Start QuickBooks Online OAuth flow

Browser-navigated endpoint that initiates the QuickBooks Online OAuth 2.0 authorization flow. The handler resolves tenant context with createTenantKnex, reads qbo_client_id from app secrets, generates a random CSRF value, embeds {tenantId, csrf} as base64url JSON in the state parameter, and redirects to Intuit at appcenter.intuit.com/connect/oauth2. The CSRF value is currently logged but not persisted, and the callback currently treats CSRF as valid. The route is not currently listed in apiKeySkipPaths, so middleware may require x-api-key before the browser can reach the handler.

Response codes

302

Redirect to Intuit OAuth authorization URL. Location includes client_id, response_type=code, QuickBooks accounting scope, redirect_uri, and encoded state. The handler returns no JSON body.

401

Tenant context is missing in the handler, or x-api-key is missing at middleware before the handler runs.

500

QBO client ID is not configured, or an unexpected error occurred while constructing the authorization redirect.

GET /api/integrations/qbo/connect

cURL

curl -X GET "https://algapsa.com/api/integrations/qbo/connect" \
  -H "X-API-Key: $ALGA_API_KEY"

TypeScript

const response = await fetch("https://algapsa.com/api/integrations/qbo/connect", {
  method: "GET",
  headers: {
    "X-API-Key": "$ALGA_API_KEY",
  }
});
const data = await response.json();

using var client = new HttpClient();
using var request = new HttpRequestMessage(HttpMethod.Get, "https://algapsa.com/api/integrations/qbo/connect");
request.Headers.TryAddWithoutValidation("X-API-Key", "$ALGA_API_KEY");
var response = await client.SendAsync(request);
var body = await response.Content.ReadAsStringAsync();