Date: 2026-04-29 Product: Moss (getmoss.com) -- Spend Management Platform by Nufin GmbH, Berlin Purpose: Evaluate Moss's API capabilities for Orcha integration
Moss is NOT an ERP or accounting system. It is a spend management platform that handles:
Moss sits upstream of the ERP -- it captures, codes, and approves expenses, then exports the pre-accounted data to the customer's actual accounting/ERP system (DATEV, SAP, NetSuite, Business Central, etc.).
Implication for Orcha: Moss is not a target system where Orcha would push invoices into. Rather, Moss is a competing or complementary system to parts of what Orcha does (invoice capture, OCR, pre-accounting). The integration question is: can Orcha read data from Moss, or does it make sense for Orcha to sit alongside Moss in a customer's workflow?
| Capability | Public API | Via SFTP | Via DATEV | Via CSV | Verdict |
|---|---|---|---|---|---|
| Read expenses (cards, invoices, reimbursements) | YES (GET /v1/expenses) |
YES (scheduled) | N/A | YES | Available now |
| Read suppliers | YES (mentioned in docs) | N/A | N/A | N/A | Available now |
| Read users | YES (mentioned in docs) | N/A | N/A | N/A | Available now |
| Read accounting dimensions | YES (mentioned in docs) | N/A | N/A | N/A | Available now |
| Read bank accounts | YES (mentioned in docs) | N/A | N/A | N/A | Available now |
| Write/create expenses | YES (POST /v1/expenses) |
N/A | N/A | N/A | Available now (scope: write) |
| Update expenses | YES (PATCH /v1/expenses) |
N/A | N/A | N/A | Available now (scope: write) |
| Push invoices into Moss | Email inbox / Upload | N/A | N/A | N/A | UI/email only -- not via API |
| Export to ERP/accounting | Native integrations | YES | YES (official partner) | YES (custom templates) | Available now |
| Webhooks | Mentioned on apitracker | N/A | N/A | N/A | Uncertain -- needs verification |
| Trigger/manage approvals | NOT via API | N/A | N/A | N/A | Not available |
Overall assessment: Moss has a REST API focused on reading and updating expense data with accounting attributes. It is primarily an export-oriented platform (Moss -> ERP). The API does not appear to support pushing invoices into Moss programmatically -- invoices enter via email inbox or UI upload. For Orcha, Moss is more of a peer system than a target ERP.
| API | Base URL | Purpose |
|---|---|---|
| Moss Public API v1 | https://public-api.getmoss.com/v1/ |
Core API: expenses, suppliers, users, dimensions, bank accounts |
| Developer Portal | https://developers.getmoss.com/ |
Documentation hub |
| API version | v1 (current: 1.17.3) | Backward-compatible evolution |
| Method | Details |
|---|---|
| OAuth 2.0 Client Credentials | Primary method |
| Token endpoint | POST {server_url}/oauth2/token with grant_type=client_credentials |
| Credentials | Key ID (kid_...) + Secret Key (sk_...) generated by admin in Settings |
| Token format | JWT with embedded user/scope info |
| Token lifetime | 3600 seconds (1 hour) |
| Scope | Access | Rate Limit |
|---|---|---|
| read | GET endpoints only | 180 requests/minute |
| write | GET + POST + PATCH | 20 requests/minute |
Rate limit headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Scope. HTTP 429 with Retry-After on exceeded.
| Resource | Endpoint | Methods | Description |
|---|---|---|---|
| Expenses | /v1/expenses |
GET, POST, PATCH | Card transactions, invoices, reimbursements with accounting attributes |
| Suppliers | /v1/suppliers (inferred) |
GET | Supplier directory |
| Users | /v1/users (inferred) |
GET | User management |
| Accounting Dimensions | /v1/dimensions (inferred) |
GET | Cost centers, departments, custom dimensions |
| Bank Accounts | /v1/bank-accounts (inferred) |
GET | Bank account information |
Note: The developer portal explicitly mentions these resources but only /v1/expenses is shown as a concrete URL. The exact paths for other resources need to be confirmed from the full API reference (which appears to require developer portal access). The apitracker.io listing also mentions "webhooks management API" but this is unconfirmed.
Offset-based: page and page_size parameters. Response metadata includes totalPages, totalItems, hasMore.
RFC 9457 Problem Details: type, title, detail, pointer, status, instance.
Confidence: MEDIUM -- Write operations exist but are limited in scope.
| Operation | Method | Available? | Notes |
|---|---|---|---|
| Create expense records | POST | YES | Via write scope (20 req/min) |
| Update expense records | PATCH | YES | Partial updates |
| Upload invoice to Moss | POST | UNCERTAIN | Not documented in public API overview; invoices enter via email/upload UI |
| Create suppliers | POST | UNCERTAIN | Not confirmed in documentation |
| Create dimensions | POST | UNCERTAIN | Not confirmed in documentation |
| Trigger approval | N/A | NO | Not exposed via API |
| Execute payment | N/A | NO | Not exposed via API |
Key finding: The API appears designed primarily for reading expense data and updating accounting attributes (cost centers, account codes, tax rates) on existing records, then exporting. It is NOT designed as an inbound invoice-push API.
| Platform | Moss Connector? | Notes |
|---|---|---|
| Celigo | NO | Not found in marketplace |
| Workato | NO | Not listed |
| Zapier | NO | No native connector |
| Make.com | NO | Not listed |
| n8n | NO | No native or community node |
| Chift | NO | Not in unified API |
No iPaaS connectors exist for Moss. Moss's integration strategy is built around native connectors to specific ERPs (DATEV, NetSuite, Business Central, SAP Business One, Xero, etc.) and CSV/SFTP exports.
Moss has built-in connectors for:
| ERP/Accounting | Connection Type | Sync Direction |
|---|---|---|
| DATEV | API (official partner) | Bidirectional |
| Oracle NetSuite | API | Bidirectional |
| Xero | API | Bidirectional |
| Exact Online | API | Bidirectional |
| AFAS Profit | API | Bidirectional |
| Microsoft Business Central | API | Bidirectional |
| SAP Business One | API | Bidirectional |
| Poool | API | Bidirectional |
| QuickBooks Online | API | Bidirectional |
| Exact Globe | API | Bidirectional |
| Addison | CSV | Export |
| BMD | CSV | Export |
| Diamant | CSV | Export |
| Lexware | CSV | Export |
| Sage 50/200 | CSV | Export |
| SAP R3/ECC | CSV | Export |
| Sesam | CSV | Export |
| Twinfield | CSV | Export |
Moss connects to 30+ HR systems for user management sync (Workday, SAP SuccessFactors, BambooHR, Personio, etc.).
| Question | Answer |
|---|---|
| Is API included in base subscription? | Unclear -- not explicitly stated. API keys created in Settings by admins |
| Separate API module/license? | No separate API license mentioned. Likely part of paid plans |
| Per-API-call costs? | None documented |
| Which plans include API? | Paid plans (free plan limited to 3 users/20 invoices) |
| ERP add-on needed? | Yes, for advanced ERP integrations (e.g., DATEV Rechnungswesen 2-way sync) |
| Component | Details |
|---|---|
| Free plan | Up to 3 users, unlimited cards, up to 20 invoices/month, basic approval flows |
| Paid plans | Unlimited users & cards, advanced approval flows, accounting integrations |
| Pricing model | Single platform fee + variable fee based on transaction volume |
| No per-user charges | Flat fee regardless of user count |
| Modules | Corporate Cards, Employee Reimbursements, Accounts Payable |
| Add-ons | Advanced Controlling, Procurement, ERP, AI-Powered Accounting |
| Estimated cost | ~USD 6,000-9,000/year (avg. ~USD 7,400/year based on third-party data) |
read (180 req/min) or write (20 req/min)Moss and Orcha have overlapping functionality in the AP workflow:
| Capability | Moss | Orcha |
|---|---|---|
| Invoice capture (OCR) | YES (AI-powered) | YES (core product) |
| Invoice data extraction | YES | YES (core product) |
| Pre-accounting (account coding) | YES (AI-powered) | YES (core product) |
| Cost center assignment | YES | YES |
| Approval workflows | YES (multi-step) | Depends on customer |
| Payment processing | YES (SEPA, international) | NO |
| Corporate cards | YES | NO |
| Employee reimbursements | YES | NO |
| Push to ERP | YES (native connectors) | YES (via integration) |
Scenario A: Orcha reads from Moss API (Export Orcha-processed data into Moss)
Scenario B: Orcha replaces Moss for invoice processing
Scenario C: Orcha and Moss coexist, both push to ERP
Scenario D: Orcha reads expense data from Moss for analytics/reconciliation
| Orcha Need | Moss Support | Endpoint(s) | Confidence | Notes |
|---|---|---|---|---|
| Sync chart of accounts | PARTIAL | Dimensions endpoint (read) | MEDIUM | Moss syncs FROM ERP, not the source of truth |
| Sync cost centers/dimensions | YES (read) | /v1/dimensions (inferred) |
MEDIUM | Dimensions configured in Moss or synced from ERP |
| Sync contacts/suppliers | YES (read) | /v1/suppliers (inferred) |
MEDIUM | Supplier directory |
| Push incoming invoices | NO | N/A | HIGH | Invoices enter via email/upload only, not API |
| Push outgoing invoices | N/A | N/A | N/A | Not Moss's domain |
| Attach documents | NO | N/A | HIGH | Not exposed in API |
| Manage approvals | NO | N/A | HIGH | Not exposed in API |
| Track status changes | PARTIAL | /v1/expenses (polling) |
MEDIUM | Can read expense status but no webhooks confirmed |
| Read expense data | YES | /v1/expenses |
HIGH | Core API capability |
| Write accounting attributes | YES | PATCH /v1/expenses |
HIGH | Update cost centers, accounts, tax rates |
Unlike traditional ERPs (SAP, NetSuite, DATEV, Scopevisio), Moss is a spend management tool that competes with rather than receives data from Orcha's invoice processing pipeline.
Customer uses Moss for cards/reimbursements + Orcha for AP: Both push independently to ERP. No Moss API integration needed -- just coordinate with the customer's ERP.
Customer wants Orcha to enrich Moss expense data: Use Moss API read scope to pull expenses, enrich with Orcha's extraction data, then PATCH back accounting attributes. This is a niche use case.
Analytics/reconciliation: Pull Moss expense data into Orcha's reporting for a unified spend view.
| Approach | Cost | Complexity | Value | Verdict |
|---|---|---|---|---|
| Direct REST API (read expenses) | EUR 0 | Low | Low-Medium | Only if customer needs unified spend view |
| SFTP (read Moss exports) | EUR 0 | Low | Low | Simpler than API for batch reads |
| No integration (coexist independently) | EUR 0 | None | N/A | Most likely scenario |
| Orcha replaces Moss AP module | N/A | N/A | High | Customer decision, not an integration task |
For most customers using both Moss and Orcha: no integration is needed. Orcha should focus on pushing data to the customer's actual ERP/accounting system (which Moss also connects to). The two tools coexist at the same layer of the stack.
If a specific customer requests Moss integration, the API read scope provides clean access to expense data for analytics or reconciliation purposes.
Context: Supplementary research for a German defense-sector customer who currently uses Pleo (cards), DATEV (accounting) and Orcha (AP). They want to replace Pleo. Updated priorities: (1) employee credit cards must be excellent, (2) good mobile receipt-capture app, (3) strong read+write API for Orcha, (4) prefers NOT prepaid — wants a charge card / credit line, not a pre-funded wallet. Methodology and table format follow the Qonto-vs-Pleo master assessment (§1).
| Dimension | Finding |
|---|---|
| Prohibited-business / AUP exclusion | The current German T&C carries NO defense/arms exclusion. Nufin GmbH T&C v11.0 (INT-de, 1 Jan 2025) and v10.1 (EEA-de, 1 Sep 2024) contain only generic clauses: services for "internal business purposes" only (§9.1), no illegal/fraudulent activity (§21.1), and sanctions/embargo compliance — UN, EU, Germany, UK, US (§21.2). No industry list naming arms, weapons, military or defense. Caveat: the older UK T&C (Nufin v2.4, Dec 2022, issued via PayrNet/Transact Payments) explicitly listed "arms trading" among prohibited activities (§3.2). That clause was dropped when Moss moved to its own BaFin licence. So Moss had an arms exclusion historically; the current German contract does not. Silence is not written permission — onboarding is still discretionary under KYB + Mastercard scheme rules. |
| Data residency | Strong. Customer data hosted exclusively in the EU on Google Cloud Platform, sole processing region Frankfurt, Germany. "Developed and hosted in Germany." Best-in-class of the vendors assessed (better than Qonto's AWS Paris, better than Pleo's unspecified "EEA"). |
| Security certifications | ISO/IEC 27001:2022 certified — platform-wide (not scoped to e-invoicing like Qonto's). DORA-compliant. BaFin-regulated e-money institution. No SOC 2, no BSI C5 found. PCI-DSS not stated on the security page but is implicit for a direct Mastercard issuer. |
| Licence holder / card issuer / BIN | Moss GmbH itself holds a BaFin e-money licence and is a direct Mastercard principal member — it issues its own card BIN. No third-party BIN sponsor in the German setup (unlike the legacy Transact Payments Malta arrangement, migrated away from July 2024). Funds safeguarded in escrow at Deutsche Bank. This removes the "stacked third-party issuer policy" risk. Relevant tailwind: Deutsche Bank has publicly and aggressively expanded into defense financing in 2025 (dedicated deals team, EIB defense-SME liquidity partnership, backing the proposed Defence Security & Resilience Bank) — so the safeguarding bank is defense-friendly. |
| Verdict | AMBER. No written exclusion in the current German contract, German data residency, platform-wide ISO 27001, own BaFin licence, defense-friendly safeguarding bank. Better posture than Qonto (RED for arms) and arguably cleaner than Pleo (whose AUP is fully opaque). Not GREEN because: (a) the historical UK arms exclusion shows Moss's risk appetite can swing, (b) onboarding remains discretionary, (c) no BSI C5. Recommend written pre-clearance from Moss compliance before committing — same gate as every other vendor. |
Moss is the most directly competitive vendor in the researched set — more so than Qonto or Pleo.
The original conclusion holds, with nuance. The public API is actively developed — changelog shows 33 releases between v1.0.0 (9 Feb 2026) and v1.18.0 (13 May 2026). That cadence is the real change since the original doc: this is no longer a static minimal API.
| Orcha need | READ | WRITE | Notes |
|---|---|---|---|
| Expenses (card txns, invoices, reimbursements) | YES GET /v1/expenses |
YES POST / PATCH |
Write scope = create + update accounting attributes. 20 req/min. |
| Suppliers | YES | YES — create + update (added 2026) | New since original doc. |
| Dimensions / dimension items | YES | YES — create + update (added 2026) | New since original doc. |
| Bank accounts + balances | YES (incl. balances) | NO | New balance + bank-transaction-search endpoints added 2026. |
| Departments / teams | YES | NO | New read endpoints 2026. |
| Payment terms | YES | NO | New 2026. |
| Expense files / attachments | YES — find + download files | NO upload | Can pull receipt files out; cannot push invoice PDFs in. |
| Cards | NO endpoint | NO | No card-management API — issuing/limits not API-accessible. |
| Invoice ingestion | NO | NO | Invoices still enter only via email inbox / UI upload. |
| Webhooks | Not in changelog — still unconfirmed/absent | — | No real-time push; polling only. |
Net: Moss has meaningfully expanded write coverage on reference data (suppliers, dimensions) — Orcha can now sync those bidirectionally. But the two things Orcha would most want are still missing: no invoice/attachment upload (can't push invoices into Moss via API) and no card API. Read side is solid; write side is limited to expense accounting attributes + reference data. No webhooks. Verdict vs the customer's "very good read+write API" priority: partial — better than the original doc implied, still short of full read/write CRUD, and notably weaker than Qonto's API.
Funding model — directly addresses the customer's "not prepaid" priority:
Cards & mobile app UX — per G2 / Capterra / Trustpilot reviews: