Frequently asked questions

Get help with common queries


OAuth 1.0a Migration*

Can I/should I still get my OAuth 1.0a app certified?*

We encourage anyone building new apps to use OAuth 2.0, but we will continue to certify OAuth 1.0a integrations until the end of March 2020. Please be aware that if you choose to launch with OAuth 1.0a, you will be required to migrate it to OAuth 2.0 before December 2020.

I use multiple private apps to integrate with multiple Xero organisations and I don’t want to become an app partner. What should I do in OAuth 2.0?*

If you have a custom integration with multiple organisations (e.g. an accounting practice or franchise) then get in touch with us at, tell us more about your use case and we can adjust your connection limit accordingly.

Is it possible to get the authorization code displayed in the browser (i.e. not use a redirect URL) like it was in OAuth 1.0a?*

The redirect URL will return a code in the query string, but we will not display it in the browser. The use of a redirect URL is required in OAuth 2.0.
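
Because the code now arrives only in the redirect URL's query string, the receiving app has to extract it itself. The following is an added example, not Xero's code and not part of the original FAQ: it parses a callback URL, checks the standard OAuth 2.0 `state` and `error` parameters, and returns the code. The redirect URL, function names and sample values are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Hypothetical value: must equal the redirect URL registered for the app.
REDIRECT_URI = "http://localhost:8080/callback"


class CallbackError(Exception):
    """Raised when a redirect callback must not be trusted."""


def new_state():
    # Unguessable per-request value sent with the authorization request
    # and stored in the user's session until the callback arrives.
    return secrets.token_urlsafe(32)


def extract_code(callback_url, expected_state, redirect_uri=REDIRECT_URI):
    """Return the authorization code from a callback URL, or raise."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise CallbackError("callback does not match the registered redirect URL")

    params = parse_qs(got.query, keep_blank_values=True)
    # A repeated parameter is ambiguous (different layers may pick
    # different copies), so reject it instead of choosing one.
    for name in ("code", "state", "error"):
        if len(params.get(name, [])) > 1:
            raise CallbackError(f"duplicate {name} parameter")

    # Bind the response to the request this session started (CSRF defence).
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch")

    if "error" in params:
        raise CallbackError(f"authorization failed: {params['error'][0]}")

    code = params.get("code", [""])[0]
    if not code:
        raise CallbackError("no authorization code in callback")
    return code


if __name__ == "__main__":
    # Constructed callback URL for illustration only.
    sample = REDIRECT_URI + "?code=constructed-code-123&state=constructed-state"
    print(extract_code(sample, "constructed-state"))
```

The returned code should be exchanged for tokens immediately over a server-side request and never written to logs.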

What is happening to public/partner/private apps?*

The concept of "app types" will be going away with OAuth 2.0. All apps will use the same authentication flow. Connection limits will be the main difference between certified (i.e. partner) and uncertified (i.e. public/private) apps. New apps will be able to connect with up to 25 organisations before they need to get certified to have the connection limit removed. Please see the OAuth 2.0 docs for more details. All OAuth 2.0 apps will be able to maintain an offline connection (like partner apps can currently).

We have a migration endpoint that allows partner apps to swap existing OAuth 1.0a tokens for new OAuth 2.0 tokens. Users won't have to reauthorize your app. We won’t be offering a migration flow for public or private apps. If you have clients using those apps then you will need to create a new OAuth 2.0 app and ask them to re-authorise.

Will current partners have to re-register? Will partner apps have to certify again?*

There’s no need for re-certification. Partners are able to generate an OAuth 2.0 client id and secret for their existing partner app, which will give them no connection limit, as well as any special scopes they currently have.

Will the current OAuth 1.0a SDKs be updated to support OAuth 2.0?*

We have released 6 new SDKs (.NET, NodeJS, PHP, Java, Ruby, Python) all built from the ground up with OAuth 2.0.