Data Scopes Guide for Accounting Connectors
Control which fields your application can access via the unified API. Data Scopes enforce field-level permissions on READ & WRITE operations, improving security and performance.
Note: Data Scopes are available for both HRIS and Accounting APIs. This guide covers the Accounting API. For HRIS, see the HRIS Data Scopes Guide.
Why Data Scopes
When you integrate accounting data, you rarely need every field. An invoice management app doesn't need supplier bank account details. A reporting dashboard doesn't need customer tax IDs.
Data Scopes solve this:
- Request only what you need - Connectors that support field selection will only fetch specified fields from downstream APIs
- Enforce least privilege - Your application cannot access fields outside the configured scope
- Simplify compliance - Document exactly which financial data your integration touches
When a connector doesn't support native field filtering, Apideck strips non-scoped fields from the response before returning data. Your app never sees them.
How It Works
Data Scopes operate at two levels:
- Application level: You define which fields your app can request across all consumers. Configure this in the Apideck dashboard.
- Consumer level: Each consumer must grant access to scoped fields before their connection becomes active. If you expand the scope later, consumers must re-consent.
Enabling Data Scopes
- Go to Configuration > Data Scopes in your Apideck dashboard
- Select Accounting from the Enabled APIs list
- Toggle Enable data scopes
- Expand a resource to see available fields
- Check the fields you need for Read and/or Write operations
- Click Save Changes
The field list shows only fields supported by your enabled connectors. If you don't see a field, enable more connectors first.
Example: Building an Invoice Dashboard
Say you're building an invoice tracking dashboard. You need invoice metadata and line items, but not sensitive supplier or customer financial details.
Configure these fields for the Invoices resource:
- id
- number
- customer (id, display_name, company_name)
- invoice_date
- due_date
- status
- total
- balance
- currency
- line_items
Leave unchecked:
- customer bank account fields
- tax identification numbers
- billing/shipping addresses (if not needed)
- custom fields containing sensitive data
For the Customers resource, include only:
- id
- display_name
- company_name
Leave unchecked:
- bank_accounts
- tax_number
- addresses
- notes
Now your dashboard shows invoice status and amounts without exposing sensitive financial or personal data.
Example: Expense Sync Application
Building an expense reporting tool that syncs with accounting software? You need expense details but not full supplier records.
Configure these fields for the Expenses resource:
- id
- transaction_date
- account_id
- line_items (description, total_amount, tracking_categories)
- memo
- currency
Leave unchecked:
- supplier bank details
- payment account numbers
- internal reference fields
Consumer Consent Flow
When Data Scopes are enabled, consumers see a consent screen before their connection becomes callable. This is managed through Vault:
- Consumer opens Vault to configure their accounting connection
- After authorization, they see the Requested Data Access prompt
- The prompt lists exactly which fields your app wants to access
- Consumer clicks Accept to grant access, or Deny to reject
If you change the scope configuration (e.g., by adding new fields), existing consumers must re-consent before requests succeed.
Best Practices
- Start minimal: Enable only the fields you actually use. You can always expand later.
- Separate read and write scopes thoughtfully: You might need to read invoice totals but never write to bank account fields.
- Consider multi-entity setups: If your users have multiple subsidiaries or locations, ensure your scopes cover the fields needed for entity selection.
- Handle re-consent gracefully: When you expand scopes, existing consumers must re-consent before requests succeed. Build UI to guide them back to Vault.
FAQ
What if a connector doesn't support field selection? Apideck still filters the response. The connector returns all fields, but Apideck strips any fields that are not granted before sending the data to your application. Your app never sees unauthorized data.
Do Data Scopes affect write operations? Yes. Write requests containing non-granted fields are rejected with a validation error. Only include fields within your configured scope.
What about nested objects? You can scope fields within nested objects. For example, you might allow line_items.description and line_items.total_amount while excluding line_items.tax_code.
Can I use different scopes for different resources? Yes. Each resource has its own scope configuration. A reporting dashboard might have broad read scopes on Invoices but no access to Bank Accounts at all.
What happens to existing consumers when I enable Data Scopes? They must grant access before making API requests. Until they consent, the connection won't be callable.
Can consumers see which fields I'm requesting? Yes. The consent screen shows the exact fields and resources your application wants to access. Transparency is the point.
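To make the enforcement behaviour described in this guide and FAQ concrete (non-granted fields stripped from READ responses, WRITE payloads containing non-granted fields rejected, dotted paths scoping fields inside nested objects such as line_items, and a separate scope per resource), here is an added Python example. It is not Apideck's code and does not call the Apideck API or SDK; it models the filtering logic on plain JSON-style dictionaries. The scope sets are constructed from the invoice dashboard and expense sync examples above (line_items is narrowed to two sub-fields to exercise nested scoping), and the sample invoice response and expense payload are constructed for the illustration.

```python
"""Field-level scope enforcement modelled on the behaviour this guide describes.

Added example, not Apideck's own code: READ responses are reduced to granted
fields, WRITE payloads with non-granted fields are rejected, dotted paths scope
nested objects, and each resource carries its own read/write scope.
"""
import json

# Constructed scopes based on the resources and fields listed in this guide.
# "invoices"/"customers" follow the invoice dashboard example; "expenses"
# follows the expense sync example and is the only resource allowed to write.
SCOPES = {
    "invoices": {
        "read": {"id", "number", "customer.id", "customer.display_name",
                 "customer.company_name", "invoice_date", "due_date", "status",
                 "total", "balance", "currency",
                 "line_items.description", "line_items.total_amount"},
        "write": set(),  # the dashboard never writes invoices
    },
    "customers": {"read": {"id", "display_name", "company_name"}, "write": set()},
    "expenses": {
        "read": set(),
        "write": {"transaction_date", "account_id", "memo", "currency",
                  "line_items.description", "line_items.total_amount",
                  "line_items.tracking_categories"},
    },
}


class ScopeError(Exception):
    """Raised when a request touches fields outside the configured scope."""


def _has_granted_child(granted, path):
    """True if some granted path lies below `path` (e.g. customer.id under customer)."""
    prefix = path + "."
    return any(g.startswith(prefix) for g in granted)


def filter_fields(data, granted, prefix=""):
    """Return a copy of `data` keeping only granted fields (READ enforcement).

    A path granted as a whole keeps all nested content; a path with only some
    children granted is recursed into; anything else is dropped. Lists are
    filtered element by element so line items behave like nested objects.
    """
    if isinstance(data, list):
        return [filter_fields(item, granted, prefix) for item in data]
    if not isinstance(data, dict):
        return data
    kept = {}
    for key, value in data.items():
        path = prefix + key
        if path in granted:
            kept[key] = value
        elif _has_granted_child(granted, path) and isinstance(value, (dict, list)):
            kept[key] = filter_fields(value, granted, path + ".")
        # a scalar cannot satisfy a nested grant; ungranted paths are dropped
    return kept


def rejected_write_fields(payload, granted, prefix=""):
    """Return the dotted paths in `payload` that fall outside the write scope."""
    violations = []
    if isinstance(payload, list):
        for item in payload:
            violations.extend(rejected_write_fields(item, granted, prefix))
        return violations
    if not isinstance(payload, dict):
        return violations
    for key, value in payload.items():
        path = prefix + key
        if path in granted:
            continue
        if _has_granted_child(granted, path) and isinstance(value, (dict, list)):
            violations.extend(rejected_write_fields(value, granted, path + "."))
        else:
            violations.append(path)
    return violations


def enforce_read(resource, data):
    """Apply the resource's read scope to a downstream response."""
    return filter_fields(data, SCOPES[resource]["read"])


def enforce_write(resource, payload):
    """Reject a payload with any non-granted field (validation error); else return it."""
    bad = rejected_write_fields(payload, SCOPES[resource]["write"])
    if bad:
        raise ScopeError(f"fields outside write scope for {resource}: {bad}")
    return payload


# Constructed downstream response containing sensitive customer and tax fields.
SAMPLE_INVOICE = {
    "id": "inv_123", "number": "INV-0042",
    "customer": {"id": "cus_7", "display_name": "Acme Ltd", "company_name": "Acme Ltd",
                 "tax_number": "GB123456789",
                 "bank_accounts": [{"account_number": "12345678"}]},
    "invoice_date": "2024-05-01", "due_date": "2024-05-31", "status": "authorised",
    "total": 1200.0, "balance": 600.0, "currency": "GBP",
    "line_items": [
        {"description": "Consulting", "total_amount": 1000.0, "tax_code": "VAT20"},
        {"description": "Travel", "total_amount": 200.0, "tax_code": "VAT0"},
    ],
    "billing_address": {"line1": "1 Main St", "city": "London"},
}

# Constructed expense payload that strays outside the write scope in two places.
SAMPLE_EXPENSE_WRITE = {
    "transaction_date": "2024-05-03", "memo": "Client visit",
    "line_items": [{"description": "Taxi", "total_amount": 42.0, "tax_code": "VAT20"}],
    "supplier": {"bank_accounts": [{"account_number": "99999999"}]},
}

if __name__ == "__main__":
    print(json.dumps(enforce_read("invoices", SAMPLE_INVOICE), indent=2))
    print(rejected_write_fields(SAMPLE_EXPENSE_WRITE, SCOPES["expenses"]["write"]))
```

Running the block prints the invoice with customer.tax_number, customer.bank_accounts, line_items.tax_code and billing_address removed, then the two offending write paths, line_items.tax_code and supplier. Reporting every violating path rather than only the first keeps the validation error actionable for the caller; a real service would also log the rejected paths for audit.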