Register as a developer

First of all you’ll need to register as a developer with Fortnox. To register, you just need to fill out this form.

We will get back to you with a sandbox account in Fortnox together with a Client-Id and a Client-Secret. These values will later be used to authenticate the integration against the Fortnox API.

The Client-Id and the Client-Secret are unique to your integration. The Client-Secret paired with an Access-Token is the unique key that gives access to a Fortnox account.

Connect your integration

In Fortnox you now have to connect your integration to your Fortnox account.

You’ll find all connected integrations on the page “Administrate users” in Fortnox under the section “Integrations”.

You are also able to add new integrations here by pressing the button “Add integration”.

A window will pop up where you have the possibility to search for your integration by name or paste in your Client-Id.

A public integration will always be searchable by both the name of the integration and by using the Client-Id. A private integration will only be searchable using the Client-Id.

Select your integration and press the button “Save”.

A new window will pop up with a code called “API code”. This is an Authorization-Code, which is used to retrieve the final Access-Token.

Authorisation code

Each Fortnox account needs both a unique Authorization-Code and a unique Access-Token. That means that your integration needs to be able to manage a unique set of keys for every Fortnox account that is connected.

Retrieving your Access-Token

To retrieve your Access-Token you use the Authorization-Code and your Client-Secret. Any request to the API using this combination of header fields will return an Access-Token.

An Access-Token can only be retrieved once with every Authorization-Code. Multiple requests with the same Authorization-Code will make both the Authorization-Code and the Access-Token invalid. The Access-Token does not have a time-limit.

An example of a request to retrieve an Access-Token is shown below.

curl -X "GET" "" \
     -H "Authorization-Code: abc34276-4e0c-2sf6-21a1-e373d27c61fd" \
     -H "Client-Secret: 8aGfU66pWhz" \
     -H "Content-Type: application/json" \
     -H "Accept: application/json"

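 <?php
 // Sample values; use the Client-Secret and Authorization-Code issued for your integration.
 $clientSecret = 'RuZAT6e9cJ';
 $authorizationCode = '463627b5-57bb-413e-bfb9-514909976b72';
 $initUrl = ''; // API endpoint URL (left empty on this page)

 // Both header fields must be sent together to receive an Access-Token.
 $headers = [
     'Client-Secret: ' . $clientSecret,
     'Authorization-Code: ' . $authorizationCode,
     'Accept: application/json',
     'Content-Type: application/json',
 ];

 $curl = curl_init();
 curl_setopt($curl, CURLOPT_URL, $initUrl);
 curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // return the body instead of echoing it
 curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);

 $curl_response = curl_exec($curl);
 if ($curl_response === false) {
     // Report transport errors instead of printing an empty response.
     error_log('Request failed: ' . curl_error($curl));
 } else {
     print $curl_response;
 }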
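
Because an Authorization-Code can be exchanged only once and every connected Fortnox account has its own keys, an integration has to store each Access-Token and never resend a used code. The following is an added example, not Fortnox's code: the class name `FortnoxTokenStore`, the JSON file layout and the `$exchange` callable (which would wrap the request above and return the Access-Token) are assumptions, and the demo uses a constructed stub instead of a real API call. It requires PHP 8.

```php
<?php
// Added example: per-account Access-Token store with a one-time code exchange.
// FortnoxTokenStore, the file layout and $exchange are hypothetical names.
final class FortnoxTokenStore
{
    public function __construct(private string $path) {}

    /**
     * Return the Access-Token for $accountId, exchanging $authorizationCode
     * at most once. $exchange(string $code): string performs the HTTP request
     * and returns the Access-Token taken from the response.
     */
    public function accessToken(string $accountId, string $authorizationCode, callable $exchange): string
    {
        if (!file_exists($this->path)) {
            touch($this->path);
            chmod($this->path, 0600);   // owner-only before any secret is written
        }
        $fh = fopen($this->path, 'c+');
        // The exclusive lock stops two workers from sending the same code twice.
        if ($fh === false || !flock($fh, LOCK_EX)) {
            throw new RuntimeException('cannot lock token store');
        }
        try {
            $tokens = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
            if (isset($tokens[$accountId])) {
                return $tokens[$accountId];   // never resend a used code
            }
            $tokens[$accountId] = $exchange($authorizationCode);
            ftruncate($fh, 0);
            rewind($fh);
            fwrite($fh, json_encode($tokens));
            fflush($fh);
            return $tokens[$accountId];
        } finally {
            flock($fh, LOCK_UN);
            fclose($fh);
        }
    }
}

// Demo with constructed values; the stub counts how often an exchange happens.
$calls = 0;
$stub = function (string $code) use (&$calls): string { $calls++; return 'constructed-token-' . $calls; };
$path = tempnam(sys_get_temp_dir(), 'fnx');   // fresh file, created owner-only
$store = new FortnoxTokenStore($path);
$first = $store->accessToken('account-A', 'constructed-code-A', $stub);
$again = $store->accessToken('account-A', 'constructed-code-A', $stub);
var_dump($first === $again, $calls);   // same token returned, exchange count
unlink($path);
```

If `$exchange` throws, nothing is stored, so treat the Authorization-Code as possibly consumed and reconnect the integration rather than retrying blindly.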

Making the first request

Now that you have your Access-Token, you can make requests against the API.

These requests are authorized with the Access-Token and the Client-Secret.

curl -X "GET" "" \
     -H "Access-Token: 3f08d038-f380-4893-94a0-a08f6e60e67a" \
     -H "Client-Secret: 8aGfU66pWhz" \
     -H "Content-Type: application/json" \
     -H "Accept: application/json"