
Xero API request forgery
I would like to know whether the Xero OAuth 2.0 endpoint only allows requests from the URLs/URIs added to the app details? i.e. does the API ensure a payload of valid clientID, tenants & state (token) etc. is requested by the URLs in the app details?
It isn't explicit in any of the documentation I have read.
1
Replies

Hi Union.
There is no validation of the URI for an API call once you have a valid access_token.
That being said, you are only able to generate an access token via the OAuth2 callback, which must match exactly the URI you configure in your API application dashboard, as per the OA2 spec.
Let me know if that answers your concerns!
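To make the two halves of that reply concrete (no origin check on API calls once a bearer token exists; exact matching of the callback URI at authorization time), here is an added example that is not Xero's code or taken from the post. It simulates the authorization-server side of the check with a constructed client registry (the client_id `ABC123` and its two registered URIs are assumptions), and the client side's `state` check, which is what actually stops a forged callback from binding an attacker's authorization code to a victim's session. The real Xero server's matching logic is not shown on this page beyond "must match exactly"; the example implements the exact string comparison that RFC 6749 sec 3.1.2.2 and RFC 6819 sec 5.2.3.5 recommend.

```python
"""
Added example (not Xero's code): exact-match redirect_uri validation on the
authorization server plus the client-side OAuth 2.0 `state` check.
All client IDs, URIs and the session object are constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed registry: client_id -> the exact redirect URIs registered in the
# app dashboard. A real server loads this from its database.
REGISTERED_CLIENTS = {
    "ABC123": {
        "https://app.example.com/callback",
        "http://localhost:5000/xero/callback",
    }
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison (RFC 6749 sec 3.1.2.2, RFC 6819 sec 5.2.3.5).

    No prefix, host-only or wildcard matching: a trailing slash, an added
    query string, a scheme downgrade or a different port all fail.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def authorize(params: dict) -> tuple:
    """Simulated /authorize endpoint. Returns (status, location_or_reason)."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if client_id not in REGISTERED_CLIENTS:
        return (400, "unknown client_id")
    if not redirect_uri_allowed(client_id, redirect_uri):
        # RFC 6749 sec 4.1.2.1: never redirect the user agent to an
        # unregistered redirect_uri, show the error in place instead.
        return (400, "redirect_uri does not exactly match a registered URI")
    code = secrets.token_urlsafe(32)
    state = params.get("state", "")
    return (302, f"{redirect_uri}?code={code}&state={state}")


class ClientSession:
    """Minimal constructed client-side session store for the state value."""

    def __init__(self):
        self.state = None


def begin_login(session: ClientSession) -> str:
    """Generate an unguessable, single-use state bound to this browser session."""
    session.state = secrets.token_urlsafe(32)
    return session.state


def handle_callback(session: ClientSession, callback_url: str) -> dict:
    """Accept the callback only if its state matches the stored one.

    A forged callback (CSRF) carries the attacker's code but cannot carry the
    victim's session-bound state, so it is rejected before any token exchange.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    expected = session.state
    session.state = None  # single use: replaying the same callback fails
    if not expected or not hmac.compare_digest(state, expected):
        raise ValueError("state mismatch: possible forged callback")
    return {"code": qs.get("code", [""])[0]}


if __name__ == "__main__":
    session = ClientSession()
    req = {"client_id": "ABC123",
           "redirect_uri": "https://app.example.com/callback",
           "state": begin_login(session)}
    status, location = authorize(req)
    print(status, handle_callback(session, location))
    print(authorize({**req, "redirect_uri": "https://app.example.com/callback/"}))
```

Note that nothing here inspects the `Origin` or `Referer` of the request: the server's control over where the code lands comes entirely from the registered URI, and the client's protection against a forged callback comes entirely from `state`. Once the code has been exchanged, the resulting access token is a bearer credential that any caller can present, which is the first sentence of the reply above.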