Does the api support oauth_callback?

Started by Ron Garret in API Authentication

oauth_callback doesn't seem to work for me. I'm wondering if I'm doing something wrong or if Xero simply doesn't support it.

The Xero API definitely supports this as I have utilised it myself with the xeroizer (ruby) library.

However, you must register the domain used in the callback with the application at http://api.xero.com (I know it says optional, but only if you don't want to use oauth_callback).

Wayne Robinson  

My domain is registered, but it is "localhost:8080" (since I'm just testing at the moment). Maybe it only works for "real" domains?

Ron Garret  

You might want to try removing your port from that domain.

However, I haven't tested with localhost.

Wayne Robinson  

Using localhost won't work since localhost means use the address of the machine that is making the call, and since it's the Xero server making the call, you've just told it to call itself.

You need to use the address of your machine as seen from the rest of the internet. Using something like "what's my IP address" (google it) is one easy way.

If you are using a cable modem and the modem is acting as a router then you may also need to open a port on the router and route through to your PC.

The callback stuff is working.

Richard Perfect  

Actually, as far as I understand, the callback URL gets passed as a 302 redirect to the client and the client should know what localhost is.

Wayne Robinson  

Wayne is correct. I have successfully used localhost (and even localhost:8080) as a callback with other OAuth-based services.

Does anyone from Xero hang out in these forums? Or are we developers on our own?

Ron Garret  

Ron, they come here occasionally. The best bet is to just email network@xero.com. They usually respond reasonably quickly.

Wayne Robinson  


Ron Garret  

Hmm, going back to the 302 redirect thing, correct me if I'm wrong, but it would only work using localhost if the browser and the server were on the same machine?

Richard Perfect  

Richard: It doesn't matter where the server and client are. The server sends the response to the client and the client looks up the host in the "Location" header. The server never has to look up the host of the redirect.

Wayne Robinson  

I think I figured it out. The API does in fact ignore the oauth_callback parameter. But it will do a callback, you just have to set the callback URL in the application configuration web page. This is badly broken. Not only does it violate the OAuth standard, it means that there can only be one callback URL per application. Is there a way to file a ticket?

Ron Garret  

@Ron - Try specifying the oauth_callback parameter when you obtain your request token - we've implemented as per the spec.

Tony Rule (Xero Staff)  
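
Added example, not part of the original thread and not Xero's or any library's own code: in OAuth 1.0a the `oauth_callback` value travels with the request-token request and is covered by that request's signature, which is the step the reply above points to. It assumes HMAC-SHA1 signing; the endpoint, consumer key, secret, nonce and timestamp are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode per RFC 5849 section 3.6 (only unreserved characters stay)."""
    return quote(str(value), safe="")


def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; token_secret is empty at the request-token step."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, params, signature, consumer_secret):
    """Server-side check: recompute over received parameters, compare in constant time."""
    return hmac.compare_digest(sign(method, url, params, consumer_secret), signature)


# Constructed sample values (assumptions, not real credentials or endpoints).
URL = "https://api.example.test/oauth/RequestToken"
SECRET = "constructed-consumer-secret"
PARAMS = {
    "oauth_callback": "http://localhost:8080/callback",
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "n0nce123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
}
SIGNATURE = sign("POST", URL, PARAMS, SECRET)

if __name__ == "__main__":
    print(base_string("POST", URL, PARAMS))
    print("oauth_signature =", SIGNATURE)
    # A callback altered after signing no longer verifies.
    tampered = dict(PARAMS, oauth_callback="http://other.example.test/callback")
    print("tampered verifies:", verify("POST", URL, tampered, SIGNATURE, SECRET))
```

The callback URL appears double-encoded inside the base string, so a client that leaves it out of the signed parameters, or a party that changes it in transit, produces a request whose signature no longer matches.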

Just for the record, the problem turns out to be a rather serious bug in the simplegeo oauth2 library. Details and a fix can be found here:


Also (a more generic solution):


Ron Garret