Qonto API Integration Research

Date: 2026-05-13 Product: Qonto (qonto.com) -- Pan-European neobank for SMBs, Paris (FR/DE/IT/ES/AT/BE/PT/NL) Purpose: Evaluate Qonto's API capabilities for Orcha integration -- specifically for a German customer evaluating Qonto as a Pleo alternative for employee credit cards while continuing to use Orcha for AP invoices and DATEV for accounting.

Important Context: What Qonto Actually Is

Qonto is NOT a spend management platform in the Pleo / Payhawk / Moss / Spendesk sense -- it is a licensed neobank (French EMI / payment institution, passported across the EU) that ships expense-management tooling on top of its core current-account product. The category positioning is fundamentally different from Pleo:

Layer	Pleo / Payhawk / Moss / Spendesk	Qonto
Core product	Spend management (cards bolted onto an external sponsor bank's BIN)	Business bank account (own BIN, IBANs, SEPA membership, deposit holding)
Cards	Pre-funded or credit-line cards, debit-against-customer-deposit	Mastercard debit + prepaid issued by Qonto itself
Revenue model	SaaS subscription + interchange	Banking subscription + interchange + FX + transfer fees
Receipt + expense workflow	Core product	Add-on / included in higher tiers
Approvals / mileage / per-diem	Core product	Available, but via "Expense & Spend Management" add-on
AP invoice processing	Core product (Bill Payments / Inbox)	Supplier Invoices module exists; less mature than dedicated tools

Qonto handles:

Business bank accounts with local IBANs (FR / DE / IT / ES / AT / BE / NL / PT)
Mastercard debit & prepaid cards (physical + virtual + flash one-time virtuals)
SEPA / SEPA Instant / SWIFT / international transfers
SEPA Direct Debit collections + mandates
Light expense management (receipt capture, expense reimbursements, mileage -- in higher tiers / add-on)
Light supplier invoice intake (Supplier Invoices module)
Client invoicing + quotes + credit notes (outgoing AR)
Payment terminals
Onboarding-as-a-service (Onboarding API)
Banking-as-a-service ("Qonto Embed") for partner platforms

Implication for Orcha: Qonto is a different beast than Pleo. The integration question shifts from "can we get clean expense data with full coding?" to "can we get clean card-transaction data with bank-grade fidelity, plus whatever pre-coding the customer has done in Qonto?" The customer is replacing Pleo (a spend platform) with Qonto (a bank), and accepting that some pre-accounting depth (rich approval workflows, AI category coding, mileage automation) downgrades unless they buy the Expense & Spend Management add-on. The DATEV story is what makes this an interesting move: Qonto's DATEV depth is genuinely strong because Qonto is a bank (DATEV RZ-Bankinfo, Belegbilderservice, Rechnungsdatenservice 1.0 are bank-native integrations).

1. Summary -- Capability Matrix

Capability	Public API	Via Zapier	Via Make	Via DATEV	Via CSV	Verdict
Read card transactions (real-time)	YES (webhook `transactions.created/updated` + `GET /v2/transactions`)	YES (trigger)	YES (trigger)	YES (RZ-Bankinfo daily)	YES	Available now -- real-time
Read all bank-account transactions (transfers, SDD, income, card all in one feed)	YES	YES	YES	YES	YES	Available now
Filter card-only transactions	YES (`operation_type=card`)	YES	YES	YES	YES	Available now
Read card metadata (last-4, virtual/physical, holder, limits)	YES (`GET /v2/cards` + webhook payload)	NO	NO	NO	NO	Available now
Real-time card lifecycle webhooks (created/locked/expired/etc.)	YES (10 events)	NO	NO	NO	NO	Available now
Read receipts/attachments attached to transactions	YES (`GET /v2/transactions/{id}/attachments`)	YES (trigger on update)	YES (get attachment)	YES (Belegbilderservice to DUO)	NO	Available now
Upload receipts/attachments to transactions	YES (`POST /v2/transactions/{id}/attachments`, multipart)	YES (action)	YES (action)	N/A	N/A	Available now
Read supplier invoices	YES (`GET /v2/supplier_invoices`)	NO	NO	N/A	N/A	Available now
Push/create supplier invoices	YES (`POST /v2/supplier_invoices/bulk`, multipart with PDF)	NO	NO	N/A	N/A	Available now
Read VAT / labels on transactions	YES (`includes[]=labels,vat_details`)	YES (label/VAT update triggers)	NO	YES	YES	Available now
Read employees / memberships	YES (`GET /v2/memberships`)	NO	NO	N/A	N/A	Available now
Write reference data (chart of accounts / cost centers / tax codes)	NO (no such concept in Qonto's data model)	NO	NO	YES (one-way DATEV side)	NO	Not applicable -- bank, not ERP
Read/write labels (Qonto's tag system)	Labels are read-only via Business API (`GET /v2/labels`); write via UI	NO	YES (read)	N/A	N/A	Read-only via API
Trigger approvals (expense / transfer / card requests)	YES (`request_review.write` scope: approve/decline)	NO	NO	N/A	N/A	Available now (OAuth-only)
Webhooks (event notifications)	YES (11 webhook categories: accounts, beneficiaries, cards, client_invoices, consent_revocations, memberships, organizations, payment_links, sepa_direct_debit, terminal_payments, transactions)	N/A	N/A	N/A	N/A	Available now -- HMAC-SHA256 signed, ~10 retries over 2 days

Overall assessment: Qonto has the most operationally-relevant API of any vendor researched so far for the specific Orcha use case of "read card-transaction data into our spend analytics." Three structural advantages over Pleo:

It's a bank, so transaction events are first-class -- the transactions.created webhook fires when the bank books the transaction (settle / pending-card-auth), not when a user reviews an expense in an app. No monthly-export-job gating.
API is available on all paid plans (Basic and above, from EUR 9/mo) -- no Advanced-tier gate like Pleo. Even the entry-level sole-trader Basic plan can issue API keys.
DATEV depth is genuinely deeper than any spend-management tool because Qonto is the bank, so RZ-Bankinfo (DATEV's bank-data collective service), Belegbilderservice, and Rechnungsdatenservice 1.0 are all native and bidirectional with DATEV Unternehmen Online and tax-advisor systems.

Three caveats:

Qonto is banking-first -- AI-powered expense pre-coding, dedicated approval workflows, mileage automation, and per-diem are weaker / add-on than Pleo/Payhawk. The customer needs to accept this trade-off.
Reference-data write parity is N/A -- Qonto has no chart of accounts or tax-code concept; "labels" are the only tagging primitive and are read-only via the public API. Orcha cannot sync CoA into Qonto because Qonto doesn't model CoA. This is a non-issue because DATEV does the heavy lifting anyway.
OAuth approval for sensitive scopes can take several days -- if Orcha integrates as an OAuth app for any payment-write or organisation-read scope, sensitive-scope justification is required during app registration.

2. API Landscape

API Surfaces

API	Base URL	Purpose
Business API	Prod: `https://thirdparty.qonto.com/v2` Sandbox: `https://thirdparty-sandbox.staging.qonto.co/v2`	Main API: accounts, transactions, cards, transfers, supplier invoices, client invoices, attachments, webhooks
Onboarding API	(separate; same `thirdparty.qonto.com` host with different paths)	Company onboarding / KYB / registration flow for embedded partners
Embed SDK	JS SDK on top of Business API	White-label UI components (cards, transfer flow, transaction list) for partner platforms; revenue-share model, sales-led
OAuth Authorization Server	`https://oauth.qonto.com/oauth2/auth` (auth) `https://oauth.qonto.com/oauth2/token` (token)	OAuth 2.0 authorisation code flow
Developer Portal	`developers.qonto.com` (gated SPA) and `docs.qonto.com` (public reference)	App registration, API key management, documentation
OpenAPI specs	`openapi.yml` / `openapi_v2.yml` (Business API), `onboarding_api.yml` -- linked from docs portal	Machine-readable specs
Postman collection	`postman.com/qontoteam/qonto-public-api/overview`	Public collection incl. OAuth 2.0 flow
Documentation index	`docs.qonto.com/llms.txt`	Full sitemap of the public documentation

Authentication

Qonto supports two authentication methods: API Key (per-organisation, primary for own-org integrations) and OAuth 2.0 (delegated, for third-party apps reaching multiple Qonto orgs). Most endpoints accept either; a subset (the sensitive ones) is OAuth-only.

Method	Detail
API Key	Per-organisation. Generated in Qonto web app: Integrations and Partnerships > API key > Generate. Header format: `Authorization: <login>:<secret-key>` -- a plain colon-concatenation, not Base64 Basic Auth. Static long-lived credential -- treat as production secret. Same key works against sandbox or prod depending on which web app you generate it in.
OAuth 2.0	Authorisation Code flow. Auth URL `https://oauth.qonto.com/oauth2/auth`, token URL `https://oauth.qonto.com/oauth2/token`. Bearer access tokens (1 hour TTL), refresh tokens (90 days, single-use, rotated on each refresh). Must include `offline_access` scope to receive a refresh token. CSRF `state` parameter recommended. Sensitive scopes require regulatory classification (AIS/PIS) + written justification at app registration; approval can take several days.
PSD2 QSeal certificate	Required only for third-party providers (TPPs) acting under AIS/PIS regulatory cover -- i.e. operating without a Qonto-issued OAuth client and accessing customer accounts under PSD2 statutory rights. Most integrators (including Orcha for a single-org customer use case) do NOT need this -- they use the API Key or OAuth flow as a registered Qonto developer.

Implication for the customer scenario: the customer can issue an API key from their own Qonto admin, hand it to Orcha (or to themselves via Orcha's connection wizard), and Orcha gets full read of transactions + cards + attachments + supplier-invoice push. No OAuth app registration needed, no PSD2 license needed. This is dramatically simpler than Pleo's OAuth client-credentials + scope-per-resource setup.

Rate Limits

1,000 requests per 10 seconds
10,000 requests per 10 minutes
Applied per-IP (not per-key) -- relevant for multi-customer deployments behind a shared egress
Returns HTTP 429 on exceed
Additional throttle: more than 200 requests with HTTP 401 within 1 hour also throttled (anti-brute-force)
Pagination limit: search_limit_reached HTTP 422 when results exceed 10,000 records without sufficient filters

For comparison:

Pleo: 600/min = 10/s
Payhawk: 15/s
Qonto: 100/s (1000/10s) sustained, with a 10000/10min ceiling

Qonto is roughly 7-10x more permissive on the per-second budget than Payhawk and Pleo. This matters for initial bulk sync of historical transactions on a multi-year account.

Idempotency

Qonto supports idempotent requests via the X-Qonto-Idempotency-Key header (client-generated unique value). Server caches the response and returns the cached response for duplicates, even if the body differs -- standard idempotency pattern. Used heavily on transfer creation and supplier invoice creation to avoid double-posting on retry.

API Categories (Business API)

Per the public docs index (docs.qonto.com/llms.txt):

Category	Read	Write	Notes
Organisation & Bank Accounts	`GET /v2/organization`, `GET /v2/bank_accounts`, `GET /v2/bank_accounts/{id}`	Create / update / close bank accounts	Multi-account orgs supported
Memberships	List, retrieve, get authenticated member	Create (invite)	Employees / cardholders
Teams	List	Create	For team-based card limits / permissions
Labels	List, retrieve	No public write	Read-only tag system
Transactions	`GET /v2/transactions` (filterable), `GET /v2/transactions/{id}`	N/A	Includes `card_last_digits`, FX, labels, attachments, VAT
Statements	`GET /v2/statements`	N/A	Monthly PDF statements
Cards	`GET /v2/cards`, `GET /v2/cards/{id}` (beta)	Create, update limits/options/restrictions, lock/unlock, discard, bulk create, retrieve iframe URL for PAN display, report lost/stolen	`card.read` / `card.write` scopes
SEPA Transfers	List, retrieve	Create single, bulk (up to 400), recurring, cancel	Standard write API
SEPA Beneficiaries	List	Add, trust/untrust, update	VOP (Verification of Payee) supported
Internal Transfers	--	Create (between own accounts)
External Transfers	--	Create for trusted beneficiary, create-with-new-beneficiary
International Transfers	List, retrieve, quote, eligibility, requirements, currency availability	Create transfer, manage beneficiaries	Multi-currency
SEPA Direct Debit	List collections, mandates, subscriptions	Create mandate, subscription	Both inbound (you collect from customers) and outbound (someone debits you)
Payment Links	List, retrieve, payments	Create, deactivate, manage provider connections	Stripe-like outgoing-payment-link product
Client Invoices, Quotes, Credit Notes	Full CRUD	Create, update, finalise, send email/e-invoice, mark paid, delete, cancel	AR side (outgoing invoices)
Supplier Invoices	List, retrieve	Create (bulk, multipart with PDF), mark paid, unmark paid, reject	AP side (incoming invoices) -- this is the only place where Orcha could theoretically push something into Qonto
Products	List, retrieve	Create, delete	For invoicing
Insurance Contracts	Retrieve	Create, update, manage documents
Attachments (transaction-level)	`GET /v2/transactions/{id}/attachments` (list), `GET /v2/attachments/{id}` (show), `POST /v2/transactions/{id}/attachments` (upload), `DELETE` (remove single/all)	YES	Multipart, JPEG/PNG/PDF, processed async (not visible immediately)
Attachments (standalone)	Upload, retrieve	YES	For attaching to invoices / transfers above EUR 30k
Expense Requests	List	Approve, decline, create card requests (flash, virtual), create multi-transfer requests	OAuth scopes: `request_review.write`, `request_transfers.write`, `request_cards.write`
Webhooks	List, retrieve, get supported events	Create, update, delete subscriptions	11 webhook categories
Terminals	List terminal payments, retrieve	Create terminal payments	Card-present payments via Qonto terminal
E-invoicing / Factur-X	Retrieve settings; download in Factur-X format	--	Compliance feature
IBAN Certificate	Download	--	For sharing account proof

Versioning & Deprecation

API is on v2. Public deprecation notice: legacy /v1 organisation endpoints are sunset on September 15, 2026 -- migrate to the new memberships + organisations split. Active integrations should be on /v2.

3. Write Capability Verification

Confidence: HIGH. Qonto's write surface is genuinely broad -- but it is bank-shaped, not ERP-shaped. There are no chart-of-accounts, cost-center, or tax-code resources to write because Qonto doesn't model those concepts. What Qonto does expose for write is:

Confirmed Write Endpoints

Operation	Method + Path	OAuth Scope	Confidence	Source
Create SEPA transfer	`POST /v2/sepa/transfers`	`payment.write`	HIGH	docs
Bulk-create SEPA transfers	`POST /v2/sepa/bulk_transfers` (up to 400)	`payment.write`	HIGH	docs
Create recurring SEPA transfer	`POST /v2/sepa/recurring_transfers`	`payment.write`	HIGH	docs
Cancel SEPA transfer	`POST /v2/sepa/transfers/{id}/cancel`	`payment.write`	HIGH	docs
Create internal transfer	`POST /v2/internal_transfers`	`internal_transfer.write`	HIGH	docs
Create external transfer	`POST /v2/external_transfers` (+ `/checkout`)	`payment.write`	HIGH	docs
Create international transfer	`POST /v2/international_transfers`	`international_transfer.write`	HIGH	docs
Add SEPA beneficiary	`POST /v2/beneficiaries/sepa`	`payment.write`	HIGH	docs
Trust SEPA beneficiary	`POST /v2/beneficiaries/sepa/trust`	`payment.write`	HIGH	docs
Update SEPA beneficiary	`PUT /v2/beneficiaries/sepa/{id}`	`payment.write`	HIGH	docs
Create card (virtual / flash / physical)	`POST /v2/cards`	`card.write`	HIGH	docs
Update card limits / options / restrictions / nickname	`PUT /v2/cards/{id}/...`	`card.write`	HIGH	docs
Lock / unlock card	`PUT /v2/cards/{id}/lock` / `unlock`	`card.write`	HIGH	docs
Discard card	`PUT /v2/cards/{id}/discard`	`card.write`	HIGH	docs
Bulk-create cards	`POST /v2/cards/bulk`	`card.write`	HIGH	docs
Report card lost/stolen	(dedicated endpoint)	`card.write`	HIGH	docs
Upload attachment to transaction	`POST /v2/transactions/{id}/attachments` (multipart, JPEG/PNG/PDF)	`attachment.write`	HIGH	docs + blog post + Zapier "Add Attachment" action confirms
Remove attachment from transaction	`DELETE /v2/transactions/{id}/attachments/{aid}`	`attachment.write`	HIGH	docs
Upload standalone attachment	`POST /v2/attachments`	`attachment.write`	HIGH	docs
Create supplier invoice (bulk, with PDF)	`POST /v2/supplier_invoices/bulk` (multipart)	`supplier_invoice.write`	HIGH	docs
Mark supplier invoice paid / unpaid / reject	`PUT /v2/supplier_invoices/{id}/...`	`supplier_invoice.write`	HIGH	docs
Create client invoice	`POST /v2/client_invoices`	`client_invoice.write`	HIGH	docs
Send client invoice via email / e-invoice	`POST /v2/client_invoices/{id}/send`	`client_invoice.write`	HIGH	docs
Mark client invoice paid	`PUT /v2/client_invoices/{id}/mark_paid`	`client_invoice.write`	HIGH	docs
Create / delete product	`POST` / `DELETE /v2/products`	`product.write`	HIGH	docs
Create / update / delete client	`POST` / `PUT` / `DELETE /v2/clients`	`client.write`	HIGH	docs
Create team	`POST /v2/teams`	`team.write`	HIGH	docs
Invite membership	`POST /v2/memberships`	`membership.write`	HIGH	docs
Approve / decline expense request	`POST /v2/requests/{id}/review` (approve/decline)	`request_review.write`	HIGH	docs (OAuth-only)
Create webhook subscription	`POST /v2/webhook_subscriptions`	(mgmt)	HIGH	docs
Update / delete webhook subscription	`PUT` / `DELETE /v2/webhook_subscriptions/{id}`	(mgmt)	HIGH	docs

What Cannot Be Written

Operation	Status	Notes
Create / update labels	NO public API	Labels are the only tagging primitive in Qonto; created and managed in the web UI. Read-only via API.
Create chart of accounts / cost centers / tax codes / GL accounts	N/A -- no such resource	Qonto doesn't model these. Pre-accounting is shallow. If the customer needs ledger-grade coding, DATEV is the source of truth, not Qonto.
Push existing receipts to specific transactions in bulk (with auto-match)	PARTIAL	The `skip_attachment_matcher` flag on supplier invoice creation suggests a match engine exists. For arbitrary attachment-to-tx matching, push attachment then it auto-matches in background.

Key Limitation: Pre-Accounting Depth

Even though POST /v2/transactions/{id}/attachments accepts a receipt and GET /v2/transactions?includes[]=labels,vat_details returns labels and VAT, Qonto's pre-accounting model is intentionally light: a transaction can have one or more labels, VAT details (rate + amount), and attached receipts. That is the full coding surface. There is no concept of:

Multiple distributions per transaction (split coding)
Project codes / cost centers as separate first-class objects
Tax code mapping tables
Approval-level metadata beyond the request itself

This is by design: Qonto pushes pre-accounted data into DATEV / lexoffice / sevDesk where the customer's actual accounting depth lives.

4. iPaaS & Middleware Findings

Platform	Qonto Connector?	Quality	Details
Zapier	YES (official)	Production	9 triggers (New Transaction, Updated Transaction, Transaction Updated Labels, Transaction Updated Attachments, Transaction Updated VAT, Bank Account Balance Change, New Transfer, New Bank Account, New Transaction Legacy) + 3 actions (Create Internal Transfer, Create External Transfer, Add Attachment).
Make.com	YES (official-grade)	Production	~20 modules. Triggers: Watch New Transactions, Watch Updated Transactions. Actions: Get transaction, Get/Add attachment, Create internal/external transfer, List transfers, List/Get/Create client, List/Create team, List/Get/Create membership, List/Get labels, List client invoices, List/Get credit notes, Get current organization, plus generic "Make an API Call" for custom endpoints.
n8n	YES (community)	Community-built v0.2.0 (Aug 2025)	`n8n-nodes-qonto` by Dtneo on npm/GitHub. Operations: GET transactions (filterable by IBAN/bank account ID), file uploads to transactions, internal transfers. No POST, no DELETE, no triggers, OAuth2 partially working. Community-maintained -- not production-ready for all paths.
Workato	NOT CONFIRMED	--	Not surfaced in marketplace search.
Celigo	NO	--	Not in marketplace.
Tray.io	NOT CONFIRMED	--	Not surfaced.

Zapier and Make.com both have mature Qonto connectors -- noticeably more than Pleo (Zapier-only, more limited) or Payhawk (Workato + community Make, no Zapier). For a customer who wants no-code orchestration, both Zapier and Make are reasonable starting points. The Make connector is more comprehensive (memberships + clients + teams + invoice listing) while Zapier has slightly more granular transaction-update triggers (separate label / attachment / VAT update events).

Critically: the Zapier Add Attachment and Make Add Attachment actions confirm that the POST /v2/transactions/{id}/attachments endpoint is fully usable for write-side automation -- which is the receipt-mirroring path Orcha would use to push DATEV-archived receipts back into Qonto if needed.

5. Alternative Channels

DATEV Integration (Native, Bank-Grade)

This is Qonto's single biggest differentiator versus any spend-management vendor. Because Qonto is the bank, it plugs into DATEV via DATEV's own bank-data services, not via generic spend-tool export connectors.

Qonto offers four distinct DATEV integrations for the German market, available on all plans except Basic (so: Smart EUR 19/mo and up for sole traders; Essential EUR 49/mo and up for companies):

Integration	Direction	Data	Method	Use Case
DATEV RZ-Bankinfo (DATEV-Sammelverfahren)	Qonto -> DATEV	All bank-account transactions (incl. card tx, transfers, SDD, salaries)	Daily automatic sync via DATEV's "Bank-Sammelverfahren" -- the same channel German banks use to deliver bank data into DATEV's rechenzentrum	Tax advisor accesses statements via DATEV data center without separate exports. Comparable to MT940/CAMT.053 delivery, but via DATEV's proprietary collective procedure.
DATEV Bankdatenservice via PIN/TAN	Bidirectional	Transactions + payment initiation	Daily automated via PSD2-compliant FinAPI bridge	Synchronise with DATEV Unternehmen Online; initiate payments directly from DATEV
DATEV-Belegbilderservice-Rechnungswesen	Qonto -> DATEV	Receipt images + transaction matching	Daily automatic	Digital and paper receipts uploaded in Qonto sync to DATEV Belege Online where they auto-match against transactions for booking proposals
DATEV Rechnungsdatenservice 1.0	Qonto -> DATEV	Structured invoice data (XML/JSON) + receipt images	Automatic, generates booking proposals (Buchungsvorschläge) in DATEV accounting programs	The most ERP-shaped of the four -- pre-structured data lands in DATEV ready for the tax advisor to review and post

What this means for the customer: Card transactions captured by Qonto flow into DATEV via RZ-Bankinfo daily as bank statements. Receipts attached to those transactions in Qonto (via Orcha-uploaded webhooks or manual upload) flow into DATEV Belege Online via Belegbilderservice and get auto-matched on the DATEV side. This is bank-native plumbing that Pleo / Payhawk can only approximate.

No CAMT.053 / MT940 export? Qonto does not advertise a direct CAMT.053 or MT940 file export to non-DATEV systems. The "DATEV-Sammelverfahren" channel is DATEV-specific. For non-DATEV banks, EBICS is mentioned as available on enterprise tiers but is not documented as a self-service feature.

Native ERP/Accounting Integrations

Confirmed list (non-exhaustive):

System	Connection Type	Direction	Relevance for DACH
DATEV (DUO + 4 services above)	Native	Bidirectional	Primary
Lexware Office (lexoffice)	Native API	Bidirectional	Primary (small DE businesses)
sevDesk	Native	Bidirectional	Primary (DE)
Pennylane	Native	Bidirectional	Primary FR; available in DE
Regate by Qonto	Native (Qonto-owned)	Bidirectional	French AP/AR platform Qonto acquired
Dougs	Partnership	--	Accounting firm
Notion	Zapier-driven	--	--
Google Sheets	Zapier-driven	--	--
Google Drive	Native + Zapier	Bidirectional (invoice matching)	--
Invoice Collector	Native	--	AI receipt retrieval

Qonto's marketing claims "2,000+ integrations" -- the vast majority are via Zapier / Make. Native bidirectional integrations are concentrated on the accounting / tax-advisor side, exactly what a German customer needs.

Webhooks (Real-Time Event Delivery)

Aspect	Detail
Available	YES, 11 webhook categories: accounts, beneficiaries, cards, client_invoices, consent_revocations, memberships, organizations, payment_links, sepa_direct_debit, terminal_payments, transactions
Confirmed transaction events	`transactions.created`, `transactions.updated` -- includes amount, currency, FX, side, settled_balance, operation_type, status, label, clean_counterparty_name, note, reference, settled_at, emitted_at, attachment_ids, subject_type, bank_account_id, counterparty_account_number, counterparty_bank_identifier
Confirmed card events	10 events: `cards.created`, `cards.activated`, `cards.unlocked`, `cards.locked`, `cards.nickname_updated`, `cards.options_updated`, `cards.limits_updated`, `cards.restrictions_updated`, `cards.discarded`, `cards.expired`. Payload incl. masked_pan, exp_month/year, atm/nfc/online/foreign options, daily/monthly limits, holder_id, bank_account_id, card_type, card_level, category_tags
Subscription management	`POST /v2/webhook_subscriptions` (create), `PUT` (update), `DELETE` (delete), `GET` (list/retrieve)
Delivery	HTTPS POST. Subscriber URL must ack with 2xx within 1 second or delivery is considered failed
Signature verification	HMAC-SHA256 of `{timestamp}.{raw_body}` using webhook secret; signature delivered in `X-Qonto-Signature: t={timestamp},v1={signature}` header (some older docs reference `Qonto-SHA256-Signature` -- verify current header at integration time)
Retries	Exponential backoff, ~10 retries over 2 days; after that the event is discarded. Out-of-order delivery possible -- consumer must check `event_type` and event timestamps to handle lifecycle correctly
Real-time?	YES. Card transactions fire `transactions.created` at the bank-booking event, not at user-review-in-app. For pending card auths and settled tx, the webhook is real-time.
Sandbox testing	Yes -- webhook.site can be used per docs

This is the biggest single advantage over Pleo for the customer's use case. Pleo's expense data is gated behind customer-triggered Export Jobs (typically monthly). Qonto delivers transactions via real-time webhook within seconds of the bank booking the transaction.

PSD2 / Open Banking Dimension

Qonto is a licensed payment institution and is "PSD2-regulated" -- meaning third-party providers (TPPs) holding an AISP or PISP license can access Qonto customer accounts under PSD2 statutory rights with a QSeal eIDAS certificate. However, this is a separate path from the developer-portal Business API.

For Orcha integrating with one customer's Qonto account:

The customer issues an API key (or grants OAuth) inside their Qonto org
Orcha uses that credential to access the Business API
No PSD2 / TPP / AISP / QSeal certificate required
This is the standard pattern for first-party app integrations and is much simpler than the PSD2 route

PSD2 only becomes relevant if Orcha wanted to access Qonto accounts on behalf of customers without the customer having to register Orcha as a developer app (the "open banking" path). For the customer scenario, this is not relevant.

CSV / Manual Export

Standard bank-statement PDF and CSV export available in the web app for any plan. Useful for backfill / reconciliation but not for an automated integration.

6. Licensing & Access Requirements

API Access by Plan

Qonto's API is available on all paid plans (Basic and above) with no separate API fee. This matches Payhawk's posture and is fundamentally better than Pleo's Advanced-only gating.

Customer type	Plan	Monthly (annual billing)	API?	DATEV (RZ-Bankinfo / Belegbilderservice / RDS 1.0)?	Notes
Sole trader / freelancer	Starter	EUR 0	(not documented as having API)	NO	5 transfers/mo, 1 virtual card
Sole trader / freelancer	Basic	EUR 9	YES	Limited (basic DATEV PIN/TAN sync only)	30 transfers/mo, 1 phys + 2 virt
Sole trader / freelancer	Smart	EUR 19	YES	YES	100 transfers, 2 phys + 50 virt, accountant access
Sole trader / freelancer	Premium	EUR 39	YES	YES	200 transfers, priority support
Company / team	Essential	EUR 49 (annual) / EUR 59 (monthly)	YES	YES	150 transfers, unlimited team members, 1 card, AP + AR tools, DATEV + lexoffice + 14k integrations
Company / team	Business	EUR 99 (annual) / EUR 119 (monthly)	YES	YES	500 transfers, 10 Mastercards, 9 sub-accounts, dedicated account mgr
Company / team	Enterprise	EUR 199 (annual) / EUR 249 (monthly)	YES	YES	1000 transfers, 30 Mastercards, 24 sub-accounts, CSM

For the customer scenario (German company replacing Pleo with Qonto for employee cards): Essential is the realistic entry-point. EUR 49/mo (annual) gets API + DATEV + 1 Mastercard. Additional cards (which they'll need for 30 cardholders) are added per-card -- the Enterprise plan at EUR 199/mo includes 30 cards baseline and is the right tier for a 30-cardholder team. Plus the optional Expense & Spend Management add-on if they want approval workflows + mileage + per-diem to approximate Pleo's depth.

Compared to Pleo: Pleo's Advanced plan (EUR ~109/mo for API) plus per-user fees (EUR 11-18 each) for 30 users = EUR 440-650/mo. Qonto's Enterprise at EUR 199/mo with 30 cards bundled is materially cheaper and includes the bank account itself.

Pricing Model Differences vs Pleo

Pleo: SaaS per-user + base fee + interchange. Bank account separately, no banking license.
Qonto: SaaS subscription + interchange + transfer fees + FX. Banking license included.

This is comparing apples and pears -- you're getting a bank account out of Qonto, not just a spend tool. The economics often favour Qonto for DACH SMBs because the savings from consolidating bank + cards + light expense management offset the loss of best-in-class expense pre-coding.

Customer Setup Checklist

Customer needs a Qonto Business plan -- Essential or Enterprise (depending on cardholder count) is the relevant tier for replacing Pleo
Owner/Admin role required to issue API keys -- navigate to Integrations and Partnerships > API key > Generate
Copy login and secret-key; hand to Orcha (or paste into Orcha's connection wizard)
Header format: Authorization: <login>:<secret-key> (colon-concatenated, not Base64)
(For real-time) Create webhook subscription via POST /v2/webhook_subscriptions pointing at Orcha's webhook endpoint; copy the webhook secret for HMAC-SHA256 verification
(For DATEV) Customer's tax advisor enables one or more of: RZ-Bankinfo (transactions to DATEV daily), Belegbilderservice (receipts to DATEV daily), Rechnungsdatenservice 1.0 (structured invoices). Setup via Qonto web app + MyDATEV admin rights.
(Optional) If customer wants OAuth instead of API key: Orcha registers OAuth app at developers.qonto.com, customer goes through standard OAuth consent flow. Sensitive scopes need written justification + multi-day approval.

7. Orcha-Specific Deep Dive

Critical Question Comparison: Qonto vs Pleo on the Customer's Pain Points

Pain Point with Pleo	Qonto Status	Source
Realtime transaction webhooks -- Pleo gates expense data behind customer-triggered export jobs (monthly cadence)	YES, real-time webhooks. `transactions.created` / `transactions.updated` fire at bank-booking time. 1-second ack required, HMAC-SHA256 signed, ~10 retries over 2 days. Plus 10 card-lifecycle events (`cards.created`, `cards.locked`, etc.)	docs.qonto.com webhooks setup-guide ; docs.qonto.com supported-webhooks/v1-transactions ; docs.qonto.com supported-webhooks/v1-cards
PSD2 / open banking dimension -- is the dev API the same as PSD2 access?	TWO SEPARATE SURFACES. Business API (developer portal, API key or OAuth, no license needed) is what Orcha and 99% of integrators use. PSD2 (QSeal + AIS/PIS license) is for unsponsored TPPs accessing customer accounts without app registration. For the customer's case, Business API is the only relevant surface.	docs.qonto.com general intro ; openbankingtracker.com
Card transaction granularity -- card-specific tx separate from regular bank movements? Last-4, virtual/physical flag, cardholder?	YES. Card transactions are in the same `/v2/transactions` feed, identified by `operation_type=card`. Each card tx returns `card_last_digits`. Combined with `GET /v2/cards` returning `card_level` (virtual/standard/plus/metal/flash), `card_type` (debit/prepaid), `holder_id` (membership), masked_pan, expiry, limits, options. Cards webhook events deliver these in real-time.	docs.qonto.com list-transactions ; list-cards ; cards webhook
Receipt attachment support -- can Qonto store receipts? Read them via API?	YES, fully. Qonto has a first-class Attachments resource on transactions. Upload via `POST /v2/transactions/{id}/attachments` (multipart, JPEG/PNG/PDF). Read via `GET /v2/transactions?includes[]=attachments` (returns `attachment_ids`) then `GET /v2/attachments/{id}`. Scope: `attachment.read` / `attachment.write`. Async processing -- uploaded files not immediately visible. TTL of attachment URLs not publicly documented (probe needed).	docs.qonto.com attachments ; qonto.com/en/blog attachment-automation
DATEV native integration -- bank-to-DATEV is more standard (CAMT.053, MT940); verify Qonto's DATEV-specific support	EXCELLENT. Four distinct DATEV integrations: RZ-Bankinfo (transactions via DATEV Sammelverfahren), PIN/TAN (transactions + payment initiation via PSD2/FinAPI), Belegbilderservice (receipts to DATEV Belege Online), Rechnungsdatenservice 1.0 (structured invoice data + booking proposals). All daily-automatic. Available on Smart/Essential and above. Tax advisor accesses everything in DATEV data center natively -- no separate exports. Deeper than Pleo's one-click CSV-to-DATEV-Kanzlei and arguably deeper than Payhawk's RDS 1.0 because Qonto is delivering bank data, not export data.	qonto.com/de/accounting/datev ; support-de.qonto.com Qonto-DATEV-options
API access pricing tier	API on all paid plans, including sole-trader Basic at EUR 9/mo. No Advanced-tier gate. For a 30-cardholder German company, Enterprise EUR 199/mo (annual) bundles 30 cards + 1000 transfers + DATEV + API + dedicated CSM.	qonto.com/en-de/pricing ; omr.com qonto/pricing
Reference data write capability -- vendors/CoA/cost centers	N/A. Qonto has no chart of accounts or tax-code concept. Labels exist but are read-only via the public API. This is not a gap because DATEV is the source of truth for the customer's accounting reference data, and Qonto's job is to deliver bank data + receipts into DATEV, not to mirror DATEV's coding.	docs.qonto.com labels ; cross-check with DATEV docs
Field completeness on card transactions -- amount/currency/FX, merchant (MCC, raw descriptor), category, employee, card last-4, transaction status	Transaction response includes: `amount` + `amount_cents` + `currency` + FX (`local_amount` / `local_currency`), `side`, `operation_type`, `status` (pending/declined/completed), `label` (counterparty name), `clean_counterparty_name`, `card_last_digits`, `settled_at`, `emitted_at`, `attachment_ids`, `label_ids`, `bank_account_id`, `subject_type`. MCC code is NOT directly exposed in the public transaction response -- Qonto uses MCC internally for category-based card restrictions but does not return raw MCC in the transaction API. Card `category_tags` (transport, restaurant_and_bar, etc.) are exposed on cards but represent allowed-category restrictions, not actual transaction categorisation. Employee (cardholder) accessible by joining via `holder_id` on cards endpoint.	docs.qonto.com list-transactions ; list-cards ; support qonto card spending categories
Spend coding capability -- Pleo competitor or banking-first with cards bolted on?	Banking-first. Qonto vs Pleo (per Qonto's own comparator page): "Qonto is banking-first with integrated expense tools" while "Pleo is pure expense management software." Both have receipt capture, expense approvals, mileage, per-diem -- but in Qonto these features are in the Expense & Spend Management add-on (Essential / Business / Enterprise tiers) and are less mature than Pleo's. Approval workflows exist; dedicated reviewer roles less granular than Pleo. AI category coding is shallower. For a customer who wants Pleo-grade pre-accounting + AI coding + rich approval matrices, Qonto is a downgrade. For a customer who wants real-time bank data + DATEV depth + a bank account in one product, Qonto is a major upgrade.	qonto.com/de/comparators/qonto-vs-pleo ; support qonto expense reimbursement ; support qonto mileage

Critical Question: What Role Does Qonto Play Relative to Orcha?

Qonto and Orcha do not overlap in the way Pleo / Payhawk / Moss do. Qonto's invoice handling is light (a Supplier Invoices module exists but is shallow); Orcha is the customer's AP system. The split for the customer scenario is:

Capability	Qonto (Essential / Enterprise plan)	Orcha
Business bank account + IBAN	YES (core)	NO
Card transaction capture	YES (real-time, bank-native)	NO
Card transaction pre-accounting / coding	Light (labels + VAT)	NO
Receipt capture per transaction	YES (`POST /v2/transactions/{id}/attachments`)	YES (invoice OCR)
Invoice capture (OCR)	Light (Supplier Invoices module, bulk PDF upload)	YES (core product)
Approval workflows	Add-on (Expense & Spend Management)	Depends on customer
Reimbursements (mileage / per-diem)	Add-on	NO
DATEV delivery	YES (4 native channels, bank-grade)	YES (direct integration)
Tax-advisor access	Via DATEV Belege Online + DATEV programs	Via DATEV

With the customer keeping Orcha for AP and Qonto for cards/banking, the integration value is one-directional: Qonto -> Orcha read of card transaction data for unified spend analytics. Reference-data write is not applicable (Qonto doesn't model CoA). Receipt-attachment write from Orcha -> Qonto is technically feasible (POST /v2/transactions/{id}/attachments) and arguably useful if Orcha holds receipts that should land in Qonto for DATEV-Belegbilderservice forwarding -- but the more direct path is for Orcha to push receipts to DATEV directly.

Integration Scenarios for the Customer

Scenario A: Orcha reads card transaction data FROM Qonto for unified spend analytics (PRIMARY USE CASE)

Feasibility: HIGH
Subscribe to webhook events: transactions.created, transactions.updated (transaction lifecycle) + all 10 cards.* events (card lifecycle)
On transactions.created for operation_type=card: GET /v2/transactions/{id}?includes[]=labels,attachments,vat_details for full detail incl. attachments, labels, VAT
Join to card details: GET /v2/cards?ids[]={card_ids_from_tx} for masked_pan / last-4 / card_level (virtual vs physical) / holder_id / category restrictions
Resolve holder: GET /v2/memberships/{holder_id} for employee name + email
For attachments: GET /v2/attachments/{id} returns the file or URL (probe TTL behaviour empirically)
Periodic GET /v2/transactions?updated_at_from=... reconciliation sweep to catch missed webhooks (bank-grade reliability is high but not perfect)
No invoice push back to Qonto needed for this use case

Scenario B: Orcha pushes receipts INTO Qonto for DATEV-Belegbilderservice forwarding (SECONDARY USE CASE)

Feasibility: HIGH
If Orcha holds receipts that match Qonto card transactions, POST /v2/transactions/{id}/attachments (multipart, JPEG/PNG/PDF) pushes them in
Files processed async (not immediately visible) -- Qonto's matcher runs in background
Receipts then auto-flow to DATEV Belege Online via the customer's Belegbilderservice connection daily
Caveat: this is only useful if the customer hasn't configured Orcha-to-DATEV direct (which would be the more direct path). For most customers, this is redundant.

Scenario C: Orcha pushes supplier invoices INTO Qonto for payment via card or transfer

Feasibility: POSSIBLE but typically irrelevant
POST /v2/supplier_invoices/bulk accepts multipart PDFs with idempotency keys
Qonto then handles approval + payment via the customer's Qonto bank account
For the customer scenario (Orcha = AP, DATEV = accounting, Qonto = bank), this would mean Orcha hands off payment execution to Qonto. Unusual workflow; most customers initiate payments directly from DATEV (via DATEV Bankdatenservice PIN/TAN) or from Qonto UI.

Scenario D: Orcha approves expense requests in Qonto

Feasibility: POSSIBLE (OAuth-only) but typically irrelevant
POST /v2/requests/{id}/review (approve/decline) with scope request_review.write
Useful only if Orcha is the approval system of record; uncommon configuration

Key API Differences vs Pleo

Dimension	Pleo	Qonto	Winner for the Customer's Use Case
Real-time webhooks	Partial (Svix-powered, but expense flow is export-job-gated, typically monthly)	YES (bank-booking-time, 11 categories incl. 10 card events)	Qonto
API access tier	Advanced plan (EUR 109/mo+)	All paid plans incl. Basic EUR 9/mo	Qonto
Receipt URLs	24h TTL	Not publicly documented (probe needed)	TBD (likely Qonto, since Qonto stores files for DATEV-grade retention)
Vendor / CoA / cost-center CRUD	Full first-class	N/A (not modelled)	Pleo (but moot -- DATEV is source of truth)
Spend pre-coding depth (AI categorisation, approval matrices)	Strong (core product)	Light (add-on, banking-first)	Pleo
DATEV integration depth	One-click export + CSV	Bank-native via 4 DATEV-Service channels	Qonto
Card data fidelity (last-4, virtual/physical, holder, MCC)	Available	Available except raw MCC (Qonto exposes `category_tags`)	Tie
Zapier connector	YES (4 triggers + 8 actions)	YES (9 triggers + 3 actions)	Qonto (more granular triggers)
Make connector	NO	YES (~20 modules)	Qonto
Workato connector	NO	NOT CONFIRMED	--
Auth	OAuth 2.0 client credentials	API Key (simple) + OAuth 2.0 (delegated)	Qonto (simpler)
Rate limit	600/min (10/s)	1000/10s (100/s sustained)	Qonto (10x)
Banking license / actual bank account	NO	YES (own IBAN, EMI, SEPA member)	Qonto (different category)
Mileage / per-diem automation	Strong	Available as add-on	Pleo

Receipt URL Longevity -- Action Required

As with Payhawk, the URL TTL for attachments returned by GET /v2/attachments/{id} is not publicly documented. Before committing engineering effort, probe in sandbox:

Upload an attachment via POST /v2/transactions/{id}/attachments
Fetch the attachment URL via GET /v2/attachments/{id}
Re-fetch at T+1h, T+24h, T+7d, T+30d to determine TTL
Likely outcome: long TTL or non-expiring (Qonto stores attachments for DATEV / GoBD compliance, so they need persistent retention)
If TTL is short: Orcha should mirror attachments to its own object storage at webhook time
If TTL is long / non-expiring: Orcha can rely on Qonto-hosted URLs

Orcha Integration Capability Summary

Orcha Need	Qonto Support	Endpoint(s)	Confidence	Notes
Real-time card-tx ingestion	YES (webhooks)	`Webhook Subscriptions` -> `transactions.created` (+ `cards.*` for lifecycle)	HIGH	HMAC-SHA256 signed, 1-sec ack, ~10 retries over 2 days
Full transaction detail pull	YES	`GET /v2/transactions/{id}?includes[]=labels,attachments,vat_details`	HIGH	Includes FX, label, attachment_ids, card_last_digits
Card metadata (last-4, virtual/physical, holder)	YES	`GET /v2/cards` + join via `holder_id` to `/v2/memberships`	HIGH	`card_level` distinguishes physical (standard/plus/metal) vs virtual (virtual/flash)
Raw MCC code	NO	--	HIGH	MCC used internally for restrictions; not exposed in tx response. Approximation via `clean_counterparty_name` + `label`
Real-time card lifecycle	YES	`cards.*` webhook (10 events)	HIGH	created/activated/locked/unlocked/discarded/expired/etc.
Receipt document URLs	YES	`GET /v2/attachments/{id}`	HIGH	TTL unverified -- needs probe
Receipt push to transaction	YES	`POST /v2/transactions/{id}/attachments` (multipart)	HIGH	JPEG/PNG/PDF, processed async
Read employees / memberships	YES	`GET /v2/memberships`	HIGH	Includes role, contact info
Sync chart of accounts	N/A	--	HIGH	Qonto doesn't model CoA; DATEV is source of truth
Sync cost centers	N/A	--	HIGH	Labels are read-only; cost centers live in DATEV
Sync tax codes	N/A	--	HIGH	VAT lives per-transaction (`vat_details`); rates live in DATEV
Push supplier invoices	YES	`POST /v2/supplier_invoices/bulk` (multipart, PDF)	HIGH	With idempotency_key
Approve / decline expense requests	YES (OAuth-only)	`POST /v2/requests/{id}/review`	HIGH	Scope `request_review.write`
Trigger transfer / payment	YES (OAuth-only / sensitive)	`POST /v2/sepa/transfers` etc.	HIGH	Scope `payment.write` -- sensitive scope, multi-day approval
Mark transaction as exported / processed	NO	--	MEDIUM	No "exported" flag in transaction state machine; reconcile via `updated_at` cursor instead

8. Recommended Path Forward

Assessment: Qonto is the Strongest Read-Side Integration Target of any Spend / Banking Vendor Researched So Far

For the customer scenario (DATEV + Orcha + Pleo replacement with Qonto for cards), Qonto's posture is uniquely well-aligned with how Orcha needs to operate:

Webhooks fire at bank-booking time -- no monthly export gate.
API access is included on every paid plan.
DATEV integration is bank-grade, native, and on four separate channels.
Rate limits are 7-10x more permissive than Pleo / Payhawk.
Two iPaaS connectors (Zapier, Make) for customers who prefer no-code orchestration.

The trade-off the customer accepts moving from Pleo to Qonto is shallower expense pre-coding (AI categorisation, approval matrices, mileage). For a customer whose AP coding lives in Orcha and accounting lives in DATEV, this is often a fair trade because the deep coding happens downstream of Qonto anyway.

Recommended Architecture

[Card transactions]                                        [Vendor invoices]
       |                                                          |
       v                                                          v
   Qonto (bank) -- real-time webhook + GET /v2/transactions --> Orcha (read-side: unified spend analytics)
       |                                                          |
       |                                                          |
       v                                                          v
   DATEV  <-- RZ-Bankinfo / Belegbilderservice / RDS 1.0 (Qonto-native)
   DATEV  <----------- direct push (Orcha-native) ----------------+

Read side (Qonto -> Orcha):

Subscribe webhook to transactions.created, transactions.updated, and the 10 cards.* events
On transactions.created with operation_type=card: GET /v2/transactions/{id}?includes[]=labels,attachments,vat_details -- pull amount, FX, merchant (via clean_counterparty_name), label, VAT, attachment IDs, card_last_digits
Resolve cardholder: lazy-load GET /v2/cards/{card_id} (matched by card_last_digits + bank_account_id) -> holder_id -> GET /v2/memberships/{holder_id} for employee identity
For attachments: GET /v2/attachments/{id} -- mirror to Orcha storage (default-safe pending TTL probe)
Periodic reconciliation: GET /v2/transactions?updated_at_from=<last_sync> to catch missed webhooks
Verify HMAC-SHA256 signature on every webhook with the per-subscription secret

Write side (Orcha -> Qonto):

Default case: write nothing. DATEV is the source of truth for accounting reference data; Qonto delivers bank data + receipts to DATEV via its native services; Orcha delivers invoices to DATEV directly.
Optional, advanced: if the customer wants Orcha-held receipts to flow into Qonto (for DATEV-Belegbilderservice forwarding rather than direct Orcha-to-DATEV), use POST /v2/transactions/{id}/attachments. Match by IBAN + amount + date + last-4.
Optional, advanced: if the customer wants Orcha to drive supplier invoice approval through Qonto, use POST /v2/supplier_invoices/bulk. Uncommon configuration.

When Qonto Integration Makes Sense

Customer migrates off Pleo for cards + bank account onto Qonto: All the Pleo gaps that drove the move (realtime, API tier, DATEV depth) are resolved by Qonto, with the trade-off of lighter pre-accounting.
Unified spend reporting requirement: Webhooks + full-detail GET + cards endpoint give clean read-side ingestion.
DACH SMB / Mittelstand with DATEV-using tax advisor: Qonto's four DATEV integrations are class-leading in the German market.
Customer wants to consolidate bank + cards in one tool: Qonto is the only researched vendor that is actually a bank.

What NOT to Build

Chart-of-accounts / cost-center / tax-code sync to Qonto: Qonto doesn't model these. Not possible, not needed.
Replacing Qonto's DATEV integrations: They are bank-native and operate at a layer below where Orcha would compete. Let them run.
Receipt-mirroring loops if customer already has Orcha-direct-to-DATEV: Redundant.

Architecture Decision

Approach	Cost	Complexity	Value	Verdict
Read card-tx via webhook + GET /v2/transactions + cards join	EUR 0 marginal (API free on customer's existing Qonto plan)	Low-Medium	High	Recommended for unified analytics
Mirror attachments to Orcha storage	EUR 0 marginal	Low	Medium-High	Recommended (default-safe until TTL probed)
Push Orcha-held receipts to Qonto for Belegbilderservice forwarding	EUR 0 marginal	Low	Low (DATEV-direct is cleaner)	Skip in default case
Push supplier invoices to Qonto for payment routing	EUR 0 marginal	Medium	Low for this customer (Orcha is AP)	Skip
Use Make / Zapier instead of direct API	Make/Zapier license	Lowest	Same value as direct, less control	Only if customer is already a Make/Zapier shop

Pre-Implementation Verification Needed

Before any engineering commitment:

Probe attachment URL TTL in a Qonto sandbox -- see section 7
Verify webhook signature header name (X-Qonto-Signature per current docs vs older Qonto-SHA256-Signature -- docs reference both in different pages; confirm by triggering a real webhook in sandbox)
Confirm card-tx -> card matching reliability: is card_last_digits + bank_account_id enough to uniquely match a transaction to a specific card on the cards endpoint? Or do we need a stronger key (card_id in the transaction response)? Check the transaction response in sandbox for nested card detail or card_id.
Confirm enabled DATEV channels: what is the customer's current DATEV setup -- RZ-Bankinfo only? Plus Belegbilderservice? Plus RDS 1.0? This determines whether Orcha needs to push receipts to Qonto (if Belegbilderservice is on) or directly to DATEV.
Confirm MCC absence: if MCC is a hard requirement for spend analytics, verify in sandbox there is genuinely no MCC field in the transaction response. If absent, decide whether Orcha can synthesise category from clean_counterparty_name + label.

Recommendation Summary

For the customer scenario (DATEV + Orcha + Pleo replacement with Qonto for cards): YES, integrate. The read-side path is the cleanest of any vendor researched to date -- real-time webhooks, included API, deep field coverage. The customer should be guided into Qonto's Enterprise plan (EUR 199/mo annual) for the 30-card bundle, plus the Expense & Spend Management add-on if they need approval workflows + mileage to approximate Pleo's depth.

Qonto is materially better than Pleo on the three critical gaps that prompted this evaluation:

Realtime: solved with bank-booking-time webhooks (better than Pleo's monthly export jobs)
API pricing tier: solved (included on all paid plans, including EUR 9/mo Basic for sole traders)
Receipt URLs: likely solved given Qonto's GoBD / DATEV-compliant retention obligation, but needs empirical TTL probe

Qonto is materially worse than Pleo on:

Spend pre-coding depth: AI categorisation, dedicated approval matrices, mileage, per-diem all weaker (some add-on-gated)
MCC code exposure: absent from the public transaction response (Qonto uses MCC internally for category-restricted cards but doesn't surface raw MCC to integrators)
Reference-data write surface: N/A (Qonto isn't an ERP) -- a non-issue when DATEV is source of truth, but a real gap if a customer wanted to sync coding into Qonto

Category-equivalent or banking-with-cards play? Banking-with-cards-and-light-expense-tools. Not a category-equivalent to Pleo in the strict spend-management sense. For customers who want banking + cards + DATEV depth and accept lighter pre-accounting, Qonto is the right answer. For customers who want best-in-class expense management with deep approval matrices and AI coding, Payhawk or Pleo remain better fits.

For the specific customer in scope -- who has Orcha for AP coding and DATEV as the books of record -- Qonto is the right answer, and the Qonto-to-Orcha read-side integration is high-value, low-friction, and uniquely well-supported by the bank-native real-time webhook architecture.

9. Sources

Official Documentation

Qonto API Reference Introduction (docs.qonto.com)
Qonto Documentation Index (llms.txt) -- full sitemap, primary research source
API Endpoints & Reference FAQ
API Keys & Authentication FAQ
Rate Limitations
Idempotent Requests
API Key Authentication Setup
Where can I find my API login and secret key? (Support)

OAuth 2.0 & Scopes

Endpoint References

Webhooks

Webhook Setup Guide (HMAC-SHA256, 1-second ack, retry policy)
Supported Webhooks Index
v1/transactions Webhook
v1/cards Webhook
v1/memberships Webhook
v1/payment-links Webhook
Onboarding API Webhooks

DATEV Integration (Germany)

iPaaS Connectors

Qonto on Zapier -- 9 triggers + 3 actions
Qonto on Make.com -- ~20 modules, transactions/transfers/clients/teams/memberships

Addendum 2026-05-14 -- Defense, Cannibalization, Funding Model

Supplementary research for a German defense-sector customer assessment. Customer priorities have been refined since the original doc: (1) the tool must handle employee credit cards very well, (2) needs a strong mobile receipt-capture app, (3) needs a good API for both READ and WRITE, (4) card funding model: customer prefers NOT prepaid -- i.e. wants a charge/deferred-debit facility, not a pre-funded wallet.

A. Defense-sector posture -- CONFIRMED, verdict unchanged

The prohibited-activities exclusion is confirmed from primary sources and is current. Qonto's help center "What activities are prohibited at Qonto?" page lists, verbatim, "military activities, including the sale of weapons, military vehicles, and their copies" among prohibited activities. This identical wording is published consistently across all of Qonto's regional help domains (help.qonto.com, support-fr, support-de, support-it, support-es, support-be) -- it is a group-wide policy, not a regional artifact. The same prohibited list also covers crypto/blockchain activities (mining, staking, NFT creation/marketing, wallet development, decentralised exchange, unregistered PSAN), among others.

No carve-out, exception process, or pre-clearance path is published. The prohibited-activities list is stated as an absolute exclusion. The adjacent "Can any organization open a Qonto account?" pages note only that "in some cases, additional information may be requested" during KYB -- this is routine onboarding diligence, not a defense-sector exception mechanism. There is no documented appeal, waiver, or sector-specific review route. Any defense-adjacent onboarding would therefore depend entirely on (a) the business not falling within "military activities... sale of weapons, military vehicles" as Qonto's KYB team interprets it, and (b) discretionary KYB judgement -- with no written safety net.

Data hosting / certifications -- still current:

Data residency: AWS (Paris region) plus Outscale (a French sovereign-cloud provider, SecNumCloud-certified). Both ISO 27001-certified at the infrastructure layer. France-domiciled -- unchanged.
ISO 27001: Qonto's own ISO 27001 certification remains scoped to its e-invoicing solution only (per the DGFiP requirement for e-invoicing platforms), not the banking platform as a whole. Confirmed still the case. No BSI C5, no SOC 2.
Qonto SA is ACPR-supervised; French banking-licence application still pending (filed July 2025).

Defense verdict: RED for an arms / weapons / military-vehicle business; AMBER (pre-clearance required, no formal pre-clearance path exists) for defense-adjacent non-arms businesses. Unchanged from the master assessment. The absence of any exception process actually hardens the RED edge: there is no documented mechanism by which an arms business could be onboarded compliantly, so recommending Qonto to a confirmed arms manufacturer would be steering them toward near-certain onboarding refusal or mid-contract offboarding.

B. Cannibalization risk vs Orcha -- CONFIRMED MEDIUM-HIGH, arguably hardening

The master assessment's MEDIUM-HIGH rating holds, and the 2025-2026 evidence pushes it toward the top of that band rather than the bottom.

Regate acquisition (March 2024) is fully absorbed. Qonto took on Regate's ~150-person team as a dedicated business unit building "financial tools for accountants." Regate continues to ship as "Regate by Qonto" (own apps on iOS/Android/Google Play, own marketplace listings) and the capability is being folded into Qonto's core accounting/accountant proposition -- the public framing is now an "Accountant Hub" inside Qonto that lets accounting firms access client data or integrate their existing software. Regate is no longer pitched as a standalone French product; it is the engine behind Qonto's accountant strategy.
Qonto's own Supplier Invoices product is materially deeper than the original doc credited. Per Qonto's current product pages it now does: auto-import of invoices from Gmail / cloud storage / "11K+ connected sources," AI/OCR extraction of amounts, VAT and due dates, customizable approval workflows and permissions, scheduled and bulk payments, supplier payment notifications, and automatic matching of invoices to bank transactions. Qonto markets that "85% of AI-generated accounting entries need zero manual work." This is no longer a "shallow bulk-PDF-upload module" -- it is a credible AP-automation product encroaching directly on Orcha's core.
2025-2026 trajectory is explicitly toward autonomous accounting. A March 2026 update added multi-page supplier-invoice scanning with automatic full-detail extraction. A March 2025 partnership with agent-automation company Twin deploys autonomous agents that extract transactions, identify missing invoices, retrieve them from supplier websites, and upload them into Qonto. Qonto leadership publicly frames the direction as "autonomous accounting" with AI cash-flow forecasting and automated financing suggestions. Qonto integrates with ~80-80+ accounting tools as of late 2025.
Germany-specific AP push: no Germany-only AP/invoice announcement was found in the 2025-2026 update log -- the AP product is built France-first. But the supplier-invoices feature set is already live in the general product (it is not gated to France), e-invoicing-mandate features are being shipped market-by-market, and Germany is one of Qonto's four core markets with a dedicated accountant strategy. The German rollout is a "when," not "if."

Net: Qonto is the most AP-ambitious vendor in the researched set. It owns an AP-automation platform (Regate), ships an increasingly capable native Supplier Invoices product with AI extraction + approval workflows + payment + auto-matching, and is openly steering toward "autonomous accounting." Every one of those is in Orcha's lane. Rating: MEDIUM-HIGH, leaning HIGH. Recommendation discipline from the master assessment stands -- integrate with Qonto when a customer already uses it; do not make Qonto a default recommendation.

C. API read/write refresh -- CONFIRMED, still holds

No material change since the 2026-05-13 research:

READ: Real-time transactions.created / transactions.updated webhooks at bank-booking time; 10 cards.* lifecycle events; GET /v2/transactions, /v2/cards, /v2/memberships, /v2/supplier_invoices, /v2/attachments; labels and vat_details read-only. All transactions visible in the Qonto UI are retrievable via API v2. Confirmed current.
WRITE: Broad but bank-shaped, not ERP-shaped. Full payment-write surface (POST /v2/sepa/transfers, bulk/recurring/internal/external/international, beneficiaries) -- sensitive scopes (payment.write etc.) require regulatory classification (AIS/PIS) + written justification at OAuth app registration, multi-day approval. Write also covers cards (create/limits/lock/discard/bulk), attachments (POST /v2/transactions/{id}/attachments), supplier invoices (POST /v2/supplier_invoices/bulk), client invoices, memberships, teams, webhooks, expense-request review.
No reference-data write. Qonto still has no chart-of-accounts / cost-center / tax-code concept; labels remain read-only via the public API. So Orcha can READ transactions/cards/receipts richly and WRITE payments/cards/attachments/invoices -- but cannot sync coding reference data into Qonto, because Qonto does not model it. For this customer (DATEV = books of record) that is a non-issue.
API still free on all paid plans -- "you can access the API and connect integrations on any Qonto plan." No Advanced-tier gate. Confirmed current.

For the customer's "READ and WRITE" requirement: Qonto passes -- the read side is best-in-class (real-time, bank-grade) and the write side is genuinely broad. The only "write" Orcha cannot do is reference-data sync, which is structurally absent and doesn't matter when DATEV is the ledger.

D. Card funding model + cards/app UX

Funding model -- this is the key new finding, and it is favorable to the customer.

Qonto's standard cards are Mastercard debit cards: each payment is "debited directly from your bank account" -- money must be in the Qonto account. By the customer's definition this is effectively the "prepaid-feel" model they dislike (you must pre-fund the account the cards draw on).

BUT -- as of January 2026 Qonto ships a deferred-debit ("credit mode") card on its Plus and X card tiers. Qonto explicitly calls these deferred debit cards: purchases across a calendar month are aggregated and the full amount debits on the 1st of the following month, and "before the debit date, Qonto covers the transaction amount without interest." Limit up to EUR 15,000/month, 0% interest if settled on time (a daily rate applies only if there are insufficient funds at settlement). This is precisely the charge-card / spend-now-settle-monthly model the customer wants -- it is not a prepaid wallet, and during the month Qonto fronts the money.

Important caveat: deferred debit is not automatic -- it is eligibility-gated. Requirements: business operating 6+ months, Qonto customer 6+ months, HQ in FR/DE/NL/ES, stable consistent revenue, clean payment history, KYC/KYB complete, requested by an owner/admin. A brand-new Qonto customer cannot get deferred-debit cards on day one -- they would start on standard debit (pre-funded) and become eligible later. It is also not a true revolving credit line: it is a ~30-day payment deferral, and sufficient funds must be in the account at the monthly settlement date or late-payment interest applies.

So for the customer's "prefers NOT prepaid" priority: Qonto can satisfy it, but only after a 6-month tenure ramp, and only on Plus/X cards. This is a real but conditional win -- worth flagging explicitly to the customer because it materially affects the migration timeline (they'd spend the first ~6 months on pre-funded debit before the deferred-debit facility opens up).

Cards & app UX, per reviews:

Aggregate ratings are strong: G2 ~4.7/5 (~154 reviews), Capterra ~4.5/5 (~236 reviews, 89% positive, Ease of Use 4.7), Trustpilot ~5/5 across a very large review base (50k+) though Trustpilot also carries a visible minority of severe complaints about frozen funds / blocked transfers / KYB friction -- a known pattern for EU neobanks.
Cards product: well-regarded -- physical + virtual + instant one-off virtual cards, per-card adjustable limits, real-time monitoring, category restrictions, instant lock/unlock. Solid for an employee-card use case.
Mobile receipt capture: functional -- employees photograph receipts, categorise, and build expense reports "in a few taps" in the mobile app, with receipts linked to transactions. But reviewers note the mobile app lacks parity with the web app (inconsistent experience), and some report receipt auto-matching/reconciliation is imperfect (manual photo+categorise+upload still needed in cases). It is a competent capture app, not a class-leader -- Pleo and Payhawk remain stronger on pure expense-app polish, consistent with the original doc's "banking-first, expense tooling lighter" framing.

UX verdict: Cards product is genuinely good and fit for the core employee-card need. Mobile receipt-capture app is good-but-not-best -- adequate, but a step down from a dedicated spend-tool's app, and web/mobile parity gaps are a documented irritant.

Addendum sources