Yes, Quickbooks is free to use.

How do I install Quickbooks?

Quickbooks is a local plugin. Install it using npm package: @mindstone/mcp-server-quickbooks and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Quickbooks need?

Quickbooks requires the following credentials or environment variables: QUICKBOOKS_CLIENT_ID, QUICKBOOKS_CLIENT_SECRET, QUICKBOOKS_REFRESH_TOKEN, QUICKBOOKS_REALM_ID, QUICKBOOKS_ENVIRONMENT, QB_ALLOW_PROD_WRITES. You can find setup instructions on the server detail page.

What AI apps work with Quickbooks?

Quickbooks uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Quickbooks MCP Server

by Mindstone

Business ToolsLow Risk9.6MCP RegistryLocal

Free

Server data from the Official MCP Registry

QuickBooks Online MCP server: invoices, bills, customers, vendors, employees, and accounts

About

QuickBooks Online MCP server: invoices, bills, customers, vendors, employees, and accounts

Security Report

9.6

Low Risk9.6Low Risk

Valid MCP server (1 strong, 1 medium validity signals). 1 code issue detected. No known CVEs in dependencies. ⚠️ Package registry links to a different repository than scanned source. Imported from the Official MCP Registry. 2 finding(s) downgraded by scanner intelligence.

14 files analyzed · 2 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

file_system

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

Intuit Developer app client IDOptional

Environment variable: QUICKBOOKS_CLIENT_ID

Intuit Developer app client secretRequired

Environment variable: QUICKBOOKS_CLIENT_SECRET

OAuth 2.0 refresh tokenRequired

Environment variable: QUICKBOOKS_REFRESH_TOKEN

QuickBooks company (realm) IDOptional

Environment variable: QUICKBOOKS_REALM_ID

sandbox or productionOptional

Environment variable: QUICKBOOKS_ENVIRONMENT

Set to exactly 1 to enable mutating tools (secure-by-default; required since 0.3.0)Optional

Environment variable: QB_ALLOW_PROD_WRITES

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-mindstone-mcp-server-quickbooks": {
      "env": {
        "QUICKBOOKS_REALM_ID": "your-quickbooks-realm-id-here",
        "QB_ALLOW_PROD_WRITES": "your-qb-allow-prod-writes-here",
        "QUICKBOOKS_CLIENT_ID": "your-quickbooks-client-id-here",
        "QUICKBOOKS_ENVIRONMENT": "your-quickbooks-environment-here",
        "QUICKBOOKS_CLIENT_SECRET": "your-quickbooks-client-secret-here",
        "QUICKBOOKS_REFRESH_TOKEN": "your-quickbooks-refresh-token-here"
      },
      "args": [
        "-y",
        "@mindstone/mcp-server-quickbooks"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

mcp-servers

Source-available MCP servers by Mindstone. Works with any MCP host — Claude Desktop, Cursor, Rebel, and others.

Browse all 35 connectors with their version, auth model, and tool count at the catalogue site (regenerated from each connector's STATUS.json on every push).

Connectors

Connector	Description
apple-shortcuts	Run and list Apple Shortcuts on macOS via the `shortcuts` CLI
browser-automation	Headless browser control via accessibility snapshots — navigate, fill forms, click, and screenshot pages via the agent-browser CLI
elevenlabs	Generate speech, music, and sound effects, browse voices, and transcribe audio via the ElevenLabs API
email-imap	Read, search, send, and manage emails through IMAP and SMTP
fathom	List and search meetings, view details, read transcripts, and manage teams via Fathom AI
freshdesk	Manage helpdesk tickets, search support requests, reply to customers, and add internal notes
gamma	Create AI-powered presentations, documents, webpages, and social posts via Gamma
google-analytics	Discover GA4 accounts and properties, explore the live schema, and run reports via the Google Analytics API
google-workspace	Read, search, and send across Gmail, Calendar, Drive, Docs, Sheets, Slides, Contacts, and Comments with host-orchestrated OAuth and per-account on-disk credentials
hubspot	Manage HubSpot CRM — contacts, companies, deals, tickets, leads, tasks, notes, properties, lists, workflows, knowledge base, and files — with multi-account, host-orchestrated OAuth
humaans	Query employee profiles, job roles, time-away requests, and company info via Humaans HR
kling	Generate AI videos from text descriptions or images via Kling AI
microsoft-calendar	List, create, update, and respond to Outlook calendar events, check free/busy, and list calendars; reuses the cohort's host-orchestrated Microsoft 365 OAuth surface
microsoft-files	List, search, upload, download, share, and read OneDrive files via Microsoft Graph; reuses the cohort's host-orchestrated Microsoft 365 OAuth surface
microsoft-mail	List, search, read, send, reply, forward, draft, move, and delete Outlook email; owns the cohort's host-orchestrated Microsoft 365 OAuth surface
microsoft-sharepoint	Discover sites, browse libraries, read pages and lists, search content, and mutate SharePoint files/lists with incremental Sites.Read.All consent
microsoft-teams	List and read Teams chats, send chat messages, list teams and channels, and read presence; reuses the cohort's host-orchestrated Microsoft 365 OAuth surface
mixmax	Manage sequences, send tracked emails, use templates, and monitor engagement via Mixmax
nano-banana	Generate and edit images using Google Gemini's AI capabilities
napkin	Generate professional visuals — diagrams, infographics, and illustrations — from text via Napkin AI
office	Read and edit Word documents, Excel workbooks, and PowerPoint presentations from desktop Microsoft 365 via an Office Add-in sidecar
openai-image	Generate and edit images via OpenAI's `gpt-image-2` — sharp text rendering, multilingual support, and four quality levels
outreach	Manage prospects, sequences, accounts, tasks, and mailings via the Outreach sales engagement API
pandadoc	Create, send, and manage documents, templates, and e-signatures via PandaDoc
quickbooks	Manage invoices, bills, customers, vendors, employees, and accounts in QuickBooks Online
replit-ssh	Read, write, list, and check files on Replit projects over SSH/SFTP, with one-shot SSH key + config setup on the operator's machine
retell-ai	Place voice-agent phone calls, manage agents and LLM prompts, and discover voices via the Retell AI API
runway	Generate AI video, images, audio, speech, and sound effects via Runway ML
salesforce	Manage accounts, contacts, opportunities, leads, tasks, users, and custom objects via the Salesforce API
servicenow	Manage incidents, change requests, users, and knowledge base articles in ServiceNow
slack	Multi-workspace Slack — channels, messages, threads, reactions, users, files, bookmarks, and scheduled messages via the Slack Web API, with host-orchestrated OAuth
talentlms	Manage users, courses, groups, branches, enrolments, and assessments in TalentLMS
vanta	Read and manage compliance posture in Vanta — vulnerabilities, tests, controls, evidence, resources, people, vendors, documents, and compliance summary
workday	Query workers, profiles, and organizations in Workday HCM
zendesk	Manage tickets, macros, users, and views in Zendesk Support

Quick Start

Each server builds independently:

cd connectors/<name>
npm install
npm run build

Or run directly via npx (once published):

npx -y @mindstone/mcp-server-zendesk

Moving from @mindstone-engineering/? Every server has been republished under the shorter @mindstone/ npm scope. The legacy @mindstone-engineering/mcp-server-* packages still install but are marked deprecated. See MIGRATION.md for the consumer one-liner and the deprecation timeline.

See each server's README for configuration and host setup instructions. Some connectors require additional environment variables to opt into specific behaviour (e.g. QB_ALLOW_PROD_WRITES for QuickBooks production writes, MCP_WORKSPACE_PATH for sandboxed file reads, BROWSER_AUTOMATION_ALLOW_EVAL for browser-automation script eval) — see the per-connector READMEs for the full list.

Security & Hardening

This monorepo follows a defence-in-depth posture for tool-call hosts. Highlights include:

Workflow safety. GitHub Actions workflows are env-fy'd against script injection (CWE-94), every action is pinned to a commit SHA (kept current by Dependabot), and each job is granted a least-privilege permissions: block. Publish is split into a build job (does the install/test/pack with no publish credentials) and a publish job (downloads the packed tarball, runs only npm publish --ignore-scripts --provenance under OIDC trusted publishing, gated by the npm-publish environment). The publish job invokes NO third-party JS — tsc, vitest, lifecycle scripts, etc. all run upstream, away from id-token: write. See docs/security/AUDIT_FOX-3319_tanstack_supply_chain.md for the supply-chain threat model and docs/security/BRANCH_PROTECTION.md for required GitHub settings.
Release-age cool-down. The repo-level .npmrc sets min-release-age=7 (days), so CI refuses to install dependency versions published in the last week. This blocks the "same-day malicious re-publish" path that ships post-npm audit-clean PRs into a release tag.
Reproducible release tarballs. Releases are currently published manually under the @mindstone/ npm scope from a wave-lead's machine, behind a human approval gate (see docs/PUBLISH_APPROVAL_PROCESS.md). Provenance attestations are not produced for manual publishes, but the tarball shasum is human-verifiable: check out mindstone/mcp-servers at the release tag and run npm pack — the resulting tarball must match the one on the npm registry. See MIGRATION.md for the consumer verification one-liner.
OpenSSF Scorecard. The repo runs the OpenSSF Scorecard weekly via .github/workflows/scorecard.yml. The report is generated by a third party from the source tree, so every claim above (action pinning, branch protection, token usage, dependency hygiene) is independently checked rather than just asserted here. The current score is shown by the badge at the top of this README.

Recommendations for consumers

These connectors are published as plain npm packages. The strongest single thing you can do to protect yourself from a future supply-chain compromise of any npm package (these or otherwise) is to use a client that does not run lifecycle scripts by default:

pnpm (pnpm install / pnpm dlx) — does not execute postinstall/prepare hooks unless explicitly allowlisted via onlyBuiltDependencies. pnpm v11+ also defaults to a 24-hour minimumReleaseAge cool-down.
bun (bunx) — same default, no lifecycle scripts unless allowlisted.
npm — if you must use npm, set min-release-age=7 and ignore-scripts=true in your global ~/.npmrc. Requires npm v11.10+ for min-release-age.

None of our published packages need postinstall to function, so disabling lifecycle scripts in your installer of choice is safe.

Untrusted-content envelopes. External content from email, helpdesk, and ticketing systems (email-imap, freshdesk, zendesk) is wrapped in <untrusted-content source="..."> envelopes with close-tag breakout escaping, so an LLM host can recognise and refuse instruction-injection attempts.
Workspace sandboxing. File-uploading connectors (nano-banana, pandadoc, elevenlabs) constrain reads to MCP_WORKSPACE_PATH (or os.tmpdir()) with canonical-prefix containment that handles symlinked roots like /tmp → /private/tmp.
Secure-by-default writes. Production-impacting writes (QuickBooks invoices/bills/customers/vendors) require an explicit QB_ALLOW_PROD_WRITES=1 opt-in env var; outreach prospect-enrolment and mixmax sequence-recipient tools carry destructiveHint: true so hosts surface confirmation prompts.
SSRF & path traversal. Download connectors (napkin, runway) enforce host allow-lists, manual-redirect handling, and symlink-safe write paths under a configurable root.
Loopback OAuth bind. Connectors with local OAuth callback servers (salesforce, outreach) hard-code 127.0.0.1, ignoring any MCP_OAUTH_BIND_HOST override.
E.164 validation. Outbound phone-call tools (retell-ai) reject non-E.164 numbers before any upstream API call.

For per-connector security notes, see each connector's README.

To report a vulnerability, please see SECURITY.md.

Licence

Each connector is licensed under FSL-1.1-MIT — see the LICENSE file in each connector directory for details.

Reviews

No reviews yet

Be the first to review this server!

More Business Tools MCP Servers

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

MarkItDown

Free

by Microsoft · Content & Media

Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption

Quickbooks MCP Server

About

Security Report

Findings (2)

Permissions Required

What You'll Need

How to Install

Documentation

mcp-servers

Connectors

Quick Start

Security & Hardening

Recommendations for consumers

Licence

Reviews

No reviews yet

More Business Tools MCP Servers

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent

Google Workspace MCP