Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

Identity Endpoint Refresh Documentation Incorrect

Started by Michael Holmes -   in API Authentication

Hi Dev Team,

Referring to the currently published documentation regarding "Refreshing Access & Refresh Tokens" found here: https://developer.xero.com/documentation/guides/oauth2/auth-flow#refreshing-access-and-refresh-tokens

Please update the documentation as follows:

Remove Authorization Header (Basic) -> This endpoint does not use the Basic Auth, it uses no Authorization header

Add the authentication components to the request body instead: client_id & client_secret (along with the existing body keys grant_type & refresh_token)

I have tested that the refresh endpoint works correctly when the ID/Secret are provided in the body; and provides an invalid grant prompt when they are missing and instead specified in the Authorization header as Basic Auth.
You can structure the call either way, however for security reasons we would always suggest encoding your client ID and Secret into the headers to prevent anyone gaining access to your secret and causing disruption to your apps security,

There may have been an error in your encoding that caused the issue with using the encoded method.

If you get this error again, feel free to use the contact us link at the bottom of the Developer.xero.com page, I have added the link here for convenience

Sally C (Community Manager)