Private Applications (deprecated)

Important Notice

OAuth1.0a is in the process of being deprecated and new private apps can no longer be created. If you're building a new integration you'll need to use OAuth 2.0. For more information about your options, please check out our FAQs.


Private applications use 2-legged OAuth and bypass the user authorization workflow in the standard OAuth process. Each private application is linked to a single Xero organisation, which is chosen when you register the application. Access tokens for private applications don’t expire unless the application is deleted or disconnected from within the Xero organisation.

You can create a maximum of 2 private applications against a single Xero organisation.

Technical details

Private applications use the RSA-SHA1 signature method. You will need to generate a public/private key-pair; the public part is uploaded to Xero during application registration.

Once you have added a private app you will be given a consumer key to use. The consumer key is also used as the access token. The consumer secret is not used for private apps.
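How these details show up in a signed request, as an added example that is not Xero's own code: it builds the OAuth 1.0a signature base string and Authorization header, with the consumer key reused as `oauth_token` and no consumer secret involved. The `sign` callable (an RSA PKCS#1 v1.5 SHA-1 signer over your private key, supplied by a crypto library) and the URL are assumptions.

```python
import base64
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    parts = urlsplit(url)
    # Base URI: lowercase scheme and host, no query string or fragment.
    # (Assumes the URL carries no explicit default port.)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query parameters are signed together with the oauth_* parameters.
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def authorization_header(method, url, consumer_key, sign, nonce=None, timestamp=None):
    # `sign` is a caller-supplied function (assumption): bytes -> RSA-SHA1 signature bytes.
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": consumer_key,  # private apps: consumer key doubles as access token
        "oauth_signature_method": "RSA-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth)
    signature = base64.b64encode(sign(base.encode("ascii"))).decode("ascii")
    oauth["oauth_signature"] = signature
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
```

Because the only secret is the private key, it should be stored and rotated with the same care as a long-lived credential: the access token it unlocks does not expire on its own.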

The minimum UserRole/permission for a Xero user to be able to authorise an integration/3rd party application against a Xero Organisation is "STANDARD".

How to set up a Private application

  1. Generate a public/private key-pair for use with your application.
  2. Log in to the Xero Developer portal which is located at
  3. Go to the My Apps > New app screen in the Xero Developer portal to add your application.
  4. Select “Private app” and enter a name for your application.
  5. Choose your organisation from the drop-down list.
  6. Upload the public certificate (.cer file) you generated in step one.
  7. Choose save. You will now have a Consumer Key to use for your application.
We recommend using a wrapper library to interact with the Xero API.