What are Granular Data Scopes?
When your app requests consent from a user, it will specify a set of scopes for the endpoints it needs access to. These scopes are shown to the user, clearly explaining what data your app will be able to access.
Give customers better consent and control over sensitive areas.
With MYOB’s granular data scopes, you request only the minimum access needed for each feature—nothing more. This gives your customers clearer consent and tighter control over sensitive areas like banking and payroll.
As you roll out features, our security-focused API follows least-privilege best practices and supports adding permissions over time via re-consent.
What will my customer see when reconsenting?
Once you have updated your authorisation process, the next time the customer requests an access token they will be sent through MYOB's consent flow, which requires an admin user to approve consent for a single ledger.
How do I make these changes?
If your app is non-interactive, you will need to ask your MYOB customer to reconsent via your portal/gateway by redirecting them through the MYOB consent flow. For interactive apps, once you have identified which scopes are needed, you can prompt your MYOB customer on their next login using the URLs below.
To request authorisation, send the user to the secure.myob.com login page:

https://secure.myob.com/oauth2/account/authorize?client_id=[YOUR API KEY]&redirect_uri=[URL_ENCODED_REDIRECT_URI]&response_type=code&scope=[SME_SCOPES]

Note: The redirect URI must match the URL you entered when registering for your API Key and must be URL encoded.

If you require the user to consent (for example to scopes you have added since they last consented), append prompt=consent to the same URL:

https://secure.myob.com/oauth2/account/authorize?client_id=[YOUR API KEY]&redirect_uri=[URL_ENCODED_REDIRECT_URI]&response_type=code&scope=[SME_SCOPES]&prompt=consent
Note: Scopes must be space separated; the complete list can be found here. Request only the scopes that cover the endpoints your app will actually use.
Once the user has authorised your app to access their company file, they will be returned to your redirect URL with code and businessId query parameters. Use the code in the next step to obtain an access token, and the businessId as the cf_uri in subsequent calls to the API.

Note: The returned code expires 2-5 minutes after it is generated, so exchange it for an access token promptly.
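The following is an added example, not MYOB's own code, showing the two ends of the redirect step above: building the authorize URL with space-separated granular scopes and a URL-encoded redirect URI (with prompt=consent for re-consent), then validating the callback and extracting code and businessId. The client ID, redirect URI, scope names and callback values are placeholders; the state parameter is a standard OAuth2 CSRF check that this page does not mention and is included here as a recommended addition.

```python
"""Added example (not MYOB's code): build the MYOB authorize URL and parse the
redirect back. Only the authorize endpoint and parameter names come from the
page; every concrete value below is a placeholder."""
import secrets
from urllib.parse import urlencode, quote, urlsplit, parse_qs

# Authorize endpoint as given on the page.
AUTHORIZE_URL = "https://secure.myob.com/oauth2/account/authorize"

# The page says the code expires 2-5 minutes after issue; treat the lower
# bound as the hard limit so a stale code is never sent to the token step.
CODE_MAX_AGE_SECONDS = 120


def build_authorize_url(client_id, redirect_uri, scopes, reconsent=False, state=None):
    """Return the URL to send the customer to.

    scopes      -- list of granular scope names; joined with single spaces
                   as the page requires, then percent-encoded (space -> %20).
    redirect_uri-- percent-encoded in full ('/' -> %2F) by urlencode with
                   quote as the encoder; it must match the registered URI.
    reconsent   -- append prompt=consent to push an existing customer back
                   through the consent screen (e.g. after adding scopes).
    state       -- optional anti-CSRF token (assumption: not on the page).
    """
    if not scopes:
        raise ValueError("request at least one scope (least privilege, but not zero)")
    if any(" " in s or not s for s in scopes):
        raise ValueError("scope names must be single non-empty tokens")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
    }
    if reconsent:
        params["prompt"] = "consent"
    if state is not None:
        params["state"] = state
    # quote (not quote_plus) so spaces become %20 and '/' is encoded too.
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def new_state():
    """Generate an unguessable state value to store in the user's session."""
    return secrets.token_urlsafe(32)


def parse_callback(callback_url, registered_redirect_uri, expected_state=None):
    """Validate the URL MYOB redirected to and pull out code and businessId.

    Rejects a callback whose scheme/host/path differ from the registered
    redirect URI and, when a state was issued, one whose state does not match.
    Returns a dict with the code (for the token step) and the businessId,
    which the page says is used as the cf_uri in subsequent API calls.
    """
    got = urlsplit(callback_url)
    reg = urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (reg.scheme, reg.netloc, reg.path):
        raise ValueError("callback does not match the registered redirect URI")
    qs = parse_qs(got.query)
    if expected_state is not None and qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    missing = [k for k in ("code", "businessId") if k not in qs]
    if missing:
        raise ValueError("callback is missing " + ", ".join(missing))
    return {"code": qs["code"][0], "business_id": qs["businessId"][0]}


def code_is_fresh(received_at, now):
    """True if a code received at `received_at` (epoch seconds) may still be
    exchanged at `now`; a negative age (clock skew) is also rejected."""
    return 0 <= now - received_at <= CODE_MAX_AGE_SECONDS


if __name__ == "__main__":
    # Placeholder values (constructed for this example).
    state = new_state()
    url = build_authorize_url(
        "YOUR_API_KEY", "https://app.example/myob/callback",
        ["example.scope.read", "example.scope.write"], reconsent=True, state=state,
    )
    print(url)
    cb = f"https://app.example/myob/callback?code=AUTHCODE&businessId=00000000-0000-0000-0000-000000000000&state={state}"
    print(parse_callback(cb, "https://app.example/myob/callback", expected_state=state))
```

The redirect URI check compares scheme, host and path exactly rather than by prefix, so a callback to a lookalike host or a different path on the same host is refused before the code is ever sent to the token endpoint.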
Available Granular Data Scopes