OAuth Callbacks


Configuring your callback domain

Within a Public or Partner application type, a user can specify a callback domain. This is done when creating or editing an application in the Xero Developer Centre. Note that a callback domain is not a full URL, but a domain name, an IP address, or the hostname localhost. Examples of acceptable callback domains:

  • xero.com
  • localhost
  • 127.0.0.1

Examples of unacceptable callback domains:

  • http://xero.com/subpage.aspx
  • myrandomhostname

Setting a callback URL - OAuth

The callback URL is a parameter (oauth_callback) that is set in the RequestToken OAuth call. We will check that the oauth_callback parameter is a full URL that uses the registered callback domain. If the host of the callback URL does not match the registered callback domain, an OAuth error is returned:

  oauth_problem = parameter_rejected
  oauth_problem_advice = Callback url is not the registered callback domain

If the callback parameter is not set, then when a user authorizes an application the user will not be redirected back to a webpage, but will instead be shown a random numeric authorization code.

Callback domains and subdomains

A callback domain can be a top level domain such as xero.com, or a subdomain such as api.xero.com. If you wish to use multiple subdomains, you can set the top level domain as your callback domain, so that callback URLs on api.xero.com and developer.xero.com would both be accepted for a callback domain of xero.com.
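The domain check described in the two sections above (a full URL whose host is the registered callback domain or one of its subdomains) is the control that stops an attacker from supplying an arbitrary oauth_callback and having the request token redirected to a host they control. The following is an added example, not Xero's own implementation, showing how such a check is written so that it compares whole DNS labels rather than substrings (so notxero.com and xero.com.evil.example are rejected for a registered domain of xero.com), handles the localhost and IP-address cases from the examples above, and is not fooled by a user-info prefix such as https://xero.com@evil.example/. The registered domain list and the test URLs are constructed for the example; the oauth_problem_advice text is the one quoted on this page.

```python
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed list of registered callback domains, matching the examples on this page.
REGISTERED_DOMAINS: List[str] = ["xero.com", "localhost", "127.0.0.1"]

# Advice string quoted on this page for a domain mismatch.
ADVICE_NOT_REGISTERED = "Callback url is not the registered callback domain"


def host_matches_domain(host: str, domain: str) -> bool:
    """True if host equals the registered domain or is a subdomain of it.

    The comparison is made on whole DNS labels ("." + domain as a suffix),
    so "notxero.com" does not match "xero.com". IP addresses and the
    hostname "localhost" never have subdomains and must match exactly.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(domain)
        return False  # an IP literal cannot be the parent of a subdomain
    except ValueError:
        pass
    if domain == "localhost":
        return False
    return host.endswith("." + domain)


def validate_oauth_callback(oauth_callback: str,
                            registered_domains: List[str]) -> Tuple[bool, str]:
    """Server-side check for the oauth_callback parameter of a RequestToken call.

    Returns (accepted, advice). The URL must be a full http(s) URL and its
    host (hostname only: scheme, user-info, port and path are ignored) must
    match one of the registered callback domains.
    """
    parts = urlsplit(oauth_callback)
    # urlsplit().hostname strips any "user:pass@" prefix and the port, so a
    # value such as "https://xero.com@evil.example/cb" resolves to "evil.example".
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, ADVICE_NOT_REGISTERED
    if any(host_matches_domain(parts.hostname, d) for d in registered_domains):
        return True, ""
    return False, ADVICE_NOT_REGISTERED


if __name__ == "__main__":
    # Constructed sample callbacks exercising the accepted and rejected cases.
    for url in ["https://api.xero.com/oauth/callback",
                "http://localhost:8080/callback",
                "http://127.0.0.1:5000/callback",
                "https://notxero.com/callback",
                "https://xero.com.evil.example/callback",
                "https://xero.com@evil.example/callback",
                "xero.com/callback"]:
        ok, advice = validate_oauth_callback(url, REGISTERED_DOMAINS)
        print(f"{url:45} -> {'accepted' if ok else 'rejected: ' + advice}")
```

Because the registered domain is xero.com, both api.xero.com and developer.xero.com are accepted by this check, which is the multiple-subdomain behaviour described above; registering api.xero.com instead would accept only that host and hosts below it.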

Multiple callback domains

Partner applications support multiple callback domains. Visit the Partner application page for more details on using multiple callback domains.


Redirect on Error

If you supply the redirectOnError=true parameter when sending users to the authorize url we will redirect the user to your callback url if they click the "Cancel and go back" button.

https://app.xero.com/oauth/APIAuthorise?oauth_token=VL***************62&redirectOnError=true

We will add the ?error=access_denied&error_description=The+user+denied+your+request parameters to the callback URL to let you know that the user has denied the request.

https://myapp.com/callback?error=access_denied&error_description=The+user+denied+your+request
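As an added example (not Xero's code), the following shows both ends of the redirectOnError flow described above: building the authorize URL with redirectOnError=true, appending the error parameters to a callback URL the way the authorization server does (using & rather than a second ? when the callback already carries a query string, which the prose above glosses over), and the application's handling of the returned URL. The authorize URL, the error parameter names and the description text are those quoted on this page; the oauth_verifier name used for the success case is the standard OAuth 1.0a parameter and is not taken from this page; the token and callback values are constructed.

```python
from typing import Dict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Authorize endpoint quoted on this page.
AUTHORIZE_URL = "https://app.xero.com/oauth/APIAuthorise"
ERROR_DESCRIPTION = "The user denied your request"


def build_authorize_url(oauth_token: str, redirect_on_error: bool = True) -> str:
    """Application side: send the user to the authorize URL, asking to be
    redirected back to the callback even if the user cancels."""
    params = {"oauth_token": oauth_token}
    if redirect_on_error:
        params["redirectOnError"] = "true"
    return AUTHORIZE_URL + "?" + urlencode(params)


def append_error_to_callback(callback_url: str) -> str:
    """Authorization-server side: what happens on "Cancel and go back".

    The error parameters are merged into any query string the callback
    already has, so an existing "?ref=123" is preserved rather than
    producing a malformed "?...?error=...". urlencode encodes spaces as "+",
    matching the form shown on this page.
    """
    parts = urlsplit(callback_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("error", "access_denied"), ("error_description", ERROR_DESCRIPTION)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def handle_callback(request_url: str) -> Dict[str, str]:
    """Application side: classify the URL the user arrives back on.

    A denial is recognised by error=access_denied. Because anyone can type
    such a URL into a browser, the error is informational only: the
    application should simply discard the pending request token, never treat
    the parameters as proof of anything about the user.
    """
    params = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    if params.get("error") == "access_denied":
        return {"status": "denied", "description": params.get("error_description", "")}
    if "oauth_token" in params and "oauth_verifier" in params:
        return {"status": "authorized", "oauth_token": params["oauth_token"],
                "oauth_verifier": params["oauth_verifier"]}
    return {"status": "unknown"}


if __name__ == "__main__":
    # Constructed token and callback values.
    print(build_authorize_url("VLEXAMPLETOKEN62"))
    denied = append_error_to_callback("https://myapp.com/callback?ref=123")
    print(denied)
    print(handle_callback(denied))
```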