Private Applications (deprecated)

Important Notice

You can no longer create new OAuth 1.0a apps, and any custom API integration (private app) that you’ve created will need to move to OAuth 2.0. There are a few ways to achieve this; please choose the option that’s best for you and your customers.

  1. Client credentials grant: we’re working on a premium, client credentials grant option for machine-to-machine integrations. Only available to Xero subscribers in Australia, New Zealand and the UK. We’re hoping to have this ready soon. Learn more.
  2. Proof Key for Code Exchange: PKCE makes it quick and easy for mobile and desktop app developers to build directly to the Xero API with no need to build a comms proxy or manage private app credentials for every connection. Learn more.
  3. Standard OAuth 2.0 app: you’ll still be able to build to the standard OAuth 2.0 flow if you prefer. Regular OAuth 2.0 apps will remain free to create and use. Learn more.

Key information for private apps

Private applications use 2-legged OAuth and bypass the user authorization workflow in the standard OAuth process. Private applications are linked to a single Xero organisation, which is chosen when you register your application. Access tokens for private applications don’t expire unless the application is deleted or disconnected from within the Xero organisation.

You can create a maximum of 2 private applications against a single Xero organisation.

Technical details

Private applications use the RSA-SHA1 signature method. You will need to generate a public/private key-pair, of which the public part will be uploaded to Xero during application registration.

Once you have added a private app you will be given a consumer key to use. The consumer key is also used as the access token. The consumer secret is not used for private apps.

The minimum UserRole/permission for a Xero user to be able to authorise an integration/3rd party application against a Xero Organisation is "STANDARD".

How to set up a Private application

  1. Generate a public/private key-pair for use with your application.
  2. Log in to the Xero Developer portal which is located at
  3. Go to the My Apps > New app screen in the Xero Developer portal to add your application.
  4. Select “Private app” and enter a name for your application.
  5. Choose your organisation from the drop-down list.
  6. Upload the public certificate (.cer file) you generated in step one.
  7. Choose save. You will now have a Consumer Key to use for your application.

We recommend using a wrapper library to interact with the Xero API.
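
Steps 1 and 6 and the RSA-SHA1 detail above, shown as an added example that is not Xero's own code: it generates the key pair and certificate with OpenSSL, then signs an OAuth 1.0a signature base string with the private key and verifies it using only the certificate. The file names, certificate subject, validity period, endpoint and consumer key are assumptions constructed for illustration.

```shell
#!/bin/sh
set -eu

# Step 1: RSA private key (stays on your host, mode 0600) plus a self-signed
# certificate; the .cer file is the only part uploaded at registration.
gen_keypair() {                      # $1 = output directory
  ( umask 077; openssl genrsa -out "$1/privatekey.pem" 2048 2>/dev/null )
  openssl req -new -x509 -key "$1/privatekey.pem" -days 365 \
    -subj "/CN=example-private-app" -out "$1/publickey.cer" 2>/dev/null
}

# RSA-SHA1 signature over the signature base string, base64-encoded as it
# would be carried in the oauth_signature parameter.
sign_base_string() {                 # $1 = private key, $2 = base string
  printf '%s' "$2" | openssl dgst -sha1 -sign "$1" | openssl base64 -A
}

# The check a server can make with nothing but the uploaded certificate.
verify_signature() {                 # $1 = cert, $2 = base string, $3 = base64 sig
  vs_tmp=$(mktemp -d)
  vs_rc=0
  openssl x509 -in "$1" -pubkey -noout > "$vs_tmp/pub.pem"
  printf '%s' "$3" | openssl base64 -d -A > "$vs_tmp/sig.bin"
  printf '%s' "$2" | openssl dgst -sha1 -verify "$vs_tmp/pub.pem" \
    -signature "$vs_tmp/sig.bin" >/dev/null 2>&1 || vs_rc=$?
  rm -rf "$vs_tmp"
  return "$vs_rc"
}

# Constructed sample: placeholder endpoint and consumer key. The consumer key
# appears as both oauth_consumer_key and oauth_token, as described above.
BASE='GET&https%3A%2F%2Fapi.example.invalid%2Fresource&oauth_consumer_key%3DEXAMPLEKEY%26oauth_nonce%3Dn1%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1700000000%26oauth_token%3DEXAMPLEKEY%26oauth_version%3D1.0'

demo() {
  demo_dir=$(mktemp -d)
  gen_keypair "$demo_dir"
  demo_sig=$(sign_base_string "$demo_dir/privatekey.pem" "$BASE")
  verify_signature "$demo_dir/publickey.cer" "$BASE" "$demo_sig" \
    && echo "signature verifies against the uploaded certificate"
  verify_signature "$demo_dir/publickey.cer" "${BASE}x" "$demo_sig" \
    || echo "modified request is rejected"
  rm -rf "$demo_dir"
}
demo
```

Because the consumer key doubles as a non-expiring access token, the private key file is the only secret protecting the connection; store it with restrictive permissions and keep it out of source control.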