Xero Developer Community

Xero API request forgery

Started by UnionSquare Software in API Authentication

I would like to know whether the Xero OAuth 2.0 endpoint only allows requests from the URLs/URIs added to the app details, i.e. does the API ensure a payload of valid clientID, tenants & state (token) etc. is requested by the URLs in the app details?

It isn't explicit in any of the documentation I have read.

Hi Union.

There is no validation of the URI for an API call once you have a valid access_token.

That being said, you are only able to generate an access token via an OAuth2 callback, which must exactly match the URI you configure in your API application dashboard, as per the OA2 spec.

Let me know if that answers your concerns!
 

Christopher Knight (Xero Staff)
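
The two checks this thread turns on, as an added example that is not part of the original posts and is not Xero's code: an exact-match comparison of the redirect URI against the registered list, and the client-side `state` check on the callback, which matters because the API does not tie an access token to a calling URI. The registered URI, endpoint, client ID and function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed registration for illustration; not taken from the thread.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def redirect_uri_allowed(requested: str) -> bool:
    """Exact string match only: no prefix, wildcard or normalisation."""
    return requested in REGISTERED_REDIRECT_URIS


def begin_authorization(authorize_endpoint, client_id, redirect_uri, scope, session):
    """Client side: build the authorization request and store a one-time state."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered for this app")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{authorize_endpoint}?{query}"


def handle_callback(callback_url, session):
    """Client side: accept the code only if state matches the one this session issued."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    received = params.get("state", [""])[0]
    # Compare as bytes in constant time; a missing stored state always fails.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback was not started by this session")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]
```

Once the code is exchanged, the resulting access token works from anywhere, so it should stay server-side and never be exposed to the browser.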