Header Fields


Authentication uses two header fields: Client-Secret and Access-Token.


To determine which integration is making the API request, we use Client-Secret. This is a unique, secret key that the integration uses only against the Fortnox API.


We also need to know which user made the API request and from which Fortnox account. This is determined by the header field Access-Token.


To retrieve the Access-Token, you first need to get an Authorization-Code from your user. This key is given to the user when they add the integration in Fortnox.

Once you have the Authorization-Code, you make a request to the Fortnox API together with your Client-Secret to retrieve the Access-Token for that specific user.

Type of content

Fortnox API supports both JSON and XML. You will need to use the header fields Content-Type and Accept to specify which type you use.

The value for these header fields should be either application/json or application/xml depending on which you use.

For requests where the content is a file, as in archive or inbox, a special Content-Type is used: multipart/form-data. The header field Accept should still be either JSON or XML; it specifies the format in which you want the return data.


These are examples of how the header should look with all the header fields filled in correctly, first for XML and then for JSON.

Accept: application/xml
Access-Token: 605de498-486c-ae9f-b740-119cd660badf
Client-Secret: 2a5OUpaWhz
Content-Type: application/xml

Accept: application/json
Access-Token: 605de498-486c-ae9f-b740-119cd660badf
Client-Secret: 2a5OUpaWhz
Content-Type: application/json
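
An added example, not part of the Fortnox documentation: one way to assemble these header fields in Python, reject credential values that contain line breaks, and redact the two credentials before the headers are logged. The function names and environment variable names are assumptions; for file requests Content-Type is left unset so the HTTP library can send multipart/form-data with its boundary parameter.

```python
import os

ALLOWED = {"json": "application/json", "xml": "application/xml"}
SECRET_HEADERS = {"client-secret", "access-token"}


def build_headers(client_secret, access_token, fmt="json", file_upload=False):
    """Return the header fields described above for one request."""
    if fmt not in ALLOWED:
        raise ValueError("fmt must be 'json' or 'xml'")
    for name, value in (("Client-Secret", client_secret),
                        ("Access-Token", access_token)):
        # Reject empty values and CR/LF so a credential read from config
        # cannot smuggle extra header lines into the request.
        if not value or any(c in value for c in "\r\n"):
            raise ValueError(f"invalid {name} value")
    headers = {
        "Client-Secret": client_secret,
        "Access-Token": access_token,
        "Accept": ALLOWED[fmt],  # format wanted for the return data
    }
    if not file_upload:
        headers["Content-Type"] = ALLOWED[fmt]
    # For file uploads the Content-Type is multipart/form-data; it is not set
    # by hand because the HTTP library must add the boundary parameter.
    return headers


def redact(headers):
    """Return a copy of the headers that is safe to write to logs."""
    return {k: ("<redacted>" if k.lower() in SECRET_HEADERS else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    # Assumed variable names; keep both credentials out of source control.
    h = build_headers(os.environ["FORTNOX_CLIENT_SECRET"],
                      os.environ["FORTNOX_ACCESS_TOKEN"], fmt="xml")
    print(redact(h))
```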