
User access level

Started by Brendan Doherty -   in API Endpoints

When a user authorises my application to access their organisation, does my access token inherit the user's access level? (Standard, Financial Adviser + Manage Users, Invoice Only, Read Only, etc.)

Does a user have to have a certain level of access to authorise a 3rd party application like mine?

Hi Brendan,

Users can currently only authorise 3rd party applications with Xero organisations if they have 'standard' or 'financial adviser' roles within that organisation.

Once an application has been authorised, the application has full access to all of the endpoints that have been developed within the API. We are currently investigating how best to limit the access of 3rd party applications, as not all users want the applications to have full read/write control over the organisation.


Daniel Barratt (Xero Staff)  

It would be useful if the access key that an application receives was linked back to the user that authorised it. Then you could make it so that the 3rd party application would only have the privileges of that user.

When the 3rd party application creates/changes something on behalf of that user, then the history of that item could show something like "Created by John Doe via My Application on 2 Nov 2011 at 21:06p.m." At the moment it shows "Created by System Generated on 2 Nov 2011 at 21:06p.m.".

This would act the same way that 3rd party applications do in relation to twitter. If you authorise them to do something, they are doing it on behalf of you.

Brendan Doherty  

In practice, once an access has been given to a 3rd party application, it's difficult to know how the application is being used. There's no knowing if one user authorises an application which many users can also utilise.

It wouldn't be correct to assume that the user responsible for authorising the application is also responsible for all subsequent invoices, receipts and manual journals created by that application.

The best we could do is record "Created by My Application on 2 Nov 2011 at 21:06p.m."


Daniel Barratt (Xero Staff)  

Ok, that's a bit different from other OAuth scenarios I've used. In my experience the consumer authorises an application to act on their behalf (e.g. TweetDeck and Twitter, allowing 3rd party access to Google Docs; see http://hueniverse.com/2009/04/introducing-sign-in-with-twitter-oauth-style-connect/).

If you were recording "Created by My Application on 2 Nov 2011 at 21:06p.m.", it would be cool if "My Application" was a hyperlink back to my application. You could get that from the "Name URL of your company or product" field for the application.


Brendan Doherty
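The thread makes two points a third-party developer has to handle on their own side: the token grants full read/write access regardless of who authorised it, and one grant may serve many users, so attribution should name the application rather than the authorising person. The following is an added illustration, not Xero's code or API: an application-side policy layer that records the authorising role, gates its own operations to what that role would be allowed, and emits the application-level history line discussed above. The role-to-operation mapping and the operation names are assumptions for the model, not Xero's real permission matrix.

```python
from dataclasses import dataclass
from datetime import datetime

# Roles named in the thread. Which operations each may perform is an ASSUMPTION
# used only for this model; Xero's real permission matrix is not on the page.
ROLE_PERMISSIONS = {
    "read_only": {"read"},
    "invoice_only": {"read", "create_invoice"},
    "standard": {"read", "create_invoice", "create_journal"},
    "financial_adviser": {"read", "create_invoice", "create_journal", "manage_users"},
}

# Roles that may authorise a 3rd party application, as stated in the thread.
CAN_AUTHORISE = {"standard", "financial_adviser"}


@dataclass(frozen=True)
class Grant:
    """What the application remembers about an authorisation: the app's own
    name and the role of the user who granted it (the token itself does not
    carry this, so the app must store it at authorisation time)."""
    app_name: str
    authorising_role: str


def can_authorise(role: str) -> bool:
    return role in CAN_AUTHORISE


def authorise(app_name: str, role: str) -> Grant:
    if not can_authorise(role):
        raise PermissionError(f"role {role!r} may not authorise applications")
    return Grant(app_name, role)


def is_allowed(grant: Grant, operation: str) -> bool:
    # The token would let the app do anything; least privilege is enforced
    # here, by the application, against the authorising user's role.
    return operation in ROLE_PERMISSIONS.get(grant.authorising_role, set())


def history_line(grant: Grant, when: datetime) -> str:
    # Attribution names the application, not the authorising user, because
    # a single grant may be exercised by many people (Daniel's point).
    return f"Created by {grant.app_name} on {when.day} {when:%b %Y at %H:%M}"


def perform(grant: Grant, operation: str, when: datetime) -> str:
    """Gate an operation and return the history line the app would record."""
    if not is_allowed(grant, operation):
        raise PermissionError(f"{operation!r} exceeds the authorising user's access")
    return history_line(grant, when)
```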