Migration of an Oauth1 private app that creates invoices.

Started by Aaron Cooper in API Authentication

First I have to say that forcing Oauth2 on customers with so little warning, especially when it is so poorly documented that I (and others looking at the state of this forum) need to ask this sort of question, is really quite unprofessional and makes it difficult to advise clients that Xero's technical platform is worth investing in. You really need to take developer feedback on board here.

We have a client site that up until now, uses a php script run by cron to read transactions from a local table of data and create invoices in Xero (and contacts if needed) if the record hasn't been processed, and emails the invoice from Xero. Not only does the user not view this page, no human ever does.

Looking at the new app creation system, I can't make sense of the information being asked, nor does the documentation cover what these items are or why they are needed. Specifically:

* Company or application URL - doesn't accept non-https urls. So we can't use development environments anymore? Does this even have to match the URL we are currently working on?
* OAuth 2.0 redirect URI - Required. Why? Redirect for what? My script doesn't redirect anywhere. It pushes data to Xero. Leaving the calling website is not an option.
* https://github.com/XeroAPI/xero-php-oauth2 - Provides samples where a three step process occurs just to read an Organisation's details. Is this honestly the process that is required just to read from one API endpoint? Or am I missing something?

Official Xero Reply

We've been listening and wanted to give you a heads up that client credentials are coming:

We’re working on a premium option for custom, machine-to-machine integrations. We’re hoping to have this ready early 2021!

Alongside our standard OAuth 2.0 flow, Custom Integrations will be a more streamlined integration option for anyone building bespoke solutions for Xero businesses. It will utilise the client credentials grant type to provide a simplified, efficient developer experience. On top of that, there’ll be a dedicated consent flow that keeps customers in full control of their data.

This new, premium OAuth 2.0 option will strip away much of the complexity that comes with building a traditional Xero app, making it easier to build and manage bespoke integrations.

Don’t worry, we’ll make sure the deprecation of OAuth 1.0a for private apps falls after Custom Integrations is available. That way you can choose the best OAuth 2.0 integration option for you and your customers.

We’ll share more details and timings as we get closer to launch. Keep an eye on this page, our roadmap and make sure you’re subscribed to our newsletters.

Dan Young (Xero Staff)