Custom API access points


ERPLY Books aims to be the world’s best accounting software. Therefore, it needs to be easily accessible and at the same time reliable and secure. In this document, you can find a full list of methods available for accessing the API – from building your custom reports to mobile applications and other integrations. 

The following options are available: 

  • Use the API with a standard access token that you can create in the UI (Settings -> API settings). Most common integrations use this token. 
  • Create an access token for mobile apps or for customized limited access points, for example. This is a handy solution for mobile apps and when you want to make a certain functionality available for a user or even for public use. 
    • Options that are available with this method: 
      • Add a timestamp when the apikey expires
      • Add IP address(es) where this apikey is available
      • Add privilege names that are accessible with this token (everything else is not accessible)
      • Add custom report ids to the report generator (then only those reports can be opened with this apikey, no other modules, no other features)
    • To use this custom apikey solution, send POST api/organization/create_apikey and add the query parameters: 
      • ip – separate by commas
      • module – separate by commas
      • validToTimestamp – time in the future until when this is valid. When empty, the default value is 7 days
      • generatorId – separate by commas
    • Add header x-organisation-id to specify the organization id (if the user in question has one organization, this is not necessary)
    • If you want to use this method for mobile apps, then you want to send the username and password as this is the input users can add in their smart device. For this you don’t need to add an API token but instead add header x-auth-up where the value is username:password in Base64
    • After you get the apikey, you can make any API queries with this key (not with an ordinary API token). This apikey should be added to the header with the name of X-API-KEY
    • NB: if a user has the email 2FA enabled, then apikey is not returned before the user authorizes login from his/her email. The user has up to 60 seconds to do it. 
  • For ERPLY POS & inventory management: Use the ERPLY Books API with the ERPLY back office session key. This is used, for example, to add embedded app functionality in the ERPLY back office without hardcoding any user’s token to the ERPLY back office. 

NB: every access point that goes to the API is limited by the organization’s rules. This means the following: 

  • by adding IP limitations to the API, these will apply to every single access point
  • If a user has 2FA enabled, then the API is still accessible (2FA must be validated if requesting create_apikey). To disable this, we recommend disabling API access to the user from user settings.