How to pull Intuit Business Credit Card data

Every charge on an Intuit Business Credit Card lands in two places at once: the cardholder's Intuit account, and — per the app's own description — automatically in their QuickBooks Online books. That second copy is convenient for the cardholder and a trap for anyone building a sync, because the same transaction now exists in two systems with two clocks. The card is issued by WebBank and runs on Mastercard, per the app description and Intuit's card page, so the account-side record is a real card ledger: posted and pending charges, statement cycles, per-cardholder spend, a cash-back accrual, and an available credit line. Reaching that ledger cleanly, under the account owner's authorization, is the job this page describes.

Bottom line: the richest, most complete view of this card is the authenticated account itself, not the downstream copy in the books. So for most clients we reconstruct the app's own session and read its endpoints, then offer a consent-based aggregation path for teams that want a flow which keeps working when the front end shifts. Both are below, with the trade-offs spelled out.

What the card account actually holds

These are the surfaces the app exposes to a signed-in cardholder, mapped to where they originate and what an integrator typically does with each.

Data domain	Where it comes from in the app	Granularity	What you'd do with it
Balance & available credit	"Review your balance" and "check your available credit line"	Account-level, near real-time	Utilization monitoring, treasury dashboards
Transactions	"Track all spending" and "see pending transactions"	Per charge, posted and pending, tagged to a cardholder	Expense sync, reconciliation, anomaly checks
Statements & billing	"Pay your bill" and AutoPay setup	Per billing cycle	Statement reconciliation, AP automation
Cardholders & limits	"Add cardholders" and spend controls	Per cardholder, with limit	Access audits, spend-policy enforcement
Rewards ledger	"Track rewards" — the 2% and 5% cash-back accrual the listing advertises	Accrual and statement-credit records	Rewards reconciliation, accrual reporting
Card controls state	Freeze / unfreeze and the Google Pay token	Per card	Fraud and lifecycle workflows

Authorized ways into the data

Three routes genuinely apply to this card. Each is described by what it reaches, how durable it is, and what we set up to run it. Access is arranged with you during onboarding — a consenting business account or a sandbox to build against — not something you have to clear before we start.

1. Protocol analysis of the authenticated session

We reconstruct the Intuit account login and its token chain, then map the JSON calls behind balance, transactions, statements, cardholders and rewards. This reaches the full account ledger, including pending charges the books-side copy doesn't carry yet. It is the most complete record. Durability is medium — a portal redesign can move endpoints, which is why we keep a change detector in the maintenance path so a redesign surfaces as a failing check rather than silent drift.

2. Consent-based aggregation

QuickBooks' own bank connections run through aggregators such as Plaid and Finicity, per Intuit's bank-connection docs, and the same consent-driven rails can surface this card's transaction feed under the cardholder's authorization. This route trades some field richness for stability: it survives front-end changes well and gives you a normalized transaction stream. We handle the consent capture, scope and refresh.

3. Native data paths

The portal offers statement and transaction export, and the card already mirrors every charge into QuickBooks Online. For a client already living in QuickBooks, reading the data where it lands in the books is a low-effort path — with the caveat that it lags the account and lacks pending detail. We treat it as a backfill and cross-check, not the live source.

What we'd actually recommend: for a business that wants its own service to read this card, build route 1, because the account endpoints carry the cleanest and most complete record — pending and posted charges, statement cycles, per-cardholder spend. Where a client wants a consent flow that shrugs off front-end churn, we add route 2 alongside it and reconcile the two against the QuickBooks copy.

What we hand back

Concrete artifacts, scoped to this card's surfaces:

An OpenAPI/Swagger spec covering the account's balance, transactions, statements, cardholders and rewards endpoints.
A protocol and auth-flow report: the Intuit account session, its OAuth-style token exchange, refresh behaviour, and the MFA/biometric gate the app uses.
Runnable source for the key reads — Python or Node.js — including pagination over the transaction feed and pending-to-posted reconciliation.
Automated tests against recorded fixtures, so a portal change shows up as a red test.
Interface documentation an engineer can hand to a teammate.
Compliance and data-retention guidance: consent records, logging, and how long card data is kept.

A worked read of the transactions feed

Illustrative shape — endpoint and field names are confirmed during the build against a consenting account. It pulls posted and pending charges for one account, handles a 401 with a token refresh, and pages through the cursor.

# Reads posted + pending charges for one Intuit Business Credit Card account.
import requests

BASE = "https://api.<intuit-card-host>/v1"   # resolved during protocol analysis

def fetch_transactions(session_token, account_id, cursor=None):
    headers = {
        "Authorization": f"Bearer {session_token}",   # from the Intuit account session
        "Accept": "application/json",
    }
    params = {"accountId": account_id, "status": "posted,pending", "limit": 100}
    if cursor:
        params["cursor"] = cursor

    r = requests.get(f"{BASE}/card/transactions",
                     headers=headers, params=params, timeout=30)
    if r.status_code == 401:
        session_token = refresh_session(session_token)   # token / MFA refresh
        return fetch_transactions(session_token, account_id, cursor)
    r.raise_for_status()

    body = r.json()
    for txn in body["transactions"]:
        yield {
            "id":         txn["id"],
            "posted_at":  txn.get("postedDate"),     # null while pending
            "merchant":   txn["merchant"]["name"],
            "amount":     txn["amount"]["value"],
            "currency":   txn["amount"]["currency"],
            "state":      txn["status"],             # pending | posted
            "cardholder": txn.get("cardholderId"),   # which employee charged it
            "mcc":        txn.get("mcc"),
        }

    if body.get("nextCursor"):
        yield from fetch_transactions(session_token, account_id, body["nextCursor"])

The state and cardholderId fields are the two that matter most here. Without them you can't tell a pending duplicate from a real charge, or one employee's spend from the account total.

Where teams put it to work

Expense-ledger sync. Pull posted and pending charges per cardholder on a schedule, normalize, and feed an internal expense system without waiting on the nightly QuickBooks mirror.
Utilization monitor. Read balance and available credit line, alert when utilization crosses a threshold you set, well before the statement closes.
Cardholder audit. Enumerate cardholders and their limits, reconcile against an HR roster, and flag a card that belongs to someone who has left.
Rewards check. Read the cash-back accrual and statement-credit records and reconcile them against the 2% and 5% categories the card advertises.

Because this card belongs to a business and its authorized cardholders, the dependable basis for reaching the data is the account owner's own consent — captured, scoped, time-bound, and logged, with revocation honoured. We work under that consent, minimize what we pull to the fields a use case needs, and keep records of who consented to what. NDAs are signed where a client wants them.

The CFPB's Section 1033 personal-financial-data-rights work is the forward-looking piece, not the present-day rule: enforcement has been enjoined and the rule is back with the agency for reconsideration, per the CFPB's own compliance page and reporting on the stay. We don't build against it as if it were settled, and consumer-data thresholds in that rulemaking don't govern a business-card build. It shapes where US data access may head; the cardholder's authorization is what makes the work lawful today.

Engineering notes for an Intuit card build

Two things about this specific card change how we scope the work, both handled on our side:

The account-cardholder-transaction hierarchy. A business account can carry several cardholders, each with a distinct limit and spend. We model that tree explicitly so a child cardholder's view is never mistaken for the account total, and so per-employee reporting is correct from the first sync.
The QuickBooks mirror. Charges flow into QuickBooks Online automatically, so a naive sync double-counts. We track which charges already mirrored and reconcile pending rows to their posted versions, so the integration adds what the books don't already have rather than duplicating it.
Session lifecycle. The Intuit account session uses token expiry behind an MFA and biometric gate. We design refresh and re-auth so the sync doesn't stall silently, and we arrange the test account or sandbox with you so the build runs against real session behaviour.

Cost, and how the work runs

Delivery on an Intuit card build runs one to two weeks once we have a consenting account or sandbox to work against. Source code is yours from $300, billed only after we deliver and you've confirmed it works — runnable reads for balance, transactions, statements, cardholders and rewards, plus the OpenAPI spec, the auth-flow report, the tests, and the interface docs. If you would rather not host anything, the same coverage is available as a pay-per-call hosted API with no upfront fee: you call our endpoints and pay only for the calls you make. Tell us the card and what you need from its data on the contact page and we'll scope it back to you.

What the app screens show

Store screenshots used while mapping the surfaces above. Tap to enlarge.

Intuit Business Credit Card app screen 1

Intuit Business Credit Card app screen 2

Intuit Business Credit Card app screen 3

Intuit Business Credit Card app screen 4

Intuit Business Credit Card app screen 5

Intuit Business Credit Card app screen 6

Intuit Business Credit Card app screen 7

Intuit Business Credit Card app screen 8

What we checked

Mapping done in June 2026 against the app's store listings, Intuit's card and bank-connection material, and current reporting on US data-rights rulemaking. Primary sources:

Reviewed June 2026 by OpenBanking Studio's integration desk.

Same category, neutral context — useful when a client wants one card normalized today and a wider spend stack unified later.

Brex — corporate cards and spend management; transactions, receipts and multi-entity spend sit behind an authenticated account.
Ramp — corporate card and expense platform; transaction-level spend, virtual cards and approval records are held server-side.
BILL Spend & Expense (formerly Divvy) — a credit line with budget controls; transaction and budget data live behind a login.
Rho — banking, corporate cards and treasury in one platform; balances and card spend held per entity.
Mercury — business banking with cards; balances, transactions and statements behind an authenticated account.
Bluevine — small-business checking and credit; balances, payments and transaction history server-side.
American Express Business — Blue Business Cash and Plus cards; statements, charges and rewards behind a card account.
Chase Ink Business — Ink cards; transactions, statements and rewards inside Chase's authenticated portal.
Capital One Spark — Spark business cards; spend, statements and rewards behind a login.
Relay — business banking built around QuickBooks and Xero; balances and transactions held per account and synced to the same books.

Questions integrators ask about this card

Can the integration separate one cardholder's spend from the whole account?

Yes. The card models an account that can carry several cardholders, each with its own limit, so we map the account-to-cardholder-to-transaction hierarchy and keep per-employee spend distinct from the account total.

How are pending transactions handled so a charge isn't counted twice?

Pending charges can change in amount or merchant before they post, so we reconcile each pending row to its posted version, and we track the charges that already mirrored into QuickBooks Online so the sync doesn't duplicate what the books received.

What authorizes reaching this card's data in the United States?

The account owner's own consent, captured and logged. The CFPB's Section 1033 personal-financial-data-rights work is still in flux, with enforcement enjoined and the rule back with the agency, so we treat it as where US rules may head rather than as settled law that authorizes the build.

Can you hand back a normalized feed our QuickBooks-linked tooling can read?

Yes. We normalize the card's transactions, statements, cardholders and rewards into one schema your books-side tooling can consume, delivered as runnable source or a hosted endpoint in one to two weeks.

Intuit Business Credit Card — app profile

The official Intuit Business Credit Card app lets a cardholder activate the card, set up the account, view balance and available credit, track posted and pending spend, pay the bill, turn on AutoPay from a linked bank account, add cardholders, and freeze or unfreeze the card. Biometric login is supported. The card can be added to Google Pay from within the app. Per the listing, every transaction mirrors into QuickBooks Online automatically, and the card advertises 2% cash back on purchases and 5% on Intuit software such as QuickBooks, TurboTax and Mailchimp, applied as statement credits. The card is issued by WebBank and runs on Mastercard. The Android package id is com.intuit.iccsmb, per its Google Play listing; it is also listed on the App Store. App names, marks and the rewards terms above are as the vendor states them.

Mapping reviewed 2026-06-15.