API Access Credentials
Requesting API Access Credentials
To obtain your Client ID and Client Secret, you must submit a formal access request through the COUNT API Access Request Form.
How to Request Access
- Visit the COUNT API Access Request Form
- Fill in the required details:
What Happens After You Submit
Once your request is reviewed and approved by the COUNT team, you will receive:
- Client ID — A unique identifier for your application, used in the x-client-id header for API requests.
- Client Secret — A private key used to sign all API requests via HMAC-SHA256. This must be kept secure and never exposed on the client side.
- Redirect URI Configuration — Your specified callback URL will be registered for the OAuth authorization flow.
Important: Do not begin development against production endpoints until you have received your approved credentials. You can review the API documentation at developers.getcount.com while waiting for approval.
Required Headers
Every authenticated API request must include the following headers:
| Header | Description |
| x-client-id | Your partner Client ID |
| x-timestamp | Current Unix timestamp (seconds) |
| x-signature | HMAC-SHA256 signature (see below) |
| Content-Type | application/json |
| Authorization | Bearer (required for data endpoints only) |
Computing the HMAC Signature
The signature is an HMAC-SHA256 hash, using your Client Secret as the key, applied to a base string with the following format:
METHOD:path:timestamp:bodyHash
Four components, separated by colons:
| Component | Description |
| METHOD | HTTP method in uppercase: GET, POST, PUT, PATCH |
| path | The endpoint path without the /partners prefix (e.g., /chart-of-accounts, /grant-access-token) |
| timestamp | The same Unix timestamp sent in the x-timestamp header |
| bodyHash | SHA-256 hash of the JSON request body (for POST, PUT, PATCH). Empty string for GET requests. |
Important: The colon separators are always present, even when bodyHash is empty. A GET request base string ends with a trailing colon.
Examples
POST request (e.g., exchanging an authorization code):
Base string: POST:/grant-access-token:1772571261:a1b2c3d4e5f6…
Where the body hash is computed as:
SHA-256(JSON.stringify(requestBody))
GET request (e.g., fetching chart of accounts):
Base string: GET:/chart-of-accounts:1772571261:
Note the trailing colon — bodyHash is an empty string, but the colon separator remains.
Code Example (Node.js)
```javascript
const crypto = require('crypto');

function signRequest({ method, path, timestamp, body, clientSecret }) {
  // bodyHash stays an empty string for GET requests
  let bodyHash = '';
  if (['POST', 'PUT', 'PATCH'].includes(method)) {
    bodyHash = crypto.createHash('sha256').update(JSON.stringify(body)).digest('hex');
  }
  // The colon separators are always present, even when bodyHash is empty
  const baseString = `${method}:${path}:${timestamp}:${bodyHash}`;
  return crypto.createHmac('sha256', clientSecret).update(baseString).digest('hex');
}

// GET example
const getSignature = signRequest({
  method: 'GET',
  path: '/chart-of-accounts', // NOT /partners/chart-of-accounts
  timestamp: Math.floor(Date.now() / 1000),
  body: null,
  clientSecret: 'your_client_secret'
});

// POST example
const postSignature = signRequest({
  method: 'POST',
  path: '/grant-access-token',
  timestamp: Math.floor(Date.now() / 1000),
  body: { grantType: 'authorization_code', code: 'abc123' },
  clientSecret: 'your_client_secret'
});
```
Common Mistakes
- Using the full URL path (/partners/chart-of-accounts) instead of the relative path (/chart-of-accounts)
- Omitting the trailing colon on GET requests
- Including client_id or client_secret in the request body (these should only be in headers / used for HMAC)
- Hashing the body for GET requests instead of using an empty string
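As an added example (not COUNT's own code), the helper below assembles the full set of required headers around the signature and guards against the mistakes listed above: it signs the path without the /partners prefix, uses one timestamp for both the header and the base string, and hashes the exact JSON string it returns for sending. The names buildSignedRequest, accessToken and now, the sample values, and the use of the OAuth access token as the Bearer value are assumptions for illustration.

```javascript
// Added example (not COUNT's code). Names and sample values are illustrative assumptions.
const crypto = require('crypto');

const BODY_METHODS = ['POST', 'PUT', 'PATCH'];

function buildSignedRequest({ method, path, body, clientId, clientSecret, accessToken, now = Date.now() }) {
  const verb = method.toUpperCase();
  // Sign the relative path: drop a leading /partners prefix if the full path was passed.
  const signedPath = path.replace(/^\/partners(?=\/)/, '');
  // One timestamp, used for both the x-timestamp header and the base string.
  const timestamp = String(Math.floor(now / 1000));
  const hasBody = BODY_METHODS.includes(verb);
  if (hasBody && body === undefined) {
    throw new TypeError(`${verb} requires a JSON body to hash`);
  }
  // Serialize once, then hash and send that same string so the hash matches the bytes sent.
  const payload = hasBody ? JSON.stringify(body) : undefined;
  const bodyHash = hasBody
    ? crypto.createHash('sha256').update(payload).digest('hex')
    : ''; // empty for GET; the trailing colon still appears in the base string
  const baseString = `${verb}:${signedPath}:${timestamp}:${bodyHash}`;
  const signature = crypto.createHmac('sha256', clientSecret).update(baseString).digest('hex');
  const headers = {
    'x-client-id': clientId,
    'x-timestamp': timestamp,
    'x-signature': signature,
    'Content-Type': 'application/json',
  };
  // Assumption: the Bearer value is the OAuth access token (data endpoints only).
  if (accessToken) headers.Authorization = `Bearer ${accessToken}`;
  return { baseString, headers, payload };
}

// Constructed demo input; a real server loads the secret from configuration, never from client-side code.
const demo = buildSignedRequest({
  method: 'get',
  path: '/partners/chart-of-accounts',
  clientId: 'example-client-id',
  clientSecret: 'example-client-secret',
  now: 1772571261 * 1000,
});
console.log(demo.baseString); // GET:/chart-of-accounts:1772571261:
console.log(demo.headers);
```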
Prerequisites Checklist
Before submitting the form, make sure you have:
- A clear understanding of your integration use case
- Reviewed the COUNT API documentation
- A callback/redirect URI ready for your OAuth flow
- An estimated timeline for your integration launch