
Reach API (1.0.3)

API specification for accessing financial data and reporting for financing companies. By implementing this specification, your API will serve as the data source for ReachApp, enabling all ReachSpec features with customizable configurations.

Reach pulls data from your API in two ways: on-demand sync (when a user clicks the sync button in ReachApp, Reach immediately calls your API endpoints to fetch the latest data) and nightly sync (Reach automatically performs scheduled data synchronization during off-hours to keep data current without interfering with customer workflows).

For authentication, OAuth 2.0 is used both for user sign-in and for API requests. Reach sends OAuth 2.0 access tokens in the Authorization: Bearer <token> header with every API request. Your API is responsible for validating these tokens and deciding whether to authenticate the request. Reach does not enforce authentication requirements - that decision is entirely up to your implementation.

Servers

  • Mock server: https://developer.reachreporting.com/_mock/openapi
  • http://localhost:{port}
  • API Base URL: https://{baseUrl}

Authentication

Endpoints for OAuth 2.0 authentication and authorization flows. We follow the OAuth 2.0 specification (RFC 6749).

High-Level Authentication Flow:

  1. Get Authorization Code: Users are redirected to your authorization endpoint (/oauth2/authorize) where they authenticate and grant access.
  2. Exchange for Tokens: Reach exchanges the authorization code for an access token and refresh token at your token endpoint (/oauth2/token).
  3. Token Lifetime: Access tokens have a limited lifetime specified by the expires_in field (in seconds) returned in the token response.
  4. Refresh Tokens: When an access token expires, Reach uses the refresh token to obtain a new access token without requiring user re-authentication.
  5. API Requests: Reach sends the access token in the Authorization: Bearer <token> header with every API request.
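
Added example (not part of the Reach specification or Reach's code): one way your API could validate the Bearer token from step 5 and enforce the expires_in lifetime from step 3. It assumes opaque random tokens tracked in a server-side table, since the spec does not fix a token format; issue_token, authorize_request and the in-memory store are hypothetical names, and status codes follow RFC 6750.

```python
import hashlib
import secrets
import time

# Assumption: opaque random tokens looked up server-side. Only a hash of each
# token is stored, so a leaked table does not yield usable tokens.
_TOKENS = {}  # sha256(token) -> {"expires_at": float, "scope": set of str}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(scope: str, expires_in: int, now=None) -> dict:
    """Create a token and return a body shaped like the token endpoint response."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_key(token)] = {"expires_at": now + expires_in,
                            "scope": set(scope.split())}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": expires_in, "scope": scope}


def authorize_request(headers: dict, required_scope: str, now=None):
    """Return (status, WWW-Authenticate value or None) for an incoming API call.

    `headers` is assumed to use the canonical "Authorization" key.
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # The scheme name is case-insensitive; the token must be one non-empty word.
    if scheme.lower() != "bearer" or not token or " " in token:
        return 401, "Bearer"
    entry = _TOKENS.get(_key(token))
    if entry is None or now >= entry["expires_at"]:
        return 401, 'Bearer error="invalid_token"'
    if required_scope not in entry["scope"]:
        return 403, 'Bearer error="insufficient_scope"'
    return 200, None
```

A 401 with invalid_token is the signal for the caller to use its refresh token, as in step 4.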

Client Credentials: The client ID and client secret provided to Reach are expected to not expire (at least for now).

Operations

Request

Retrieves OAuth 2.0 discovery document with authorization server configuration.

curl -i -X GET \
  https://developer.reachreporting.com/_mock/openapi/auth/oauth-discovery

Responses

Successful operation

Body: application/json

issuer: string

The issuer URL of the authorization server

Example: "https://reachreporting.com"

authorization_endpoint: string

The URL of the authorization endpoint

Example: "https://reachreporting.com/oauth2/authorize"

token_endpoint: string

The URL of the token endpoint

Example: "https://reachreporting.com/oauth2/token"

grant_types_supported: Array of strings

The OAuth 2.0 grant types supported by the authorization server

Example: ["authorization_code","refresh_token"]

response_types_supported: Array of strings

The response types supported by the authorization server

Example: ["code"]

scopes_supported: Array of strings

The OAuth 2.0 scopes supported by the authorization server

Example: ["openid","profile","email","phone","read:company"]

token_endpoint_auth_methods_supported: Array of strings

The client authentication methods supported by the token endpoint

Example: ["client_secret_post"]

Response (application/json):

{
  "issuer": "https://reachreporting.com",
  "authorization_endpoint": "https://reachreporting.com/oauth2/authorize",
  "token_endpoint": "https://reachreporting.com/oauth2/token",
  "grant_types_supported": [ "authorization_code", "refresh_token" ],
  "response_types_supported": [ "code" ],
  "scopes_supported": [ "openid", "profile", "email", "phone", "read:company" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_post" ]
}

Request

Initiates the OAuth authorization flow. This endpoint redirects the user to an authorization page where they can grant or deny access. After user interaction, they are redirected back to the client's redirect_uri with an authorization code in the URL parameters.

Query

response_type: string, required

The response type, must be "code" for authorization code flow

Value: "code"

client_id: string, required

The client identifier

redirect_uri: string (uri), required

The redirect URI where the authorization code will be sent

scope: string

Space-separated list of OAuth scopes.

  • openid: Required for OpenID Connect
  • profile: Access to user profile information
  • email: Access to user email address
  • phone: Access to user phone number
  • read:company: Access to company information

state: string

State parameter should be a JSON object stringified, then base64 encoded, then URI encoded. Contains any application-specific data.

curl -i -X GET \
  'https://developer.reachreporting.com/_mock/openapi/oauth2/authorize?response_type=code&client_id=string&redirect_uri=http%3A%2F%2Fexample.com&scope=string&state=string'

Responses

Successful authorization

Body: application/json

code: string

Authorization code

state: string

State parameter returned from request

Response (application/json):

{
  "code": "string",
  "state": "string"
}
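
Added example (not from the Reach specification or Reach's code): the state encoding described above, JSON-stringified, then base64-encoded, then URI-encoded, together with a strict decoder. The nonce field and the size cap are assumptions; the nonce illustrates the CSRF protection that RFC 6749 section 10.12 assigns to state, and all function names are hypothetical.

```python
import base64
import hmac
import json
from urllib.parse import quote, unquote

MAX_STATE_CHARS = 2048  # assumed cap; the spec states no limit


def encode_state(data: dict) -> str:
    """JSON-stringify, base64-encode, then URI-encode, in the order the spec gives."""
    raw = json.dumps(data, separators=(",", ":")).encode("utf-8")
    # safe="" makes quote() escape '+', '/' and '=', which standard base64 can emit
    # and which query-string parsers would otherwise alter ('+' becomes a space).
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_state(value: str) -> dict:
    """Reverse encode_state on the raw query value; ValueError unless a JSON object."""
    if len(value) > MAX_STATE_CHARS:
        raise ValueError("state too long")
    try:
        raw = base64.b64decode(unquote(value), validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        # ValueError covers bad base64, bad UTF-8 and bad JSON.
        raise ValueError("state is not base64-encoded JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("state must decode to a JSON object")
    return obj


def state_nonce_ok(returned_state: str, session_nonce: str) -> bool:
    """Client-side check on the redirect: the returned state must carry our nonce."""
    try:
        nonce = decode_state(returned_state).get("nonce")  # "nonce" is an assumed field
    except ValueError:
        return False
    return isinstance(nonce, str) and hmac.compare_digest(
        nonce.encode("utf-8"), session_nonce.encode("utf-8"))
```

An authorization endpoint implementing this spec returns state exactly as received; decoding is only needed by the side that created it.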

Request

Exchanges authorization code for access and refresh tokens.

Body: application/x-www-form-urlencoded (required)

grant_type: string, required

The grant type

Enum: "authorization_code", "refresh_token"

code: string

The authorization code received from the authorization endpoint (required when grant_type is authorization_code)

redirect_uri: string (uri)

The same redirect URI used in the authorization request (required when grant_type is authorization_code)

client_id: string, required

The client identifier

client_secret: string, required

The client secret

refresh_token: string

The refresh token (required when grant_type is refresh_token)

curl -i -X POST \
  https://developer.reachreporting.com/_mock/openapi/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d grant_type=authorization_code \
  -d code=string \
  -d redirect_uri=http://example.com \
  -d client_id=string \
  -d client_secret=string \
  -d refresh_token=string

Responses

Successful token exchange

Body: application/json

access_token: string

The access token

token_type: string

The token type

Value: "Bearer"

expires_in: integer

Token expiration time in seconds

scope: string

Space-separated list of granted OAuth scopes

refresh_token: string

Refresh token for obtaining new access tokens

Response (application/json):

{
  "access_token": "string",
  "token_type": "Bearer",
  "expires_in": 0,
  "scope": "string",
  "refresh_token": "string"
}
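
Added example (not Reach's implementation): a check your token endpoint could run on the form body before issuing tokens, covering the conditional parameters above, client_secret_post authentication, and single-use codes bound to the redirect_uri. The client id, secret, codes and function names are constructed for the example; error codes follow RFC 6749 section 5.2.

```python
import hmac
from urllib.parse import parse_qs

# Constructed sample data; real secrets and codes live in your own stores.
CLIENTS = {"reach-client": "example-secret"}
ISSUED_CODES = {  # code -> (client_id, redirect_uri) recorded at /oauth2/authorize
    "code-123": ("reach-client", "https://app.example/callback"),
    "code-456": ("reach-client", "https://app.example/callback"),
}
REQUIRED = {"authorization_code": ("code", "redirect_uri"),
            "refresh_token": ("refresh_token",)}


def _err(status: int, code: str):
    return status, {"error": code}


def check_token_request(body: str):
    """Return (200, validated fields) or (status, RFC 6749 error object)."""
    form = parse_qs(body, keep_blank_values=True)
    # RFC 6749 section 3.2: a parameter must not appear more than once.
    if any(len(values) > 1 for values in form.values()):
        return _err(400, "invalid_request")
    p = {k: v[0] for k, v in form.items() if v[0]}  # empty value counts as omitted
    if not all(name in p for name in ("client_id", "client_secret", "grant_type")):
        return _err(400, "invalid_request")
    expected = CLIENTS.get(p["client_id"], "")
    # compare_digest does not reveal how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), p["client_secret"].encode()):
        return _err(401, "invalid_client")
    if p["grant_type"] not in REQUIRED:
        return _err(400, "unsupported_grant_type")
    if any(name not in p for name in REQUIRED[p["grant_type"]]):
        return _err(400, "invalid_request")
    if p["grant_type"] == "authorization_code":
        # pop() makes the code single-use, even when the binding check fails.
        issued = ISSUED_CODES.pop(p["code"], None)
        if issued != (p["client_id"], p["redirect_uri"]):
            return _err(400, "invalid_grant")
    # Refresh-token lookup and token issuance would follow here (not shown).
    return 200, {"grant_type": p["grant_type"], "client_id": p["client_id"]}
```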

Request

Retrieves authenticated user information and list of accessible companies.

curl -i -X GET \
  https://developer.reachreporting.com/_mock/openapi/oauth2/user-info

Responses

Successful operation

Body: application/json

Id: string
Email: string
FirstName: string
LastName: string
CompanyDetails: Array of objects (CompanyDetails)

Response (application/json):

{
  "Id": "string",
  "Email": "string",
  "FirstName": "string",
  "LastName": "string",
  "CompanyDetails": [ { … } ]
}

Company Information

Endpoints for retrieving basic company information and metadata.

This data helps Reach identify and configure the company within the platform. The fiscal month end is particularly important as it determines how Reach aligns reporting periods and calculates year-to-date figures.


Reference Data

Endpoints for accessing reference data such as chart of accounts, budgets, classes, and departments.

Reference data defines the structure and organization of financial information:

  • Chart of Accounts: The list of all accounts used for recording transactions (e.g., Cash, Accounts Receivable, Revenue, Rent Expense). This forms the foundation of all financial reporting.
  • Budgets: Named budget scenarios that contain planned/forecasted figures. Customers may have multiple budgets (e.g., "2025 Operating Budget", "Conservative Forecast").
  • Classes: Segments used to categorize transactions across the business (e.g., by product line, project, or region). Not all companies use classes.
  • Departments: Organizational units for tracking income and expenses by team or function (e.g., Sales, Marketing, Engineering). Not all companies use departments.

Reach uses this reference data to structure reports and allow customers to filter and slice their financial data.


Metrics

Endpoints for retrieving non-financial metrics and operational KPIs.

Non-financial metrics are quantitative measures that aren't derived from the general ledger but are useful for business analysis. Examples include:

  • Headcount or FTE count
  • Units sold or produced
  • Customer count or subscriber count
  • Square footage or other capacity metrics
  • Any custom KPIs tracked in your system

These metrics can be used alongside financial data in Reach dashboards to calculate ratios (e.g., revenue per employee) or provide operational context.


Financial Statements

Endpoints for accessing financial statements including profit and loss, balance sheet, and cash flow statements.

These endpoints return the core financial data that powers Reach's reporting, forecasting, and analysis features:

  • Profit and Loss (P&L): Shows revenues, expenses, and net income over a period. Values represent activity during each month.
  • Balance Sheet: Shows assets, liabilities, and equity at a point in time. Values represent ending balances for each month.
  • Cash Flow Statement: Shows cash movements categorized by operating, investing, and financing activities. Values represent cash changes during each month.

All endpoints support optional filtering by budget, class, and department to enable segment-level reporting.


Usage

Endpoints provided by Reach for partners to view usage information. Partners do not need to implement these endpoints.

Use these endpoints to monitor adoption and understand how your customers are using the integration.
