Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

OAuth2 Auto Authentication NodeJS

Started by Jarryd Pearce -   in API Authentication

Hi everyone,

I am busy migrating our software platform from OAuth1a to OAuth2. I have managed to successfully authenticate using the new methods, however I am trying to wrap my head around how to automatically authenticate for the following use case:
- We have developed a software platform in NodeJs for an organisation that gets billed monthly for the number of active accounts (ie variable amount) in the respective month. I have a server script that runs on the 15th of every month that needs to bill this organisation for the number of accounts in use, and in turn automatically generate and send the invoice. All the documentation that I have come across forces a redirect to Xero for the user to allow access, is there a way to authenticate without this redirect?

Thanks in advance
You'll typically need to build a small interface in order for the user to pass through the authorisation process. This should however be a one-time process as once your app has obtained the tokens it can maintain the connection without user interaction.

Robin Blackstone (Community Manager)  

I have the same problem (https://github.com/XeroAPI/xero-node/issues/331). And you won't be able to keep your refresh token to maintain the connection without user interaction since this one gets invalidate after its first usage or after 1 month.

Vincent Giersch  

FWIW instead of using a "small interface" to get tokens, you can use the Google OAuth Playground:

FWIW, you can use the Google OAuth playground to get a token without making your own mini-app for doing the OAuth dance:


However, since refresh tokens expire after 30 days you will need some extra process that keeps your refresh token alive by periodically refreshing it. Also note that each use of the refresh token invalidates it, so you will need to have some kind of locking system to ensure two processes do not refresh the tokens at the same time, and that they always share the same tokens. Probably you would have to avoid two processes using the tokens at the same time.

Dobes Vandermeer