Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > Partner Program >

Invalid access_token.secret can still able to do some request and doesn't return any error.

Started by Kevin Kline Gargar -   in Partner Program

We just switch from Public to Partner program and when did the testing we tried to change the access_token.secret in the database to be invalid or random string, but it still process the request and it doesn't return any error.

Before in Public application it returns an error if I changed the secret key and do an api request. But in partner application it fail to validate.

Anyone have tried the same case ? I think this is bug. I'm using xeroizer API Library.
Hi Kevin,

Assuming that you've switched to a Partner app type, your requests are now signed with a private key and you've uploaded the corresponding public key in the developer portal.
Because it's now signed, we don't worry about the token secret.
The only apps that require the token secret are Public apps as both Private and Partner require the key signing.



Steven Brown (Xero Staff)  

Yes, our partner app type was already implemented and working.

Thank you Steven.

Kevin Kline Gargar