Xero uses a standard OAuth 2.0 system. Postman can be useful to test your API calls without having to code anything. We've created a Postman collection that makes authentication easy. Postman is a REST client that provides an intuitive user interface to send requests, save responses, add tests, and create workflows.
Get started by heading to our Xero-Postman-OAuth2 GitHub repo or just use the "Run in Postman" button below and follow the steps:
Click the button below and select the Desktop version of Postman (Chrome extension doesn't support environment variables). This will also install the Collection and Environment we'll be using.
Go to the Xero developer portal and create an OAuth2 app.
If you haven't already signed up for a Xero account you can do so here.
Use the following values:
Copy the Client id, Client secret and OAuth 2.0 redirect URI from the My Apps screen into the environment variables in Postman. To add these details to the Environment, make sure you have the OAuth 2.0 Environment selected, click the eye button, then edit.
Our Developer Center lists the available scopes here. For getting started you will need at least:
In addition, to make further test calls we would also suggest adding:
openid profile email accounting.contacts accounting.settings
Add the scopes required to the scopes environment variable.
At this stage you will be prompted to log in to Xero.
If you've included the openid profile email scopes, you'll be asked to access your basic profile information.
You'll then be taken through to the Organisation Select window. Select the Organisation you want to connect to. If you want to connect to more than one Organisation, you can repeat the steps above and select another Organisation.
Once complete you'll be passed back to Postman.
We now have the last remaining tokens needed to access the Xero API. These need to be set as Environment Variables. To do this:
Follow the same process for the Refresh Token.
Congrats! You're now authenticated and can start making API calls. Your access token will last for 12 minutes, after which time you'll need to refresh the token.
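The steps above are the OAuth 2.0 Authorization Code flow that the Postman collection drives for you. The following Python is an added example (not part of Xero's collection or the page) showing the same flow's security-relevant pieces: the `state` value that binds the callback to the session, and expiry tracking for the 12-minute access token. The authorize endpoint URL, the redirect URI and the 30-second refresh margin are assumptions; the token response is constructed sample data.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed authorize endpoint (not stated on the page; confirm in the developer portal).
AUTHORIZE_URL = "https://login.xero.com/identity/connect/authorize"
# Scopes the page suggests for getting started and further test calls.
SCOPES = ["openid", "profile", "email", "accounting.contacts", "accounting.settings"]


def build_authorize_url(client_id, redirect_uri, scopes=SCOPES, state=None):
    """Return (url, state). `state` is a random nonce tied to this session;
    the callback must echo it back, which defeats login-CSRF and stale callbacks."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated, as entered in the Postman variable
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the client,
    refusing it unless `state` matches what we sent."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


class TokenSet:
    """Tokens from the token endpoint plus the logic deciding when the
    12-minute access token must be refreshed (with a safety margin)."""
    def __init__(self, token_response, now=None):
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response["refresh_token"]
        self.expires_at = (time.time() if now is None else now) + token_response["expires_in"]

    def needs_refresh(self, now=None, margin=30):
        return (time.time() if now is None else now) + margin >= self.expires_at


if __name__ == "__main__":
    url, st = build_authorize_url("YOUR_CLIENT_ID", "https://example.invalid/callback")
    print(url)
    # Constructed sample token response: 720 s = the 12-minute lifetime on the page.
    ts = TokenSet({"access_token": "sample", "refresh_token": "sample", "expires_in": 720})
    print("refresh now?", ts.needs_refresh())
```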