Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > Getting Started >

Private Application after 1st December 2019

Started by Andrew Cunningham -   in Getting Started


We currently have a private application that we are in the process of testing. However i am unclear on how or what will need to be changed for the existing application and for any future new private applications after the 1st December 2019 change over where only OAuth 2.0 applications can be created.

I have reviewed the provided link https://developer.xero.com/documentation/oauth2/overview but i am not sure i understand specifically what will change for private applications.

Here are my questions:
1. Will the nature of private applications for Xero change so these will no longer be associated with a Xero company, in favour of being associated with a user login? (currently i believe that Private application bypass OAuth 1.0 in favour of the public/private key)

1a. If private application are associated with a user logon and i have a call to the api from my application does the user have to login via the Xero login if it has been more then the token timeout time (12 minutes i believe?)

2. Do you have any examples of a private application example using C# Winforms calling the Xero API's with the new OAuth 2.0 as the only example i can find is https://github.com/XeroAPI/xero-netstandard-oauth2-samples/tree/master/XeroOAuth2Sample which is an MVC application and i am struggling to see how this code converts to C# Winforms

Apologises if i am asking really basic questions, but any help would be greatly appreciated



Hi Andrew,

with oAuth 2.0 there is no longer the concept of private/public and partner apps. They all become one and the same. So the app would not require a private connection. If you are only going to use the app for private purposes you do the following.

1. Make sure you request offline access
2. Use the oAuth Login Flow for the first time + select the organisation you want private access to. Potentially with some patience you could have the same user authenticate multiple organisations with the same token. The login flow needs to be repeated per org they want to add.
3. Save the token with Refresh Tokens.
4. If you have a token no longer show the Xero login but use the saved tokens/refresh token to continue.
5. Everytime your token expires just refresh it.
6. Prepare to handle a scenario where the user account that connected is no longer associated with the company in question. Say if this was an employee that they left the company - you will need to obtain a new token/login to proceed.

We've done the above without a problem however we used the raw oAuth 2.0 libraries in Node I don't have a C# example for windows.

Jonathan Mifsud  

I seem to have a similar concern. I have just got my private app running reliably (went live on November 1st) and got my rusty vb coding to a level where I don't really worry about connecting to Xero, and now it's going to change. As I'm in vb.net, I think I will wait for a bit, for things to settle down and stop being version 0.0.1 beta.

Mike Edwards  

Hi Mike, sorry to hear that. Unfortunately, security policies mean that migration to 2.0 needs to happen as it also provides a far more secure connection.

What we've found is that with the new infrastructure it's much easier to work cloud-based - and completely offline applications do at the least require the first level of tokens to be generated online - although token renewals can happen offline as they are server to server.

Jonathan Mifsud  

I am hoping I'll be able to find some workable sample code that I can adapt, as that's basically what I did to get my initial connection working in the "old" way. Once I can connect and run various checks and updates, that's all I need - I'm sure our application is quite basic compared to others.

I suspect I will need to have a good read up on how this is going to work, which will hopefully be without too many major modifications.

Mike Edwards  

This is exactly what i am currently doing, attempting to reverse engineer the MVC example as a winform.

I have been looking into IdentityModel.OidcClient, i have made some progress, but once the callback has been detected using the http listener it is not clear how i get the token.

I i manage to get some sample code working i will post it here

Andrew Cunningham  

Looking at the sample app, it strikes me that much of it is alien terminology to me. It concerns me a little that I may not be able to replicate what I have now - which is a windows service that runs entirely in background and acts as a gateway between my clients point-of-sale system and Xero.

Mike Edwards  

Hi, we're in the same boat. This is really problematic for us. We just spent a couple of months writing a completely new system which uses a Xero Private application via the PHP SDK. We set it all up according to the Xero docs and the authentication according to the PHP SDK docs, which don't even mention anything about Public applications. Now that we're ready to go live we can't even create a new Private application.

When we started investigating there was no mention of Oauth 1.0a going away, otherwise we obviously wouldn't have spent time writing this. Our application has no need for user authentication, we have no users other than ourselves. We won't ever have any users logging in to our account or app, but simply want to generate Invoice and Payment objects via the API and add them to our account ad hoc. So we have no need for user logins, user flows, etc, and the notion that, just because we might not generate any invoices for 30 minutes at at time we might have to come back and manually log in to a "public" application, seems completely bizarre.

What's the recommended approach here, please? Is it *seriously* that we have to log in manually to get a token and then just keep refreshing that token forever? Seriously?


Igor Clark  

In fact, the lack of ability to create a new private app using Oauth1 gives me a problem that I hadn't realised, in that when my trial expires tomorrow, I won't be able to run any testing at all against Xero, unless I use my customers live organisation or buy a subscription. This is a serious issue, perhaps.

From the point that the new SDK became available, I don't think there's been anywhere near enough time that stopping new OAuth1 apps is reasonable, though I must admit that other than a quick look a month or two back, I can't say exactly when the new SDK did appear. As it's also described as "version 0.0.1Beta", it doesn't give me a lot of confidence. The basic information on the developer site still talks about the different application types, which suggests it's all very new.

Mike Edwards  


I have managed to get OAuth2 connecting to Xero working with a WinForms application using C#

Below is my very rough play code, hope this helps:



Andrew Cunningham  

Thanks for the link, I will download it and have a look. C# isn't my language, but it might be relatively easy to translate / convert. Or it might be easier to learn c# for the other ftp / xml stuff I do.

I might be being thick, here, but does the provision of a HTTP callback mean that my clients system needs to have an incoming port forwarded to it so that Xero can contact it? I presume it does. And how does the localhost address relate to the URL I have to provide when registering my OAuth2 app?

As I try to read the code (which looks fairly straightforward) it does seem that it's going to be quite difficult to replicate what I have now, which runs as a service with no user interaction.

Mike Edwards  


No ports need opening, this is just the call back from the same session that is being listened for.

And yes redirectUri must be the same one that you setup when you created the new OAuth2 application with Xero.

Note i needed to add a / to the end of the local host


Andrew Cunningham  

might help C# to vb.net converter http://converter.telerik.com/

Andrew Cunningham  

On the subject of continuing to have a test connection for a private app to a trial company (while my customer is live, we're still adding functionality to do things we didn't think we needed to until working live) there is a link that still allows a private app to be created.

That at least allows me to continue getting some things tested for the customer, while the conversion to the new operation goes on.

Mike Edwards  

Hi, we are in a similar position.

Apologies for my lack of understanding and probably the stupid question but I am at the leading edge of my knowledge!

I have extended our Access VBA based administration system to create Contacts, invoices, Payments etc on Xero. It's off line, no Web based component other than the API to Xero. We are going live before January 2020. I am struggling to see how I will it change to OAuth 2.0 (I understand we have until December 2020).

I have been looking a the SDKs to see how I can solve the issue but can't get a new App registered. To register a OAuth 2.0 App it asks for two URLs, I can appreciate the reason for the callback URL but the first box asks for a Company or Application URL. Is the Company URL linked to our Organisation? Can you give any guidance on what this URL should be?

Thanks, David

David Champ  

I just put our company URL relating to the product, it does not mater as far as i can tell

Andrew Cunningham  

Thanks. Ours is http:// not https:// so perhaps we'll have to upgrade it.

David Champ  

Yes the Company URL does not really matter other than allowing Xero to link back if necessary.

Callback URLs are only supported in https.

I believe the libraries between oAuth 1.0 and 2.0 have been updated so if you're using a library you probably need to re-code /update the necessary parts. In terms of data it's only authentication which has really changed so you should be able to swap that out.

That said with authentication you will have token renewals to deal with if you support 'offline' access.

Jonathan Mifsud  

Thank you. I am using VBA-Web directly from within Access at the moment but think I may need to call .NET C# for OAuth 2.0 as although VBA-Web has a OAuth2 example it doesn't deal with Callback ULRs. It's all a bit of a steep learning curve.

David Champ  

So, XOAuth should resolve this, but the current version does appear to have issues. Search forum for xoauth.

David Nye  

Just did an update of xoauth and it still fails to store environment variables on Windows 10.

Please can this be fixed.

David Champ