Headers

  Date Updated: Oct 2021

With the two APIs (desktop and online), we have worked hard to keep the differences between them to a minimum. All our endpoints and calls are the same, making it easy to have apps work in either environment. The only thing you need to change between the two is the set of headers you send to talk to the APIs.

Online & OAuth

Header | Takes
Authorization | Bearer [OAUTH_ACCESS_TOKEN]
x-myobapi-cftoken | [Base64Encode(username:password)]
x-myobapi-key | [dev_key]
x-myobapi-version | v2
Accept-Encoding | gzip,deflate

Accept-Encoding is recommended: it compresses the data returned from the server, reducing download size.

This isn't a required header during Postman collection environment connection as it's pre-coded to auto capture tokens.

An example of this could look like:


Authorization: Bearer [OAUTH_ACCESS_TOKEN]
x-myobapi-cftoken: ABCta353c5R6YXRvcjo=
x-myobapi-key: [API_KEY_HERE]
x-myobapi-version: v2

Note: 'ABCta353c5R6YXRvcjo=' above is an example only; replace it with your own credentials.

Working locally?

Header | Takes
Authorization | Basic [Base64Encode(username:password)]
Or x-myobapi-cftoken | [Base64Encode(username:password)]
x-myobapi-key | [dev_key]
x-myobapi-version | v2

An example using the Authorization header:


Authorization: Basic ABCta353c5R6YXRvcjo=
x-myobapi-version: v2

The recommended method is to use the x-myobapi-cftoken header, as in this example:


x-myobapi-cftoken: ABCta353c5R6YXRvcjo=
x-myobapi-version: v2

Note: 'ABCta353c5R6YXRvcjo=' above is an example only; replace it with your own credentials.

If-None-Match and HTTP Etag

Compare ETag for current version of a resource

ETag is returned across all our endpoints as part of the response headers and can be used in conjunction with If-None-Match as a way to check if a collection list or individual resource has changed.

The ETag response header looks like: ETag: "-1674987083"

To query this through our request headers, pass it like so: If-None-Match: "-1674987083"

If the collection or individual resource hasn't been modified based on the request made, 304 Not Modified is returned with an empty body. If the resource has been modified, a 200 success code is returned along with the resource.

If-Modified-Since

If-Modified-Since for contact collection

The If-Modified-Since request header is used to make conditional calls to our contact endpoints, checking whether the requested contact resource has been modified since the time specified in this field.

To query this through our request headers, pass like so: If-Modified-Since: Fri, 21 Mar 2020 02:51:32 GMT

If the contact resource hasn't been modified based on the request made, 304 Not Modified is returned with an empty body. If the resource has been modified, a 200 success code is returned along with the resource.

Note: conditional calls are only valid for an individual contact resource, with the date in HTTP-date format.

The Company files

Accessing with 'Username | Password'

Each company file in MYOB AccountRight can carry a username and password to authenticate the file's users. When accessing the company file via the API (regardless of desktop or online) you must pass the username and password for the company file as a Base64-encoded string. This is known as Basic Authentication. Many languages have a function along the lines of Base64Encode(Username:Password).

Note: you must put a : between the username and password.

The desktop accepts the company file (cf) credentials, Base64 encoded, in either the Basic Authorization header or a custom x-myobapi-cftoken header.

The cloud requires three elements in the header: the Authorization header carrying the OAuth token, the x-myobapi-cftoken header carrying the company file credentials in Base64 encoding, and the x-myobapi-key header carrying the developer key.
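
The header sets described above, as an added example (not MYOB's own code). It also shows that the company file token is only Base64 encoded, so it can be decoded back to the password and should be kept out of logs. The function names, the colon check on the username, and the sample credentials are assumptions made for this illustration.

```python
import base64

def cf_token(username, password=""):
    """Base64Encode(username:password) for the company file credentials."""
    if ":" in username:
        # Assumption (standard Basic auth parsing): the receiver splits on the
        # first ':', so a colon inside the username would be ambiguous.
        raise ValueError("username must not contain ':'")
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")

def decode_cf_token(token):
    """Base64 is reversible: anyone holding the token recovers the password."""
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd

def online_headers(access_token, dev_key, username, password=""):
    """Header set for the online (cloud) API."""
    return {
        "Authorization": f"Bearer {access_token}",
        "x-myobapi-cftoken": cf_token(username, password),
        "x-myobapi-key": dev_key,
        "x-myobapi-version": "v2",
        "Accept-Encoding": "gzip,deflate",
    }

def local_headers(username, password=""):
    """Header set for the desktop API, using the recommended cftoken header."""
    return {
        "x-myobapi-cftoken": cf_token(username, password),
        "x-myobapi-version": "v2",
    }

# Headers that carry credentials and must never reach logs or error reports.
SENSITIVE = frozenset({"authorization", "x-myobapi-cftoken", "x-myobapi-key"})

def redact(headers):
    """Return a copy of the headers that is safe to write to a log."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE else v)
            for k, v in headers.items()}

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hdrs = online_headers("EXAMPLE_ACCESS_TOKEN", "EXAMPLE_DEV_KEY", "Administrator", "")
    print(redact(hdrs))
    print(decode_cf_token(hdrs["x-myobapi-cftoken"]))
```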

Resources

Need a little more help with Authentication? Check out some of these handy online resources.