OAuth 2.0 redirect endpoint for QuickBooks Online. Intuit redirects the browser here with code, state, and realmId after authorization.
The handler decodes tenantId and csrf from the base64url state parameter, exchanges the code for access and refresh tokens, stores credentials in the tenant secret qbo_credentials keyed by realmId, and redirects back to /msp/settings with qbo_status=success or qbo_status=failure and an error code. The handler always responds with a redirect, never with JSON.
Like the connect route, this route is not currently listed in apiKeySkipPaths, so middleware may reject real Intuit callbacks that do not include x-api-key.
Query parameters
code (string, optional)
OAuth 2.0 authorization code returned by Intuit. Required unless Intuit sends an error parameter.
state (string, optional)
Base64url-encoded JSON containing tenantId and csrf generated by the connect endpoint.
realmId (string, optional)
QuickBooks company/realm ID returned by Intuit.
error (string, optional)
OAuth error returned by Intuit when authorization fails or is denied.
Response codes
307
Redirect to the MSP settings integrations page. Success redirects with qbo_status=success; failures redirect with qbo_status=failure and an error such as qbo_error, missing_params, invalid_state, csrf_mismatch, config_error, token_exchange_failed, or callback_processing_error. The handler returns no JSON body.
401
Middleware-level API-key rejection can occur before the OAuth callback handler runs.
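An added example, not the project's handler code: one way to run the checks that precede the token exchange in Node.js, returning the error codes listed above. The function names, the order of the checks, and the source of expectedCsrf are assumptions; the sample values in the usage are constructed.

```javascript
// Added example; function names and check order are assumptions.

// Mirrors the state format the connect endpoint is described as generating.
function encodeState(tenantId, csrf) {
  return Buffer.from(JSON.stringify({ tenantId, csrf })).toString("base64url");
}

// Decode state into { tenantId, csrf }; return null if it is malformed.
function decodeState(state) {
  if (typeof state !== "string" || !/^[A-Za-z0-9_-]+$/.test(state)) return null;
  try {
    const parsed = JSON.parse(Buffer.from(state, "base64url").toString("utf8"));
    if (parsed === null || typeof parsed !== "object") return null;
    const { tenantId, csrf } = parsed;
    if (typeof tenantId !== "string" || tenantId === "") return null;
    if (typeof csrf !== "string" || csrf === "") return null;
    return { tenantId, csrf };
  } catch {
    return null; // decoded bytes were not valid JSON
  }
}

// Compare two strings without exiting early at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// expectedCsrf is the value issued to this browser by the connect endpoint;
// where it is kept (cookie, session) is not stated on the page.
// Returns { ok: false, error } or { ok: true, tenantId, realmId }.
function validateCallback(query, expectedCsrf) {
  const fail = (error) => ({ ok: false, error });
  if (query.error) return fail("qbo_error");
  if (!query.code || !query.state || !query.realmId) return fail("missing_params");
  const state = decodeState(query.state);
  if (!state) return fail("invalid_state");
  if (!constantTimeEqual(state.csrf, String(expectedCsrf ?? ""))) return fail("csrf_mismatch");
  return { ok: true, tenantId: state.tenantId, realmId: query.realmId };
}
```

Only a result with ok set to true should reach the token exchange; every other result maps to a qbo_status=failure redirect.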