OAuth FAQ
Frequently Asked Questions Related to OAuth at Billit
Why OAuth?
Security incidents and fraud are rising fast. E-invoices must be protected. OAuth 2.0 adds security by:
- Using access tokens instead of passwords
- Limiting scope and lifetime of access
- Preventing password sharing with third parties
- Reducing the risk if a token or app is compromised
When do I need OAuth?
- Required: Using the Billit API
- Not required: SFTP integrations or direct login to the MyBillit portal
Logging in to MyBillit
Normal user login to the portal does not change when OAuth is active.
- Production: https://my.billit.eu
- Sandbox: https://my.sandbox.billit.eu
Sandbox vs Production
- Sandbox and Production have separate client_id and client_secret
- Credentials are not interchangeable
Finding your PartyID
- PartyID must be retrieved via the Account EndPoint:

API Key - Only allowed for non-commercial integrations.
A non-commercial integration is a personal integration developed and used exclusively by an individual or organization to automate their own administration. It is not shared, distributed, sold, or otherwise made available to third parties, and it has no commercial purpose or business model attached.
Do not share your API key with others; Billit will never ask for your API key.

Redirect URI
- A redirect URI is always required
- Can be https://localhost/... or another fixed URI
- Multiple redirect URIs are supported
- Dynamic redirect URIs are not supported
Why an initial login?
The first login collects user identity and consent. Tokens are issued based on this context.
Supported and not supported OAuth flows
- Supported: Authorization Code Flow (with refresh tokens) → for user-facing apps
- Not supported: Client Credentials Flow → for server-to-server integrations
Token lifetime & refresh
- Access tokens are valid for 60 minutes
- Always refresh before expiry using the refresh token
- If the access token has expired, use the refresh token to obtain a new one; no user interaction is needed
User login frequency
- Users log in once to authorize
- After that, refresh tokens keep the API connection alive
Revoked tokens
If a token is revoked:
- The user removed your app’s access to their Billit account
- Your app must request authorization again
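The following is an added example, not Billit's own code, showing how a client for the Authorization Code Flow described above would behave across the Redirect URI, Token lifetime & refresh, User login frequency and Revoked tokens sections: it only builds authorization requests for a redirect URI that exactly matches a registered one, refreshes the 60-minute access token a few minutes before it expires instead of after, and treats a rejected refresh (an invalid_grant error, the standard RFC 6749 response for a revoked or expired grant) as a signal that the user must authorize again. The authorization and token endpoint URLs, the client credentials and the FakeTokenEndpoint are placeholders or constructed stand-ins because the FAQ does not publish them; the five-minute refresh margin is this example's choice, not a Billit requirement.

```python
"""Authorization Code Flow client with proactive refresh (added example, not Billit's code)."""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode

# Placeholders: the FAQ does not publish Billit's OAuth endpoint URLs.
AUTHORIZE_URL = "https://AUTHORIZATION-ENDPOINT-PLACEHOLDER/authorize"
TOKEN_URL = "https://TOKEN-ENDPOINT-PLACEHOLDER/token"

ACCESS_TOKEN_LIFETIME = 60 * 60  # FAQ: access tokens are valid for 60 minutes
REFRESH_MARGIN = 5 * 60          # example's choice: refresh 5 minutes before expiry


class ReauthorizationRequired(Exception):
    """The refresh token was rejected (e.g. the user revoked the app): run the login flow again."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # Unix time


class BillitOAuthClient:
    def __init__(self, client_id, client_secret, registered_redirect_uris, token_request):
        self.client_id = client_id
        self.client_secret = client_secret
        # Only fixed, pre-registered redirect URIs: dynamic ones are not supported.
        self.registered_redirect_uris = tuple(registered_redirect_uris)
        # Callable that POSTs form fields to TOKEN_URL and returns the parsed JSON body
        # (injected so the example runs offline; in production use an HTTP client).
        self.token_request = token_request
        self.tokens: Optional[TokenSet] = None

    def authorization_url(self, redirect_uri: str, state: str) -> str:
        if redirect_uri not in self.registered_redirect_uris:
            raise ValueError("redirect_uri must exactly match a registered URI")
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": redirect_uri, "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def _store(self, body: Dict, now: float) -> TokenSet:
        if "error" in body:
            if body["error"] == "invalid_grant":  # RFC 6749: revoked or expired grant
                self.tokens = None
                raise ReauthorizationRequired(body.get("error_description", "invalid_grant"))
            raise RuntimeError(f"token endpoint error: {body['error']}")
        lifetime = int(body.get("expires_in", ACCESS_TOKEN_LIFETIME))
        self.tokens = TokenSet(body["access_token"], body["refresh_token"], now + lifetime)
        return self.tokens

    def exchange_code(self, code: str, redirect_uri: str, now: float = None) -> TokenSet:
        """One-time step after the user's initial login: trade the code for tokens."""
        now = time.time() if now is None else now
        return self._store(self.token_request({
            "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret}), now)

    def refresh(self, now: float = None) -> TokenSet:
        now = time.time() if now is None else now
        if self.tokens is None:
            raise ReauthorizationRequired("no tokens: user must authorize first")
        return self._store(self.token_request({
            "grant_type": "refresh_token", "refresh_token": self.tokens.refresh_token,
            "client_id": self.client_id, "client_secret": self.client_secret}), now)

    def access_token(self, now: float = None) -> str:
        """Return a token that is still valid, refreshing ahead of expiry rather than after."""
        now = time.time() if now is None else now
        if self.tokens is None:
            raise ReauthorizationRequired("no tokens: user must authorize first")
        if now >= self.tokens.expires_at - REFRESH_MARGIN:
            self.refresh(now)
        return self.tokens.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: issues numbered tokens, can be revoked."""
    def __init__(self):
        self.issued = 0
        self.revoked = False

    def __call__(self, form: Dict[str, str]) -> Dict:
        if self.revoked:
            return {"error": "invalid_grant", "error_description": "user revoked access"}
        self.issued += 1
        return {"access_token": f"at-{self.issued}", "refresh_token": f"rt-{self.issued}",
                "expires_in": ACCESS_TOKEN_LIFETIME, "token_type": "Bearer"}


def demo() -> Dict:
    """Walk through login, silent refresh and revocation against the fake endpoint."""
    endpoint = FakeTokenEndpoint()
    client = BillitOAuthClient("client-id-placeholder", "client-secret-placeholder",
                               ["https://localhost/callback"], endpoint)
    t0 = 1_700_000_000.0
    client.exchange_code("code-from-redirect", "https://localhost/callback", now=t0)
    first = client.access_token(now=t0 + 10 * 60)   # 10 min in: still valid, no refresh
    second = client.access_token(now=t0 + 56 * 60)  # 56 min in: inside margin, refreshed
    endpoint.revoked = True                          # user removed the app's access
    try:
        client.access_token(now=t0 + 56 * 60 + ACCESS_TOKEN_LIFETIME)
        outcome = "unexpected"
    except ReauthorizationRequired:
        outcome = "reauthorize"
    return {"first": first, "second": second, "outcome": outcome, "requests": endpoint.issued}
```

The refresh is driven by the stored expires_at rather than by waiting for a 401 from the API, so a long-running integration never sends a request with a token that is about to expire; when the refresh itself is rejected the client clears its tokens, which is the point at which the user has to log in to Billit again.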
Redirect URI changes
If you need to update your redirect URI:
- Contact Billit Support to change it in your client registration
Key rules
- 🔑 Tokens expire in 60 minutes
- 🔄 Refresh tokens keep sessions alive
- 🔒 No password sharing, only token-based access
- 🛑 Dynamic redirect URIs are not supported