OAuth 2.0 is a protocol that lets your app access a user's account without accessing their password. Your app requests specific permission scopes and is granted an access token upon a user's approval.
Xero’s API supports the authorization code grant type using the standard authorization code flow or the Proof Key for Code Exchange (PKCE) extension.
The standard flow is the most well known OAuth 2.0 flow and typically used by web server applications. It requires your app to securely use and store a client secret.
The PKCE flow requires your app to create a secret (called a code verifier) for each authorization request. It’s slightly more complicated to implement but offers a secure way to connect to the API if your app can’t be trusted to store a client secret. Native (desktop and mobile) apps are required to use PKCE if connecting directly to the API. Support for Single Page Apps (SPAs) is coming soon.
We have a migration endpoint for partner apps to bring existing connections to OAuth2.0. Migrating your connections will provide a smoother user experience and ensure your app retains its status in the partner program.
We will not be providing a migration path for public and private apps. If you have an integration using a public or private app you can create a new OAuth2.0 app and migrate your users at any time.
The key dates for migrating OAuth 1.0a apps:
In April 2020 the WorkflowMax API is coming to api.xero.com and OAuth 2.0. For details on migrating from the WorkflowMax API check out the specific guide for Practice Manager apps.
All API communication using OAuth 2.0 requires TLS 1.2 or higher. Any requests using TLS 1.1 or lower will receive a 403 Forbidden response.
Wondering how OAuth 2.0 can work for your back-end service/script? Check out our guide for building integrations with no UI using OAuth 2.0.
If you have and questions then check out our FAQs on OAuth 2.0 and the migration. If you still need more information then contact us the usual way.
We have a range of new SDKs and sample apps that integrate with OAuth 2.0. These are all generated from our collection of OpenAPI definitions.