Rather have us handle this? We set this up for clients every day.
See the Service
Guides / Xero

Xero API Setup

Step-by-step instructions for creating a Xero app and configuring OAuth 2.0 access for integration.

Last verified: April 2026

What You’re Setting Up

Xero uses OAuth 2.0 for API access, which means you’ll create an “app” in Xero’s developer portal that gives us permission to read and write data in your Xero organization. Don’t worry — this isn’t a real application you need to build. It’s just Xero’s way of managing API access.

This takes about 15 minutes.

Prerequisites

  • You need an Advisor or Standard user role in Xero with access to the organization we’ll be integrating
  • A Xero login that can access the developer portal

Step-by-Step Setup

1. Go to the Xero Developer Portal

  1. Open your browser and go to developer.xero.com
  2. Log in with the same Xero credentials you use for your accounting

2. Create a New App

  1. Navigate to My Apps in the top navigation
  2. Click New app
  3. Fill in the details:
    • App name: Something like “AcuCoders Integration” — this is just a label for your reference
    • Integration type: Select Web app (this is important — we need server-side access, not a desktop or mobile app)
    • Company or application URL: Enter your company’s website URL
    • Redirect URI: We’ll provide this to you. It will look something like a URL on our domain. Do not guess this — ask us for the exact value before proceeding.
  4. Agree to the terms and click Create app

3. Copy Your Client ID and Client Secret

After creating the app, you’ll land on the app’s configuration page.

  1. Your Client ID is displayed on the page — copy it
  2. Click Generate a secret to create your Client Secret
  3. Copy the Client Secret immediately. Xero only shows it once. If you lose it, you’ll need to generate a new one.

Send both the Client ID and Client Secret to us through the secure link we provide. Never send these over email.

4. Authorize the Connection

Once we have your credentials, we’ll send you an authorization link.

  1. Click the link we send you
  2. Log into Xero if prompted
  3. Select the organization you want to connect (if you have multiple Xero orgs, make sure you pick the right one)
  4. Review the permissions and click Allow access

This grants our integration access to the selected organization. You can revoke this at any time from within Xero.

5. Scopes We Typically Need

When we configure the integration on our end, we request specific scopes depending on what the integration does. Common ones include:

  • accounting.transactions — invoices, bills, credit notes, payments
  • accounting.contacts — customers and suppliers
  • accounting.settings — chart of accounts, tax rates, currencies
  • accounting.journals.read — journal entries (read-only)
  • offline_access — allows us to refresh the connection without asking you to re-authorize

We’ll only request what the integration needs. You can see exactly what was authorized in your Xero developer portal under the app’s configuration.

Let's talk about your systems. Tell us what tools you're using and what's not working. We'll tell you what's possible.
Get in touch

Common Issues

Wrong Organization Connected

If you have multiple Xero organizations (common if you manage books for more than one entity), make sure you select the correct one during the authorization step. If you connect the wrong one, revoke access and we’ll send a new authorization link.

To check which organization is connected: go to Settings, then Connected Apps in your main Xero account (not the developer portal).

Missing Scopes

If we report that certain API calls are failing, it usually means the integration needs an additional scope that wasn’t included during authorization. We’ll send a new authorization link with the updated scopes — you just need to click it and approve again.

OAuth Token Refresh

Xero’s OAuth tokens expire after 30 minutes. Our integration handles this automatically by using a refresh token. If the refresh token itself expires (after 60 days of inactivity), you’ll need to re-authorize by clicking a new link. We monitor for this and will reach out proactively if it’s about to happen.

“Access Denied” Errors

Make sure the Xero user who authorized the app has sufficient permissions in the connected organization. If you’re a restricted user, some API operations may be blocked.

Next Steps

Need help with the full integration?

This guide covers the setup. If you want us to handle the integration end to end, we can do that.

See Integration Services