Partner Applications


Partner applications are public applications that have been upgraded to support long-term access tokens.

  • Partner applications use the same 3-legged authorization process as public applications, but the 30-minute access tokens can be renewed, and renewal does not require further user authorization. Renewal can be repeated indefinitely while the partner application is in active use.
  • Partner applications also use a different signature method from public apps: requests must be signed using the RSA-SHA1 method. More details are provided below.

Connecting and disconnecting an application

The process for an end user to authorise a partner application is identical to a public application.

Since your application will have long-term access to an organisation, an end user may want to revoke that access. This can be done inside the Xero application via the Add-ons settings screen (Settings > General Settings > Add-ons). Once access has been revoked, you need to follow the standard initial connection process again, i.e. obtain a new request token and so on.

Technical Details

How to register an application

  1. Start by registering a public application.
  2. Register your interest in becoming a partner and apply to have your application upgraded to a partner application. Approved developers will be sent further details about how to complete this process.
  3. Once your application has been upgraded you have to upload your Xero public key. See signing requests below.

Note: The name you select for your integration will be visible to end users. Check out our guide on branding your integration for more details.

URLs for authorising and using the Xero API

Xero follows the OAuth v1.0a spec. The URLs to authorize your partner application are:

Get an Unauthorised Request Token:
Redirect a user:
Swap a Request Token for an Access Token:
Swap an expired access token for a new one:
Connect to the Xero API:

Callback URL

  • When getting a request token and specifying the callback URL, the callback URL should be no more than 250 characters long.
  • The callback URL must be within the domain specified when registering your app.
  • Up to 3 callback domains are supported. When specifying more than 1 callback domain, separate each domain with a comma.
  • If a callback URL is not specified then the user will be given an authorisation code to enter into your application. The authorisation code is a fallback method, and should only be used if it is not technically possible to use the callback.
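The rules above are enforced by Xero when the request token is issued, but it is useful to check them client-side before sending the callback, and the check also shows why the domain rule exists: a callback that lands outside the registered domain would deliver the verifier to someone else. The following is an added example, not code from this page or from Xero. It assumes that "within the domain" means the callback host is the registered domain or a subdomain of it, which the page does not define; the function and constant names are chosen here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Limits stated on the page: callback length and number of callback domains.
const (
	MaxCallbackLen     = 250
	MaxCallbackDomains = 3
)

// ParseCallbackDomains splits the comma-separated domain list entered at registration.
func ParseCallbackDomains(registered string) ([]string, error) {
	var domains []string
	for _, d := range strings.Split(registered, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d != "" {
			domains = append(domains, d)
		}
	}
	if len(domains) == 0 {
		return nil, fmt.Errorf("no callback domain registered")
	}
	if len(domains) > MaxCallbackDomains {
		return nil, fmt.Errorf("%d callback domains registered, at most %d are supported",
			len(domains), MaxCallbackDomains)
	}
	return domains, nil
}

// ValidateCallbackURL applies the page's rules before the callback is sent with the
// request-token call: length limit, absolute http(s) URL, and a host within a
// registered domain. "Within" is taken here to mean the host equals a registered
// domain or is a subdomain of it (an assumption; the page does not define it).
func ValidateCallbackURL(callback string, domains []string) error {
	if len(callback) > MaxCallbackLen {
		return fmt.Errorf("callback URL is %d characters, limit is %d", len(callback), MaxCallbackLen)
	}
	u, err := url.Parse(callback)
	if err != nil {
		return fmt.Errorf("callback URL does not parse: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("callback URL must be an absolute http(s) URL")
	}
	// Compare the parsed host only: query strings or paths that merely mention
	// the registered domain (e.g. ?next=example.com) must not pass.
	host := strings.ToLower(u.Hostname())
	for _, d := range domains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return nil
		}
	}
	return fmt.Errorf("callback host %q is not within a registered domain", host)
}
```

The suffix test is written as `"."+d` rather than `d` so that a lookalike host such as `example.com.attacker.test` is rejected even though it ends in the registered domain's text.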

Signing requests

Only messages signed using RSA-SHA1 will be accepted. When requesting an upgrade to partner status, you will need to upload a self-generated public certificate. To do this you need to generate a public/private key pair.
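What RSA-SHA1 signing of an OAuth 1.0a request actually involves is shown below: the signature base string from RFC 5849 section 3.4.1, a PKCS#1 v1.5 RSA signature over its SHA-1 digest, and the self-signed certificate that wraps the public key for upload. This is an added example written for this page, not code from Xero or from any Xero SDK; the function names, the 2048-bit key size and the one-year certificate validity are choices made here, and the example URL and parameter values in the comments are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"net/url"
	"sort"
	"strings"
	"time"
)

// percentEncode is the RFC 3986 encoding OAuth 1.0a requires: only
// A-Z a-z 0-9 - _ . ~ pass through, and a space becomes %20 rather than '+'.
func percentEncode(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// SelfSignedCertPEM wraps the public half of the key pair in a self-signed X.509
// certificate, the usual form of the "public certificate" that is uploaded.
// Only the certificate leaves your system; the private key stays with the app.
func SelfSignedCertPEM(key *rsa.PrivateKey, commonName string, now time.Time) (string, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0), // one year, a choice made for this example
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

type kv struct{ k, v string }

// SignatureBaseString builds the OAuth 1.0a base string (RFC 5849 section 3.4.1):
// METHOD & encode(base URL) & encode(sorted "k=v" pairs joined by "&").
// Query-string parameters in the URL are signed alongside the oauth_* parameters.
func SignatureBaseString(method, rawURL string, oauthParams map[string]string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	var pairs []kv
	for k, vs := range u.Query() {
		for _, v := range vs {
			pairs = append(pairs, kv{percentEncode(k), percentEncode(v)})
		}
	}
	for k, v := range oauthParams {
		pairs = append(pairs, kv{percentEncode(k), percentEncode(v)})
	}
	sort.Slice(pairs, func(i, j int) bool { // by key, then by value
		return pairs[i].k < pairs[j].k || (pairs[i].k == pairs[j].k && pairs[i].v < pairs[j].v)
	})
	parts := make([]string, len(pairs))
	for i, p := range pairs {
		parts[i] = p.k + "=" + p.v
	}
	// Base URL: lower-case scheme and host plus path, with the query removed
	// (a default :80/:443 port is assumed to be absent from rawURL already).
	baseURL := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host) + u.Path
	return strings.ToUpper(method) + "&" + percentEncode(baseURL) + "&" +
		percentEncode(strings.Join(parts, "&")), nil
}

// SignRSASHA1 returns the base64 PKCS#1 v1.5 RSA signature over SHA-1(base string);
// this value, percent-encoded, is the oauth_signature a partner application sends.
func SignRSASHA1(key *rsa.PrivateKey, base string) (string, error) {
	digest := sha1.Sum([]byte(base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyRSASHA1 is the check the receiving side performs with the uploaded public key.
func VerifyRSASHA1(pub *rsa.PublicKey, base, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha1.Sum([]byte(base))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
}
```

The key pair itself comes from `rsa.GenerateKey(rand.Reader, 2048)`; the oauth_* parameters (consumer key, token, nonce, timestamp, `oauth_signature_method=RSA-SHA1`, `oauth_version=1.0`) go into `SignatureBaseString`, and the resulting signature is added as `oauth_signature` in the Authorization header. Because the signature covers the query string, any change to the request after signing fails verification, which is the property the server relies on.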

Refreshing access tokens

Each time that a Partner application calls the /OAuth/AccessToken method, the server will return a number of parameters in addition to the usual access token and secret:

oauth_token_secret=4MC3JQZHNG6DTKIKUITLNCYVFT61F7 Access Token Secret
oauth_expires_in=1800 Number of seconds before the access token expires
oauth_session_handle=ODJHMGEZNGVKMGM1NDA1NZG3ZWIWNJ Session Handle used to renew the access token
oauth_authorization_expires_in=31536000 Number of seconds before the session expires
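The renewal flow these parameters describe, as an added example rather than code from this page or from Xero: parse the AccessToken response, anchor the two relative lifetimes to the time the response arrived, decide when the 30-minute token must be swapped, and build the parameters for the renewal call using the session handle. The response body is constructed for the example; its secret and session handle are the page's own sample values, while the oauth_token value is a placeholder. The type and function names, and the idea of a renewal safety margin, are choices made here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// SampleAccessTokenResponse is a constructed body in the shape /OAuth/AccessToken
// returns to a partner application. Secret and session handle are the page's own
// example values; the oauth_token value is a placeholder.
const SampleAccessTokenResponse = "oauth_token=PLACEHOLDER_ACCESS_TOKEN" +
	"&oauth_token_secret=4MC3JQZHNG6DTKIKUITLNCYVFT61F7" +
	"&oauth_expires_in=1800" +
	"&oauth_session_handle=ODJHMGEZNGVKMGM1NDA1NZG3ZWIWNJ" +
	"&oauth_authorization_expires_in=31536000"

// ErrSessionExpired means the session handle can no longer renew the token and the
// user has to go through the full 3-legged authorisation again.
var ErrSessionExpired = errors.New("oauth session expired: re-authorise the organisation")

// PartnerToken is the per-organisation state a partner application must persist.
// Secret and SessionHandle are long-lived credentials: store them encrypted.
type PartnerToken struct {
	Token, Secret string
	SessionHandle string
	TokenExpiry   time.Time // receivedAt + oauth_expires_in (30 minutes)
	SessionExpiry time.Time // receivedAt + oauth_authorization_expires_in
}

// ParseAccessTokenResponse decodes the form-encoded response body and anchors the
// relative expiry values to the time the response was received.
func ParseAccessTokenResponse(body string, receivedAt time.Time) (*PartnerToken, error) {
	v, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	for _, k := range []string{"oauth_token", "oauth_token_secret", "oauth_expires_in",
		"oauth_session_handle", "oauth_authorization_expires_in"} {
		if v.Get(k) == "" {
			return nil, fmt.Errorf("AccessToken response is missing %s", k)
		}
	}
	expiresIn, err := strconv.Atoi(v.Get("oauth_expires_in"))
	if err != nil {
		return nil, fmt.Errorf("bad oauth_expires_in: %w", err)
	}
	sessionIn, err := strconv.Atoi(v.Get("oauth_authorization_expires_in"))
	if err != nil {
		return nil, fmt.Errorf("bad oauth_authorization_expires_in: %w", err)
	}
	return &PartnerToken{
		Token:         v.Get("oauth_token"),
		Secret:        v.Get("oauth_token_secret"),
		SessionHandle: v.Get("oauth_session_handle"),
		TokenExpiry:   receivedAt.Add(time.Duration(expiresIn) * time.Second),
		SessionExpiry: receivedAt.Add(time.Duration(sessionIn) * time.Second),
	}, nil
}

// NeedsRenewal reports whether the access token should be swapped for a new one
// before the next API call; margin keeps an in-flight request from racing the expiry.
func (t *PartnerToken) NeedsRenewal(now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(t.TokenExpiry)
}

// SessionExpired reports whether renewal is no longer possible.
func (t *PartnerToken) SessionExpired(now time.Time) bool {
	return !now.Before(t.SessionExpiry)
}

// RenewalParams builds the oauth_* parameters for the "swap an expired access token
// for a new one" call. The request is signed with RSA-SHA1 like every other call;
// the session handle, not a fresh user approval, authorises the renewal.
func (t *PartnerToken) RenewalParams(consumerKey, nonce string, now time.Time) (url.Values, error) {
	if t.SessionExpired(now) {
		return nil, ErrSessionExpired
	}
	return url.Values{
		"oauth_consumer_key":     {consumerKey},
		"oauth_token":            {t.Token},
		"oauth_session_handle":   {t.SessionHandle},
		"oauth_signature_method": {"RSA-SHA1"},
		"oauth_timestamp":        {strconv.FormatInt(now.Unix(), 10)},
		"oauth_nonce":            {nonce},
		"oauth_version":          {"1.0"},
	}, nil
}
```

Each successful renewal returns a fresh response with new values for all four fields, so the stored `PartnerToken` is replaced, not patched. When `SessionExpired` becomes true (or the user has revoked the add-on in Xero), the renewal call fails and the application has to restart from the request-token step described earlier.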