Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

Refresh token is getting expired before 60 days

Started by Yasitha Pandithawatta -   in API Authentication


We are using an auth 2.0 app to integrate our web application instances to automatically create customer invoices every month. We have multiple webapp instances in every region and they are all connected to a single Xero account via one auth 2.0 app.

Each region has a separate refresh token stored and will be renewing in every 7 days. But sometimes, we are experiencing 400 error with message {"error":"invalid_grant"}. All of our regions are renewing their refresh tokens at the same time.

Is there anything that we are doing wrong here? What should be the best practice to handle this type of scenario.

Werlier we were using the auth 1.0 app with client key and secret with a certificate so we didn't have to store refresh tokens and renew them. I don't see any certifiicate or client credential grant in current auth 2.0 apps.
Hi Yasitha.

"Each region has a separate refresh token stored"

Do you mean you have multiple token sets, each containing a separate access_token and refresh_token, that you are refreshing each week?

Are these token_sets connected by the same Xero user, for the same Xero org?


Christopher Knight (Xero Staff)  

Hi Christopher,

Yes that's correct. We have separate web applications deployed in multiple regions with a separate database as well. All the web apps are connected to the same Xero user, using a same auth 2.0 app. We have two organizations in our Xero account and depends on the user's payment entity we create the invoice in the coresponding organization.

Yasitha Pandithawatta  

Ah - so each token_set related to a user should be unique and only stored in a single place.

If a token set is refreshed one place, it will cause issues if you try to refresh your API connection with an older token set.

Christopher Knight (Xero Staff)  

Ok thanks for the clarifiication. Then the best thing would be to create seperate auth 2.0 app per each region. Is there a limit for the number of apps that we can create per Xero account?

Yasitha Pandithawatta  

No - I think you should still keep a single OA2 API application (per environment.. ie dev, staging, prod)

But you should keep a DRY (do not repeat yourself) instance of a user / token_set combination. If you are storing a single user's token_set (access_token + refresh_token) duplicated across multiple databases you are going to continue having problems.

If you are building a API application that will require more than 25 connections you can start the certification process. This will pair you with a developer evangelist who can help you more directly as well.


Christopher Knight (Xero Staff)  

Thanks for the suggestion. I have created a separate app for one region and testing out this. I was renewing the refresh token in every 24 hours and it was renewing fine for 3-4 days and the day after I got invalid_grant again when renewing the token. The refresh token was stored only in this region and not shared with others.

Is it possible to monitor from your end if I provide you the app id?

Yasitha Pandithawatta  

Hello again, I have tried to setup separate app for each region but when I try to create 3rd app for the 3rd region and try to connect it to the organization but it doesn't allow and gives below error.

"Uncertified app connection limit reached. You can only connect two uncertified apps to an organization"

This is really frastrating to us, as we can't automate our invoicing process. We have to manually reauthenticate and generate a new refresh token to our regional servers to generate the invoices in every month. We don't want to go through the certification process as those apps will be used internally to generate invoiced in our Xero account.

It doesn't allow us to create oauth 1.0 apps any more and oauth 2.0 doesn't support machine to machine communication at all. No way to use client credentials, password credentials or certificate credentials grant types. Please fix this or give us an alternative.

Yasitha Pandithawatta