Frequently asked questions



Authentication



  • What Authentication do you support?

    We only support OAuth 1.0a. This means we don't support API keys or basic password authentication.


  • Can you give me an API key?

    The Xero API does not support basic API key authentication. Our API uses OAuth 1.0a, which means you need to register your app to get a consumer key and consumer secret, which you use to access the API. Depending on the type of app you register, you may also need to upload an X.509 public key certificate.


  • What's with OAuth 1.0a? Any plans for OAuth 2.0?

    OAuth 1.0a has served us well, but we appreciate that it's less convenient than OAuth 2.0. We will look to transition to OAuth 2.0 in the future, but we have no specific details to share at the moment.


  • How do I redirect back to my app once a Xero user has authorised my app?

    In order to redirect a user back to your app, you'll need to specify a callback URL parameter. The base of the URL will need to match the callback domain you set when registering the app. You can find more details on our OAuth Callback Domains page.


  • I'm getting an OAuth error. How do I fix it?

    We have a list of the most common OAuth errors and potential fixes on our OAuth Issues page.


  • How does OAuth differ between app types?

    A Private app uses RSA-SHA1 for signing and two-legged OAuth 1.0a. Requests are signed with the RSA private key whose X.509 certificate you uploaded at registration, and the token generated at registration never expires.

    Public apps use HMAC-SHA1 for signing (keyed on the consumer secret and token secret) and three-legged OAuth 1.0a. The generated token expires after 30 minutes, after which the user must re-authenticate to get a new access token.

    Partner apps use RSA-SHA1 for signing and three-legged OAuth 1.0a. The generated token expires after 30 minutes, like Public apps, but with Partner apps the developer can renew the token when it expires without the user re-authenticating.
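    As an added illustration of the signing differences above (example code written for this FAQ, not Xero's own library), the following Python builds the OAuth 1.0a signature base string from RFC 5849 section 3.4 and signs it with HMAC-SHA1 the way a Public app does, using the RFC's own worked request as the embedded sample input. Private and Partner apps produce the identical base string; only the final step differs, where the app's RSA private key signs the SHA-1 digest (RSA-SHA1) instead of an HMAC keyed on the consumer and token secrets. The URL, consumer key, token and secrets below are the RFC's placeholder values and are not Xero identifiers.

```python
"""OAuth 1.0a request signing (RFC 5849 section 3.4), HMAC-SHA1 variant.

Example code added to this FAQ; not Xero's library. Sample values are the
placeholders from RFC 5849 section 3.4.1.1, not real Xero credentials.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' pass through."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query and fragment removed (3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        netloc = f"{netloc}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path}"


def normalized_params(params):
    """Encode each name and value, sort by name then value, join with '&' (3.4.1.3.2)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, body_params, oauth_params):
    """METHOD & encoded base URI & encoded normalized parameters (3.4.1.1).

    body_params: (name, value) pairs from a form-encoded body, already decoded.
    oauth_params: the oauth_* protocol parameters; oauth_signature is excluded.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is '<consumer secret>&<token secret>', each percent-encoded (3.4.2).

    The token secret is empty only for the request-token call of a three-legged
    flow; afterwards a leaked consumer secret alone cannot sign for a token.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(signature, base_string, consumer_secret, token_secret=""):
    """Server-side check; compare_digest avoids a timing side channel on the comparison."""
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


def authorization_header(method, url, body_params, consumer_key, consumer_secret,
                         token, token_secret, nonce=None, timestamp=None):
    """Build the Authorization header for one request; nonce and timestamp are fresh per call."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, body_params, oauth)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())


# Worked request from RFC 5849 section 3.4.1.1 (placeholder values, not Xero credentials).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = [("c2", ""), ("a3", "2 q")]  # decoded form of the body "c2&a3=2+q"
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
RFC_CONSUMER_SECRET = "j49sk3j29djd"
RFC_TOKEN_SECRET = "dh893hdasih9"

if __name__ == "__main__":
    base = signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH)
    print(base)
    sig = hmac_sha1_signature(base, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET)
    print("signature:", sig, "verifies:", verify_signature(sig, base, RFC_CONSUMER_SECRET, RFC_TOKEN_SECRET))
    print(authorization_header("POST", RFC_URL, RFC_BODY, "9djdj82h48djs9d2",
                               RFC_CONSUMER_SECRET, "kkk9d7dh3k39sjv7", RFC_TOKEN_SECRET))
```

    Running the block prints the RFC's base string exactly; any change to a query, body or oauth_* parameter, or to either secret, changes the signature, which is what lets the server reject a replayed or tampered request. For the three-legged flows the same `hmac_sha1_signature` is used three times: with an empty token secret for the request token, with the request token's secret for the access-token exchange, and with the access token's secret for API calls.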



  • What is three-legged auth?

    This is where the end user is redirected to Xero to log in and grant your app an access token. The OAuth Bible has a great explanation.


  • What is two-legged auth?

    During the creation of a Private App, the developer selects a single Xero org to connect to and generates a token. This token is used to sign requests and never expires, so no access token renewal is needed. It's commonly known as two-legged but is really one-legged: the token is issued when you register the app, and there is no further authorisation step. The OAuth Bible has a great explanation.


  • Is it possible for my app to have multiple active connections to a single Xero Organisation?

    Yes. If multiple Xero users from the same organisation have authorised a connection to your app, you could have multiple active connections. Your app will need to keep track of each connection's token in order for this to work.

    There's no real benefit to managing multiple connections though, it just makes your token management more complicated. It won't give you additional rate limits.