OAuth Callback Domains Explained
Configuring your callback domain
Within a Public or Partner application type, a user can specify a callback domain. This is done when creating or editing an application in the Xero Developer Centre.
Note that a callback domain is not a full URL but a domain name, an IP address, or the hostname localhost.
Examples of acceptable callback domains:
- xero.com
- localhost
- 127.0.0.1
Examples of unacceptable callback domains:
- http://xero.com/subpage.aspx
- myrandomhostname
Setting a callback URL – OAuth
The callback URL is a parameter (oauth_callback) that is set in the RequestToken OAuth call.
We will check that the oauth_callback parameter is a full URL whose host is the registered callback domain (or a subdomain of it, see below).
If the host of the callback URL does not match the registered callback domain, an OAuth error is returned:
oauth_problem = parameter_rejected
oauth_problem_advice = Callback url is not the registered callback domain
If the oauth_callback parameter is not set, the user is not redirected back to a web page after authorizing the application; instead, a numeric authorization code is displayed to them.
Callback domains and subdomains
A callback domain can be a top level domain such as xero.com, or a sub domain such as api.xero.com.
If you wish to use multiple subdomains, set the top level domain as your callback domain: for a callback domain of xero.com, callback URLs on api.xero.com and developer.xero.com are both accepted.
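The RequestToken check described above, as an added example rather than Xero's own code: a small validator that accepts oauth_callback only when it is a full URL whose host is the registered callback domain or a subdomain of it, and otherwise returns the oauth_problem pair from this page. Function names are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlparse


def _is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def callback_matches_domain(oauth_callback: str, registered_domain: str) -> bool:
    """Return True when oauth_callback is a full URL whose host is the
    registered callback domain or a subdomain of it (illustrative model of
    the rule on this page, not the service's implementation)."""
    parsed = urlparse(oauth_callback)
    # Must be a full URL: a scheme plus a host component. A bare
    # "api.xero.com/cb" parses with no scheme and no hostname.
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    # urlparse().hostname drops userinfo, so "https://xero.com@evil.example"
    # is compared on evil.example, not xero.com.
    host = parsed.hostname.lower()
    domain = registered_domain.strip().lower()
    # IP addresses (and localhost) are matched exactly; no subdomain rule.
    if _is_ip(domain) or domain == "localhost":
        return host == domain
    if host == domain:
        return True
    # Subdomain match: api.xero.com is accepted for xero.com, while
    # notxero.com and xero.com.evil.example are not (no leading dot match).
    return host.endswith("." + domain)


def check_request_token(oauth_callback: str, registered_domain: str):
    """Model the RequestToken check: None on success, otherwise the
    oauth_problem / oauth_problem_advice pair returned on rejection."""
    if callback_matches_domain(oauth_callback, registered_domain):
        return None
    return {
        "oauth_problem": "parameter_rejected",
        "oauth_problem_advice": "Callback url is not the registered callback domain",
    }
```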
Previous Xero API Applications
In the past, Xero API applications accepted a callback URL configured within the application setup, and this was used as the default callback URL for the application.
As the Xero API now supports the oauth_callback parameter, new applications need to use this parameter. Applications with the old callback URL continue to be supported until they are edited and changed to use a callback domain.