Overview
As of 1 September 2026, MYOB is strengthening its app ecosystem by upgrading integration endpoints to enhance data privacy and security. These changes will affect all API keys as of 1 September 2026, and alter how you obtain and use Company File GUIDs (businessId). This guide outlines the correct OAuth2.0 authentication flow, including all required parameters and adjustments needed for compliant integration.
Key Changes
- The legacy
GET https://api.myob.com/accountright/endpoint no longer returns a list of company files. - The legacy
CompanyFileOAuth scope is deprecated for all keys as of 1 September 2026. - You must extract the Company File GUID (
businessId) from the redirect URI after user authentication. - You must include the parameter
prompt=consentto ensure thebusinessIdis returned. - The user authenticating your app must be an Administrator user of the MYOB company file.
- Your API Key, Redirect URI, and Secret must match exactly what is registered in your my.myob Developer App settings.
- All redirect URI's must now be
https://. We no longer accepthttp://prefixed redirect URI's. - The endpoint
https://api.myob.com/accountright/DataScopeswill return a list of all available SME_SCOPES and all endpoints enabled with these scopes. You do not need to include a specific scope to use this endpoint. -
The legacy endpoint
https://api.myob.com/accountright/CurrentUseris now deprecated, and will return an OAuthTokenIsInvalid error.
Registering your App
Once your Developer Registration has been approved you will gain access to the "Developer Tab" within my.myob at the top of the page.
(Make sure you have selected your Developer Account from the drop down menu)
This is where you can Register your app, give it a name and create an API key & Secret.
You will also need to provide a "Redirect URL," this is the site to which the MYOB User will be redirected to after they have approved access to the database. (Note: All redirect URI's must now be secure https://. We no longer accept http:// prefixed redirect URI's.)
OAuth2.0 Authorization URL (Required Format)
https://secure.myob.com/oauth2/account/authorize ?client_id=YOUR_CLIENT_ID &redirect_uri=https://yourapp.com/redirect &response_type=code &scope=sme-company-file sme-customer sme-invoice &prompt=consent
Required Parameters
| Parameter | Description |
|---|---|
client_id |
Your registered MYOB API key. |
redirect_uri |
Where the user is redirected after authentication. Must match your app registration. |
response_type |
Always set to code. |
scope |
Use the new sme-scopes only. E.g. sme-company-file, sme-customer, etc. |
prompt=consent |
Required to return businessId and to allow re-auth for multiple company files. |
Redirect URL Parameters (Post-Auth)
After successful authentication, the user is redirected back to your app with parameters in the URL:
https://yourapp.com/redirect? code=...&scope=...&state=... &businessId=5d4b1ce0-bb9f-4f4c-9578-2b168b7295db &businessName=MYOB+Shared+Sandbox+21
Extract:
-
code: The access code that needs to be used to create access/refresh tokens. -
businessId: The GUID of the selected company file. -
businessName: Display name of the company file.
Below screenshot shows how the MYOB user would select and grant access to their company file with a list of scopes
.
Token Exchange (POST Request)
Once you receive the authorization code, exchange it for tokens:
POST https://secure.myob.com/oauth2/v1/authorize Headers: Content-Type: application/x-www-form-urlencoded Body: client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET &code=AUTHORIZATION_CODE &redirect_uri=https://yourapp.com/redirect &grant_type=authorization_code
Response will contain:
access_tokenrefresh_token-
scopeavailable for this token expires_in
Using the businessId in API Calls
All API calls must now be directed to the specific company file using the businessId:
GET https://api.myob.com/accountright/{businessId}/Customer
Authorization: Bearer {access_token}Refreshing the Access Token
When the access_token expires, use the refresh_token to obtain a new one without requiring the user to log in again:
POST https://secure.myob.com/oauth2/v1/authorize Headers: Content-Type: application/x-www-form-urlencoded Body: client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET &refresh_token=YOUR_REFRESH_TOKEN &grant_type=refresh_token
Response will contain a new:
access_tokenrefresh_tokenexpires_in
Make sure to securely store and replace the refresh token each time.
Multi-Company File Access
MYOB Admin user can only allow access to one file at a time. If your user needs to connect multiple files, they must:
- Go through the Oauth process for each company file individually
- Log in to myob, select the company file name and allow access to the file.
- The auth url must include
prompt=consentto allow file selection. - Store each resulting
businessIdseparately.
Common Pitfalls
- Forgetting
prompt=consent: leads to missingbusinessIdon redirect. - Using old scopes like
CompanyFile: these will be deprecated for ALL files as of 1 September 2026. - Expecting
/accountrightto return files: this endpoint is deprecated and will return an empty array. - Having a non-admin user approve the connection: only Administrators can authorise access to company files.
- Mismatched API key, redirect URI, or secret: must exactly match what is registered in MY.MYOB.
Related Documentation
Questions or Issues?
If you're unsure how to handle authentication or encounter errors, submit a support ticket and we’ll assist.
Comments
0 comments
Article is closed for comments.