Xero Developer Community

Understand the flow to use OAuth 2 and xero-node v4 and make API calls without a web interface

Started by Adrien Fabre in API Authentication

Hello, I am building an API for table to facilitate reconciliations with Node, Serverless, AWS.

The front-end is React, and it uses my API links from my backend. I do not want users to have any interaction with Xero.

I just want to use getBankTransactions to get all transactions from all accounts (with some time and supplier filters) and then be able to use updateBankTransaction, one transaction at a time, to update the reference and a custom field.

I made it work using xero-node v3 and OAuth 1.

Now I am trying to do it with xero-node v4 and OAuth 2.

So I switched to xero-node v4. I believe I need to use this:


and this:


But before that I need to get all credentials.

So I read this: https://devblog.xero.com/an-update-on-why-we-are-saying-goodbye-oauth-1-0a-hello-oauth-2-0-6a839230908f

And I went through Postman with this: https://developer.xero.com/documentation/tools/postman

I created the app and succeeded in getting all the data in Postman, so I have:

client id
client secret
Scopes: "openid profile email accounting.transactions offline_access"

Now I am trying to get that data in Node, but without having to go to a web page, and I do not succeed in doing it.

If I fill this:

const tokenSet: TokenSet = {
  id_token: 'xxx',
  access_token: 'yyy',
  expires_at: 1582308862,
  token_type: 'Bearer',
  refresh_token: 'zzz',
  session_state: 'xxx'
}

Will my access be refreshed automatically?

Should I do:

const xero_node = require('xero-node'); // xero-node v4

const xero = new xero_node.XeroClient({
  clientId: client_id,
  clientSecret: client_secret,
  redirectUris: [redirectUri], // xero-node takes an array of redirect URIs
  scopes: scopes.split(" ")
});
I checked the FAQ (https://developer.xero.com/faq/all/oauth-recommendation) and it says:
"Once you have an access token and refresh token you can refresh indefinitely or until the token is revoked by the user." So I think I can do it.

Please could you help me to figure out the flow to make it work? Thank you.

Hi Adrien,

I made a branch demonstrating how to get everything set up here, including example calls to the banktransactions endpoint and refreshing the token. To test it out, pull the repo, configure the .env with your clientID, clientSecret and callbackURI, then npm install and npm run dev.

The example just refreshes the token when the route is hit, but you could write a scheduled refresh process instead. A bit more on refresh tokens:

"Xero’s access tokens have a limited lifespan of 30 minutes but they can be refreshed using a refresh token.
This means your integration can maintain an offline connection without needing the user to re-consent to your app.

To keep the connection alive there are just a couple of points to keep in mind:

Xero’s refresh tokens are single use meaning that you will receive a new refresh token after every refresh.
You should replace your existing refresh token with the new one each time.
To make the offline connection more resilient we allow used refresh tokens to be retried for a grace period of 30 minutes (after first use).
We recommend building retry functionality into your integration in case you don’t receive the new token after a refresh.
Unused refresh tokens expire after 60 days at which point the user will need to reauthorize your app.
If it’s likely that your integration will be inactive for more than sixty days you may want to set up a scheduled refresh at least every 60 days to ensure the connection stays alive."

Regarding your other request, of not wanting to redirect users to consent through Xero: that is a mandatory part of the OAuth 2 flow, outlined in detail here: https://developer.xero.com/documentation/oauth2/auth-flow

Xero API (Community Manager)  
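As an added example (not code from this thread, from the linked branch, or from the xero-node SDK), here is a small Node.js token store that encodes the rules quoted in the reply above: reuse the access token while it is fresh, refresh it shortly before the 30-minute lifetime ends, replace the refresh token on every refresh and persist it before the new access token is used, retry a failed refresh with the same token inside the 30-minute grace window, and refuse to run once a refresh token has sat unused for 60 days so the user can be sent back through consent. It also exposes a `needsKeepAlive()` check for the scheduled refresh the reply suggests. The `refreshFn` callback, the 60-second skew, the 50-day keep-alive threshold, the `persist` hook and the in-memory `makeFakeIssuer` stand-in for Xero's token endpoint are all assumptions of this example; with xero-node v4 the callback would wrap the client's own refresh call and `persist` would write the tokenset to your database.

```javascript
'use strict';

// Lifetimes quoted in the reply above, in seconds.
const ACCESS_TOKEN_TTL_SEC = 30 * 60;             // access token: 30 minutes
const REFRESH_GRACE_SEC = 30 * 60;                // used refresh token retryable for 30 minutes
const REFRESH_TOKEN_TTL_SEC = 60 * 24 * 60 * 60;  // unused refresh token: 60 days
// Assumed policy of this example, not Xero numbers.
const REFRESH_SKEW_SEC = 60;                      // refresh a minute before expiry
const KEEPALIVE_AFTER_SEC = 50 * 24 * 60 * 60;    // scheduled refresh after 50 idle days

// One user's tokenset plus the rotation, retry and expiry rules.
// refreshFn(refreshToken) must return a Promise of the new tokenset fields
// (assumption: with xero-node v4 you would wrap the client's refresh call here).
class TokenStore {
  constructor(tokenSet, refreshFn, { now, persist, lastRefreshAt } = {}) {
    this.tokenSet = { ...tokenSet };
    this.refreshFn = refreshFn;
    this.now = now || (() => Math.floor(Date.now() / 1000));
    this.persist = persist || (async () => {});   // hypothetical hook: write the rotated set to your DB
    this.lastRefreshAt = lastRefreshAt !== undefined ? lastRefreshAt : this.now();
  }
  accessTokenIsFresh() { return this.tokenSet.expires_at - REFRESH_SKEW_SEC > this.now(); }
  refreshTokenIsExpired() { return this.now() - this.lastRefreshAt >= REFRESH_TOKEN_TTL_SEC; }
  // For a scheduled job: refresh idle connections before the 60-day window closes.
  needsKeepAlive() {
    return !this.refreshTokenIsExpired() && this.now() - this.lastRefreshAt >= KEEPALIVE_AFTER_SEC;
  }
  // Call before every API request; refreshes only when the access token is stale.
  async getAccessToken() {
    if (this.accessTokenIsFresh()) return this.tokenSet.access_token;
    return (await this.refresh()).access_token;
  }
  async refresh(maxAttempts = 3) {
    if (this.refreshTokenIsExpired()) {
      throw new Error('refresh token unused for 60 days: user must re-consent through Xero');
    }
    let lastErr;
    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
      try {
        const fresh = await this.refreshFn(this.tokenSet.refresh_token);
        // Rotation: the old refresh token is single-use, so replace the whole set
        // and persist it before the new access token is handed out.
        this.tokenSet = { ...this.tokenSet, ...fresh };
        this.lastRefreshAt = this.now();
        await this.persist(this.tokenSet);
        return this.tokenSet;
      } catch (err) {
        lastErr = err;   // the used token stays valid for REFRESH_GRACE_SEC, so retrying it is safe
      }
    }
    throw lastErr;
  }
}

// Constructed stand-in for Xero's token endpoint (not the real service): single-use
// refresh tokens, a 30-minute retry grace period, optionally one dropped response.
function makeFakeIssuer(now, { dropFirstResponse = false } = {}) {
  const state = { calls: 0, issued: 0, live: new Set(['rt-0']), usedAt: new Map() };
  async function refresh(refreshToken) {
    state.calls += 1;
    const used = state.usedAt.get(refreshToken);
    const inGrace = used !== undefined && now() - used < REFRESH_GRACE_SEC;
    if (!state.live.has(refreshToken) && !inGrace) throw new Error('invalid_grant');
    if (state.live.has(refreshToken)) {
      state.live.delete(refreshToken);
      state.usedAt.set(refreshToken, now());
    }
    const n = ++state.issued;
    state.live.add(`rt-${n}`);
    if (dropFirstResponse && state.calls === 1) throw new Error('ECONNRESET'); // response lost in transit
    return { access_token: `at-${n}`, refresh_token: `rt-${n}`,
             expires_at: now() + ACCESS_TOKEN_TTL_SEC, token_type: 'Bearer' };
  }
  return { state, refresh };
}

// Walk-through with a fake clock: fresh token reused, stale token refreshed with one
// retry, keep-alive due after a long idle period, and the 60-day expiry refused.
async function demo() {
  let clock = 1700000000;
  const now = () => clock;
  const issuer = makeFakeIssuer(now, { dropFirstResponse: true });
  const persisted = [];
  const initial = { access_token: 'at-0', refresh_token: 'rt-0',
                    expires_at: clock + ACCESS_TOKEN_TTL_SEC, token_type: 'Bearer' };
  const store = new TokenStore(initial, issuer.refresh,
    { now, persist: async (ts) => { persisted.push(ts.refresh_token); } });
  const first = await store.getAccessToken();    // 'at-0': still fresh, no refresh call
  clock += ACCESS_TOKEN_TTL_SEC;                 // 30 minutes later the access token is stale
  const second = await store.getAccessToken();   // first attempt drops, retry within grace succeeds
  clock += KEEPALIVE_AFTER_SEC;                  // long idle: the scheduled job should refresh now
  const keepAlive = store.needsKeepAlive();
  const stale = new TokenStore(initial, issuer.refresh, { now, lastRefreshAt: clock - REFRESH_TOKEN_TTL_SEC });
  let expiredError = null;
  try { await stale.refresh(); } catch (err) { expiredError = err.message; }
  return { first, second, refreshCalls: issuer.state.calls, persisted, keepAlive, expiredError };
}

demo().then((result) => console.log(result));
```

Run it with `node`; `demo()` shows that the first request reuses the cached access token, the second one refreshes and survives a dropped response by retrying the same refresh token inside the grace window, only the rotated refresh token `rt-2` is ever persisted, the keep-alive check fires after a long idle period, and a store whose refresh token is 60 days old fails closed with a message telling you the user must re-consent. In a real deployment there is one `TokenStore` per connected user, keyed together with the tenant id chosen during consent, and `persist` must write the rotated refresh token atomically: losing it after the old one has been consumed is exactly the failure the grace-period retry exists to cover.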

OK, thank you very much for this detailed answer; it is very helpful. I succeeded in getting the data I wanted from getBankTransactions.

I have one more question on this last point. Would it be possible for me to create the tokens with the button locally, as you shared, then put the tokens in a DB and update them with the refresh process (I still need to figure out how to do that)?

Meaning that the few people using the internal tools on the front end could be using my tokens and updating them when they use the tool, as this is only an internal tool. And as they would use it more often than the 60-day limit, they could just use it indefinitely.

And if the 60 days pass for any exceptional reason, I could just update all the tokens with another local auth going through Xero.

Thank you


Yes, in theory you could generate tokensets for each user, store them in a DB, update them via the refresh process, and not build a way for the user to reauthorize via the UI. However, I strongly discourage it for a couple of reasons:

1) It lacks resiliency. If for whatever reason the tokens expire, the users are unable to reauthorize on their own through the consent flow because you didn't incorporate it into your UI, and they'd be unable to access their Xero data until you regenerated the tokensets. If you moved on to another position within or outside your current company, someone else would potentially have to take on the responsibility of maintaining employees' access to Xero data.

2) It would be difficult to account for users with access to multiple tenants, because the user selects which tenant they wish to connect to during the consent flow.

3) It's not scalable, internally or externally. If your needs grow, you have to oversee this fragile manual process for all users. If you decided in the future that your integration would provide value to other users and you wanted to be listed in the app marketplace, you would have to refactor your integration in order to be considered for certification.

Having said all this, if you want to proceed this way, I suggest using this CLI tool for generating your tokensets and copying the output from the console.

Xero API (Community Manager)