Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > API Authentication >

Demo company consumer key reset

Started by Sinisa Louc -   in API Authentication


I am testing my app against the demo company. I know that demo company has its mock data reset after 28 days, and that's fine. However, the consumer key/secret is also reset, which means that I either have to:

a) make sure to refresh the credentials manually within the 28-day period, otherwise tests will start failing

b) create my own private app and make up tons of data for testing (demo company is nice because it already has all this data)

Is there a way to prevent this reset, or perhaps a way to get the consumer key via an API instead of manual c/p from app dashboard? Or should I simply stop using the demo company and create my own private app just for testing purposes?


Hi Sinisa,

When the Demo Company resets the old company is deleted and a new one takes its place. This is why your integration loses its connection and you have to register a new Private app and get new credentials. There isn't a way to extend the time to reset. However, you can connect the same app you'd been using to the new Demo Company. You just need to update the app with the new consumer key and secret.

If you don't want to register a new app and update the credentials every 28 days, you can always subscribe to a Xero organisation. The first 30 days are free, and then you'll need to pay for the subscription. If you do this you will need to populate the organisation with your own sample data. You can find a list of the pros and cons of using a trial company vs the Demo company in our Developer Center.



Angela Marshall (Xero Staff)  

Hi Angela,

OK, everything you said was my understanding too. I was just wondering if there's some way around it. I have the subscription (that is, my company) and we will be using the partner app, but I need something just for testing, and demo company is great except for the fact that someone needs to manually update the app with new consumer key. I guess I will either keep a separate private company or build a mock using something like WireMock by recording the requests/responses made in current test scenarios. I hope you don't change the API that often :)


Sinisa Louc  

Hi Sinisa,

If you're in the process of being certified for a Partner app you'll want to contact your Developer Relations team member and they can go over what the best practices for incoming partners are. Otherwise, if you're developing Private apps you will need to schedule a roughly once a month task to register a new app and update the keys.


Angela Marshall (Xero Staff)  

So if we don't want our integration tests to break every 28 days we have to pay for an additional organisation?

That seems a little disingenuous. It would be trivially easy to just not reset the authentication credentials, and the only reason there is to reset them in the first place would be to contrive the inconvenience of forcing a human into the loop once a month.

James De Vries  

The above is spot on the money, it really does seem incredulous that if you had a demo company attached to a test/staging instance of an application it requires a human to go and reset things every month to keep it working.

Matthew Hillman  

+1 for the above. Please don't reset the API credentials for the Demo company. It's not practical to have to do this every 28 days for a staging environment or to have to pay for an organisation that's just used for testing.

Evan Williams  


We just integrated with Xero a month ago and today our entire staging environment fell over.

The "documentation" states data is reset but what it doesn't tell you is that:

1. Your webhooks you set up also disappear into oblivion.
2. Your access tokens become un-usable.

This makes it extremely hard to have more than just a production environment running.

The proposed solution to pay for a full account is absolutely insane and we would have been better off keeping everything inside Stripe.

Stripe gives you an always-on sandbox for free, because, ya know, you're already a paying customer with them...

Ash Connell  

I echo your comments Ash - our staging environment has required a lot of manual work resetting every 28 days due to this bug/fault. Resetting the company data should not invalidate the app. It's a poorly implemented design that should have been fixed long ago.

Adding insult to injury, the new oAuth 2 mechanism means we can no longer refresh our development environment at all, as the oAuth 2 flow is a blocker for us. The oAuth 2 flow prohibits batch applications, as the offline_access scope refresh token is invalidated whenever used (a new one does issue), however, this makes management of concurrency in a microservices environment (with replicated pods) extremely challenging. One concurrency race condition or untimely deployment and your refresh token chain is effectively dead. To even achieve moderate reliability, it will require significant engineering work to implement a distributed singleton pattern concerning the storage of the ever-changing refresh token. The xero Java library does not even support management of handing an invalidated access token, so that is of very little help.

If you look at offline_access scope of oAuth 2 for other providers such as Google or Salesforce, the refresh token is valid until a user changes their password or revokes access. The current way that oAuth 2 is implemented by xero also means that any xero zapier connections will no longer function. Lastly, the oAuth 2 spec mandates using POST, whereas Xero has for some reason chosen to using basic auth, which again means more development effort as oAuth 2 libraries need to be forked to be able to call Xero's custom implementation (that they call oAuth 2, but is not conformant to the oAuth 2 spec).

Very disappointing effort on this front also. Great software in terms of their primary use case of book keeping for their users; but unfortunately the developer API design and libraries are well below average.

I extend an open invite for a senior representative of the Xero development team to contact me to discuss.

Thomas Haines  

As a follow-up, there is a thread discussing the oAuth 2 issue here https://community.xero.com/developer/discussion/105714701/
and a Xero rep has mentioned they hope to fix that issue in January.

When is fixing this bug concerning how the demo company data is reset currently scheduled?

Thomas Haines  


Unfortunately, there's no sign of anything regarding stopping the demo company from being reset (or making the reset option a manual rather than an automatic process) on the Xero RoadMap.


John Howlett  

re stopping the demo company from being reset (or making the reset option a manual rather than an automatic process) - prevents us making better integrations....+1

Thomas Haines