Question

With QuickBooks Online, administrators can create accounts for non-administrators through the user interface (for example, they can create "time-tracking only" users, which have access to time-tracking tools but nothing else).

Is it possible for these users to authenticate with an app which is owned by the administrator in order to make API calls?

In our testing, when a non-administrator tries to connect via OAuth, they get the following error:

Only administrators can buy apps in the company...

Is it not possible to make API calls on behalf of non-administrators?


Solution

You're confusing two topics / talking about two separate things here:

  • thing 1 - CONNECTING to a third-party app

  • thing 2 - MAKING API CALLS from a third-party app

Only an administrator can connect to a third-party app.

Once you're connected though, there is no user account involved at all. Your app makes API calls to do whatever, and it doesn't involve an actual user account in any way, shape, or form. Your third-party app can do whatever the heck it wants, regardless of what users you have or who is logged in or anything else.

Remember - the way OAuth works (or should work, if you've implemented it correctly) is that you only connect your app ONCE, and store the OAuth credentials. Your app can then make whatever calls it wants at any time with no user interaction required whatsoever using those tokens.

So, to answer your questions:

Is it possible for these users to authenticate with an app which is owned by the administrator in order to make API calls?

If the app is owned by the administrator (e.g. the administrator already connected/signed up for the app) then you are already authenticated, and being authenticated has nothing at all to do with any individual user.

In our testing, when a non-administrator tries to connect via OAuth, they get the following error:

This is the connection process - it is a one-time process to get the OAuth credentials, after which you can do whatever you want with the API, regardless of what users exist or even if anyone is logged in or anything else.

Is it not possible to make API calls on behalf of non-administrators?

Again, API calls have nothing to do with user accounts. The administrator makes the initial connection to get the OAuth tokens, and then after that the API can do anything without any interaction or relationship with any user whatsoever.

Once you have those tokens (again, a one-time process) then you can do whatever you want with the API.
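An added example (not code from the question, the answer, or QuickBooks) modelling the answer's point: the tokens from the administrator's one-time connection are company-level credentials with no user attached, so a "time-tracking only" restriction on the app's own users has to be enforced by the app before it spends that token. The roles, the refresh function and the transport are constructed stand-ins, not QuickBooks API values.

```python
import time
from dataclasses import dataclass

@dataclass
class StoredTokens:  # the one token set the administrator's connection produced
    access_token: str
    refresh_token: str
    expires_at: float  # unix timestamp; refresh before it passes

# Constructed app-side roles: QuickBooks never learns which app user triggered a
# call, so a "time-tracking only" restriction has to be enforced by the app itself.
ROLE_PERMISSIONS = {
    "admin": {"timeactivity", "invoice", "customer"},
    "time_tracking_only": {"timeactivity"},
}

class CompanyConnection:
    def __init__(self, tokens, refresh_fn, transport, now=time.time):
        self.tokens = tokens
        self._refresh_fn = refresh_fn  # refresh_token -> StoredTokens (hypothetical)
        self._transport = transport    # (access_token, resource) -> dict (hypothetical)
        self._now = now

    def _access_token(self):
        # Refresh ahead of expiry with the stored refresh token; no user is involved.
        if self._now() >= self.tokens.expires_at - 60:
            self.tokens = self._refresh_fn(self.tokens.refresh_token)
        return self.tokens.access_token

    def call(self, app_user_role, resource):
        # Authorise the app's own user first, then spend the company-level token.
        if resource not in ROLE_PERMISSIONS.get(app_user_role, set()):
            raise PermissionError(f"role {app_user_role!r} may not access {resource!r}")
        return self._transport(self._access_token(), resource)

def fake_refresh(refresh_token):
    # Stands in for the token endpoint; hands back a constructed token pair.
    return StoredTokens("access-2", refresh_token, time.time() + 3600)

def fake_transport(access_token, resource):
    # Stands in for the HTTPS request; echoes what it would carry.
    return {"resource": resource, "authorization": f"Bearer {access_token}"}

def demo():
    expired = StoredTokens("access-1", "refresh-1", expires_at=time.time() - 1)
    conn = CompanyConnection(expired, fake_refresh, fake_transport)
    ok = conn.call("time_tracking_only", "timeactivity")  # refreshes, then succeeds
    try:
        conn.call("time_tracking_only", "invoice")
        denied = False
    except PermissionError:
        denied = True
    return ok, denied, conn.tokens.access_token
```

The refresh happens silently with the stored refresh token, which is exactly why those tokens need the same protection as any other company-wide secret.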

Licensed under: CC-BY-SA with attribution