QuickBooks Online OAuth bridge

Public site. Internal bookkeeping integration.

drews-books is a narrow operational service that connects QuickBooks Online companies, stores encrypted tokens, refreshes them safely, and exposes a clean server-side token path for the bookkeeping app.

What this service does

Connect companies

Start an Intuit OAuth flow, validate state server-side, and bind the connection to a QBO realm_id.

Persist encrypted tokens

Access and refresh tokens are encrypted before storage, and raw token values never belong in logs or UI.

Refresh and disconnect safely

Token lifecycle operations stay on the server and fail closed when a connection is inactive.

Public vs protected

  • / and /success are public informational pages.
  • /api/qbo/callback remains public because Intuit must be able to reach it.
  • Operator pages and sensitive routes are intended to stay behind edge auth from day one.
  • The downstream bookkeeping app should use getValidAccessToken(realmId) rather than rolling its own refresh logic.

Current implementation status: route/service layers and operator pages are in place; browser-flow verification is the current UI milestone.
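An added example (not the project's own code) of the server-side token path described under "Refresh and disconnect safely" and "Public vs protected": tokens are kept only in AES-256-GCM-encrypted form, getValidAccessToken refreshes when the access token is near expiry, fails closed for unknown or inactive connections, and logs the realm rather than the token. The in-memory store, the injected Refresher callback, the skew constant and the demo key are assumptions so the block runs offline.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Demo key so the example runs offline; a real deployment loads it from a secret manager.
const KEY = randomBytes(32);
const REFRESH_SKEW_MS = 60_000; // assumed: refresh once within 60 s of expiry

interface Connection {
  realmId: string;
  active: boolean;
  accessEnc: string;       // "iv:tag:ciphertext" in hex; the raw token is never stored
  refreshEnc: string;
  accessExpiresAt: number; // epoch ms
}

// Shape of the Intuit refresh call, injected so tests need no network (assumption).
export type Refresher = (refreshToken: string) => { access: string; refresh: string; expiresIn: number };

export function encrypt(plain: string): string {
  const iv = randomBytes(12); // fresh nonce per token; GCM must never reuse one under the same key
  const c = createCipheriv("aes-256-gcm", KEY, iv);
  const body = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return [iv, c.getAuthTag(), body].map((b) => b.toString("hex")).join(":");
}

export function decrypt(blob: string): string {
  const [iv, tag, body] = blob.split(":").map((h) => Buffer.from(h, "hex"));
  const d = createDecipheriv("aes-256-gcm", KEY, iv);
  d.setAuthTag(tag); // tampered ciphertext fails here instead of yielding garbage
  return Buffer.concat([d.update(body), d.final()]).toString("utf8");
}

// Server-side token path: the only place a plaintext access token is produced.
export function getValidAccessToken(
  store: Map<string, Connection>, realmId: string, refresh: Refresher, now = Date.now(),
): string {
  const conn = store.get(realmId);
  // Fail closed: unknown or disconnected realms never get a token, not even a cached one.
  if (!conn || !conn.active) throw new Error(`connection inactive for realm ${realmId}`);
  if (conn.accessExpiresAt - now > REFRESH_SKEW_MS) return decrypt(conn.accessEnc);
  const fresh = refresh(decrypt(conn.refreshEnc));
  // The refresh response may carry a rotated refresh token, so both are re-encrypted and persisted.
  conn.accessEnc = encrypt(fresh.access);
  conn.refreshEnc = encrypt(fresh.refresh);
  conn.accessExpiresAt = now + fresh.expiresIn * 1000;
  console.log(`refreshed QBO token for realm ${realmId}`); // log the realm id, never the token
  return fresh.access;
}
```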

Security posture