Xero's MCP Server will work with any MCP client that supports local/STDIO MCP servers. Depending on your MCP Client you might be able to support many different LLMs. All testing has been done using Claude Desktop and Cursor.
Yes, some development or programming experience is needed, as the toolkit consists of programmatic tools and APIs used to build AI agents.
An AI agent is a software program that uses an AI model to autonomously perceive, reason, and act to achieve a specific goal. Check out Xero's Agentic Toolkit.
MCP (Model Context Protocol) is an open standard for connecting an AI model to external tools and data sources through one common interface. Check out Xero's MCP Server.
Our agentic toolkit is intended for any developer who builds and programs AI agents and wants to connect them to Xero data.
If you want to show your support for a feature not currently in the API then please add your votes and comments to our Xero Developer Ideas page.
In the Xero Developer team we try to be as transparent as possible, letting developers know what we're up to via the Changelog and by responding to ideas on the Xero Developer Ideas page.
Whenever we make a change to the API we try to do so in an additive way that won't break existing integrations. However, occasionally things can change in a way that isn't backwards compatible. Make sure that you check out our Changelog for the latest updates.
If the organisation you're connecting to is in Australia, New Zealand, the UK or the US then you have the option of utilising our premium integration option Custom Connections.
If your organisation isn't in one of those regions, or you don't want to pay for a Custom Connection, you can still use the web or PKCE authorization code flow to build machine-to-machine integrations, but a user will need to grant the authorisation outside of your application and you will need to store and refresh the tokens that result.
No, we've implemented short-lived tokens with long-lived authorizations as is best practice for OAuth 2.0. All Xero access tokens expire after 30 minutes. Refresh tokens allow your app to obtain new access tokens without involving a user again.
Alternatively, if you'd prefer not to have to manage a refresh token, you might be interested in the premium, Custom Connection option. It utilises the client credentials grant type and only requires your client id and client secret to request new access tokens.
The Xero API does not support basic API key authentication. Our API uses OAuth 2.0, which means you need to register your app to get a client id and client secret, which you then use to obtain the access tokens that call the API. Treat the client secret as a credential: keep it on your server and never embed it in a browser or mobile app (native apps should use PKCE instead).
The quickest way to try out the API is to set up your demo company and dive into the API Explorer. Most of the API functionality is supported and you can quickly start playing with real calls against demo data.
We've got SDKs to cover the most used technologies in the community, but we'll never cater for everyone. If we don't support your particular tech then check out our developer forum archive, or connect with other developers on Stack Overflow. You can also use our OpenAPI spec to generate your own SDK.
The first step is to sign up for a free Xero account. Once you have done that, you have two options for beginning development without incurring any cost:
Check out our Development Accounts guide for more details.
Hopefully everything you need to know is on the Xero Developer Centre, but if you're still stuck we encourage you to connect with other developers on Stack Overflow, or engage with a Xero certified developer for hire.
We currently support OAuth 1.0a and OAuth 2.0. However, OAuth 1.0a is in the process of being deprecated and OAuth 2.0 is required for all new integrations.
That's really up to you! Get connected with accountants and business owners to find out how you can help them be successful.
Xero is not suitable for all types of business, particularly those with very high transaction volumes. Please see our notes on system limits.
No, our rate limits are the same for all apps connecting to the API. If you are hitting rate limits there are a number of things you can do to make your integration more efficient.
Rate limits apply to each connection. For example, if two separate Xero organisations are connected to an application, each connection would have 5000 API calls available in a given 24 hour period.
There are limits to the number of API calls that your application can make against a particular Xero organisation.
If you exceed either rate limit you will receive an HTTP 429 (Too Many Requests) response. For a full list of API limits, please check our API Limits page.
Quite often, an application that you might expect to exceed the Xero API rate limits can in fact work within them once you analyse how you intend to use the API.
You can do more than one thing in a single request. For example, you can create more than one Invoice in a single PUT or POST Invoices API call. While there is no upper limit on the number of nodes that can be sent at one time, a ceiling of about 50 nodes per request is practical: this will keep a request under the maximum size of 3.5MB. You should also review our notes on summarizing validation errors.
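The batching rule above is easy to get wrong when invoices vary in size, so here is an added example (not code from the page or from a Xero SDK) that splits a list of invoices into request bodies honouring both the 50-node ceiling and the 3.5MB size limit. The `make_sample_invoices` data is constructed for the demo, and the byte figure assumes 3.5MB means 3.5 × 1024 × 1024 bytes.

```python
import json

# Practical limits from the FAQ: about 50 nodes per PUT/POST Invoices call keeps
# a request under Xero's 3.5MB maximum request size. The byte figure assumes
# 3.5MB means 3.5 * 1024 * 1024 bytes; adjust if your measurements differ.
MAX_NODES_PER_REQUEST = 50
MAX_REQUEST_BYTES = int(3.5 * 1024 * 1024)


def payload_size(invoices):
    """Size in bytes of the request body that would carry these invoices."""
    return len(json.dumps({"Invoices": invoices}).encode("utf-8"))


def chunk_invoices(invoices, max_nodes=MAX_NODES_PER_REQUEST, max_bytes=MAX_REQUEST_BYTES):
    """Split invoices, in order, into batches that satisfy both the node ceiling
    and the byte ceiling. Each batch is the body of one PUT/POST Invoices call."""
    batches, current = [], []
    for inv in invoices:
        if payload_size([inv]) > max_bytes:
            # A single oversize node can never be sent; fail loudly instead of
            # emitting a request that Xero will reject.
            raise ValueError("a single invoice exceeds the maximum request size")
        candidate = current + [inv]
        if current and (len(candidate) > max_nodes or payload_size(candidate) > max_bytes):
            batches.append(current)
            current = [inv]
        else:
            current = candidate
    if current:
        batches.append(current)
    return batches


def make_sample_invoices(n):
    """Constructed sample data, not real Xero records: n minimal ACCREC invoices."""
    return [
        {
            "Type": "ACCREC",
            "Contact": {"Name": f"Customer {i}"},
            "LineItems": [
                {"Description": f"Item {i}", "Quantity": 1, "UnitAmount": 10.0, "AccountCode": "200"}
            ],
        }
        for i in range(n)
    ]


if __name__ == "__main__":
    for batch in chunk_invoices(make_sample_invoices(120)):
        print(len(batch), "invoices,", payload_size(batch), "bytes")  # three batches: 50, 50, 20
```

Re-serialising each candidate batch is deliberate: it measures the bytes Xero will actually receive, including separators, rather than estimating from node counts.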
If you are hitting rate limits because you retrieve a large amount of data from Xero there are a couple of features you should be taking advantage of:
You can use pagination to retrieve line item details for 100 items (e.g. Invoices) at a time. Endpoints on the Accounting API that currently support pagination include invoices, contacts, bank transactions and manual journals. All major endpoints on the Payroll, Files and Assets APIs also support paging.
Use the If-Modified-Since header to retrieve only what's changed since your previous request.
If you exceed a rate limit you will receive a Retry-After HTTP header that tells you how many seconds to wait before making another request.
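Pagination, If-Modified-Since and Retry-After are usually combined in one incremental sync loop. The following is an added example, not Xero's code or SDK: it walks every page of invoices changed since a stored timestamp and sleeps for the Retry-After value whenever a 429 arrives. The `transport` callable and its `(status, headers, body)` return shape are this example's own convention, `FakeXero` is a constructed stand-in so the code runs offline, and the `/api.xro/2.0/Invoices` path is assumed rather than taken from this page.

```python
import time
from datetime import datetime, timezone
from email.utils import format_datetime

PAGE_SIZE = 100  # invoices per page on the Accounting API, per the FAQ
# Constructed fixed "last sync" time for the demo below.
SINCE = datetime(2024, 1, 1, tzinfo=timezone.utc)


class RateLimited(Exception):
    """Raised when the API keeps answering 429 after the allowed retries."""


def fetch_changed_invoices(transport, since, max_retries=3, sleep=time.sleep):
    """Fetch every invoice modified since `since`, page by page, waiting the number
    of seconds in Retry-After whenever a 429 arrives.

    `transport(path, headers, params)` returns (status, headers, body). It is injected
    so the function runs against the fake below and, in production, against your HTTP
    client of choice (hypothetical signature; not part of any Xero SDK)."""
    headers = {"If-Modified-Since": format_datetime(since.astimezone(timezone.utc), usegmt=True)}
    page, results = 1, []
    while True:
        retries = 0
        while True:
            status, resp_headers, body = transport("/api.xro/2.0/Invoices", headers, {"page": page})
            if status != 429:
                break
            retries += 1
            if retries > max_retries:
                raise RateLimited(f"gave up after {max_retries} retries on page {page}")
            # Retry-After is authoritative; default to 1s only if the header is missing.
            sleep(int(resp_headers.get("Retry-After", "1")))
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} on page {page}")
        invoices = body.get("Invoices", [])
        results.extend(invoices)
        if len(invoices) < PAGE_SIZE:  # a short (or empty) page is the last page
            return results
        page += 1


class FakeXero:
    """Constructed stand-in for the API: 250 invoices served in pages of PAGE_SIZE,
    with a single 429 (Retry-After: 2) on the second request."""

    def __init__(self, total=250):
        self.invoices = [{"InvoiceNumber": f"INV-{i:04d}"} for i in range(total)]
        self.calls = 0
        self.if_modified_since = []

    def __call__(self, path, headers, params):
        self.calls += 1
        self.if_modified_since.append(headers.get("If-Modified-Since"))
        if self.calls == 2:
            return 429, {"Retry-After": "2"}, None
        start = (params["page"] - 1) * PAGE_SIZE
        return 200, {}, {"Invoices": self.invoices[start:start + PAGE_SIZE]}


def run_demo():
    """Returns (invoices fetched, requests made, seconds slept, header sent)."""
    fake, waits = FakeXero(), []
    got = fetch_changed_invoices(fake, SINCE, sleep=waits.append)
    return len(got), fake.calls, waits, fake.if_modified_since[0]


if __name__ == "__main__":
    print(run_demo())  # (250, 4, [2], 'Mon, 01 Jan 2024 00:00:00 GMT')
```

Persist the timestamp you send as If-Modified-Since only after the whole walk succeeds; if you advance it after a partial run, changes on the pages you never reached are silently skipped on the next sync.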
The OAuth 2.0 spec (section 3.1.2 of RFC 6749) requires that a redirection URI must be an absolute URI. Wildcards in redirect URIs are not supported, so register each exact callback URL your app uses.
You can use up to 50 redirect URIs for your app.
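The two rules above (absolute URI, no wildcards, at most 50 per app) are worth enforcing in your own deployment tooling before a URI ever reaches the app settings page. This added example, which is not code from the page or from Xero, validates candidate redirect URIs and then matches a callback against the registered set by exact string comparison. The loopback-only rule for plain http is a hardening choice of the example, not a stated Xero requirement; the example hostnames are constructed.

```python
from urllib.parse import urlsplit

MAX_REDIRECT_URIS = 50  # per-app limit from the FAQ
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def validate_redirect_uri(uri):
    """Return None if `uri` is acceptable as a registered redirect URI, otherwise the reason.

    Rules: absolute URI and no fragment (RFC 6749 section 3.1.2), no wildcards (this FAQ),
    and, as a hardening choice of this example rather than a stated Xero rule, plain http
    is only accepted for loopback development callbacks."""
    if "*" in uri:
        return "wildcards are not supported"
    parts = urlsplit(uri)
    if not parts.scheme:
        return "redirect URI must be absolute"
    if parts.scheme in ("http", "https") and not parts.netloc:
        return "http(s) redirect URI must include a host"
    if parts.fragment or uri.endswith("#"):
        return "redirect URI must not contain a fragment"
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        return "plain http is only acceptable for loopback development callbacks"
    return None


def register_redirect_uris(uris):
    """Validate a set of redirect URIs the way you would before saving them on the app."""
    bad = {u: why for u in uris if (why := validate_redirect_uri(u))}
    if bad:
        raise ValueError(f"rejected redirect URIs: {bad}")
    registered = set(uris)
    if len(registered) > MAX_REDIRECT_URIS:
        raise ValueError(f"at most {MAX_REDIRECT_URIS} redirect URIs are allowed")
    return registered


def is_registered(registered, redirect_uri):
    """Exact string comparison. No prefix, suffix or pattern matching: that is what
    stops an attacker appending a path or query to land on a page they control."""
    return redirect_uri in registered


if __name__ == "__main__":
    reg = register_redirect_uris(["https://app.example.com/xero/callback",
                                  "http://localhost:5000/xero/callback"])
    print(is_registered(reg, "https://app.example.com/xero/callback"))       # True
    print(is_registered(reg, "https://app.example.com/xero/callback/../x"))  # False
    print(validate_redirect_uri("https://*.example.com/callback"))           # wildcards are not supported
```

Custom-scheme URIs such as `com.example.app:/callback` pass the absolute-URI check because they carry a scheme; whether Xero accepts a given scheme for your app type is a question for its OAuth 2.0 documentation, not this validator.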
If the callback fails for any reason you will need to send the user through the auth flow again. If the user got as far as connecting their org the first time, it will show as already connected the second time. They can continue to click through as normal to be redirected back to your app with a new code.
If you don't receive a response from a token refresh you can retry using your existing refresh token for up to 30 minutes. If you can’t refresh your access token in that time you’ll need to send the user through the authorization flow again to get a code that can be exchanged for a new access and refresh token.
Unused refresh tokens expire after 60 days. If you don’t refresh your access token within 60 days the user will need to reauthorise your app.
When you perform a token refresh, you should replace your existing refresh token with the new one returned in the response. If, for whatever reason, you don't receive the response you can retry refreshing your existing refresh token for a grace period of 30 minutes.
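The three answers above describe one state machine: rotate both tokens on every successful refresh, retry the old refresh token for up to 30 minutes if the endpoint never answered, and fall back to a fresh authorization once that window or the 60-day unused lifetime has passed. This added example (not Xero's code or SDK) implements it with an injected clock so the timing rules can be exercised offline. The `exchange` callable, `FakeTokenEndpoint` and the `T0` clock are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Lifetimes stated in the FAQ.
ACCESS_TOKEN_LIFETIME = timedelta(minutes=30)
REFRESH_RETRY_GRACE = timedelta(minutes=30)
UNUSED_REFRESH_TOKEN_LIFETIME = timedelta(days=60)
# Constructed fixed clock for the demo.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


class NoResponse(Exception):
    """The token endpoint gave no answer (timeout, reset, ...); its state is unknown."""


class ReauthorizationRequired(Exception):
    """Stop retrying and send the user through the authorization flow again."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: datetime
    refresh_issued_at: datetime
    # Start of the first refresh attempt that received no response; None when clean.
    pending_refresh_since: Optional[datetime] = None

    def needs_refresh(self, now, skew=timedelta(seconds=60)):
        return now + skew >= self.access_expires_at


def refresh_tokens(tokens, exchange, now):
    """Rotate `tokens` in place. `exchange(refresh_token)` performs the refresh_token grant
    and returns the parsed JSON body, or raises NoResponse (hypothetical callable, not an SDK API).

    Both tokens from the response replace the old pair together (a real store should write
    them in one transaction). If the endpoint did not respond, the old refresh token is kept
    and may be retried for REFRESH_RETRY_GRACE measured from the first failed attempt; after
    that, or once the refresh token has sat unused for UNUSED_REFRESH_TOKEN_LIFETIME, only a
    fresh authorization will do."""
    if now - tokens.refresh_issued_at > UNUSED_REFRESH_TOKEN_LIFETIME:
        raise ReauthorizationRequired("refresh token unused for more than 60 days")
    if tokens.pending_refresh_since and now - tokens.pending_refresh_since > REFRESH_RETRY_GRACE:
        raise ReauthorizationRequired("grace period for retrying the old refresh token has elapsed")
    started = tokens.pending_refresh_since or now
    try:
        resp = exchange(tokens.refresh_token)
    except NoResponse:
        tokens.pending_refresh_since = started
        raise
    tokens.access_token = resp["access_token"]
    tokens.refresh_token = resp["refresh_token"]
    tokens.access_expires_at = now + timedelta(seconds=resp["expires_in"])
    tokens.refresh_issued_at = now
    tokens.pending_refresh_since = None
    return tokens


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint: the first call times out, later calls
    return a rotated pair and reject any refresh token that was already redeemed."""

    def __init__(self):
        self.calls = 0
        self.redeemed = set()

    def __call__(self, refresh_token):
        self.calls += 1
        if self.calls == 1:
            raise NoResponse()
        if refresh_token in self.redeemed:
            raise RuntimeError("invalid_grant: refresh token already used")
        self.redeemed.add(refresh_token)
        return {"access_token": f"at-{self.calls}", "refresh_token": f"rt-{self.calls}", "expires_in": 1800}


def run_demo():
    """Access token near expiry, first refresh gets no reply, retry 10 minutes later succeeds."""
    tokens = TokenSet("at-0", "rt-0", T0 + ACCESS_TOKEN_LIFETIME, T0)
    endpoint, now, log = FakeTokenEndpoint(), T0 + timedelta(minutes=29), []
    log.append(tokens.needs_refresh(now))
    try:
        refresh_tokens(tokens, endpoint, now)
    except NoResponse:
        log.append("no-response")
    refresh_tokens(tokens, endpoint, now + timedelta(minutes=10))
    log.append(tokens.refresh_token)
    return log, endpoint.calls


if __name__ == "__main__":
    print(run_demo())  # ([True, 'no-response', 'rt-2'], 2)
```

The grace window is measured from the first attempt that got no response, not from the latest retry, so a client that keeps timing out cannot extend the window indefinitely; once it closes, the only correct move is a new authorization, never an attempt to guess or replay an older refresh token.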
Xero supports the Proof Key for Code Exchange (PKCE) extension to the authorization code flow. This allows native apps to securely connect to our API without needing to store a client secret. Single page apps are not currently supported.
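PKCE lets a native app prove, at token exchange, that it is the same client that started the authorization, without ever holding a client secret. This added example (not Xero's code or SDK) implements the RFC 7636 pieces: verifier generation, the S256 challenge, the server-side check, and the authorization request and token request bodies that carry them. The authorize endpoint URL is an assumption for the example and should be taken from Xero's OAuth 2.0 documentation; client id, redirect URI and scopes are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed authorize endpoint for this example; take the real value from Xero's OAuth 2.0 docs.
AUTHORIZE_URL = "https://login.xero.com/identity/connect/authorize"


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes=32):
    """RFC 7636 section 4.1: 43 to 128 unreserved characters from a CSPRNG.
    32 random bytes encode to exactly 43 base64url characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier):
    """S256 method (RFC 7636 section 4.2): base64url(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier, challenge):
    """The check the authorization server performs at token exchange (RFC 7636 section 4.6)."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(client_id, redirect_uri, scopes, verifier, state):
    """Authorization request carrying the challenge. The verifier itself stays inside the
    app until the token exchange, so an intercepted code is useless without it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def start_authorization(client_id, redirect_uri, scopes):
    """Generate verifier and state, return (url, pending). `pending` must be stored
    against the user's session and looked up again when the callback arrives."""
    verifier, state = make_code_verifier(), b64url(secrets.token_bytes(16))
    url = build_authorize_url(client_id, redirect_uri, scopes, verifier, state)
    return url, {"verifier": verifier, "state": state}


def token_request_body(pending, code, client_id, redirect_uri):
    """Body for the code exchange: the verifier (not the challenge) goes here, and no client secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": pending["verifier"],
    }


if __name__ == "__main__":
    url, pending = start_authorization("your-client-id", "com.example.app:/callback",
                                       ["openid", "accounting.transactions"])
    print(url)
    print(token_request_body(pending, "code-from-callback", "your-client-id", "com.example.app:/callback"))
```

Always generate a fresh verifier per authorization and compare the returned `state` with the stored one using `secrets.compare_digest` before exchanging the code; reusing a verifier across flows defeats the protection PKCE is there to provide.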
Integrations should be fully built and tested before being connected to a live organisation. Once the integration is complete, you can hand it over to a Standard or Adviser level user to connect. Please see our Development Account page for ways to test your integration without cost.
The user that connects the integration has to have either Standard or Adviser level user permissions. The API essentially works on behalf of the user that authorised it to connect.
Apps using the API have the permissions of the Standard or Adviser level user that authorised them. To access reporting APIs the authorising user must have Reports access, and for Payroll APIs the authorising user must be a payroll admin.
If your organisation isn't showing in the organisation dropdown, this means either that you don't have Standard or Adviser level permissions in that organisation, or you already connected that particular app to the organisation.
The process is not immediate. We need to understand the details of your implementation and may have additional questions once you have returned the assessment. Typically the assessment takes around 5 working days to complete, followed by 5-10 working days for us to assess your answers. We may then ask you to remediate any items that don’t meet the requirements.
The security assessment will need to be undertaken annually.
Once you’ve filled out the security assessment and submitted it to us we will review your answers. We’ll let you know via email whether you have passed.
If you have work to do in order to achieve a pass we will provide you with a remediation report. You will then have 30 days to provide us with a remediation plan detailing how you will address the items in the report followed by 60 days to implement the changes. Once the changes are implemented we will re-review your app and determine if the standards have now been met.
At Xero, we take the responsibility of managing our community’s data privacy and security seriously. As part of the work Xero has been doing with the Australian Tax Office and other industry players, we have developed a set of agreed security standards to be applied globally to our ecosystem. These come into effect for new app partners certified after 1 January 2020 and existing app partners have until 30 June 2020 to comply. We’re still working through all the details of our new process, but wanted to share this information with you early, so you can start to understand what these changes mean for your app.
In preparation to meet these new requirements, Xero will be updating our security requirements for our app and developer partners, as well as Xero’s App and Developer Partner Terms of Agreement.
All app partners will need to undertake a security assessment which will be reviewed by Xero’s security team. App partners who reach 1000 or more connections will be required to undertake an advanced security assessment which will also be reviewed by Xero’s security team. App partners will not be certified or listed in Xero’s app marketplace without passing these assessments. App partners will need to undertake and pass the security assessment on an annual basis.
We’ll keep our app partners updated via developer.xero.com, our twitter account and our developer emails.
An annual self assessment against the standard
These new requirements will include, but are not limited to, API risk rating, authentication, certification, personnel security, encryption and audit logging
2SA (two-step authentication) will be the minimum level of account authentication, but this is already provided if your app connects with Sign in with Xero.
Consumers of the Xero Accounting API, Payroll APIs, Fixed Assets API, Projects API, Files API, Bank feeds API or WorkflowMax API with more than 1,000 connections
All consumers of the Xero Practice Manager, Xero HQ, and Xero Tax APIs
Any other consumer outside of the above criteria that Xero determines is in need of a security assessment
The API can be used with all Xero plans, but not all features will necessarily be available. Payroll API requires a Payroll plan. Cashbook and Ledger plans exclude certain features (e.g. invoicing) but can still be connected to via the API.
The Xero API uses very few of the defaults that can be set through the Xero UI. The only defaults it will use are the tax rate from the account code if the tax rate isn't sent, and the description, account code and price on inventory items (but not tax rate). All other information must be specified in your call.
It's best to become familiar with the Xero platform and basic accounting principles before designing an integration. Xero accounts are free, and each comes with a fully functional Demo Company. The Demo company is populated with sample data to give you an idea of what items should look like. We also have an extensive Help Centre with information on each feature as well as how-to guides specific to the API. You may also want to consult with a Xero Certified Adviser who can instruct you on the accounting requirements many clients may have.