Tally for Bill.com
Approval-gated AP, with payments hard-blocked.
Tally creates bills and vendor credits in Bill.com — but only when an approval policy exists in the org. Payments, vendor bank accounts, and approval-policy mutations are hard-blocked at the code level.

What Tally does with Bill.com
Tally connects to Bill.com to automate the data flow into your accounting stack — with explicit safety rules at every step.
Bill creation & line-item coding
Creates AP bills with vendor, line items, GL accounts, and due dates. Bills are created ACTIVE and immediately enter the approval workflow defined by your Bill.com approval policies.
Vendor management
Reads and creates vendor records, plus updates basic vendor info. Vendor bank account writes are hard-blocked to prevent payment redirection attacks.
Vendor credit handling
Creates vendor credits to offset future bills. Credits enter the same approval workflow as bills.
Document upload & matching
Uploads invoice PDFs and attaches them to the corresponding bill record so the source doc is one click away from the GL entry.
Reference data access
Reads chart of accounts, approval policies, and org info so coding suggestions are accurate and the safety gate can be enforced.
Audit tag on every write
Every bill and vendor credit Tally creates has [Created by Ballast-Tally] appended to the description. Auto-tagged by the tool layer.
How it works
Setup is straightforward and auditable. No copy-pasted CSVs, no shared logins.
Authorize Tally in Bill.com
A Ballast accountant initiates the connection. Authorization happens through Bill.com's standard OAuth or API-key flow with the minimum required scopes.
Credentials encrypted at rest
Tokens are immediately encrypted with AES-256-GCM and stored in Tally's PostgreSQL database. Plaintext credentials never touch logs or error reports.
Tally pulls and normalizes data
Tally fetches data from Bill.com on a schedule, normalizes it, and ties it back to the corresponding records in QuickBooks Online.
Your accountant takes it from there
A Ballast accountant reviews exceptions, posts entries, and closes the books. You get monthly financials without lifting a finger.
Availability
This integration is provided to Ballast Consulting Group's accounting clients at no additional charge as part of their engagement. There is no per-seat fee, per-API-call fee, or per-integration fee billed to the client. The cost is included in your accounting fee.
Tally isn't sold separately. Access requires an active engagement with Ballast Consulting Group as your finance and accounting department. If you're interested in becoming a Ballast client, please reach out.
Security & compliance
Every Tally integration follows the same safety pattern. Here is how the Bill.com integration is locked down.
Three-layer safety model
Path allowlist → write allowlist + explicit deny list → approval-policy gate. Each layer is enforced independently. The deny list always wins over the allow list.
Payments hard-blocked
POST/PATCH/DELETE on /v3/payments are on the explicit deny list. Tally cannot send a payment, schedule a payment, or modify a payment record under any circumstances.
Approval policy required for writes
Before every bill or vendor-credit creation, Tally calls assertApprovalPolicyExists() to confirm the org has at least one approval policy. If 0 policies exist, the write throws. Bills cannot enter an approval-less org.
Vendor bank accounts blocked
POST/PATCH on /v3/vendors/bank-accounts are blocked. An attacker who compromises Tally cannot redirect vendor payments to a different bank account.
Approval-policy mutations blocked
POST/PATCH/DELETE on /v3/approval-policies are blocked. Tally cannot delete or weaken your approval policies — preventing it from disabling the safety gate above.
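The three layers and their deny rules as one request guard, in an added JavaScript sketch that is not Tally's source code. The three denied paths are taken from this page; the allowlisted paths, the rule tables, guard() and normalize() are assumptions, and assertApprovalPolicyExists() here takes a policy count instead of calling Bill.com.

```javascript
// Added illustration, not Tally's source code. The three denied paths are from
// the page; the allowlisted paths and all other names are assumptions.
const BASE = 'https://billcom.invalid'; // placeholder origin, used only for parsing
const PATH_ALLOW = ['/v3/bills', '/v3/vendor-credits', '/v3/vendors', '/v3/approval-policies'];
const WRITE_ALLOW = [
  { methods: ['POST'], prefix: '/v3/bills' },
  { methods: ['POST'], prefix: '/v3/vendor-credits' },
  { methods: ['POST', 'PATCH'], prefix: '/v3/vendors' },
];
const WRITE_DENY = [
  { methods: ['POST', 'PATCH', 'DELETE'], prefix: '/v3/payments' },
  { methods: ['POST', 'PATCH'], prefix: '/v3/vendors/bank-accounts' },
  { methods: ['POST', 'PATCH', 'DELETE'], prefix: '/v3/approval-policies' },
];
const GATED = ['/v3/bills', '/v3/vendor-credits']; // creations that need a policy

const under = (path, prefix) => path === prefix || path.startsWith(prefix + '/');

// Resolve dot segments, backslashes and case before matching, so that
// "/v3/vendors/../payments" is judged as "/v3/payments".
function normalize(rawPath) {
  const u = new URL(rawPath, BASE);
  if (u.origin !== BASE) throw new Error('absolute URL rejected');
  const p = u.pathname.toLowerCase();
  if (p.includes('%')) throw new Error('encoded path rejected');
  return p;
}

// Stand-in for the gate named on the page: zero policies means the write throws.
function assertApprovalPolicyExists(policyCount) {
  if (!(policyCount > 0)) throw new Error('no approval policy in org');
}

function guard(method, rawPath, policyCount) {
  const m = method.toUpperCase();
  const path = normalize(rawPath);
  const hit = (rules) => rules.some((r) => r.methods.includes(m) && under(path, r.prefix));
  // Layer 1: the path must be known at all.
  if (!PATH_ALLOW.some((p) => under(path, p))) throw new Error(`path not allowlisted: ${path}`);
  if (m === 'GET') return 'read';
  // Layer 2: deny is evaluated before allow, so it wins when both match.
  if (hit(WRITE_DENY)) throw new Error(`denied: ${m} ${path}`);
  if (!hit(WRITE_ALLOW)) throw new Error(`write not allowlisted: ${m} ${path}`);
  // Layer 3: bills and vendor credits need an approval policy in the org.
  if (GATED.some((p) => under(path, p))) assertApprovalPolicyExists(policyCount);
  return 'write';
}
```

/v3/vendors/bank-accounts sits under the write-allowed /v3/vendors prefix, which is the case where the deny list winning over the allow list decides the outcome.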
Session-based auth with auto-refresh
Bill.com sessions expire every 35 minutes. Tally auto-refreshes at the 30-minute mark with a 5-minute buffer. Concurrent session refreshes are collapsed via an in-flight promise map.
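The refresh timing and the in-flight promise map described above, as an added JavaScript sketch that is not Tally's source code. login() stands in for the Bill.com session call, and keying the maps by org ID, like every name in the block, is an assumption.

```javascript
// Added illustration, not Tally's source code. All names are assumptions.
const SESSION_TTL_MS = 35 * 60 * 1000;   // page: sessions expire every 35 minutes
const REFRESH_BUFFER_MS = 5 * 60 * 1000; // page: refresh at the 30-minute mark

function createSessionManager(login, now = Date.now) {
  const sessions = new Map(); // orgId -> { id, issuedAt }
  const inFlight = new Map(); // orgId -> promise of the refresh in progress

  async function getSession(orgId) {
    const s = sessions.get(orgId);
    if (s && now() - s.issuedAt < SESSION_TTL_MS - REFRESH_BUFFER_MS) return s.id;
    // Collapse concurrent refreshes: later callers await the first caller's promise.
    let pending = inFlight.get(orgId);
    if (!pending) {
      pending = Promise.resolve()
        .then(() => login(orgId))
        .then((id) => { sessions.set(orgId, { id, issuedAt: now() }); return id; })
        // Clear the entry on failure too, so one failed login does not pin
        // every later caller to the same rejected promise.
        .finally(() => inFlight.delete(orgId));
      inFlight.set(orgId, pending);
    }
    return pending;
  }
  return { getSession };
}

// Constructed demo: a fake clock and a login stub that counts its calls.
async function demo() {
  let t = 0;
  let calls = 0;
  const mgr = createSessionManager(async (org) => `sess-${org}-${++calls}`, () => t);
  const first = await Promise.all([1, 2, 3].map(() => mgr.getSession('org-a')));
  t = 29 * 60 * 1000;
  await mgr.getSession('org-a'); // inside the 30-minute window: no login
  const callsAt29 = calls;
  t = 30 * 60 * 1000;
  const renewed = await mgr.getSession('org-a'); // at the mark: one new login
  return { first, callsAt29, calls, renewed };
}
```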
Frequently asked questions
Why does Bill.com require an approval policy?
Bill.com bills are created ACTIVE — there's no DRAFT status like Ramp has. Without an approval policy, an active bill could potentially be paid before any human reviews it. Tally's safety model requires at least one approval policy in the org so every bill faces a human gate before payment.
Can Tally pay bills in Bill.com?
No. POST/PATCH/DELETE on /v3/payments are on the explicit deny list and cannot be invoked under any circumstances. Bill payment requires a human Bill.com user to approve and execute.
Are bill amounts in dollars or cents?
Dollars. Unlike Ramp (which uses cents), Bill.com's API expects amounts in dollars. No conversion needed.
How do I set Tally up for Bill.com?
Bill.com uses session-based auth, not OAuth. A Ballast accountant collects your username, password, org ID, and developer key, validates the session, and stores the credentials encrypted (AES-256-GCM). The session is auto-refreshed by Tally — you never have to re-authenticate.
What's the rate limit?
Tally is configured at 5 req/sec per org — well under Bill.com's 20,000/hr limit. This conservative limit prevents accidentally exhausting your org's API quota during a backfill.
Talk to Ballast about your books
Tally's Bill.com integration comes at no additional charge when Ballast runs finance and accounting for you. If you need a team that actually understands the systems your business runs on, get in touch.