Resources/The Agent API Atlas/Finance/FreshBooks

Everything an AI agent can do with the FreshBooks API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints39
AuthenticationOAuth 2.0
Last updated23 June 2026
Orientation

How the FreshBooks API works.

The FreshBooks API is how an app or AI agent works with a FreshBooks account: creating and sending an invoice, recording a payment, adding a client, logging an expense, or tracking time on a project. Access is granted through an OAuth 2.0 access token carrying granular scopes, in the form user:invoices:read or user:clients:write, that set which resources a call can read or write. A change can emit an event that FreshBooks delivers to a registered callback, and accounting calls and project or time calls are keyed by two separate identifiers for the same login.

39Endpoints
9Capability groups
17Read
22Write
20Permissions
Authentication
FreshBooks authenticates with OAuth 2.0. A user authorizes the app at auth.freshbooks.com, the app exchanges the returned code for a Bearer access token and a refresh token, and the access token is sent on each call. The access token is short-lived; the refresh token is single-use, and only one is valid per user per application at a time, so each refresh issues a new one.
Permissions
Scopes are granular, in the form user:: where action is read or write, across objects like invoices, clients, expenses, estimates, payments, projects, and time_entries. user:profile:read is added to every app by default. A call missing the right scope returns a 403 that names the scopes provided and the scopes required, so each agent can be granted only the resources and the read or write level it needs.
Two identifiers
The path uses two different identifiers depending on the API. Accounting endpoints, like invoices, clients, expenses, and payments, are keyed by accountId. The Projects and Time Tracking endpoints are keyed by businessId. Both are read from the identity endpoint /auth/api/v1/users/me, where each business membership carries its own id and account_id, and the two are not interchangeable.
Data model
FreshBooks runs a single current Accounting API with no dated version in the path, alongside separate Projects and Time Tracking APIs. Most accounting resources are deleted by a soft delete, setting vis_state to 1 on an update rather than a DELETE call, while taxes, projects, and time entries support a real DELETE. A change can emit an event to a registered webhook callback.
Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to FreshBooks determines what it can reach. There is a route for making calls and a route for receiving events, and each is governed by the access token behind it and the permissions that token carries.

Ways to connect

REST API

The REST API takes and returns JSON at https://api.freshbooks.com, with the Accounting API under /accounting/account/ and the Projects and Time Tracking APIs under /projects/business/ and /timetracking/business/. The two identifiers are different values, both read from the identity endpoint /auth/api/v1/users/me. A call authenticates with an OAuth 2.0 Bearer access token.

Best forConnecting an app or AI agent to FreshBooks.
Governed byThe OAuth access token and the scopes it carries.
Docs ↗

Webhooks (callbacks)

FreshBooks POSTs an event to a registered callback URI when something changes, using noun.verb events like invoice.create and payment.create. A callback is registered through the events API, then confirmed by returning a verification code, and that code is the secret used to check the HMAC-SHA256 signature on each delivered event.

Best forReceiving FreshBooks events at an app or AI agent.
Governed byThe verification code on the registered callback.
Docs ↗
Authentication

OAuth 2.0 (authorization code)

FreshBooks uses the OAuth 2.0 authorization-code flow. A user authorizes the app at auth.freshbooks.com, the app exchanges the returned code at the token endpoint for a Bearer access token and a refresh token, and the access token is sent on each call. The access token is short-lived; the refresh token lives until used, is single-use, and only one is valid per user per application at a time.

TokenOAuth 2.0 Bearer access token
Best forServer-side and agent access to a FreshBooks account.
Docs ↗
Capability map

What an AI agent can do in FreshBooks.

The FreshBooks API is split into areas an agent can act on, like invoices, clients, expenses, estimates, payments, projects, and time entries. Each area has its own methods and its own read and write permission, and a write can record money received or send a document to a client.

Endpoint reference

Every FreshBooks API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

MethodEndpointWhat it doesAccessPermissionVersion

Invoices

Methods for creating, sending, and managing invoices in the Accounting API.5

Read-only. Keyed by accountId, the account identifier from the identity endpoint.

Acts oninvoice
Permission (capability)user:invoices:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts oninvoice
Permission (capability)user:invoices:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

A core write; can be set to email the invoice to the client.

Acts oninvoice
Permission (capability)user:invoices:write
VersionAvailable since the API’s base version
Webhook eventinvoice.create
Rate limitStandard limits apply
SourceOfficial documentation ↗

Deleting an invoice is done here too, by setting vis_state to 1 (a soft delete) rather than a DELETE call.

Acts oninvoice
Permission (capability)user:invoices:write
VersionAvailable since the API’s base version
Webhook eventinvoice.update
Rate limitStandard limits apply
SourceOfficial documentation ↗

FreshBooks more commonly soft-deletes by updating vis_state to 1 on the PUT call.

Acts oninvoice
Permission (capability)user:invoices:write
VersionAvailable since the API’s base version
Webhook eventinvoice.delete
Rate limitStandard limits apply
SourceOfficial documentation ↗

Clients

Methods for working with the people and businesses an account bills.4

Read-only. Clients live under the users path in the Accounting API.

Acts onclient
Permission (capability)user:clients:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts onclient
Permission (capability)user:clients:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

A core write.

Acts onclient
Permission (capability)user:clients:write
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Clients are deleted through this PUT by setting vis_state to 1, not a DELETE call.

Acts onclient
Permission (capability)user:clients:write
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Expenses

Methods for recording and managing expenses.4

Read-only.

Acts onexpense
Permission (capability)user:expenses:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts onexpense
Permission (capability)user:expenses:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

A core write.

Acts onexpense
Permission (capability)user:expenses:write
VersionAvailable since the API’s base version
Webhook eventexpense.create
Rate limitStandard limits apply
SourceOfficial documentation ↗

Expenses are soft-deleted through this PUT by setting vis_state to 1.

Acts onexpense
Permission (capability)user:expenses:write
VersionAvailable since the API’s base version
Webhook eventexpense.update
Rate limitStandard limits apply
SourceOfficial documentation ↗

Estimates

Methods for quotes and proposals sent before an invoice.4

Read-only.

Acts onestimate
Permission (capability)user:estimates:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts onestimate
Permission (capability)user:estimates:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

A core write; can be sent to the client.

Acts onestimate
Permission (capability)user:estimates:write
VersionAvailable since the API’s base version
Webhook eventestimate.create
Rate limitStandard limits apply
SourceOfficial documentation ↗

Estimates are soft-deleted through this PUT by setting vis_state to 1.

Acts onestimate
Permission (capability)user:estimates:write
VersionAvailable since the API’s base version
Webhook eventestimate.update
Rate limitStandard limits apply
SourceOfficial documentation ↗

Payments

Methods for recording payments applied to invoices.4

Read-only.

Acts onpayment
Permission (capability)user:payments:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts onpayment
Permission (capability)user:payments:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Marks money as received against an invoice and can change the invoice status to paid.

Acts onpayment
Permission (capability)user:payments:write
VersionAvailable since the API’s base version
Webhook eventpayment.create
Rate limitStandard limits apply
SourceOfficial documentation ↗

Payments are soft-deleted through this PUT by setting vis_state to 1.

Acts onpayment
Permission (capability)user:payments:write
VersionAvailable since the API’s base version
Webhook eventpayment.update
Rate limitStandard limits apply
SourceOfficial documentation ↗

Items & Taxes

Methods for reusable line items and tax rates.4

Read-only. Items use the billable_items scope object, not an items scope.

Acts onitem
Permission (capability)user:billable_items:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Granted by the billable_items write scope.

Acts onitem
Permission (capability)user:billable_items:write
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts ontax
Permission (capability)user:taxes:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Taxes support a real DELETE, unlike most accounting resources.

Acts ontax
Permission (capability)user:taxes:write
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Projects

Methods for projects in the Projects API, keyed by business rather than account.5

Read-only. The Projects API is keyed by businessId, a different identifier from the accountId used by accounting endpoints.

Acts onproject
Permission (capability)user:projects:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts onproject
Permission (capability)user:projects:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

A core write in the Projects API.

Acts onproject
Permission (capability)user:projects:write
VersionAvailable since the API’s base version
Webhook eventproject.create
Rate limitStandard limits apply
SourceOfficial documentation ↗

A write in the Projects API.

Acts onproject
Permission (capability)user:projects:write
VersionAvailable since the API’s base version
Webhook eventproject.update
Rate limitStandard limits apply
SourceOfficial documentation ↗

The Projects API uses a real DELETE, unlike accounting soft deletes.

Acts onproject
Permission (capability)user:projects:write
VersionAvailable since the API’s base version
Webhook eventproject.delete
Rate limitStandard limits apply
SourceOfficial documentation ↗

Time Tracking

Methods for logged time in the Time Tracking API, keyed by business.5

Read-only. The Time Tracking API is keyed by businessId, like the Projects API.

Acts ontime_entry
Permission (capability)user:time_entries:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Read-only.

Acts ontime_entry
Permission (capability)user:time_entries:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Logged time can feed billing through projects and invoices.

Acts ontime_entry
Permission (capability)user:time_entries:write
VersionAvailable since the API’s base version
Webhook eventtime_entry.create
Rate limitStandard limits apply
SourceOfficial documentation ↗

A write in the Time Tracking API.

Acts ontime_entry
Permission (capability)user:time_entries:write
VersionAvailable since the API’s base version
Webhook eventtime_entry.update
Rate limitStandard limits apply
SourceOfficial documentation ↗

The Time Tracking API uses a real DELETE.

Acts ontime_entry
Permission (capability)user:time_entries:write
VersionAvailable since the API’s base version
Webhook eventtime_entry.delete
Rate limitStandard limits apply
SourceOfficial documentation ↗

Events & Callbacks

Methods for registering and verifying webhook callbacks.4

Read-only.

Acts oncallback
Permission (capability)user:events:read
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

FreshBooks then sends a verification code to the callback URI, which must be confirmed before events flow.

Acts oncallback
Permission (capability)user:events:write
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

The verification code doubles as the secret used to check the HMAC-SHA256 signature on delivered events.

Acts oncallback
Permission (capability)user:events:write
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗

Stops events being sent to that callback URI.

Acts oncallback
Permission (capability)user:events:write
VersionAvailable since the API’s base version
Webhook eventNone
Rate limitStandard limits apply
SourceOfficial documentation ↗
No endpoints match those filters.
Webhooks

Webhook events.

FreshBooks can notify an app when something happens in an account, like an invoice being created or a payment being recorded. It registers a callback, sends a verification code to confirm the receiver, then POSTs an event so an integration learns about activity without polling.

EventWhat it signalsTriggered by
invoice.createAn invoice was created on the account./accounting/account//invoices/invoices
invoice.updateAn invoice was changed, including being soft-deleted by a visibility-state change./accounting/account//invoices/invoices/
invoice.deleteAn invoice was deleted./accounting/account//invoices/invoices/
expense.createAn expense was recorded on the account./accounting/account//expenses/expenses
expense.updateAn expense was changed./accounting/account//expenses/expenses/
estimate.createAn estimate was created on the account./accounting/account//estimates/estimates
estimate.updateAn estimate was changed./accounting/account//estimates/estimates/
payment.createA payment was recorded against an invoice./accounting/account//payments/payments
payment.updateA payment was changed./accounting/account//payments/payments/
project.createA project was created./projects/business//project
project.updateA project was changed./projects/business//project/
project.deleteA project was deleted./projects/business//project/
time_entry.createA time entry was logged./timetracking/business//time_entries
time_entry.updateA time entry was changed./timetracking/business//time_entries/
time_entry.deleteA time entry was deleted./timetracking/business//time_entries/
No events match that search.
Rate limits & pagination

Rate limits, pagination & request size.

FreshBooks meters how fast an app can call and returns an HTTP 429 when a caller goes too fast. It does not publish a fixed per-minute number, so an integration backs off and retries when it is told to slow down.

Request rate

FreshBooks throttles callers and returns an HTTP 429 (HTTP_RATE_LIMITED) when a caller sends requests too quickly. It does not publish a fixed per-minute number in the developer docs, and the limit is enforced on the server and can vary, so an integration treats a 429 as the signal to slow down rather than relying on a stated ceiling. The response indicates the caller should pause before sending more calls.

Pagination

List endpoints page with page and per_page query parameters. Requesting page 0 returns page 1, and requesting past the last page returns an empty list. Search filters cover equals, in, like, between, datetime in ISO 8601, and boolean matching, and related data is pulled in with explicit includes rather than returned by default.

Request size

per_page is silently capped at 100, so a single page returns at most 100 records and larger datasets are read across multiple pages.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

StatusCodeMeaningWhat to do
401UnauthorizedNo authentication token was provided, or it is invalid or expired.Send a valid Bearer access token, and refresh it with the refresh token if it has expired.
403AccessDenied (errno 1003)The token is valid but lacks the scope or permission the call needs. A scope error names the scopes provided and the scopes required.Re-authorize the app with the missing scope, like user:invoices:write, then retry.
404UnknownResource (errno 1012)The resource in the URL does not exist or is not visible to this user, account, or business.Check the id, and confirm the accountId or businessId in the path matches the resource.
422RequiredField (errno 1001)Validation failed, for example a required field is missing. The response names the errno and a message.Read the errno and message, fix the request body, and resend.
429HTTP_RATE_LIMITEDToo many requests arrived too quickly and the caller was throttled.Pause and retry with backoff, honoring any Retry-After signal before sending more calls.
500Server errorAn error on the FreshBooks side. It is rare.Retry with backoff, and contact FreshBooks support if it persists.
Versioning & freshness

Version history.

FreshBooks runs a single current Accounting API with no dated version string in the path. Changes ship through release notes rather than a pinned version, so an integration tracks the changelog instead of a version header.

Version history

What changed, and when

Latest versionCurrent
CurrentCurrent version
Current FreshBooks API

FreshBooks runs a single current Accounting API with no dated version string in the path, alongside separate Projects and Time Tracking APIs keyed by businessId. New features and changes ship through FreshBooks release notes rather than a pinned version, so integrations track the changelog rather than a version header.

What changed
  • Granular OAuth scopes in the form user:: across resources like invoices, clients, expenses, payments, projects, and time entries.
  • Webhook callbacks deliver noun.verb events with HMAC-SHA256 signature verification.
  • Reporting improvements across 2025 and 2026, including added filters, collapsible headers, and drill-down into transactions on core reports.
    • 2025
    2025 changes and updates

    A year of additive changes shipped through release notes, with no path version change.

    What changed
    • Manual bank connections added for transaction reconciliation.
    • Reporting enhancements, including added filters and transaction drill-down on core reports.
    • Payroll enhancements, including dismissing and rehiring employees.

    There is no version to pin; track the release notes for changes.

    FreshBooks changes and updates ↗
    Questions

    FreshBooks API, answered.

    What is the difference between accountId and businessId?+
    They are two different identifiers and cannot be swapped. The Accounting API, covering invoices, clients, expenses, and payments, is keyed by accountId. The Projects and Time Tracking APIs are keyed by businessId. Both come from the identity endpoint /auth/api/v1/users/me, where each business membership lists its own id (the businessId) and account_id (the accountId).
    How do OAuth scopes work in FreshBooks?+
    Scopes are granular and take the form user::, where action is read or write, for example user:invoices:read or user:clients:write. An app requests the scopes it needs at authorization, and user:profile:read is added by default. A call without the needed scope returns a 403 that lists the scopes provided and the scopes required.
    How do I delete a record?+
    Most accounting resources, including invoices, clients, expenses, estimates, and payments, are not deleted with a DELETE call. They are soft-deleted by sending a PUT update that sets the visibility state field vis_state to 1, which hides the record while keeping it. Taxes, projects, and time entries do support a real DELETE.
    Does FreshBooks publish a rate limit?+
    FreshBooks throttles callers and returns an HTTP 429 with HTTP_RATE_LIMITED when requests come too fast, but it does not state a fixed per-minute number in the developer docs. The limit is enforced on the server and can vary, so an integration should treat a 429 as the cue to back off and retry rather than rely on a published ceiling.
    How do FreshBooks webhooks work?+
    An app registers a callback for an event, named noun.verb such as invoice.create or payment.create, through the events API. FreshBooks then sends a verification code to the callback URI, which the app confirms with a PUT. After that, FreshBooks POSTs each matching event, and the verification code is the secret used to check the HMAC-SHA256 signature on the request.
    Is the FreshBooks API versioned?+
    The current Accounting API has no dated version string in its path, so there is no version header to pin. Changes are communicated through FreshBooks release notes rather than versioned cut-overs, so an integration tracks the changelog for new fields and behavior instead of upgrading a version.
    How long do access tokens last?+
    The access token is short-lived and is refreshed with the refresh token. The refresh token does not expire on its own, but it is single-use and only one is valid per user per application at a time, so each refresh returns a new access token and a new refresh token that replaces the old one.
    Related

    More finance API guides for agents

    Stripe

    52 endpoints
    View guide

    Chargebee

    38 endpoints
    View guide

    Razorpay

    36 endpoints
    View guide

    Recurly

    35 endpoints
    View guide

    Square

    35 endpoints
    View guide

    BILL

    34 endpoints
    View guide
    What is Bollard AI?

    Control what every AI agent can do in FreshBooks.

    Bollard AI sits between a team's AI agents and FreshBooks. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

    • Set read, write, or full access per agent, never a shared FreshBooks token.
    • Denied by default, so an agent reaches only what has been explicitly allowed.
    • Every call recorded in plain English: who, what, where, and the decision.
    Control FreshBooks access in BollardBrowse all APIs
    FreshBooks
    Bookkeeping Agent
    View invoices ResourceOffReadFull use
    Record payments ActionOffReadFull use
    Clients ResourceOffReadFull use
    Per-agent access, set in Bollard AI, not in FreshBooks