Security requirements

Before you can list your app on the QuickBooks App Store, it will be reviewed to ensure it meets the following security requirements and complies with the Intuit Developer Terms. This is in addition to meeting our technical and marketing requirements.

The security review starts once your app passes the technical review.

Following the initial security review, developers must remediate any critical, high or medium priority issues before they can be published on the app store. For ongoing compliance reviews, these issues should be fixed within 2 weeks of notification by Intuit.

Apps listed on the QuickBooks App Store must continue to meet these requirements after publication. All apps list on the app store, and any app with over 500 connections, will be reviewed by Intuit on an annual basis, or more frequently at Intuit’s discretion, to ensure they continue to meet our required technical and security standards.


Note: The average time it takes for an app to complete its initial security review is about 7 days. This can vary depending on the issues found during the review process.
App server configuration

Ensure your server configuration meets the following requirements:

Attack vulnerability

During the security test, Intuit will ensure that your app is secure against the following vulnerabilities. Test accordingly and resolve any issues prior to submitting your app for review:

QuickBooks data usage

These tests verify that your app meets Intuit’s requirements for handling QuickBooks data:

Verify that all app session cookies have the following attributes set:

OAuth token management

Verify that your app meets these requirements for OAuth 2.0 token management:

Once a user completes the OAuth authorization workflow:

In addition to the above requirements, refer to these best practices for handling OAuth 2.0 tokens within your app.

Sensitive information

Web application endpoints that receive sensitive customer information and/or authentication tokens in URL parameters must not return HTML content via an HTTP Response Body. This is to prevent sensitive customer information from being accidentally leaked to 3rd parties in the subsequent HTTP Referer request headers.

Instead, the web application endpoints should implement a 302 Found redirect. This is particularly important when application end points are handling authentication tokens.

User Credentials

Your storage of user credentials (e.g., username, password, account numbers, etc.), must comply with Intuit’s Password Policy. Only developers with prior written approval from Intuit may store user credentials used to access end user data from another source (e.g., the end user’s financial institution).

In the event we expressly allow you to store user credentials locally within your Developer Application, ensure that (i) the account ID is unique for that end user; (ii) the password is a minimum of 8 characters in length; (iii) 128-bit SSL is used when transferring any password or Account ID over the internet; and (iv) the password is not stored in plain text and is one-way hashed via SHA-256 (or better) and stored only as hashed values.

Security scans and audits

Consistent with our Intuit Developer Terms, you are required to:

*Intuit reserves the right to question or reject scan results that an app provides. If that occurs, you must either allow us to conduct the scans described above, or conduct a new scan sufficient to show compliance with our Intuit Developer Terms.