OAuth 2.0 is a protocol that lets your app access a user's account without accessing their password. Your app requests specific permission scopes and is granted an access token upon a user's approval.
The standard flow is the most well known OAuth 2.0 flow and typically used by web server applications. It requires your app to securely use and store a client secret.
The PKCE flow requires your app to create a secret (called a code verifier) for each authorization request. It’s slightly more complicated to implement but offers a secure way to connect to the API if your app can’t be trusted to store a client secret. Native (desktop and mobile) apps are required to use PKCE if connecting directly to the API. Support for Single Page Apps (SPAs) is coming soon.
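The per-request secret described above is the PKCE code verifier from RFC 7636: the app keeps the verifier, sends only its SHA-256 hash (the code challenge) in the authorization request, and later proves possession by sending the verifier with the token request. The following is an added example, not Xero's own code or SDK; it shows both halves of that check, and the authorization and token endpoint URLs in it are placeholders, not the real API endpoints.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# Characters RFC 7636 allows in a code_verifier ("unreserved" set).
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Generate a fresh, high-entropy code_verifier for one authorization request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters (RFC 7636)")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, verifier: str) -> str:
    """Client side, step 1: send only the challenge, never the verifier.
    AUTHORIZE_URL is a placeholder, not the real endpoint."""
    authorize_url = "https://authorization-server.example/authorize"  # placeholder
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                      # CSRF protection for the redirect
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authorize_url + "?" + urlencode(params)


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict:
    """Client side, step 2: the verifier goes in the token request, which is a
    direct back-channel call, so it is never exposed on the browser redirect."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def verify_code_verifier(stored_challenge: str, submitted_verifier: str) -> bool:
    """Server side: recompute the challenge from the submitted verifier and
    compare it against the challenge stored with the authorization code."""
    if not 43 <= len(submitted_verifier) <= 128:
        return False
    if any(c not in _UNRESERVED for c in submitted_verifier):
        return False
    return secrets.compare_digest(make_code_challenge(submitted_verifier),
                                  stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("my-client-id", "myapp://callback",
                              "openid profile", state, verifier))
    # Later, after the redirect returns an authorization code:
    challenge_on_server = make_code_challenge(verifier)
    req = build_token_request("my-client-id", "myapp://callback",
                              "constructed-auth-code", verifier)
    print("verifier accepted:", verify_code_verifier(challenge_on_server,
                                                     req["code_verifier"]))
```

A new verifier is generated for every authorization request and discarded once the token is issued; an intercepted authorization code is useless to anyone who does not also hold the verifier, which is what lets a native app skip the client secret.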
We have a migration endpoint for partner apps to bring existing connections to OAuth 2.0. Migrating your connections will provide a smoother user experience and ensure your app retains its status in the partner program.
The key dates for migrating OAuth 1.0a apps:
In April 2020 the WorkflowMax API is coming to api.xero.com and OAuth 2.0. For details on migrating from the WorkflowMax API check out the specific guide for Practice Manager apps.
Wondering how OAuth 2.0 can work for your back-end service/script? Check out our guide for building integrations with no UI using OAuth 2.0.