Create a Company API Token
Pennylane’s Company API uses bearer tokens to authenticate requests.
Each token identifies your company and grants access to specific resources through defined scopes (permissions).
Use this guide to create, manage, and securely use your Company API tokens when integrating your own tools with Pennylane.
Before You Get Started
To create and manage API tokens, you must:
- Have an Essential plan or higher,
- Have admin access to the company workspace - available to Executive, Internal Accountant, and External Accountant roles.
About Company API Tokens
Before creating your first token, here’s what you need to know about how Company API tokens work.
- A token is always linked to one company.
- A company can have multiple tokens, each with its own scopes and expiration date.
In practice, you might want to create several tokens when:
- You need to grant different access levels to separate users or integrations.
- You manage multiple companies in Pennylane - each company requires its own token.
Generating a Token
To generate a Company API token:
(1) Log in to your Pennylane Firm account.
(2) In the Accounting section, go to Settings > Connectivity > Developers.
(3) Click Generate an API Token.
(4) Enter a Token Name.
Tip: Name your token after its purpose (e.g., “CRM sync” or “Invoice automation”).
(5) Under API V2, choose the permissions:
- Read only — retrieve data
- Read and write — create or update data
(6) Choose an expiration date: 1 month, 6 months, 12 months, or Unlimited.
(7) Click Generate Token.
(8) Copy your token immediately — it will only be displayed once.
(9) Confirm that you have saved it securely, then click Continue.
Tokens are not stored in Pennylane and cannot be retrieved later. If lost, you must generate a new one.
Troubleshooting
If you don’t see the Developers tab in your company settings:
- 🔒 You may not have the right permissions > check with your company admin (only Executives and Accountants can access this tab).
- 💼 Your company may be on a Starter plan > you’ll need to upgrade to an Essential plan or higher.
Managing and Revoking Tokens
From the Developers tab, you can view and manage all existing tokens:
- Token name
- Scopes granted
- Creation and expiration dates
- Last used
To revoke a token, click Delete next to it.
Once deleted, it immediately loses access to the API.
Token deletion is irreversible. Any integration using that token will stop working until a new one is generated and configured in its place.
Using Multiple Tokens
Each token is independent and applies only its own scopes and expiration settings.
If several tokens exist, the API enforces the scopes of the token used in the request.
Example:
- Token A: read-only access
- Token B: read-and-write access
> Using Token A for a write request returns 403 Forbidden.
Tip: It is recommended to create separate tokens for each app or environment to isolate permissions and reduce risk.
Using Your Token
Once your Company API token has been generated, you can use it to authenticate your API requests.
Include your token in the Authorization header of every API request.
curl https://app.pennylane.com/api/external/v2/me \
  -H "Authorization: Bearer <YOUR_COMPANY_API_TOKEN>"
Example JSON Response
{
"user": {
"id": 479693,
"first_name": "Paul",
"last_name": "SMITH",
"email": "[email protected]",
"locale": "en"
},
"company": {
"id": 172916,
"name": "My Company Name",
"reg_no": "sandbox-172916"
}
}
This response confirms that:
- Your token is valid.
- The API correctly identifies both your user and your company context.
If you receive an error:
- 401 Unauthorized > The token is missing or invalid.
- 403 Forbidden > The token doesn’t include the required scope.
- 404 Not Found > The endpoint doesn’t exist (check your base URL).
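As an added example (not Pennylane's own SDK or code from this guide), the following Python script performs the same /me check as the curl call above: it reads the token from an environment variable, sends it as a Bearer header, and maps the 401/403/404 responses listed here to actionable errors. The environment variable name PENNYLANE_COMPANY_API_TOKEN is an assumption for this example.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://app.pennylane.com/api/external/v2"  # base URL shown in the guide
TOKEN_ENV = "PENNYLANE_COMPANY_API_TOKEN"  # assumed variable name, not from Pennylane

# Error statuses listed in the guide, mapped to what the caller should do.
STATUS_HINTS = {
    401: "token is missing or invalid; generate a new one",
    403: "token lacks the required scope (e.g. read-only token on a write call)",
    404: "endpoint does not exist; check the base URL",
}

class PennylaneApiError(Exception):
    def __init__(self, status, hint):
        super().__init__(f"HTTP {status}: {hint}")
        self.status = status

def auth_headers(token):
    """Build the Bearer header; fail locally on an empty token instead of as a 401."""
    if not token or not token.strip():
        raise ValueError(f"no Company API token provided (set {TOKEN_ENV})")
    return {"Authorization": f"Bearer {token.strip()}", "Accept": "application/json"}

def http_send(method, url, headers):
    """Real transport: returns (status, body) and does not raise on 4xx."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")

def whoami(token, send=http_send):
    """GET /me; return (user_id, company_id). `send` is injectable for offline tests."""
    status, body = send("GET", f"{BASE_URL}/me", auth_headers(token))
    if status != 200:
        raise PennylaneApiError(status, STATUS_HINTS.get(status, "unexpected response"))
    data = json.loads(body)
    return data["user"]["id"], data["company"]["id"]

if __name__ == "__main__":
    # Read the secret from the environment, never from source or version control.
    uid, cid = whoami(os.environ.get(TOKEN_ENV, ""))
    print(f"token valid: user {uid}, company {cid}")
```

A 403 from this check with a valid token means the token exists but was created without the scope the call needs, so the fix is a new token with the right permissions rather than a retry.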
Best Practices
✅ Store tokens securely (e.g., secrets manager).
✅ Rotate tokens periodically.
✅ Never share tokens publicly or in version control.
✅ Revoke unused tokens to minimize risk.
For a full list of available permissions, see the Understanding V2 Scopes guide.
