Xero Developer Community

Machine to Machine OAuth2 is supported?

Started by Mateus Petkovicz in API Authentication

I'd like to use the server-to-server OAuth2 flow, like the other well-known services offer. In that case I have been generating long-lived access tokens from the services. Does Xero OAuth2 support this feature?

We have a guide written up for machine-to-machine scenarios here: https://developer.xero.com/documentation/api-guides/machine-2-machine

Please let us know how you get on.

Robin Blackstone (Community Manager)  

Wouldn't it be a much better solution if you could pass all the necessary arguments to the consent URL and have it redirect to the callback URL without user interaction? That way it could be done programmatically without any headless-browser magic.

Driveline Support  

@Robin, I'm having trouble with that because of refresh token invalidation. The developer documentation says the refresh token's lifetime is 60 days, but that doesn't seem to be working.

I want a long-lived access token, just like the other OAuth2 providers.


Mateus Petkovicz  

I too am struggling with this concept.
All of my existing systems run invoices every night from a remote server using OAuth1 (the previous Xero implementation); this has worked perfectly for 5 years.
Now I have come to create a new app and can only use OAuth2, which will require a user login each time it runs.
This is totally unacceptable: something has been replaced, understandably in this case, but vital functionality has been removed and developers have been left in a very tricky situation.
The minimum I would expect in this scenario is to allow us to still use an OAuth1 app.

Please can you give me some additional guidance as to how I might overcome this obstacle.


@Robin, can a Client Credentials flow be supported?

I have cron jobs generating invoices that now need a public HTTP endpoint exposed for this authentication model. Using the Authorisation Code or PKCE flow is a MASSIVE step backwards for an M2M integration and needs to be addressed ASAP.

Brett Graves  
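The unattended nightly job described in the two posts above, and the "refresh token invalidation" Mateus reports, as an added example that is not code from the original thread or from Xero: a cron-style run that trades the stored refresh token for a new pair and persists the rotated refresh token atomically before any invoice work happens. The token endpoint URL is Xero's real one; everything else (client ID and secret, the token file path, the stub endpoint that stands in for Xero so the script runs offline) is constructed for illustration. It assumes Xero rotates the refresh token on every refresh and invalidates the one just used, which is the behaviour that makes "save the new refresh token first" the whole point of the pattern.

```python
import base64
import json
import os
import secrets
import tempfile
from dataclasses import asdict, dataclass
from typing import Callable, Dict

# Xero's OAuth2 token endpoint (a real URL, not a constructed one).
TOKEN_URL = "https://identity.xero.com/connect/token"


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str


class TokenStore:
    """Keeps the current token pair in a JSON file that is replaced atomically,
    so a crash mid-write can never leave the job holding an already-rotated
    refresh token. mkstemp creates the file with mode 0600."""

    def __init__(self, path: str):
        self.path = path

    def load(self) -> TokenSet:
        with open(self.path) as f:
            return TokenSet(**json.load(f))

    def save(self, tokens: TokenSet) -> None:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(asdict(tokens), f)
        os.replace(tmp, self.path)  # atomic rename over the old file


# (url, headers, form body) -> parsed JSON response; injected so the example runs offline.
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Dict]


def refresh(store: TokenStore, client_id: str, client_secret: str, post: Transport) -> TokenSet:
    """One unattended run. A nightly job always refreshes: the short-lived access
    token is long gone, and the refresh also restarts the refresh token's lifetime.
    The rotated refresh token is persisted before the access token is used at all."""
    current = store.load()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    resp = post(
        TOKEN_URL,
        {"Authorization": f"Basic {basic}",
         "Content-Type": "application/x-www-form-urlencoded"},
        {"grant_type": "refresh_token", "refresh_token": current.refresh_token},
    )
    if "error" in resp:
        raise RuntimeError(f"token refresh failed: {resp['error']}")
    fresh = TokenSet(resp["access_token"], resp["refresh_token"])
    store.save(fresh)
    return fresh


class StubTokenEndpoint:
    """Constructed stand-in for the token endpoint: every successful refresh
    hands out a new refresh token and invalidates the one that was just used."""

    def __init__(self, initial_refresh_token: str):
        self.live = {initial_refresh_token}
        self.calls = 0

    def __call__(self, url: str, headers: Dict[str, str], body: Dict[str, str]) -> Dict:
        self.calls += 1
        if url != TOKEN_URL or not headers.get("Authorization", "").startswith("Basic "):
            return {"error": "invalid_client"}
        if body.get("grant_type") != "refresh_token" or body.get("refresh_token") not in self.live:
            return {"error": "invalid_grant"}  # reuse of a rotated-out token lands here
        self.live.discard(body["refresh_token"])
        new_refresh = secrets.token_urlsafe(24)
        self.live.add(new_refresh)
        return {"token_type": "Bearer", "expires_in": 1800,
                "access_token": secrets.token_urlsafe(24), "refresh_token": new_refresh}


def run_demo() -> Dict[str, object]:
    """Two nightly runs, then a deliberate reuse of night one's refresh token from a
    store that never learned about the rotation: that is what 'invalidation' looks like."""
    workdir = tempfile.mkdtemp()
    store = TokenStore(os.path.join(workdir, "xero_tokens.json"))
    store.save(TokenSet("initial-access", "initial-refresh"))  # from the one-off consent
    endpoint = StubTokenEndpoint("initial-refresh")
    client_id, client_secret = "example-client-id", "example-client-secret"  # placeholders

    night1 = refresh(store, client_id, client_secret, endpoint)
    night2 = refresh(store, client_id, client_secret, endpoint)

    stale_store = TokenStore(os.path.join(workdir, "stale_copy.json"))
    stale_store.save(night1)
    try:
        refresh(stale_store, client_id, client_secret, endpoint)
        stale_error = None
    except RuntimeError as exc:
        stale_error = str(exc)

    return {
        "rotated": night1.refresh_token != night2.refresh_token,
        "persisted": store.load().refresh_token == night2.refresh_token,
        "stale_error": stale_error,
        "calls": endpoint.calls,
    }


if __name__ == "__main__":
    print(run_demo())
```

The stale-copy case is the one to watch for in a real deployment: two hosts (or a dev laptop and the server) sharing one app registration but not one token file will each rotate the other's refresh token out from under it, and the loser is back to an interactive consent. One writable token store per connection, and the job scheduled well inside the refresh token's lifetime, is what keeps the flow unattended.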

If machine-to-machine access still requires a user account, then I'll need to set it up as a generic service account.

Xero, when you make 2FA on login mandatory (as you've been making noises to that effect), how will that work with a generic login account that is not "owned" by anyone in the organisation?

Dan Morrison