REST API Overview

Please note: The QuickFile REST API is currently in beta and may not be available to all users. If you would like to use the new API please contact us.

Overview

Welcome to the implementation guide for the new QuickFile RESTful API. Designed to replace our legacy API, this next-generation interface provides a modern, robust, and highly efficient way to connect your applications with our online accounting software.

We have completely redesigned our integration layer to leverage cleaner, more intuitive endpoints that map logically to your accounting data. Whether you are automating invoicing, syncing bank transactions, or extracting financial reports, this new API simplifies data management, reduces development overhead, and delivers a more reliable integration experience.

Authentication

The REST API provides two methods of authentication depending on your requirements.

Personal Bearer Token
Use a personal bearer token when you are connecting to your own QuickFile account.

OAuth 2.0 Authentication
Use OAuth authentication when you are building an application that is to be consumed by other QuickFile users.

We’ll start with the personal bearer token, this is a static token you can generate in your QuickFile account and use to access your own data over the API. The personal bearer token is a quick way to get started with the API and gives you access to the data held within your account, based on the specific permission boundaries you have set. You can create a new token by heading over to the API section within your QuickFile account.

Account Settings >> Third Party Integration >> API

From here you can generate a new token and specify which endpoint groups should be available for the token. You can also set an optional expiry date if you want the token to become inactive after a set date.

IP Restrictions

By default, your token will be able to access permitted API endpoints from any origin IP. If you would prefer to isolate access to your data from a specific group of IP addresses, then this can be done by clicking on the options menu for your token and selecting IP Restrictions.

Swagger Documentation

To get a full overview of available endpoints and model schemas, please refer to our Swagger documentation.

OAuth Authentication for Partner Applications

If you are developing an integration that is intended to read and write data to other QuickFile accounts then you must integrate with our OAuth 2.0 authentication flow. If you only want to access your own data then use the personal bearer token approach detailed above.

This can be broken down into several key steps:

  1. Create - Configure a new partner application in our partner API section. Make a note of the client ID and secret (note: the secret will only be revealed once).
  2. Authorise - Direct users to the OAuth Authorise endpoint in QuickFile to allow users to connect to your application.
  3. Exchange - Once your user has reviewed the scopes and granted access to their account they will be redirected to your designated URL where you must exchange the code for an access and refresh token. Store these tokens securely in your user database.
  4. Connect - Connect to the customer’s data over the API using the JWT formatted access token.

We’ll expand on these steps below.

Create a new Application

First you need to register your application in QuickFile. Here you will give your application a name and description along with the required scopes and redirect URIs.

Application Name
A short name for your application that will be visible to users when they provide consent.

Description
A brief description of what the application does, this will also be visible on the consent screen.

Redirect URIs
Here you will provide a whitelist of redirect URIs that we will redirect the user to once consent has been granted.

Requested Scopes
The key areas your application will access. It is recommended to only request the minimum scopes needed for the core functionality of your application. A list of valid scopes is provided below:

invoices
clients
suppliers
purchases
reports
payments
banks
ledgers
projects
documents
journals

Once your application has been registered you will see a confirmation screen with your client ID and secret. The secret will only be revealed once, so make sure to make a note of them. You will need these credentials when authorising users for your application.

Authorisation Flow

Now you have your application set up you can start onboarding users. To do this you will need to redirect the user to the authorisation endpoint.

GET: https://www.quickfile.co.uk/oauth/authorize?
client_id={your_client_id}
&redirect_uri={a_whitelisted_redirect_uri}
&scope={list_of_scopes_space_delimited}
&state={custom_state_identifier}

Note: As QuickFile accounts are located on their own sub-domains, the user will be presented with an interim page that asks the user to provide their account sub-domain before proceeding.

We will present details of your application to the end-user and allow them to approve or deny consent. Once the user has approved consent we will redirect the user back to your designated redirect URI, passing a one-time code and any state parameter supplied to the authorisation endpoint.

Token Exchange

The code parameter is a one-time, short-expiry identifier that must be exchanged for an access and refresh token. This can be achieved with the following request.

POST: https://www.quickfile.co.uk/oauth/token?
grant_type=authorization_code
client_id={your_client_id}
&code={code_passed_to_redirect_uri}
&secret={your_secret}

You should then receive a response as follows:

{
    "access_token": "######.#######.####",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "############",
    "scope": "invoices purchases clients suppliers reports"
}

The access_token is a signed JWT token that has a lifetime of 1 hour (3,600 seconds). The token can reach a length of 1,000 characters so you must provision your database or storage column accordingly, accounting for secondary encryption.

Connecting to the API

Once you have your access_token you can connect to the API by setting this as a bearer token in the authorization header e.g.

GET: https://api-beta.quickfile.co.uk/Invoices
  --header 'Authorization: {your_jwt_access_token}' \

Token Refresh

All access tokens are issued with a lifetime of 1 hour. When an access token expires you must request a new token from the OAuth token endpoint as follows:

POST: https://www.quickfile.co.uk/oauth/token?
grant_type=refresh_token
client_id={your_client_id}
&refresh_token={your_clients_refresh_token}

In the response you will receive a new access_token and refresh_token presented in the same structure as defined earlier in the token exchange request.

Important Note: With every new access_token the refresh_token will also be rotated. It is important that you capture this new refresh_token and update it in your local storage to avoid the application from falling out of sync.

Rate Limiting

The REST API implements general rate limiting alongside rolling 24-hour, account-level limits. This ensures that the API remains responsive and stable for all users. We recommend avoiding large bursts of parallel requests to reduce the likelihood of hitting active rate limits.

A default rolling 24-hour request limit of 5,000 is applied to all tokens. If you require a higher limit, please contact us with details about your application and the reason for the limit increase.

You can monitor your daily request limit and usage by referring to the following response headers returned by the API:

- X-RateLimit-Limit: 5000 
- X-RateLimit-Remaining: 3256