Custom Integration
How do I build a machine to machine integration?
If the organisation you're connecting to is in Australia, New Zealand, the UK or the US, then you have the option of utilising our premium integration option, Custom Connections.
If your organisation isn't in one of those regions, or you don't want to pay for a Custom Connection, then you can still make use of Web or PKCE code flow for building machine to machine integrations, but you'll need to request your tokens and handle authorisation outside of your application.
Will you support long lived access tokens?
No, we've implemented short-lived tokens with long-lived authorizations as is best practice for OAuth 2.0. All Xero access tokens expire after 30 minutes. Refresh tokens allow your app to obtain new access tokens without involving a user again. Alternatively, if you'd prefer not to have to manage a refresh token, you might be interested in the premium, Custom Connection option. It utilises the client credentials grant type and only requires your client id and client secret to request new access tokens.
Will you support the client credentials grant type?
Yes, using the Client Credentials grant type provides an alternative way to retrieve information about your connections and users' subscriptions, without requiring the user's access or refresh tokens. You will, however, need a client id and a client secret.