 2025)

What Changed

As of 12 March 2025, MYOB made changes that affect how Company File information is accessed through the API for newly created API keys.

Key changes:

• The GET https://api.myob.com/accountright/ endpoint no longer returns a list of company files when using an API key created after this date.
• The legacy CompanyFile OAuth scope is deprecated for new API keys.
• You must now retrieve the Company File GUID (businessId) from the redirect URL after the user approves authentication.

🧭 Where to Find the Company File GUID Now

When the user successfully authorises your app, they’ll be redirected to your redirect_uri with several parameters, including:

&businessId=5d4b1ce0-bb9f-4f4c-9578-2b168b7295db
&businessName=MYOB+Shared+Sandbox+21

• businessId = Company File GUID
• businessName = Name of the Company File

🔐 This is currently the only place the GUID is returned for new API keys.

✅ Prompting for Consent

To ensure the businessId and businessName are included in the redirect URL, you must include the prompt=consent parameter in your OAuth2.0 authorisation URL.

Why it's required:

• It forces the user to re-approve the app, which is necessary to return the businessId after login.
• It is also required when a user needs to authorise access to multiple company files — without it, previously cached tokens or approvals may prevent a new company file selection.

Example URL:

https://secure.myob.com/oauth2/account/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/redirect
  &response_type=code
  &scope=sme-company-file sme-customer sme-invoice
  &state=12345
  &prompt=consent

✅ Always use prompt=consent when:

• You want to guarantee the businessId is returned
• The same user is connecting more than one company file to your app

🌐 Example

After redirect, your full URL might look like:

https://yourapp.com/redirect?
code=...
&scope=...
&state=...
&businessId=5d4b1ce0-bb9f-4f4c-9578-2b168b7295db
&businessName=MYOB+Shared+Sandbox+21

You should extract and store the businessId from this URL.
It is required for all subsequent API calls such as:

GET https://api.myob.com/accountright/{businessId}/Customer

✅ Summary

• Do not rely on /accountright to return a file list anymore.
• Use the businessId returned after OAuth login — this is your Company File GUID.
• Each authentication only grants access to one Company File (the one selected by the user).
• If the user needs to authorise multiple files, they must repeat the login process with prompt=consent included.
• ✅ Always include prompt=consent to ensure proper file selection and GUID return.

🔗 Need Help?

• Company File GUIDs – Post March 2025
• OAuth2.0 Authentication Guide
• Full Scope List

If you’re unsure about your company file access or need help, submit a support ticket here and we’ll assist.submit a support ticket here and we’ll assist.