Xero Developer Community

Should I use 'Auth code with PKCE' and/or 'XOAuth'

Started by Darren Grayson in API Authentication

I've been through the steps to try out the "Xero NetStandard OAuth 2.0 Starter App with .NET Framework v4.6.1" on GitHub and got this working OK.

I need to migrate a private app; it's a .NET command-line application that runs as a scheduled task once per month.

I see on the "New App" dialog there's the PKCE option for "desktop and mobile apps". Given I am not distributing the application outside my organisation, is the default option "Web App" actually more appropriate? The GitHub page doesn't mention the PKCE flow so I presume if I choose this option I am going to need to get into the details of the protocol and start making changes to the sample code.

I also see that the 'XOAuth' application is being used with batch applications. Is this my best bet? Is there an example that is already geared up to use one or the other, or both if appropriate?

I've read many posts on here from people struggling to do the same thing. A starter app that covered the simpler (and I'd imagine) more common use case of a batch application would be really useful.

PKCE (Proof Key Code Exchange) is only for desktop type apps that can't maintain security of the API app's secret. Use web app.

Also - Here is a video I made covering how to migrate from private apps to OAuth2.0: https://www.youtube.com/watch?v=Zcf_64yreVI

Using xoauth instead of the Insomnia REST client will achieve the same result. The only thing you need to do other than what is in the tutorial is to code the "batch app" refresh logic to keep your connection persisted at least once every 60 days.

Christopher Knight (Xero Staff)  
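
Added example, not part of the thread and not Xero's code: one way to write the "batch app" refresh logic described above for a Web app (client secret) registration, in C#. The token endpoint URL, the token file name, the expectation that each refresh response carries a replacement refresh token, and the use of System.Text.Json with C# 8 are assumptions; the stub handler and all token values are constructed so the demo runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

static class XeroBatchAuth
{
    const string TokenUrl = "https://identity.xero.com/connect/token"; // assumed token endpoint
    const string TokenFile = "xero_refresh_token.txt"; // hypothetical; restrict its ACL to the task account

    // Exchanges the stored refresh token and returns an access token for this run.
    public static async Task<string> GetAccessTokenAsync(HttpClient http, string clientId, string clientSecret)
    {
        using var req = new HttpRequestMessage(HttpMethod.Post, TokenUrl);
        // Web app (confidential client): authenticate with the app secret, no PKCE verifier.
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic",
            Convert.ToBase64String(Encoding.UTF8.GetBytes(clientId + ":" + clientSecret)));
        req.Content = new FormUrlEncodedContent(new Dictionary<string, string> {
            ["grant_type"] = "refresh_token", ["refresh_token"] = File.ReadAllText(TokenFile).Trim() });
        using HttpResponseMessage resp = await http.SendAsync(req);
        if (!resp.IsSuccessStatusCode) // e.g. stored token expired: a user has to re-consent
            throw new InvalidOperationException("Token refresh failed: HTTP " + (int)resp.StatusCode);
        using JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        // Save the replacement token before any API call so a later crash cannot lose it.
        File.WriteAllText(TokenFile + ".tmp", doc.RootElement.GetProperty("refresh_token").GetString());
        File.Replace(TokenFile + ".tmp", TokenFile, null); // swap in the new token
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    // Constructed stand-in for the token endpoint so the demo below runs offline.
    class StubEndpoint : HttpMessageHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage r, CancellationToken c) =>
            Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(
                "{\"access_token\":\"constructed-access\",\"refresh_token\":\"constructed-refresh-2\"}") });
    }
    static async Task Main()
    {
        File.WriteAllText(TokenFile, "constructed-refresh-1"); // normally stored once after first consent
        using var http = new HttpClient(new StubEndpoint()); // production: new HttpClient()
        Console.WriteLine(await GetAccessTokenAsync(http, "demo-id", "demo-secret"));
        Console.WriteLine(File.ReadAllText(TokenFile)); // the rotated token is now on disk
    }
}
```

In a real scheduled task, load the client ID and secret from protected configuration for the task's account instead of literals, and treat the token file as a credential.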

Thanks for the swift reply Christopher.

Darren Grayson