OAuth Callback Domains


Configuring your callback domain

Within a Public or Partner application type, a user can specify a callback domain. This is done when creating or editing an application in the Xero Developer Centre.
Note that a callback domain is not a full URL but a domain name, an IP address, or the hostname localhost.

Examples of acceptable callback domains:

  • xero.com
  • localhost
  • 127.0.0.1

Examples of unacceptable callback domains:

  • http://xero.com/subpage.aspx
  • myrandomhostname

Setting a callback URL – OAuth

The callback URL is a parameter (oauth_callback) that is set in the RequestToken OAuth call.
We check that the oauth_callback parameter is a full URL whose host uses the registered callback domain.

If the host of the callback URL does not match the registered callback domain, an OAuth error is returned:
oauth_problem = parameter_rejected
oauth_problem_advice =  Callback url is not the registered callback domain

If the oauth_callback parameter is not set, then when a user authorizes the application they are not redirected back to a web page; instead they are shown a random-number authorization code.

Callback domains and subdomains

A callback domain can be a top level domain such as xero.com, or a subdomain such as api.xero.com.
If you wish to use multiple subdomains, set the top level domain as your callback domain, so that callback URLs on api.xero.com and xerodev.wpengine.com would be accepted for a callback domain of xero.com.
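The following is an added example, not Xero's own code, of the server-side check the two sections above describe: the oauth_callback value must be a full URL, and its host must be the registered callback domain or a subdomain of it. The function names and the sample URLs are assumptions made here for illustration. One detail worth noting: the subdomain comparison is done on whole DNS labels, so a host such as notxero.com is rejected for a registered domain of xero.com, which a plain string suffix test would wrongly accept.

```python
"""Added example modelled on the callback-domain rule described on this page.
Not Xero's code; function names and sample URLs are assumptions."""
from urllib.parse import urlsplit


def host_within_domain(host: str, registered: str) -> bool:
    """True if host is the registered domain itself or a subdomain of it.

    The comparison is on whole DNS labels: 'api.xero.com' matches 'xero.com',
    but 'notxero.com' does not. Case and a trailing dot are ignored.
    """
    host = host.lower().rstrip(".")
    registered = registered.lower().rstrip(".")
    return host == registered or host.endswith("." + registered)


def check_oauth_callback(oauth_callback: str, registered_domain: str) -> dict:
    """Validate an oauth_callback value against the registered callback domain.

    Returns an empty dict when the callback is acceptable; otherwise returns
    the OAuth problem parameters this page shows for a rejected callback.
    """
    rejected = {
        "oauth_problem": "parameter_rejected",
        "oauth_problem_advice": "Callback url is not the registered callback domain",
    }
    parts = urlsplit(oauth_callback)
    # A callback must be a full URL: an http(s) scheme and a host are required,
    # so a bare domain such as 'xero.com/cb' is not accepted.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return rejected
    # urlsplit().hostname strips userinfo, port and brackets, so only the
    # host itself is compared against the registered domain.
    if not host_within_domain(parts.hostname, registered_domain):
        return rejected
    return {}


if __name__ == "__main__":
    # Constructed sample callbacks checked against a registered domain of xero.com.
    for url in ("https://api.xero.com/callback", "https://notxero.com/callback",
                "https://xero.com.evil.example/callback", "xero.com/callback"):
        print(url, "->", check_oauth_callback(url, "xero.com") or "accepted")
```

The rejection dict mirrors the oauth_problem / oauth_problem_advice pair quoted earlier on this page, so the same function can feed the error response directly.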

Multiple callback domains

Partner applications support multiple callback domains. Visit the Partner application page for more details on using multiple callback domains.

Previous Xero API Applications

In the past, Xero API applications accepted a callback URL configured within the application setup, and this was used as the default callback URL for the application.
As the Xero API now supports the oauth_callback parameter, new applications need to use this parameter; applications with the old callback URL continue to be supported until they are edited and changed to use a callback domain.