Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > Partner Program >

Partner Program confusion

Started by Sam Mceachern -   in Partner Program

To give some background, we are using the xero api for internal integration between multiple pieces of software within our business. At the moment we have 4 services that use the xero api, and this is likely to increase. Given that these apps are uncertified, we can only connect two of them at a time.

My question is why does our own business have to verify the apps that it created for its own internal use? The partner program ask us to get "clients that are happy to act as a reference", so do I get us a reference from ourselves?

If its the case that we wont be allowed to connect ore than two apps to our site, then we will have to have 3 of the 4 services share an app, which will lead to alot of difficulty around sharing api requests. It will also lead to issues around adding more integrations, as we were planning on adding more in the future.

Any help on this would be appreciated.
Hi Sam - to quickly recap, all OAuth2.0 apps (client id/client secret) have a connection limit of 25 users. On the flipside of that each organisation or practice is limited to connecting a maximum of two uncertified apps. The reason for this is to limit bad actors and their ability to skirt our connection limits and add an unlimited amount of apps that con't complete the certification steps ( https://developer.xero.com/partner/app-partner/ ). This may cause challenges for a small subset of our users like yourself, but ultimately its for the security of the ecosystem as a whole. But lets dig in, sure we can find a way to work around your needs!


In your case since this is internal API usage only, you don't have the goal of getting into the marketplace. Based on this knowledge our team would be happy to review your API usage and get you an an app with a reasonable connection cap that was treated as 'certified'. Ping us at api@xero.com with your use case and we'll get you sorted.

However, you mentioned you have 4 services all using different application client_id/client-secrets. Can you elaborate on that need? It would be a lot simpler to have a single /myapps called "Sam's XeroAPI connector" - Is there something about your logging/infrastructure that you can't share the same credentials across those 4 services? Insight into that will help me guide you to the easiest solution.


Christopher Knight (Xero Staff)  

Hi Christoper. Am I right in assuming each app has its own share of api calls to make against a tenant? and not that a tenant has a limit on api calls? if the former is the case, then it would be alot easier for our applications to manage their own api limits than having to worry about how the other services are using the limits. One of the services runs on a monthly basis, and makes a large amount of api calls when it does run. The other services run hourly. I am a little worried that these hourly services will be interrupted by the monthly service due to api limits exceeding. Not just for the max api calls per minute/day, but for the concurrent api calls limit (each service can make 2-3 concurrent calls at a time).

I can find some kind of work around if you guys aren't able to do this for us, this would just be the easiest solution for us.

Sam Mceachern  

Okay - makes a bit more sense why you broke them up, however just reviewing our API limits I don't think it would be an issue. Especially if you throttled the large sync to have some kind of time spread.

All the limits below relate to an API App & a particular TenantID

> So if you have 25 individual users all under the same org/tenant connect to the same app, and that script is running for each of them, you are going to have a bad time.

I think your best bet is to validate your use case with our team (api@xero.com) and we can ensure you have a reasonable amount of 'api firepower' to handle your internal business scripting use cases.



API Rate Limits
There are limits to the number of API calls that your application can make against a particular tenant (organisation or practice):

Concurrent Limit: 5 calls in progress at one time
Minute Limit: 60 calls per minute
Daily Limit: 5000 calls per day
Each API response you receive will include the X-DayLimit-Remaining and X-MinLimit-Remaining headers telling you the number of remaining against each limit.

Christopher Knight (Xero Staff)  

Cool thanks for your help Christopher. Ill be contacting the email you provided soon.

Sam Mceachern