QuickBooks Online app assessment questionnaire
Guidance on completing Intuit's app assessment process
Introduction
All apps that intend to access QuickBooks Online production data must fill in a questionnaire as part of Intuit's app assessment process. Many of its questions require you to provide information about your organization and your app's use case.
However, some questions relate to Codat's integration with QuickBooks Online. We have provided guideline responses for such questions below. They are highlighted in bold.
Questionnaire
To access the questionnaire, navigate to Keys and credentials in your app's detailed view and toggle the environment to Production. Provide general app details in App details, then switch to the Compliance tab and click Start questionnaire.
App details
This section has several questions related to Codat. We provided detailed answers to the highlighted the responses you should choose in bold.
- Review your Intuit Developer Portal Profile and verify your email
This question should be answered by the app's developer.
- Add your app's end-user license agreement and privacy policy
This question should be answered by the app's developer.
- Add your app's host domain, launch URL, and disconnect URL
This question should be answered by the app's developer based on the guidelines provided below.
-
Host domain: the URL of the domain host of your website or app.
-
Launch URL: Initial URL for your app's authorization flow. If using Hosted Link, provide the generic LinkLink The authorization flow that allows end users to connect their accounting, banking, or commerce platforms to your application via Codat. URL from the Codat Portal.
-
Disconnect URL: LinkLink The authorization flow that allows end users to connect their accounting, banking, or commerce platforms to your application via Codat. to the process for deauthorizing the app's access to QBO. This can be the URL of the Unlink connection endpoint or a linkLink The authorization flow that allows end users to connect their accounting, banking, or commerce platforms to your application via Codat. to your website or app instead.
- Select at least one category for your app
This question should be answered by the app's developer.
- Tell us about any regulated industries that use your app
This question should be answered by the app's developer.
- Tell us where your app is hosted
As Codat interacts directly with QBO, the app's developer needs to include Codat's IPs and hosting locations as well as their own. Review our QBO integration reference for Codat's hosting details.
Compliance
General questions
There are no questions related to Codat in this section. Developers can answer all questions according to their own circumstances.
Lending
This section will only appear in your questionnaire if you confirmed that you are a lender earlier in the process. If you are not a lender, skip this section.
If you are a lender and don't see these questions in your questionnaire, go back to the Production Settings screen in the QuickBooks developer dashboard and ensure the Lending checkbox is ticked before proceeding.
There are no questions related to Codat in this section. Developers can answer all questions according to their own circumstances.
App information
This section has several questions related to Codat. We highlighted the responses you should choose in bold.
- Which of the following is true about your app? (At least one option must be checked)
| Option | Response |
|---|---|
| a | You built your app from scratch and wrote the code that lets it interact with Intuit APIsAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. and data |
| b | You used another platform or tool to build and code your app |
| c | Your app act as a platform that lets other app developers (outside your team or companyCompany In Codat, a company represents your customer's business entity. Companies can have multiple connections to different data sources.) integrate with QuickBooks |
| d | You require your app users to create an additional app or profile on the Intuit Developer platform in order to use your app |
| e | You were asked to create this app in order to get credentials/keys to be used on another platform that integrates with QuickBooks |
After selecting option B, provide these answers to the follow-on questions:
| Question | Response |
|---|---|
| What's the name of the platform or tool? | Codat |
| Provide a linkLink The authorization flow that allows end users to connect their accounting, banking, or commerce platforms to your application via Codat. to the platform or tool’s website | www.codat.io |
| Describe how your app interacts with the platform | We access our integration to QuickBooks Online via Codat’s APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. |
- What platform(s) does your app utilize and make APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. calls from? (Select all that apply)
This question should be answered by the app's developer.
- How does your app interact with Intuit product data?
This question should be answered by the app's developer.
- Are you building a private app for your team or business? Or do you plan to make it publicly available?
| Option | Response |
|---|---|
| a | We're building a private app |
| b | We plan to make our app publicly available |
After selecting option B, provide an estimated number of QuickBooks Online users you expect to connect.
- Which types of QuickBooks Online users can use your app?
| Option | Response |
|---|---|
| a | Any admin of the QuickBooks Online companyCompany In Codat, a company represents your customer's business entity. Companies can have multiple connections to different data sources. |
| b | Any user of the QuickBooks Online companyCompany In Codat, a company represents your customer's business entity. Companies can have multiple connections to different data sources. |
- Does your app integrate with platforms other than Intuit?
This question should be answered by the app's developer.
Authorization and authentication
This section has several questions related to Codat. We highlighted the responses you should choose in bold.
- Have you tested connecting, disconnecting, and reconnecting your app with a sandbox or non-production companyCompany In Codat, a company represents your customer's business entity. Companies can have multiple connections to different data sources.?
This question should be answered by the app's developer. Testing the app is a mandatory requirement and Intuit will reject the app if you provide No as a response.
- How often does your app refresh access tokens?
| Option | Response |
|---|---|
| a | Every time it makes an APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. call |
| b | Only when access tokens expire |
| c | More than once a day |
| d | Daily |
| e | Weekly |
| f | Other - specify a timeframe |
- Does your app retry authorization and authentication requests that have failed?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
- If your app encounters an authorization and authentication error, do you ask customers to reconnect to your app?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
- Did you use the Intuit discovery document to get the latest endpoints required in the OAuth2.0 flow?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
- Can your app handle the following scenarios? (yes/no)
| Scenario | Response |
|---|---|
| Errors due to expired access tokens | Yes |
| Errors due to expired refresh tokens | Yes |
| Invalid grant errors | Yes |
| CSRF errors | Yes |
- Does your app rely on the OAuth playground or other offline tools to get access or refresh tokens?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. usage
This section has several questions related to Codat. We highlighted the responses you should choose in bold.
- Which of the broad APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. categories does your app use? (multiple choice)
| Category | Response |
|---|---|
| Accounting APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. | Yes |
| Payments APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. | No |
| Payroll APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. | No |
Codat does not integrate with the Payments or Payroll APIsAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms..
- How often does your app call our APIsAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. for each customer? (multiple choice)
This question should be answered by the app's developer.
Accounting APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms.
This section will appear in the questionnaire once you select Accounting APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. in the previous set of questions.
- Which customer-facing version of QuickBooks Online is your app designed for? (Select all that apply)
| Version | Response |
|---|---|
| Simple Start | No |
| Essentials | Yes |
| Plus | Yes |
| Advanced | Yes |
- Users often change versions of QuickBooks Online. This means they may get access to new features, or lose certain features, at any time. Can your app handle situations where users gain or lose access to version-specific features?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
After selecting option A, provide this answer to the follow-on question:
| Question | Response |
|---|---|
| Tell us how you plan to handle this situation | For gains in features, there is no impact to the end user. For loss of features, error messages are generated where permissions for the required features are missing. |
- Does your app utilize any of the following features? (Select all that you've verified and thoroughly tested)
| Feature | Response |
|---|---|
| Multi-currency | Yes |
| Sales tax - For QuickBooks companies in the United States | Yes |
| Sales tax - For QuickBooks companies outside of the United States | Yes |
| None of the above | N/A |
- Do you use webhooksWebhook An automated notification sent from Codat to your application when specific events occur, such as when data syncs complete or connections change status. for your app?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
Codat doesn't use QuickBooks Online webhooksWebhook An automated notification sent from Codat to your application when specific events occur, such as when data syncs complete or connections change status., although we have our own webhook service.
- Do you use the CDC operation for your app?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
After selecting option A, provide these answers to the follow-on questions:
i. Why do you use the CDC operation?
| Option | Response |
|---|---|
| a | Using webhooksWebhook An automated notification sent from Codat to your application when specific events occur, such as when data syncs complete or connections change status. doesn't give me the information I need |
| b | Querying specific entities doesn't give me the information I need |
| c | Other (Tell us why you use the CDC operation) |
After selecting option C, provide this additional information:
Codat uses CDC to queue syncsSync The process of fetching the latest data from a connected data source. Syncs can be triggered manually or run automatically on a schedule. for changes in specific endpoints (customers and refund receipts)
ii. How often do you poll the CDC service?
| Option | Response |
|---|---|
| a | Weekly |
| b | Daily |
| c | Hourly |
| d | More than once an hour |
| e | Other - specify a timeframe |
After selecting option E, provide this additional information:
Adhoc on requests for new data.
Error handling
- Have you tested if your app can handle APIAPI A set of rules and protocols that allows different software applications to communicate with each other. Codat provides APIs for accessing financial data from accounting, banking, and commerce platforms. errors, including syntax and validation errors?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
- Does your app capture the value of the
intuit_tid fieldfrom response headers?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
- Does your app have a mechanism for storing all error information in logs that can be shared for troubleshooting purposes, if required?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
- Do you provide a way for customers to contact you for support from within your app?
This question should be answered by the app's developer.
Security
- Has your companyCompany In Codat, a company represents your customer's business entity. Companies can have multiple connections to different data sources. ever had a security breach that required notification to customers or government agencies/authorities?
This question should be answered by the app's developer.
- Do you have a security team that regularly assesses vulnerabilities and risks for your app?
This question should be answered by the app's developer.
- Are the client ID and client secret for your app stored securely (i.e. not hardcoded within your app or displayed in browser console logs)?
| Option | Response |
|---|---|
| a | Yes |
| b | No |
- Does your app use multi-factor authentication?
This question should be answered by the app's developer.
- Does your app use Captcha for authentication?
This question should be answered by the app's developer.
- Does your app use WebSocket?
This question should be answered by the app's developer.
- Once a customer's Intuit data is in your system, do you allow it to be used by or shown to anyone other than that customer?
This question should be answered by the app's developer.