Back to Browse
Free
Server data from the Official MCP Registry
MCP server for QuickBooks Online — accounts, customers, invoices, bills, and reports.
About
MCP server for QuickBooks Online — accounts, customers, invoices, bills, and reports.
Security Report
4.8
Use Caution4.8High RiskThis QuickBooks Online MCP server demonstrates solid security practices with proper authentication mechanisms, credential isolation through AsyncLocalStorage, and safe API handling. The codebase is well-structured with clear separation of concerns. Minor code quality issues around input validation and error handling exist but do not indicate security vulnerabilities. Permissions are appropriately scoped to the server's purpose of interfacing with QBO APIs. Supply chain analysis found 3 known vulnerabilities in dependencies (2 critical, 0 high severity).
7 files analyzed · 9 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Permissions Required
This plugin requests these system permissions. Most are normal for its category.
What You'll Need
Set these up before or after installing:
QuickBooks Online OAuth2 client ID from the Intuit developer app
Environment variable: QBO_CLIENT_ID
QuickBooks Online OAuth2 client secretRequired
Environment variable: QBO_CLIENT_SECRET
OAuth2 refresh token for the connected QuickBooks companyRequired
Environment variable: QBO_REFRESH_TOKEN
QuickBooks Online company (realm) ID
Environment variable: QBO_REALM_ID
QuickBooks API environment: 'sandbox' or 'production'
Environment variable: QBO_ENVIRONMENT
Transport mode for the server. Set to 'stdio' for local CLI use; the image defaults to 'http' for gateway hosting.
Environment variable: MCP_TRANSPORT
Credential source: 'env' reads vars locally, 'gateway' expects header injection from the WYRE MCP Gateway.
Environment variable: AUTH_MODE
Log verbosity: debug, info, warn, error
Environment variable: LOG_LEVEL
How to Install
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-wyre-technology-qbo-mcp": {
"env": {
"AUTH_MODE": "your-auth-mode-here",
"LOG_LEVEL": "your-log-level-here",
"QBO_REALM_ID": "your-qbo-realm-id-here",
"MCP_TRANSPORT": "your-mcp-transport-here",
"QBO_CLIENT_ID": "your-qbo-client-id-here",
"QBO_ENVIRONMENT": "your-qbo-environment-here",
"QBO_CLIENT_SECRET": "your-qbo-client-secret-here",
"QBO_REFRESH_TOKEN": "your-qbo-refresh-token-here"
},
"args": [
"-y",
"@wyre-technology/qbo-mcp"
],
"command": "npx"
}
}
}Documentation
View on GitHubFrom the project's GitHub README.
QuickBooks Online MCP Server
Model Context Protocol (MCP) server for the QuickBooks Online Accounting API. Exposes 130+ tools across 22 QBO entities plus 10 financial reports for Claude and other MCP-compatible clients.
One-Click Deployment
Note on registry auth: This server depends only on public npm packages, so the Cloudflare and DigitalOcean cloud builders install its dependencies anonymously — no token is required for one-click deploy. (If a future release adds a private
@wyre-technology/*dependency, you would supply a GitHub PAT withread:packagesas a build variable —NODE_AUTH_TOKENfor Cloudflare Workers, a build-timeGITHUB_TOKENsecret for DigitalOcean.)Installing the published package: The released package is published to the GitHub Packages npm registry, which requires authentication on every install (even for public packages). To install it, authenticate npm to
npm.pkg.github.comwith a GitHub PAT that hasread:packages:export NODE_AUTH_TOKEN=$(gh auth token) npm install @wyre-technology/qbo-mcp
Quick Start
Prerequisites
- Node.js >= 20
- QuickBooks Online OAuth2 app credentials (requires an Intuit developer account)
Install and Build
npm install
npm run build
Run (stdio mode)
QBO_ACCESS_TOKEN=your-access-token QBO_REALM_ID=your-realm-id npm start
Run (HTTP mode)
MCP_TRANSPORT=http QBO_ACCESS_TOKEN=your-access-token QBO_REALM_ID=your-realm-id npm start
The server listens on http://0.0.0.0:8080/mcp by default.
Docker
docker build -t qbo-mcp .
docker run -p 8080:8080 \
-e MCP_TRANSPORT=http \
-e QBO_ACCESS_TOKEN=your-access-token \
-e QBO_REALM_ID=your-realm-id \
qbo-mcp
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
QBO_ACCESS_TOKEN | Yes (env mode) | — | QuickBooks Online OAuth2 access token |
QBO_REALM_ID | Yes (env mode) | — | QuickBooks Online company (realm) ID |
QBO_ENV | No | production | API environment: production or sandbox |
MCP_TRANSPORT | No | stdio | Transport type: stdio or http |
MCP_HTTP_PORT | No | 8080 | HTTP server port |
MCP_HTTP_HOST | No | 0.0.0.0 | HTTP server bind address |
AUTH_MODE | No | env | Auth mode: env or gateway |
Authentication
The server does not handle the OAuth flow — it consumes a pre-obtained access token. Two modes:
env mode (default). Token comes from QBO_ACCESS_TOKEN. Single tenant.
gateway mode. Token comes from per-request HTTP headers, isolated through AsyncLocalStorage so concurrent requests never share credentials. Set AUTH_MODE=gateway and send:
| Header | Required | Description |
|---|---|---|
X-Qbo-Access-Token | Yes | OAuth2 access token |
X-Qbo-Realm-Id | Yes | Company (realm) ID |
X-Qbo-Environment | No | production or sandbox (defaults to production) |
When QBO rejects the access token, the server returns an MCP error whose text begins with the literal prefix QBO_UNAUTHORIZED:. The intended contract is that the gateway detects this prefix, refreshes the OAuth token, and retries the request.
Sandbox Testing
Set QBO_ENV=sandbox (env mode) or X-Qbo-Environment: sandbox (gateway mode) to target Intuit's sandbox API at https://sandbox-quickbooks.api.intuit.com instead of production. Unrecognized values fail loudly (no silent fallback to production).
Available Tools
Tools are organized by domain. Call qbo_navigate with a domain name (e.g. customers, vendors, bills) to discover the tools in that domain. All tools are always callable — navigation is a discovery aid, not a prerequisite.
Entities (config-driven, 116 tools across 22 entities)
Each entity exposes some subset of list, get, create, update, search. Transactional entities support startDate/endDate filtering on the list operation. Updates are sparse and require the current SyncToken from a prior get.
Sales workflow
qbo_customers_*— list, get, create, searchqbo_invoices_*— list (Paid/Unpaid/Overdue status filter), get, create, sendqbo_estimates_*— list, get, create, updateqbo_sales_receipts_*— list, get, create, updateqbo_credit_memos_*— list, get, create, updateqbo_refund_receipts_*— list, get, create, updateqbo_payments_*— list, get, create
Purchase workflow
qbo_vendors_*— list, get, create, update, searchqbo_bills_*— list, get, create, update, searchqbo_bill_payments_*— list, get, create, updateqbo_vendor_credits_*— list, get, create, updateqbo_purchases_*— list, get, create, update (point-of-sale expenses)qbo_purchase_orders_*— list, get, create, update
Bank & money movement
qbo_deposits_*— list, get, create, updateqbo_transfers_*— list, get, create, updateqbo_journal_entries_*— list, get, create, update (balanced debit/credit)
Products & accounts
qbo_items_*— list, get, create, update, search (products and services)qbo_accounts_*— list, get, create, update, search (chart of accounts)
Classification & terms
qbo_classes_*— list, get, create, update, searchqbo_departments_*— list, get, create, update, searchqbo_terms_*— list, get, create, update, search (Net 30, etc.)qbo_payment_methods_*— list, get, create, update, search
Tax & company
qbo_tax_codes_*— list, get, search (read-only)qbo_tax_rates_*— list, get, search (read-only)qbo_company_info_*— list, get (read-only singleton)
People & time
qbo_employees_*— list, get, create, update, searchqbo_time_activities_*— list, get, create, update (billable time)
Attachments
qbo_attachables_*— list, get, create, update (metadata only; file upload uses a separate QBO endpoint)
Reports (10 tools)
qbo_reports_profit_and_lossqbo_reports_balance_sheetqbo_reports_cash_flowqbo_reports_trial_balanceqbo_reports_general_ledgerqbo_reports_aged_receivablesqbo_reports_aged_payablesqbo_reports_customer_salesqbo_reports_customer_balanceqbo_reports_vendor_expenses
Legacy expense tools (backwards compatibility)
qbo_expenses_list_purchases, qbo_expenses_get_purchase, qbo_expenses_list_bills, qbo_expenses_get_bill remain available. New work should use the dedicated qbo_purchases_* and qbo_bills_* tool families, which add create/update/search.
Testing
npm test # unit suite — fast, no credentials needed
npm run test:integration # hits a real QBO sandbox; skipped without creds
The integration suite calls one read tool per entity tier (customers, vendors, accounts, items, journal entries, company info) against Intuit's sandbox API. It only runs when both QBO_SANDBOX_ACCESS_TOKEN and QBO_SANDBOX_REALM_ID are present in the environment. CI wires these from the matching repo secrets and skips the job (with a clear notice) when they're absent — so dependabot/fork PRs don't fail.
License
Apache-2.0
Reviews
No reviews yet
Be the first to review this server!
More Developer Tools MCP Servers
Fetch
Freeby Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
80.0K
Stars
4
Installs
5.3
Security
No ratings yet
Local
Toleno
Freeby Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
137
Stars
508
Installs
8.0
Security
4.8
Local
mcp-creator-python
Freeby mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
-
Stars
68
Installs
10.0
Security
4.6
Local