Sage Intacct's API exclusively uses XML over HTTPS to a single endpoint: https://api.intacct.com/ia/xml/xmlgw.phtml — there is no REST/JSON API; all requests and responses are XML.
Construct an authentication XML block for every request containing 'login' with 'userid', 'companyid', and 'password', or use 'sessionid' auth after obtaining a session token via an initial authentication call.
To obtain a session ID (recommended for multi-call efficiency), send an XML request with the 'getAPISession' function in the 'authentication' block; extract the 'sessionid' from the response and use it in subsequent requests instead of password auth.
Each API request is wrapped in a standard XML envelope: '<request><control>...</control><operation><authentication>...</authentication><content><function controlid="...">...</function></content></operation></request>' — the 'controlid' is your idempotency key.
For multi-entity companies, include 'locationid' in the authentication block to specify which entity you are operating against; omitting it targets the top-level entity.
Read objects with the 'readByQuery' function (supports WHERE clause filtering) or the 'read' function (by key); create records with the 'create' function, which contains the object type and its fields as XML child elements.
Known gotchas
Every Sage Intacct API call requires either password credentials or a session token in the request body itself — there is no stateless bearer token model; applications that assume token-based stateless HTTP auth must be rearchitected to embed credentials or session tokens in each XML payload.
Session tokens expire after a period of inactivity (typically 30 minutes); long-running batch processes that pause between calls will receive session expired errors mid-batch — implement session renewal logic or use password auth for batch processes.
Sage Intacct's XML API has object-specific quirks: some objects use different function names than expected, field names are camelCase in some objects and UPPERCASE in others, and required vs. optional fields are inconsistently documented — always test with a minimal payload and add fields incrementally.
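Because a password or session token rides inside every XML payload (the envelope and the first gotcha above), a request body that is logged verbatim leaks it, and one built by string concatenation breaks on values containing `<` or `&`. The following is an added example, not code from the original page or from Sage Intacct: it builds the envelope with an XML library so values are escaped, and produces a redacted copy for logging. The helper names, the `<control>` field names and all sample values are constructed assumptions.

```python
import copy
import xml.etree.ElementTree as ET

# Element names whose text is a secret wherever they appear in the envelope.
SECRET_TAGS = {"password", "sessionid"}

def build_request(control, auth, function, controlid):
    """Build the <request> envelope in the layout the page describes.

    control  -- dict of <control> child fields (names supplied by the caller)
    auth     -- {"sessionid": ...} or {"userid", "companyid", "password"}
    function -- ET.Element placed inside <function controlid="...">
    """
    req = ET.Element("request")
    ctl = ET.SubElement(req, "control")
    for name, value in control.items():
        ET.SubElement(ctl, name).text = value
    op = ET.SubElement(req, "operation")
    authn = ET.SubElement(op, "authentication")
    if "sessionid" in auth:
        ET.SubElement(authn, "sessionid").text = auth["sessionid"]
    else:
        login = ET.SubElement(authn, "login")
        for name in ("userid", "companyid", "password"):
            ET.SubElement(login, name).text = auth[name]  # KeyError if missing
    content = ET.SubElement(op, "content")
    ET.SubElement(content, "function", controlid=controlid).append(function)
    return req

def serialize(req):
    """Bytes to POST; ElementTree escapes <, > and & in every text node."""
    return ET.tostring(req, encoding="utf-8")

def redact_for_log(req):
    """Return a log-safe string: secrets masked, structure kept, input untouched."""
    safe = copy.deepcopy(req)
    for el in safe.iter():
        if el.tag in SECRET_TAGS and el.text:
            el.text = "[REDACTED]"
    return ET.tostring(safe, encoding="unicode")

# Constructed sample values, not real credentials; control fields are assumed.
SAMPLE = build_request(
    control={"senderid": "example-sender", "password": "sender<&>pw"},
    auth={"userid": "svc_api", "companyid": "ExampleCo",
          "password": "p&ss</password>"},
    function=ET.Element("getAPISession"),
    controlid="3f1c-constructed-id",
)
```

Log only the output of `redact_for_log`, and apply the same masking to responses, since a session-creation response carries the `sessionid`.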