Partner applications are public applications that have been upgraded to support long-term access tokens.
The process for an end user to authorise a partner application is identical to that for a public application.
Since your application will have long-term access to an organisation, an end user may want to revoke access to an application. This can be done inside the Xero application via the Add-ons settings screen (Settings > General Settings > Add-ons). Once an application has been revoked, you need to follow the standard initial connection process again (i.e. get a request token, etc.).
Note: The name you select for your integration will be visible to end users. Check out our guide on branding your integration for more details.
Xero follows the OAuth v1.0a spec. The URLs to authorize your partner application are:

| Step | URL |
|---|---|
| Get an Unauthorised Request Token | https://api.xero.com/oauth/RequestToken |
| Redirect a user | https://api.xero.com/oauth/Authorize |
| Swap a Request Token for an Access Token | https://api.xero.com/oauth/AccessToken |
| Swap an expired access token for a new one | https://api.xero.com/oauth/AccessToken |
| Connect to the Xero API | https://api.xero.com/api.xro/2.0/... |

Only messages signed using RSA-SHA1 will be accepted. When requesting an upgrade to partner status, you will need to upload a self-generated public certificate. To do this, you need to generate a public/private key pair.
Each time that a Partner application calls the /OAuth/AccessToken method, the server will return a number of parameters in addition to the usual access token and secret:

| Parameter | Description |
|---|---|
| oauth_token=ZWFHNMIWNZBMZJI1NDQ4ZJK0ZDGYMZ | Access Token Key |
| oauth_token_secret=4MC3JQZHNG6DTKIKUITLNCYVFT61F7 | Access Token Secret |
| oauth_expires_in=1800 | Number of seconds before the access token expires |
| oauth_session_handle=ODJHMGEZNGVKMGM1NDA1NZG3ZWIWNJ | Session Handle used to renew the access token |
| oauth_authorization_expires_in=31536000 | Number of seconds before the session expires |
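
The following is an added example, not code from Xero: it parses the AccessToken response parameters listed above into absolute expiry times and decides whether the token can be used, must be renewed with the session handle, or the user must authorise again. The names `PartnerSession`, `next_action` and `parse_access_token_response`, and the 60-second safety margin, are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from urllib.parse import parse_qs

REQUIRED = ("oauth_token", "oauth_token_secret", "oauth_expires_in",
            "oauth_session_handle", "oauth_authorization_expires_in")

# Constructed response body, assembled from the sample values in the table above.
SAMPLE_BODY = ("oauth_token=ZWFHNMIWNZBMZJI1NDQ4ZJK0ZDGYMZ"
               "&oauth_token_secret=4MC3JQZHNG6DTKIKUITLNCYVFT61F7"
               "&oauth_expires_in=1800"
               "&oauth_session_handle=ODJHMGEZNGVKMGM1NDA1NZG3ZWIWNJ"
               "&oauth_authorization_expires_in=31536000")

@dataclass(frozen=True, repr=False)
class PartnerSession:  # hypothetical name, not part of any Xero SDK
    token: str
    token_secret: str
    session_handle: str
    token_expires_at: float    # epoch seconds
    session_expires_at: float  # epoch seconds

    def __repr__(self):
        # Keep the token, secret and session handle out of logs and tracebacks.
        return (f"PartnerSession(token_expires_at={self.token_expires_at}, "
                f"session_expires_at={self.session_expires_at})")

    def next_action(self, now, skew=60):
        """Return 'use', 'renew' or 'reauthorise'; skew is an assumed safety margin."""
        if now >= self.session_expires_at - skew:
            return "reauthorise"  # session over: start again from a request token
        if now >= self.token_expires_at - skew:
            return "renew"        # swap the token, presenting the session handle
        return "use"

def parse_access_token_response(body, received_at=None):
    """Parse the form-encoded body returned by the AccessToken endpoint."""
    received_at = time.time() if received_at is None else received_at
    fields = parse_qs(body, strict_parsing=True)
    bad = [k for k in REQUIRED if len(fields.get(k, [])) != 1]
    if bad:
        raise ValueError(f"missing or repeated parameters: {bad}")
    token_ttl = int(fields["oauth_expires_in"][0])
    session_ttl = int(fields["oauth_authorization_expires_in"][0])
    if token_ttl <= 0 or session_ttl <= 0:
        raise ValueError("expiry values must be positive integers")
    return PartnerSession(fields["oauth_token"][0], fields["oauth_token_secret"][0],
                          fields["oauth_session_handle"][0],
                          received_at + token_ttl, received_at + session_ttl)
```

Store the token secret and session handle with the same protection as the private key, since together they give access to the organisation for the life of the session.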