Authentication

All DayZero API requests require a Bearer token in the Authorization header and a business context header.

Obtaining a Token

Generate an API token from your DayZero dashboard under Settings > API Tokens.

Tokens start with the dz_ prefix and can optionally be given an expiration of 1–365 days.

Making Authenticated Requests

Every request needs two headers:

```bash
curl "https://api.ondayzero.com/api/v1/businesses" \
  -H "Authorization: Bearer dz_your_token_here" \
  -H "x-business-id: YOUR_BUSINESS_ID"
```

Header          Required   Description
Authorization   Yes        Bearer dz_... token
x-business-id   Yes        UUID of the business context
x-user-email    No         Email for audit trail

Token Limits

  • Maximum 10 active tokens per user
  • Tokens can be revoked at any time from the dashboard
  • Optional expiration between 1 and 365 days

OAuth 2.0

DayZero also supports OAuth 2.0 for third-party integrations:

```http
POST /api/v1/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTH_CODE&redirect_uri=YOUR_REDIRECT
```

See the OAuth section of the API Reference for full details.

AI Assistants (MCP)

The DayZero MCP server (https://api.ondayzero.com/mcp) lets AI assistants like Claude and Cursor interact with your accounting data through OAuth 2.1:

  1. The client discovers auth requirements via /.well-known/oauth-protected-resource.
  2. It registers via dynamic client registration and opens a browser to /oauth2/authorize.
  3. You sign in and approve scopes on the consent page.
  4. The client exchanges the code at /oauth2/mcp/token for MCP-scoped tokens.

Important: MCP tokens and REST API tokens are separate credential types:

Credential Works on MCP Works on REST API
MCP OAuth token (type=mcp)
REST API key (type=api, dz_…)
SPA session token (type=access)

Revoke MCP-connected clients via DELETE /api/v1/oauth/grants/{grant_id}. REST API keys are revoked separately from Settings → Developers.

See the MCP Server guide for setup, scopes, and troubleshooting.