Creating a Custom OAuth App
The following sections show how to create a custom OAuth app for use in the Custom Credentials authentication flow.
Register an OAuth Application: Desktop
Follow the steps below to register an Auth Code application and obtain the OAuth client credentials:
- Log in to the Xero developer portal.
- Click My Apps -> Add Application. Choose the Auth Code application type.
- Enter a name for your application and the URL of your company. This information is displayed to users when they connect.
- Register the Redirect URI appropriate for the product you are using.
After you click Save, you are shown your OAuth Client ID and can create a new OAuth Client Secret. Use these values for OAuthClientId and OAuthClientSecret as described in the Custom Credentials authentication guide. Treat the client secret like a password: store it outside source control and rotate it if it is ever exposed.
Register a PKCE Application: Desktop
In addition to the default auth code application type, you can also create applications using PKCE (Proof Key for Code Exchange). This is recommended for developers writing client-side applications, because a secret embedded in a desktop or mobile binary can be extracted by anyone who has the binary; with PKCE no client secret is required, and the code exchange is instead bound to a per-request code verifier.
Registering a PKCE application is similar to the process for registering an OAuth application. The only difference is that Xero does not return an OAuthClientSecret, because it is not used in the PKCE flow.
Register a Custom Connection Application
Xero also supports server-to-server OAuth integrations using Custom Connections. Licenses for these connections must be purchased from Xero before they can be used on production organizations. They can also be linked to demo organizations for free.
Follow the steps below to register a custom connection application in Xero:
- Log in to the Xero developer portal.
- Click My Apps -> Add Application. Choose the Custom Connection application type.
- Select the scopes to grant the application. The simplest option is to select all available scopes, which avoids permission errors when the driver connects. If you prefer to grant only the scopes the integration actually needs, select them individually, but the Scope connection property must then be updated to match exactly, or the connection will fail with a scope error.
- You can optionally choose a user to authorize the connection. The application can only be linked to an organization that this user has access to.
- Click Save and Connect. Xero then sends an email to the user you selected with instructions on how to link the application to an organization.
Once the user has linked the application, go back to the developer portal and open the app settings. Under the Configuration tab there is a Client Id, which is the value for the OAuthClientId property. Click Generate a Secret and copy the generated value; this is the value for the OAuthClientSecret property.
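A Custom Connection is a server-to-server integration, so the driver obtains tokens with the OAuth 2.0 client_credentials grant using the Client Id and generated secret from the steps above. The following is an added example written for this page (it is not CData or Xero code) showing that exchange end to end: the Basic-auth token request, and a response parser that checks the granted scopes against the ones the Scope property expects. The token endpoint URL, the client id and secret, and the sample JSON response are all placeholders constructed for the example.

```python
"""Client-credentials token request for a Xero Custom Connection.

Added example for this page, not CData or Xero code. Assumptions: the token
endpoint URL, the client id/secret and the sample response are constructed
placeholders; replace them with your own values before use.
"""
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode

TOKEN_URL = "https://identity.xero.com/connect/token"  # assumed endpoint

# Constructed sample response, shaped like a standard OAuth 2.0 token reply.
SAMPLE_RESPONSE = (
    b'{"access_token":"eyJhbGciOiJSUzI1NiJ9.example","token_type":"Bearer",'
    b'"expires_in":1800,"scope":"accounting.transactions accounting.contacts"}'
)


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str, scope: str) -> urllib.request.Request:
    """POST grant_type=client_credentials with the client authenticated via Basic auth."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope}).encode("ascii")
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(raw: bytes, required_scope: str, now: float) -> dict:
    """Validate the token reply and compute an expiry with a 60 s safety margin.

    Raises if the reply is an error, or if any scope the driver will need
    (the Scope property) was not actually granted, which mirrors the portal
    requirement that the selected scopes and the Scope property must match.
    """
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError("token error: %s" % data.get("error", "no access_token"))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    granted = set(data.get("scope", "").split())
    missing = set(required_scope.split()) - granted
    if missing:
        raise ValueError("scopes not granted: " + " ".join(sorted(missing)))
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]) - 60,
        "scope": " ".join(sorted(granted)),
    }


def fetch_token(client_id: str, client_secret: str, scope: str) -> dict:
    """Perform the live exchange (network access required)."""
    req = build_token_request(client_id, client_secret, scope)
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises on HTTP 4xx/5xx
        return parse_token_response(resp.read(), scope, time.time())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; fetch_token() does the real call.
    tok = parse_token_response(SAMPLE_RESPONSE, "accounting.transactions", 1000.0)
    print(tok["scope"], "expires_at", tok["expires_at"])
```

The 60-second margin on expires_at makes the caller refresh slightly early rather than present a token that expires in flight; the scope check fails fast at token time instead of at the first API call.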
Register an OAuth Application: Web
Follow the steps below to register an Auth Code application and obtain the OAuthClientId and OAuthClientSecret.
- Log in to the Xero developer portal.
- Click My Apps -> Add Application. Choose the Auth Code application type.
- Enter a name for your application and the URL of your company. This information is displayed to users when they connect.
- Set the Redirect URI to the full redirect or callback URL of your site. After the user grants your app access, Xero redirects the browser to this URL with an authorization code, which your application then exchanges for tokens. Register the exact URL (scheme, host, path) that your application uses; a mismatch causes the authorization request to be rejected.
After you click Save, you are shown your OAuth Client ID and can create a new OAuth Client Secret. Use these values for OAuthClientId and OAuthClientSecret as described in the Custom Credentials authentication guide.
Register an OAuth Application: Headless Machines
Follow the steps below to register an Auth Code application and obtain the OAuthClientId and OAuthClientSecret.
- Log in to the Xero developer portal.
- Click My Apps -> Add Application. Choose the Auth Code application type.
- Enter a name for your application and the URL of your company. This information is displayed to users when they connect.
- Register the Redirect URI appropriate for the product you are using.
After you click Save, you are shown your OAuth Client ID and can create a new OAuth Client Secret.
Register a PKCE Application: Headless Machines
In addition to the default auth code application type, you can also create applications using PKCE (Proof Key for Code Exchange). This is recommended for developers writing client-side applications, because a secret embedded in a distributed binary can be extracted; with PKCE no client secret is required, and the code exchange is instead bound to a per-request code verifier.
Registering a PKCE application is similar to the process for registering an OAuth application. The only difference is that Xero does not return an OAuthClientSecret, because it is not used in the PKCE flow.
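Both PKCE sections above (Desktop and Headless Machines) describe registering an app that has no client secret. The following added example, written for this page and not taken from CData or Xero, shows what the application itself must do in its place: generate a code verifier and S256 challenge per RFC 7636, send the challenge on the authorization request, validate the state on the callback, and send the verifier instead of a secret on the token exchange. The Xero authorize and token endpoint URLs, the client id, redirect URI, scope and the sample callback URL are assumptions constructed for the example.

```python
"""PKCE authorization-code flow for an app registered without a client secret.

Added example for this page, not CData or Xero code. Assumed: the endpoint
URLs, client id, redirect URI and scope strings, and the sample callback URL.
"""
import base64
import hashlib
import secrets
import string
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.xero.com/identity/connect/authorize"  # assumed
TOKEN_URL = "https://identity.xero.com/connect/token"  # assumed
UNRESERVED = string.ascii_letters + string.digits + "-._~"  # RFC 7636 section 4.1


def make_code_verifier(length: int = 64) -> str:
    """Random code_verifier: 43..128 characters from the unreserved set."""
    if not 43 <= length <= 128:
        raise ValueError("verifier length must be between 43 and 128")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 code_challenge: BASE64URL(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, verifier: str) -> str:
    """Authorization request carrying the challenge; the verifier stays local."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting a state mismatch."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def build_token_request_body(client_id: str, redirect_uri: str,
                             code: str, verifier: str) -> dict:
    """Token exchange body: no client secret, the code_verifier proves possession."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("my-client-id", "http://localhost:33333",
                                  "openid offline_access accounting.transactions",
                                  state, verifier))
    # After the user signs in, the browser is redirected to the redirect URI;
    # pass that full URL to parse_callback() and POST the body to TOKEN_URL.
```

The verifier and state must be kept per login attempt (in memory for a desktop app, in the session for a web app) and never reused; the server only learns the challenge, so an attacker who intercepts the authorization code cannot redeem it without the verifier.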