Developing an OAuth implementation from scratch

Started by Ronan Quirke (Community Manager) - in Wrapper libraries

Quite often we get questions on implementing a connection to the Xero API from scratch.
We recommend using a code sample if at all possible, but we know that isn't always possible if you want to use a programming language we don't have a supported SDK for.

We won't be able to offer much in-depth assistance, but we thought a quick primer will at least point you in the right direction, so here goes.

OAuth 1.0a
Xero uses OAuth 1.0a for authentication - put simply, this means you need to generate a signed request as part of your communication to Xero.

While Xero may not have a code sample in your preferred language, OAuth is a fairly common authentication method for RESTful APIs, so you may still find an SDK, library or code snippet that can help you. The important thing to bear in mind is the version we use is OAuth 1.0a. Check Github and anywhere else your preferred programming language might have libraries that support OAuth 1.0a.

Xero OAuth app flavours
One small but important detail you will need to know is that Xero uses RSA-SHA1 signing for private and partner API type applications - not all 3rd party libraries will support this as HMAC-SHA1 (used for public apps) is more common.

Xero also uses two different OAuth flows - private applications use what the OAuth bible refers to as the one-legged flow (you don't need to generate a request token), whereas both public and partner application types use the three-legged flow.

Some helpful resources
  1. OAuth for dummies is a great primer on OAuth generally - it helps to know what you are dealing with
  2. Dancing with OAuth goes into more depth on some of the OAuth workflows (the OAuth dance) and the parameters needed for generating a signature.
  3. The OAuth bible is a great resource on understanding the specific flavours of OAuth and what needs to be included when generating a signature.
  4. oauth-signature-generator-js is a Javascript OAuth signature generator project with a live example which is handy to see the signing process, but only supports HMAC-SHA1, not RSA-SHA1.
  5. The OAuth test client at term.ie can generate an RSA-SHA1 request, which is useful to use to test your own signing.
  6. Nouncer.com has a quite complete OAuth signature generation tool ('use generate your own' option) - unfortunately it relies on Java so may not be too future proofed.

Hopefully the above resources will set you on the right path.
If you are stuck on a particular programming language, search our forums for any existing questions and answers on that specific language, and if no luck, start a new thread rather than tagging on a question here.

Good luck!

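To make the signing step concrete, here is an added example (written for this page; it is not Xero's code and not from the original post) that builds an OAuth 1.0a signature base string from scratch with only the Python standard library, signs it with HMAC-SHA1 (the public-app method), and verifies it in constant time on the receiving side. The request used as a test vector is the one from RFC 5849 section 3.4.1.1, which is handy because it exercises the awkward cases (repeated parameter names, a blank value, a name that itself needs encoding, a form-encoded body); the two shared secrets are constructed placeholders. The `rsa_sha1` function shows where RSA-SHA1 for private and partner apps plugs in: the base string is identical, only the signing primitive changes. It assumes the third-party `cryptography` package and is imported lazily so the rest runs without it.

```python
"""OAuth 1.0a request signing from scratch (added example, not Xero's code).

Base string construction follows RFC 5849 section 3.4.1.  The test vector is
the RFC's own example request; the secrets used with it are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Za-z0-9-._~ stay bare."""
    return quote(str(value), safe="")


def oauth_params(consumer_key, token=None, signature_method="HMAC-SHA1"):
    """Protocol parameters for one request.  A fresh nonce per request matters:
    the server rejects replays by remembering (timestamp, nonce) pairs."""
    params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", secrets.token_hex(16)),
        ("oauth_signature_method", signature_method),
        ("oauth_timestamp", str(int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    if token:  # one-legged (private app) flow: Xero's token is the consumer key itself
        params.append(("oauth_token", token))
    return params


def signature_base_string(method, url, params, form_body=""):
    """METHOD & enc(base URL) & enc(normalised parameters).
    Parameters come from the query string, a form-encoded body and the oauth_*
    protocol parameters; oauth_signature and realm are never included."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = [(k, v) for k, v in params if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(form_body, keep_blank_values=True)
    # Encode first, then sort by encoded name and encoded value, then join.
    normalised = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalised)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """Public-app signing: HMAC-SHA1 keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def rsa_sha1(base, private_key_pem):
    """Private/partner-app signing: same base string, RSASSA-PKCS1-v1_5 over SHA-1.
    Assumes the `cryptography` package; imported lazily so the rest runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return base64.b64encode(key.sign(base.encode(), padding.PKCS1v15(), hashes.SHA1())).decode()


def verify_hmac_sha1(base, consumer_secret, token_secret, presented):
    """Server-side check: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_sha1(base, consumer_secret, token_secret), presented)


def authorization_header(params, signature, realm=None):
    """Render the Authorization: OAuth header (realm first, signature last)."""
    items = ([("realm", realm)] if realm else []) + list(params) + [("oauth_signature", signature)]
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in items)


# Test vector from RFC 5849 section 3.4.1.1 (not a Xero request); secrets are constructed.
RFC_PARAMS = [
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_BASE = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
            "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
            "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
            "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")


def rfc_example():
    """Sign the RFC request end to end; returns (base string, signature, header)."""
    base = signature_base_string("POST", RFC_URL, RFC_PARAMS, RFC_BODY)
    sig = hmac_sha1(base, "j49sk3j29djd", "dh893hdasih9")
    return base, sig, authorization_header(RFC_PARAMS, sig, realm="Example")


if __name__ == "__main__":
    base, sig, header = rfc_example()
    print("base string matches RFC:", base == RFC_BASE)
    print(header)
```

The detail that trips up most hand-rolled implementations is the double encoding: each name and value is percent-encoded once when the parameter list is normalised, and the whole normalised string is encoded again when it is joined into the base string, so a literal `=` in a value ends up as `%253D`. Note also that `c%40` in the query becomes `c%2540` in the base string; the RFC's printed example has an erratum there, so a library that reproduces the printed text verbatim will fail at the server.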
Thanks very much for putting that all together - I appreciate the effort. This might be a good resource to add to the mix:


It shows a minimalist approach to calling the Xero API without using a wrapper. There is one file example in python and one on Lua.

The example makes use of openssl command line tool and the curl command line tool so it should be easy to get running and be easy to port to other languages as desired. It's all very specific to the Xero API rather than looking at Oauth in general which can be a little overwhelming.

Eliot Muir  

Can anyone say how much of this original post is still valid?

I have tried Postman and it no longer seems to support RSA-SHA1?


ceem- jay