Public Applications (deprecated)
OAuth1.0a is in the process of being deprecated and new public apps can no longer be created. If you're building a new integration please check out OAuth 2.0
Public applications use the standard 3 legged OAuth process where a user can authorise your application to have access to their Xero organisation.
Public applications can either be web based or desktop/mobile installed. Access tokens expire after 30 minutes.
Connecting to Xero
Below is a summary of the steps required for an end user to authorise a public application to have access to their organisation in Xero
- User presses a “Connect to Xero” button or something similar in the 3rd party application.
- User is redirected to Xero and prompted to login if they do not already have an active session.
- User is requested to select which Xero organisation they want to grant the application access to.
- Once the application is authorised, the user is redirected back to the 3rd party application, which can then start interacting with their Xero organisation using the Xero API for up to 30 minutes
How to register an application
Any Xero user can register a public application. If you do not already have a Xero user account, sign up for a free account.
- Login to the Xero Developer portal
- Go to the My Applications > Add Application screen to add your application.
- Select “Public” and enter a name for your application and the URL of your company. Find out more here.
- Optionally you can enter a callback domain. This will be used to verify the callback url you specify when authorising is allowed.
- Choose save. You’ll now be shown your OAuth credentials.
Note: The name you select for your integration will be visible to end users. Check out our guide on branding your integration for more details.
URLs for authorisation and using the API
Xero follows the OAuth v1.0a spec. The URL’s to authorize your application are:
|Get an Unauthorised Request Token:
|Redirect a user:
|Swap a Request Token for an Access Token:
|Connect to the Xero API:
- When getting a request token and specifying the callback URL, the callback URL should be no more than 250 characters long.
- The callback url must be within the domain specified when registering your app. Learn more
- If a callback url is not specified then the user will be given an authorisation code to enter into your application. The authorisation code is a fallback method, and should only be used if it is not technically possible to use the callback.
All requests need to be signed using HMAC-SHA1.
- Each access token will only last for 30 minutes.
- If you want longer access to the organisation, you will need the user to re-authorize your application.