Xero Developer Help Center

Xero Developer Community

Using access token for private app

Started by Duc Mac in Getting Started

Hi. I am trying to communicate to Xero with a private app but just cannot seem to get it working. Could someone please guide me in the right direction?

So I have the "Demo Xero Environment" and have the consumer key/secret and have linked the corresponding certificate. According to the guides, my consumer key is my access token and my consumer secret is not used at all (is this correct?). My account has full access to my environment.

When I send a GET request to https://api.xero.com/api.xro/2.0/Employees, where/how should I be providing my access token?

Also, I tried using the Xero API Previewer and when I click "Run" with my endpoint being "Employees", no employee details are shown. For some reason, I did the same thing yesterday and it returned me all the employees in the environment. I haven't made any changes to the xero environment. Would anyone have any idea what happened and how I can get the information to display again?

Thanks in advance for any assistance

Hi,

You need OAuth. There is an example at https://developer.xero.com/documentation/tools/postman and in several languages at https://developer.xero.com/documentation/libraries/overview. The process involves sending your keys to https://api.xero.com/oauth/RequestToken then getting an access token with that token from https://api.xero.com/oauth/AccessToken. Use the Postman example for guidance.

Kind Regards

Remember I consult on a per hour basis. Contact me if you need me to fix the problem. $45 per hour.

We can do a 30 min free consultation via Skype.

Henzard Kruger
Certified Advisor and Full Stack developer
Picahoo cc - 0711304241 - henzard@picahoo.co.za
Skype: henzard, Gtalk: henzardkruger@gmail.com
Quality is remembered long after the price is forgotten

I abide by the 3 message rule. After 3 messages we Skype.

 

Henzard Kruger  

Hi,

If I am not wrong, the things you have suggested are for a public app. I want to access my Xero with a private app. For context, I am trying to import leave using a product called Nintex Workflow. Nintex Workflow has an interface which allows me to call a web service.

In this function I am able to provide:
-URL (required)
-Username (optional)
-Password (optional)
-Method (e.g get/post) (required)
-Extra Headers (Optional)

If the parameters can be entered in the URL, then it would be really simple. I have also tried adding a header (Authorization: Bearer {consumer_key}) but that didn't work either. Would you know where I should be looking?

Thanks again
 

Duc Mac  

Hi,

They all work the same. Public can connect to any company and private to only one app. What programming language are you using?
 

Henzard Kruger  

Hi Henzard Kruger, I have the same problem. I have a platform that will allow users to connect their Xero account to my platform and configure their invoices and products from one place. But when I use the private authorization I get this error:

Error: oauth_problem=consumer_key_rejected&oauth_problem_advice=Private%20applications%20cannot%20request%20a%20Request%20Token

I am using the PHP library.

When I am using public keys, everything works OK, but it gives me a 30-minute token, and I need to connect to the account without limitation.
So I am trying to use the same logic but with a private key.

I have created a private application, generated public and private keys, and got the customer key and secret.

 

Anna Gabrielyan  

I have the same question and I believe that @henzard is incorrect. They don't all work the same because the public apps use HMAC-SHA1 and the private apps do not. I believe that they use RSA-SHA1 which is not supported by Postman.

Anyone solve this problem - is OAuth 1.0 the only way to Auth?
 

Arnold Smyth  

Me too!

I am referring to this - https://community.xero.com/developer/discussion/12512483/ - it's dated 2015, so is it even valid still?

Using it to try the Postman example - can no longer use the Chrome Extension so had to download the native app, which no longer offers RSA-SHA1, so will it ever work?


Why is this so poorly documented for people who are not so familiar with OAuth, which seems to offer several ways of implementation?

Can anyone provide a clear explanation and a simple example please?


 

ceem- jay  

Just hit this problem, and the answer is rather simple: your private app consumer key IS your `oauth_token`.

Use the consumer key supplied when setting up the application, as the `oauth_token` in all API calls. Do all the normal signing etc. for each call, and that should work. The token does not expire until you remove the application or generate new keys manually.
 

Developer Team  
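
The signing scheme described in the reply above, shown as an added example that is not part of the original thread and is not Xero's or any library's code. It builds an OAuth 1.0a `Authorization` header for `GET https://api.xero.com/api.xro/2.0/Employees` with the consumer key reused as `oauth_token`, and assumes the RSA-SHA1 signature method mentioned earlier in the thread. The function names, the consumer key value and the RSA key are constructed for illustration; the key is a demo key that lets the block run on the standard library alone.

```python
import base64, hashlib, secrets, time
from urllib.parse import quote

# Constructed demo key built from two Mersenne primes so the example runs with
# the standard library only. It is NOT secure; a real private app signs with the
# RSA key whose certificate was uploaded to Xero, loaded through a crypto library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def enc(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def emsa_pkcs1_v15_sha1(message, size):
    """PKCS#1 v1.5 encoding of SHA-1(message), padded to `size` bytes."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(message, n=N, d=D):
    size = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_sha1(message, size), "big")
    return pow(m, d, n).to_bytes(size, "big")

def signature_base_string(method, url, params):
    """METHOD & encoded URL (no query string) & encoded sorted parameter list."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def private_app_header(method, url, consumer_key, query=None,
                       nonce=None, timestamp=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": consumer_key,  # private app: the consumer key is the token
        "oauth_signature_method": "RSA-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**oauth, **(query or {})})
    oauth["oauth_signature"] = base64.b64encode(rsa_sha1_sign(base.encode())).decode()
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(oauth.items()))

if __name__ == "__main__":
    print(private_app_header("GET", "https://api.xero.com/api.xro/2.0/Employees",
                             "CONSTRUCTED_CONSUMER_KEY"))
```

The returned string is the value of a single `Authorization` request header; any query parameters are passed in `query` so they are covered by the signature, and they still go on the URL of the actual request.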

Hi Developer Team,

I tried including oauth_token in the Get request header and in parameters but am getting the error below.

"oauth_problem=consumer_key_unknown&oauth_problem_advice=Consumer%20key%20was%20not%20recognised"

I have registered for private application and am setting the oauth_token=consumerKey.

Any pointers will be highly appreciated. Thanks in advance.
 

Nitin Gupta