Frequently asked questions


OAuth 1.0a Migration



  • Can I/should I still get my OAuth 1.0a app certified?

    We encourage anyone building new apps to use OAuth 2.0, but we will continue to certify OAuth 1.0a integrations until the end of March 2020. Please be aware that if you choose to launch with OAuth 1.0a you will be required to migrate it to OAuth 2.0 before December 2020.



  • Will current partners have to re-register? Will partner apps have to certify again?

    There’s no need for re-certification. Partners will be able to generate an OAuth 2.0 client id and secret for their existing partner app, which will give them no connection limit, as well as any special scopes they currently have. More details on this soon.



  • What is happening to public/partner/private apps?

    The concept of "app types" will be going away with OAuth 2.0. All apps will use the same authentication flow. Connection limits will be the main difference between certified (i.e. partner) and uncertified (i.e. public/private) apps. New apps will be able to connect with up to 25 organisations before they need to get certified to have the connection limit removed. Please see the OAuth 2.0 docs for more details.

    All OAuth 2.0 apps will be able to maintain an offline connection (like partner apps can currently).



  • I use multiple private apps to integrate with multiple Xero organisations and I don’t want to become an app partner. What should I do in OAuth 2.0?

    If you have a custom integration with multiple organisations (e.g. an accounting practice or franchise) then get in touch with us at api@xero.com, tell us more about your use case and we can adjust your connection limit accordingly.



  • What is the recommended migration workflow (moving existing customers)?

    We'll soon have a migration endpoint that will allow partner apps to swap existing OAuth 1.0a tokens for new OAuth 2.0 tokens. Users won't have to reauthorize your app. We expect the migration flow to be available mid December 2019 so expect a formal announcement soon.

    We won’t be offering a migration flow for public or private apps. If you have clients using those apps then you will need to create a new OAuth 2.0 app and ask them to re-authorise.



  • Will the current OAuth 1.0a SDKs be updated to support OAuth 2.0?

    We have released 4 new SDKs (.NET, NodeJS, PHP, Java) all built from the ground up with OAuth 2.0. We'll be adding Ruby and Python by March 2020. We don't have any plans to add OAuth 2.0 support to the OAuth 1.0a SDKs.



  • Is it possible to get the authorization code displayed in the browser (i.e. not use a redirect URL) like it was in OAuth 1.0a?

    The redirect URL will return a code in the query string, but we will not display it in the browser. The use of a redirect URL is required in OAuth 2.0.
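Because the code only ever arrives in the query string of the redirect URL, the app needs a server-side callback that reads it and checks the `state` value it stored before sending the user to authorize. The following is an added example of such a handler, not Xero's code or SDK; the callback URL, `state` and `code` values are constructed for illustration.

```python
# Added example (not Xero's code): handling the OAuth 2.0 redirect described above.
# The authorization code arrives only in the query string of the redirect URL,
# so the callback must be handled server-side; the state value guards the
# callback against forged redirects. URLs and values below are constructed.
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def new_state() -> str:
    """Generate an unguessable state value to store in the user's session
    before sending them to the authorization endpoint."""
    return secrets.token_urlsafe(32)


def handle_redirect(redirect_url: str, expected_state: str):
    """Parse the redirect URL the authorization server sent the browser to.

    Returns (True, code) when a usable authorization code is present and the
    state matches the value stored in the session, otherwise (False, reason).
    """
    query = parse_qs(urlparse(redirect_url).query)
    # RFC 6749 error response: the server reports the failure in `error`.
    if "error" in query:
        return False, "authorization failed: " + query["error"][0]
    state = query.get("state", [""])[0]
    # Constant-time compare so timing does not leak the expected state.
    if not state or not hmac.compare_digest(state, expected_state):
        return False, "state mismatch: possible forged callback"
    code = query.get("code", [""])[0]
    if not code:
        return False, "no authorization code in redirect"
    # The code is single-use and short-lived; exchange it at the token
    # endpoint immediately and never log or display it.
    return True, code


# Constructed sample redirects, as a browser would be sent to /callback.
SESSION_STATE = "k9FbQ2xN1Z"  # constructed; in practice from new_state()
SAMPLE_OK = "https://example.com/callback?code=abc123&state=k9FbQ2xN1Z"
SAMPLE_FORGED = "https://example.com/callback?code=evil&state=wrong"
SAMPLE_DENIED = "https://example.com/callback?error=access_denied&state=k9FbQ2xN1Z"

if __name__ == "__main__":
    for url in (SAMPLE_OK, SAMPLE_FORGED, SAMPLE_DENIED):
        print(handle_redirect(url, SESSION_STATE))
```

The returned code should go straight to the token exchange and never into logs, page output or client-side storage.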