QuickBooks Online MCP Server
Community QuickBooks Online MCP server with full CRUD for invoices, bills, customers, vendors, and accounting
Server Info
- Package: @qboapi/qbo-mcp-server
- Registry: npm
- Repository: qboapi/qbo-mcp-server
- Maintainer: Intuit (Vendor)
- Category: Finance & Payments
- Tags: accounting, invoices, quickbooks
- Last Scanned: 7 Apr 2026
Findings
8 issues
Authentication & Identity
HIGH: No per-request auth - requires instance-per-user
OAuth 2.0 via intuit-oauth SDK. If refresh token is not provided, initiates a local browser-based OAuth flow on localhost:8000. Tokens are persisted to the .env file on disk (security concern: writes secrets to filesystem). Stdio transport only. For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.
Tool Schema Quality
HIGH: Required fields missing on 1 write operation
Write tools without required field declarations: delete_customer.
Add required arrays to all write/delete tool schemas.
MEDIUM: Only 10 of 50 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: delete_customer uses z.any() for idOrEntity parameter
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
LLM Safety
MEDIUM: 5 tool descriptions are too vague
Short or generic descriptions make tool selection unreliable.
Expand descriptions with specific actions, data types, and side effects.
Data Exposure
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
LOW: Community-maintained by qboapi (community)
No official vendor backing.
Seek vendor verification.
HIGH: 18 dependency vulnerabilities (3 critical, 9 high)
npm audit found 3 critical and 9 high severity CVEs.
Run `npm audit fix` and update vulnerable dependencies.
Tools
50 total

| Name | Description | Risk |
|---|---|---|
| create_account | Create a chart-of-accounts entry in QuickBooks Online. | write |
| create_bill_payment | Create a bill payment in QuickBooks Online. | write |
| create-bill | Create a bill in QuickBooks Online. | write |
| create_customer | Create a customer in QuickBooks Online. | write |
| create_employee | Create an employee in QuickBooks Online. | write |
| create_estimate | Create an estimate in QuickBooks Online. | write |
| create_invoice | Create an invoice in QuickBooks Online. | write |
| create_item | Create an item in QuickBooks Online. | write |
| create_journal_entry | Create a journal entry in QuickBooks Online. | write |
| create_purchase | Create a purchase in QuickBooks Online. | write |
| create-vendor | Create a vendor in QuickBooks Online. | write |
| delete_bill_payment | Delete (make inactive) a bill payment in QuickBooks Online. | admin |
| delete-bill | Delete a bill in QuickBooks Online. | admin |
| delete_customer | Delete (make inactive) a customer in QuickBooks Online. | admin |
| delete_estimate | Delete (void) an estimate in QuickBooks Online. | admin |
| delete_journal_entry | Delete (make inactive) a journal entry in QuickBooks Online. | admin |
| delete_purchase | Delete (make inactive) a purchase in QuickBooks Online. | admin |
| delete-vendor | Delete a vendor in QuickBooks Online. | admin |
| get_bill_payment | Get a bill payment by Id from QuickBooks Online. | read |
| get-bill | Get a bill by ID from QuickBooks Online. | read |
| get_customer | Get a customer by Id from QuickBooks Online. | read |
| get_employee | Get an employee by Id from QuickBooks Online. | read |
| get_estimate | Get an estimate by Id from QuickBooks Online. | read |
| get_journal_entry | Get a journal entry by Id from QuickBooks Online. | read |
| get_purchase | Get a purchase by Id from QuickBooks Online. | read |
| get-vendor | Get a vendor by ID from QuickBooks Online. | read |
| read_invoice | Read a single invoice from QuickBooks Online by its ID. | read |
| read_item | Read a single item in QuickBooks Online by its ID. | read |
| search_accounts | Search chart-of-accounts entries using criteria. | read |
| search_bill_payments | Search bill payments in QuickBooks Online that match given criteria. | read |
| search_bills | Search bills in QuickBooks Online that match given criteria. | read |
| search_customers | Search customers in QuickBooks Online that match given criteria. | read |
| search_employees | Search employees in QuickBooks Online that match given criteria. | read |
| search_estimates | Search estimates in QuickBooks Online that match given criteria. | read |
| search_invoices | Search invoices in QuickBooks Online using criteria (maps to node-quickbooks findInvoices). | read |
| search_items | Search items in QuickBooks Online using criteria (maps to node-quickbooks findItems). | read |
| search_journal_entries | Search journal entries in QuickBooks Online that match given criteria. | read |
| search_purchases | Search purchases in QuickBooks Online that match given criteria. | read |
| search_vendors | Search vendors in QuickBooks Online that match given criteria. | read |
| update_account | Update an existing chart-of-accounts entry in Quickbooks. | write |
| update_bill_payment | Update a bill payment in QuickBooks Online. | write |
| update-bill | Update a bill in QuickBooks Online. | write |
| update_customer | Update an existing customer in QuickBooks Online. | write |
| update_employee | Update an employee in QuickBooks Online. | write |
| update_estimate | Update an estimate in QuickBooks Online. | write |
| update_invoice | Update an existing invoice in Quickbooks by ID (sparse update). | write |
| update_item | Update an existing item in Quickbooks by ID (sparse update). | write |
| update_journal_entry | Update a journal entry in QuickBooks Online. | write |
| update_purchase | Update a purchase in QuickBooks Online. | write |
| update-vendor | Update a vendor in QuickBooks Online. | write |