← Back to Skills Marketplace
Intuit-quickbook
by
Simon-Pierrre Boucher
· GitHub ↗
· v1.0.1
· MIT-0
51
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install quickbook
Description
Production-grade integration and automation with the QuickBooks Online API. Covers OAuth 2.0 authentication, accounting entities (Customers, Invoices, Paymen...
README (SKILL.md)
QuickBooks Online API Skill
This skill provides production-grade workflows, JSON schemas, and code patterns for integrating with the QuickBooks Online (QBO) REST API (v3) and the QuickBooks Payments API (v4).
Base URLs
| Environment | Accounting API Base URL |
|---|---|
| Sandbox | https://sandbox-quickbooks.api.intuit.com |
| Production | https://quickbooks.api.intuit.com |
All requests require the header Authorization: Bearer \x3Caccess_token> and Accept: application/json.
Reference Guides
Detailed schemas and code implementations are in the references/ folder. Load them as needed:
| File | When to Read |
|---|---|
references/authentication.md |
OAuth 2.0 flow, token exchange, token refresh, distributed locking |
references/accounting_entities.md |
Customer, Invoice, Payment, Bill, JournalEntry CRUD payloads |
references/webhooks.md |
CloudEvents v1.0 payload, HMAC-SHA256 signature verification, async queue pattern |
references/queries_and_errors.md |
IDS-QL syntax, pagination, SQL injection prevention, exponential backoff |
references/ai_and_mcp.md |
QuickBooks MCP server deployment, LangGraph agent state machines |
Core Workflows
Workflow 1: OAuth 2.0 Token Lifecycle
[User clicks "Connect to QuickBooks"]
|
v
[Redirect to Intuit Authorization URL]
|
v
[User grants consent → receives ?code=...]
|
v
[POST /oauth2/v1/tokens/bearer (code exchange)]
|
v
[Store access_token (60 min) + refresh_token (100 days)]
|
v
[On 401 → POST /oauth2/v1/tokens/bearer (refresh grant)]
Critical: Encrypt both tokens at rest with AES-256-GCM. Use a distributed lock (e.g., Redis Redlock) to prevent concurrent refresh races.
Workflow 2: Robust Entity Update (SyncToken / Error 2030)
QuickBooks uses optimistic locking. Every entity carries a SyncToken. If another process updated the entity since your last read, the API returns error 2030 (Stale Object).
[POST update with local SyncToken]
|
+----+----+
| |
200 OK 400 / 2030
| |
[Done] [GET entity → get new SyncToken]
|
[Merge changes]
|
[POST update again]
Workflow 3: Asynchronous Webhook Processing
QuickBooks requires an HTTP 200 OK response within 3 seconds.
[Incoming POST from Intuit]
|
v
[1. Verify HMAC-SHA256 signature] ← raw bytes only, never parsed JSON
|
v
[2. Push raw payload to message queue (SQS / RabbitMQ / Redis)]
|
v
[3. Return HTTP 200 immediately]
|
v
[4. Background worker processes event]
API Quick Reference
Accounting Entities
| Entity | Endpoint | Methods |
|---|---|---|
| Customer | /v3/company/\x3CrealmId>/customer |
POST (create), POST (update sparse), GET |
| Vendor | /v3/company/\x3CrealmId>/vendor |
POST, GET |
| Invoice | /v3/company/\x3CrealmId>/invoice |
POST, GET, DELETE (void) |
| Payment | /v3/company/\x3CrealmId>/payment |
POST, GET |
| Bill | /v3/company/\x3CrealmId>/bill |
POST, GET |
| CreditMemo | /v3/company/\x3CrealmId>/creditmemo |
POST, GET |
| JournalEntry | /v3/company/\x3CrealmId>/journalentry |
POST, GET |
| Account (CoA) | /v3/company/\x3CrealmId>/account |
POST, GET |
| Item | /v3/company/\x3CrealmId>/item |
POST, GET |
| Deposit | /v3/company/\x3CrealmId>/deposit |
POST, GET |
| Transfer | /v3/company/\x3CrealmId>/transfer |
POST, GET |
Reports API
| Report | Endpoint | Key Params |
|---|---|---|
| Profit & Loss | /v3/company/\x3CrealmId>/reports/ProfitAndLoss |
start_date, end_date, accounting_method |
| Balance Sheet | /v3/company/\x3CrealmId>/reports/BalanceSheet |
date, accounting_method |
| General Ledger | /v3/company/\x3CrealmId>/reports/GeneralLedgerDetail |
start_date, end_date, columns |
| A/R Aging | /v3/company/\x3CrealmId>/reports/AgedReceivables |
report_date, aging_method |
Reports cell limit: 400,000 cells per response. Enforce a maximum 6-month date range per request to avoid timeouts.
Payments API (v4)
| Operation | Endpoint |
|---|---|
| Tokenize card | POST https://api.intuit.com/quickbooks/v4/payments/tokens |
| Create charge | POST https://api.intuit.com/quickbooks/v4/payments/charges |
| Refund charge | POST https://api.intuit.com/quickbooks/v4/payments/charges/\x3Cid>/refunds |
Batch Operations
Bundle up to 30 independent operations into a single POST request:
POST /v3/company/\x3CrealmId>/batch
Change Data Capture (CDC)
Retrieve all changed entities since a given timestamp:
GET /v3/company/\x3CrealmId>/cdc?entities=Customer,Invoice&changedSince=2026-05-31T00:00:00Z
Production Checklist
Before going live, verify:
- OAuth tokens encrypted at rest (AES-256-GCM).
- Distributed lock on token refresh (no concurrent refresh races).
- Exponential backoff with jitter on all API calls (handles
HTTP 429, 100 req/min limit). - IDS-QL inputs sanitized (escape single quotes to prevent injection).
- Reports date range capped at 6 months per request.
- Webhook signature verified on raw bytes before any JSON parsing.
- Webhook handler responds
HTTP 200within 3 seconds (async queue pattern). - PCI-DSS: raw card numbers never stored; use tokenization endpoint only.
Usage Guidance
Install only if you are prepared to treat it as high-impact financial automation guidance. Use sandbox first, store QuickBooks secrets outside committed config files, restrict OAuth scopes, require human approval for payments or posting actions, set transaction limits, and replace the query-string sanitization guidance with a stricter allowlisted query builder.
Capability Tags
Capability Assessment
Purpose & Capability
The stated purpose is coherent with QuickBooks API integration, OAuth, webhooks, reports, payments, and MCP automation, but the capability surface includes high-impact financial actions such as charges, refunds, invoice updates, and bill payment.
Instruction Scope
The instructions are mostly purpose-aligned, but the AI/MCP bill-payment workflow lacks explicit human approval, limits, audit requirements, or rollback guidance, and the IDS query guidance recommends weak string sanitization for user-controlled query input.
Install Mechanism
The submitted skill itself is markdown-only with no executable scripts or hidden install steps; it does direct users to clone and install an external Intuit MCP server, which is user-directed and related to the stated purpose.
Credentials
QuickBooks client secrets, refresh tokens, realm IDs, and optional webhook verifier tokens are proportionate for the integration, but they are highly sensitive and the MCP example shows credentials placed directly in a configuration block without enough secret-handling warnings.
Persistence & Privilege
The artifact does not create persistence itself, but it relies on long-lived QuickBooks refresh tokens and a user-run MCP/server workflow; token lifetime and encryption are disclosed in the documentation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install quickbook - After installation, invoke the skill by name or use
/quickbook - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Added new documentation files: ai_and_mcp.md, authentication.md, queries_and_errors.md, and webhooks.md in the references directory.
- Expanded reference coverage to include topics like AI/MCP integration, authentication workflows, robust query/error handling, and webhook processing.
- No changes to the public API, environment variables, or core workflow logic.
- Improved internal documentation structure for easier onboarding and advanced QuickBooks API use cases.
v1.0.0
Initial public release of QuickBooks Online API integration skill.
- Provides production-grade integration with QuickBooks Online (QBO) and Payments APIs.
- Supports OAuth 2.0 authentication, accounting entities (Customers, Invoices, Payments, Bills, Journal Entries), webhooks, Reports API, Payments API, IDS query language, Change Data Capture, and batch operations.
- Includes detailed workflow guides for OAuth token management, optimistic locking (SyncToken/Error 2030), and asynchronous webhook processing.
- Enforces best practices: token encryption, distributed locking, API rate handling, input sanitization, secure webhook validation, and PCI compliance.
Metadata
Frequently Asked Questions
What is Intuit-quickbook?
Production-grade integration and automation with the QuickBooks Online API. Covers OAuth 2.0 authentication, accounting entities (Customers, Invoices, Paymen... It is an AI Agent Skill for Claude Code / OpenClaw, with 51 downloads so far.
How do I install Intuit-quickbook?
Run "/install quickbook" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Intuit-quickbook free?
Yes, Intuit-quickbook is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Intuit-quickbook support?
Intuit-quickbook is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Intuit-quickbook?
It is built and maintained by Simon-Pierrre Boucher (@simonpierreboucher02); the current version is v1.0.1.
More Skills