> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Update an account (PATCH allowlist)

> Updates the specified fields of an account. Only explicitly allowlisted fields may
be set via this endpoint (Rule 23 SSOT). The following fields are blocked and will
return 422 forbidden_field if included: credit_balance, is_credit_hold (use
POST /accounts/{id}/credit-hold to set/clear), merged_into_account_id, merged_at,
and all 30+ analytics columns (total_orders, ttm_revenue, account_health_score,
rfm_*, etc.).

Side effects:
- AvaTax recalc fires automatically on tax_exempt or avatax_entity_code change (AUDIT-037).
  Loader operators should disable AvaTax connector before bulk PATCH to avoid storms.
- Shopify customer sync fires post-commit if entity.settings.shopify_sync.customer_sync = true.




## OpenAPI

````yaml /openapi.yaml patch /accounts/{id}
openapi: 3.1.0
info:
  title: Arcus ERP Public API
  version: 1.0.0
  description: >
    Arcus ERP public REST API. Designed for external integrations and data
    migration.


    **Authentication.** Bearer token (API key) via the `Authorization` header.

    Format: `Authorization: Bearer ark_live_ent_<code>_<random>` (or
    `ark_test_*` for sandbox).

    API keys are issued per-entity in **Settings > Developers > API Keys**.


    **Entity scoping.** The entity is encoded in the API key prefix; routes are
    flat

    (e.g. `/v1/accounts`, `/v1/orders`, `/v1/products`). A small set of platform
    endpoints

    (migration, reconciliation, events, webhook endpoints, API keys) use the

    `/v1/entities/{entity_id}/...` form -- those are noted in their tags.


    **Key capabilities.**
      - Related-resource hydration via `?expand[]=` (see `x-arcus-expand` on each resource).
      - Cursor-based pagination (`starting_after` / `ending_before` / `limit`).
      - Idempotency via the `Idempotency-Key` header.
      - Webhook events for asynchronous notification.
      - Conditional requests / ETag for cache validation.
servers:
  - url: https://api.arcuserp.com/v1
    description: Arcus ERP API (accepts both live `ark_live_*` and test `ark_test_*` keys)
  - url: https://dev-api.arcuserp.com/v1
    description: >-
      Dev sandbox API (test-only data, accepts `ark_test_*` keys against dev
      RDS)
security: []
paths:
  /accounts/{id}:
    parameters:
      - name: id
        in: path
        required: true
        schema:
          type: string
        description: >
          Account UUID or account_number (e.g. ACCT-001, CUST-00042).

          Polymorphic lookup: if the value is not a UUID it is resolved to a
          UUID via

          accounts.account_number within the entity scope before the record is
          fetched.

          (NEW-GAP-API-V1-POLYMORPHIC-LOOKUP-CROSS-RESOURCE 2026-05-20)
    patch:
      tags:
        - Accounts
      summary: Update an account (PATCH allowlist)
      description: >
        Updates the specified fields of an account. Only explicitly allowlisted
        fields may

        be set via this endpoint (Rule 23 SSOT). The following fields are
        blocked and will

        return 422 forbidden_field if included: credit_balance, is_credit_hold
        (use

        POST /accounts/{id}/credit-hold to set/clear), merged_into_account_id,
        merged_at,

        and all 30+ analytics columns (total_orders, ttm_revenue,
        account_health_score,

        rfm_*, etc.).


        Side effects:

        - AvaTax recalc fires automatically on tax_exempt or avatax_entity_code
        change (AUDIT-037).
          Loader operators should disable AvaTax connector before bulk PATCH to avoid storms.
        - Shopify customer sync fires post-commit if
        entity.settings.shopify_sync.customer_sync = true.
      operationId: updateAccount
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccountPatch'
      responses:
        '200':
          description: Updated account object
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/Account'
        '401':
          $ref: '#/components/responses/Error'
        '403':
          $ref: '#/components/responses/Error'
        '404':
          $ref: '#/components/responses/Error'
        '422':
          description: Forbidden field or validation error
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    enum:
                      - forbidden_field
                      - tax_exempt_requires_exemption_code
                  code:
                    type: string
                  param:
                    type: string
                    description: The forbidden field name (when error=forbidden_field).
      security:
        - ApiKeyAuth:
            - accounts:write
components:
  schemas:
    AccountPatch:
      type: object
      description: >
        Partial-update payload for an account. Only present fields are applied;

        omit a field to leave it unchanged. `entity_id`, `id`, `account_number`,

        `credit_balance`, `is_credit_hold`, and `stripe_customer_id` are
        read-only.
      properties:
        display_name:
          type: string
        company_name:
          type: string
          nullable: true
        email:
          type: string
          nullable: true
        phone_main:
          type: string
          nullable: true
        phone_secondary:
          type: string
          nullable: true
        phone_mobile:
          type: string
          nullable: true
        website:
          type: string
          nullable: true
        payment_term_id:
          type: string
          format: uuid
          nullable: true
        credit_limit:
          type: number
          nullable: true
        tax_exempt:
          type: boolean
        avatax_entity_code:
          type: string
          nullable: true
        tax_number:
          type: string
          nullable: true
        default_pricing_level_id:
          type: string
          format: uuid
          nullable: true
        default_location_id:
          type: string
          format: uuid
          nullable: true
        default_shipping_method:
          type: string
          nullable: true
        shipping_preference:
          type: string
          enum:
            - always_freight
            - always_parcel
            - auto
          nullable: true
        enable_pro_portal:
          type: boolean
        is_active:
          type: boolean
        notes:
          type: string
          nullable: true
        metadata:
          type: object
          nullable: true
        external_customer_id:
          type: string
          nullable: true
    Account:
      type: object
      description: >
        An Arcus ERP account. Represents a customer, vendor, lead, or
        individual.

        account_type drives AR vs AP behavior: business/individual/lead =
        customer (AR);

        vendor = supplier (AP). entity_id is always from the API key (Layer 1
        isolation).
      properties:
        id:
          type: string
          format: uuid
        object:
          type: string
          enum:
            - account
        entity_id:
          type: string
          format: uuid
          readOnly: true
        display_name:
          type: string
          description: UI-facing name. Required.
        company_name:
          type: string
          nullable: true
        account_type:
          type: string
          enum:
            - business
            - individual
            - lead
            - vendor
          description: business/individual/lead = customer (AR); vendor = supplier (AP).
        account_number:
          type: string
          nullable: true
          readOnly: true
          description: Auto-generated sequential number within entity. Unique per entity.
        email:
          type: string
          nullable: true
        phone_main:
          type: string
          nullable: true
        phone_secondary:
          type: string
          nullable: true
        phone_mobile:
          type: string
          nullable: true
        website:
          type: string
          nullable: true
        payment_term_id:
          type: string
          format: uuid
          nullable: true
        credit_limit:
          type: number
          nullable: true
        credit_balance:
          type: number
          readOnly: true
          description: 'SSOT: utils/ar-helpers.mjs. Do not write directly.'
        is_credit_hold:
          type: boolean
          readOnly: true
          description: |
            Read-only on PATCH /accounts/{id} (Rule 23 SSOT).
            To set or clear the credit hold use the dedicated action endpoint
            POST /accounts/{id}/credit-hold { on_hold: bool, reason?: string }.
            The action endpoint delegates to canonical
            utils/credit-hold-helpers.mjs::setCreditHold which is the SOLE
            writer and also cascades to orders.is_credit_hold_blocked.
        tax_exempt:
          type: boolean
        avatax_entity_code:
          type: string
          nullable: true
        tax_number:
          type: string
          nullable: true
        default_pricing_level_id:
          type: string
          format: uuid
          nullable: true
        default_location_id:
          type: string
          format: uuid
          nullable: true
        default_shipping_method:
          type: string
          nullable: true
        shipping_preference:
          type: string
          enum:
            - always_freight
            - always_parcel
            - auto
          nullable: true
        enable_pro_portal:
          type: boolean
        is_active:
          type: boolean
        notes:
          type: string
          nullable: true
        metadata:
          type: object
          nullable: true
        stripe_customer_id:
          type: string
          nullable: true
          readOnly: true
        source_platform:
          type: string
          nullable: true
          readOnly: true
        external_customer_id:
          type: string
          nullable: true
        created_at:
          type: string
          format: date-time
          readOnly: true
        updated_at:
          type: string
          format: date-time
          readOnly: true
    ErrorEnvelope:
      type: object
      description: |
        Canonical error response envelope. All API errors use this shape.
      required:
        - error
        - code
      properties:
        error:
          type: string
          description: Machine-readable error key
          example: not_found
        code:
          type: string
          description: Machine-readable error code (often same as error)
          example: not_found
        type:
          type: string
          enum:
            - validation_error
            - permission_error
            - not_found
            - conflict
            - rate_limit
            - internal
            - expand_error
            - not_implemented
          example: not_found
        hint:
          type: string
          description: Human-readable one-sentence explanation (English)
          example: >-
            The requested order does not exist or does not belong to this
            entity.
        param:
          type: string
          description: The parameter that caused the error, if applicable
          example: expand[0]
        required:
          type: string
          description: The scope required (only on insufficient_scope errors)
          example: accounts:read
        request_id:
          type: string
          description: >-
            Unique request ID for support tracing (maps to CloudWatch log
            stream)
          example: req_abc123
  responses:
    Error:
      description: Error response (400/401/403/404/409/422/429/500)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      description: |
        API key issued per entity via Settings > Developers > API Keys.
        Each key carries scopes (e.g. orders:read, products:write).
        Bearer token format: Authorization: Bearer ark_live_ent_<code>_<random>
        Test keys use ark_test_ent_<code>_<random>. Both are issued per entity
        via Settings > Developers > API Keys.

````