API Documentation

OAuth FAQ

Frequently Asked Questions Related to OAuth at Billit

Why OAuth?

Security incidents and fraud are rising fast. E-invoices must be protected. OAuth 2.0 adds security by:

  • Using access tokens instead of passwords
  • Limiting scope and lifetime of access
  • Preventing password sharing with third parties
  • Reducing the risk if a token or app is compromised

When do I need OAuth?

  • Required: Using the Billit API
  • Not required: SFTP integrations or direct login to the MyBillit portal

Logging in to MyBillit

Normal user login to the portal does not change when OAuth is active.

Sandbox vs Production

  • Sandbox and Production have separate client_id and client_secret
  • Credentials are not interchangeable

Finding your PartyID

  • PartyID must be retrieved via the Account EndPoint:

API Key - Only allowed for non-commercial integrations.

A non-commercial integration is a personal integration developed and used exclusively by an individual or organization to automate their own administration. It is not shared, distributed, sold, or otherwise made available to third parties, and it has no commercial purpose or business model attached.

Do not share your API key with others; Billit will never ask you for it.

Redirect URI

  • A redirect URI is always required
  • Can be https://localhost/... or another fixed URI
  • Multiple redirect URIs are supported
  • Dynamic redirect URIs are not supported

Why an initial login?

The first login collects user identity and consent. Tokens are issued based on this context.

Supported and Unsupported OAuth Flows

  • Supported: Authorization Code Flow (with refresh tokens) → for user-facing apps
  • Not supported: Client Credentials Flow → for server-to-server integrations
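The client side of the Authorization Code Flow, as an added example that is not part of the Billit documentation: the app picks one of its statically registered redirect URIs (exact match, no dynamic URIs), sends the user to the authorization endpoint with a fresh `state`, and validates the callback before exchanging the code. The authorization endpoint URL, the registered URIs and the parameter names are assumptions for illustration; a real integration uses the values from its Billit client registration.

```python
"""Client-side steps of the OAuth 2.0 Authorization Code Flow.

Added example, not Billit's code.  The endpoint URL and the registered
redirect URIs below are placeholders (assumptions), not documented values.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed authorization endpoint (placeholder, not from Billit documentation).
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"

# Redirect URIs registered for this client (constructed for the example).
# Registration is static: the redirect_uri in the request must equal one of
# these exactly, which is what "dynamic redirect URIs are not supported" means.
REGISTERED_REDIRECT_URIS = (
    "https://localhost/callback",
    "https://app.example.invalid/billit/callback",
)


def is_registered_redirect_uri(uri: str) -> bool:
    """Exact, case-sensitive comparison against the registered list.

    A trailing slash, an extra path segment, a query string or a different
    port makes a different URI, and that URI is rejected."""
    return uri in REGISTERED_REDIRECT_URIS


def build_authorization_request(client_id: str, redirect_uri: str, scope: str):
    """Return (authorization_url, state).

    `state` is a random, single-use value the app stores in the user's
    session and compares on the callback, so a response can only complete
    the request that started it."""
    if not is_registered_redirect_uri(redirect_uri):
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app and return the authorization code.

    Raises ValueError when the state does not match the one issued for this
    session, when the server returned an error, or when the code parameter
    is missing or repeated."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    url, state = build_authorization_request("my-client-id", "https://localhost/callback", "invoices")
    print("send the user to:", url)
    # Constructed callback, as the browser would deliver it after consent:
    callback = f"https://localhost/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print("authorization code:", parse_callback(callback, state))
```

The code returned by `parse_callback` is then exchanged at the token endpoint for an access token and a refresh token; that exchange, and the later refresh, is the part that runs without the user present.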

Token lifetime & refresh

  • Access tokens are valid for 60 minutes
  • Always refresh before expiry using the refresh token
  • If the access token has already expired, use the refresh token to obtain a new one; no user interaction is needed

User login frequency

  • Users log in once to authorize
  • After that, refresh tokens keep the API connection alive

Revoked tokens

If a token is revoked:

  • The user removed your app’s access to their Billit account
  • Your app must request authorization again
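The token lifecycle described in the three sections above (60-minute access tokens, refresh before expiry, and a revoked token meaning the user must authorize again), as an added example that is not part of the Billit documentation. The token endpoint is simulated in memory so the behaviour can be exercised offline; the five-minute refresh margin and the `invalid_grant` error name are assumptions, not documented Billit values.

```python
"""Access-token lifecycle for a long-running integration.

Added example, not Billit's code.  The token endpoint is a constructed
stand-in; the refresh margin and the error name it returns are assumptions.
"""
import time
from dataclasses import dataclass

ACCESS_TOKEN_LIFETIME = 60 * 60   # seconds; the FAQ states access tokens last 60 minutes
REFRESH_MARGIN = 5 * 60           # refresh this long before expiry (assumed client policy)


class ReauthorizationRequired(Exception):
    """The refresh token no longer works, e.g. the user removed the app's
    access to their account.  The app must run the login flow again."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute time in epoch seconds

    def needs_refresh(self, now: float) -> bool:
        """True once we are inside the safety margin before expiry."""
        return now >= self.expires_at - REFRESH_MARGIN


class SimulatedTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint.

    It remembers which refresh tokens are still valid so that revocation can
    be demonstrated without a network."""

    def __init__(self):
        self._valid_refresh_tokens = set()
        self._counter = 0

    def issue(self, now: float) -> TokenSet:
        """Initial issuance after the user's one-time login and consent."""
        self._counter += 1
        refresh_token = f"refresh-{self._counter}"
        self._valid_refresh_tokens.add(refresh_token)
        return TokenSet(f"access-{self._counter}", refresh_token, now + ACCESS_TOKEN_LIFETIME)

    def refresh(self, refresh_token: str, now: float) -> TokenSet:
        """Exchange a refresh token for a new access token (no user present)."""
        if refresh_token not in self._valid_refresh_tokens:
            # A real server answers HTTP 400 with error=invalid_grant (assumed).
            raise PermissionError("invalid_grant")
        self._counter += 1
        return TokenSet(f"access-{self._counter}", refresh_token, now + ACCESS_TOKEN_LIFETIME)

    def revoke_all(self):
        """Model the user removing the app's access in their account."""
        self._valid_refresh_tokens.clear()


class TokenManager:
    """Hands out a usable access token, refreshing it ahead of expiry."""

    def __init__(self, endpoint, tokens: TokenSet, clock=time.time):
        self._endpoint = endpoint
        self._tokens = tokens
        self._clock = clock      # injectable so the lifecycle can be tested deterministically
        self.refresh_count = 0

    def get_access_token(self) -> str:
        now = self._clock()
        if self._tokens.needs_refresh(now):
            try:
                self._tokens = self._endpoint.refresh(self._tokens.refresh_token, now)
            except PermissionError as exc:
                raise ReauthorizationRequired(
                    "refresh token rejected; send the user through the login again"
                ) from exc
            self.refresh_count += 1
        return self._tokens.access_token


if __name__ == "__main__":
    endpoint = SimulatedTokenEndpoint()
    fake_now = {"t": 1_700_000_000.0}
    manager = TokenManager(endpoint, endpoint.issue(fake_now["t"]), clock=lambda: fake_now["t"])
    print("fresh:", manager.get_access_token())
    fake_now["t"] += 56 * 60                      # inside the 5-minute margin
    print("refreshed:", manager.get_access_token(), "refreshes:", manager.refresh_count)
    endpoint.revoke_all()                         # user withdraws access
    fake_now["t"] += 60 * 60
    try:
        manager.get_access_token()
    except ReauthorizationRequired as err:
        print("need new login:", err)
```

Refreshing inside a margin rather than at the deadline avoids the race where a request is sent with a token that expires in transit; treating `invalid_grant` as "re-authorize" rather than retrying keeps a revoked integration from hammering the token endpoint.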

Redirect URI changes

If you need to update your redirect URI:

  • Contact Billit Support to change it in your client registration

Key rules

  • 🔑 Tokens expire in 60 minutes
  • 🔄 Refresh tokens keep sessions alive
  • 🔒 No password sharing, only token-based access
  • 🛑 Dynamic redirect URIs are not supported