
We are looking to build an integration for a few of our Xero customers. This integration would be seamless for the end user, i.e. they won't have to log into Xero; they will use our system for certain use cases, and we will make the relevant API calls. With Xero's OAuth 1.0a this is feasible with a Private app, as authentication works with a public-private key pair.

With OAuth 2.0 in Xero it seems only the Authorization code grant flow is supported; documentation: https://developer.xero.com/documentation/oauth2/auth-flow

This would require the user to sign into their Xero account each time they use our application. An alternative could be that the user sign-in happens one-off when configuring the integration, and we would subsequently use the refresh token to fetch a new token (before the token expires, which is 12 minutes) and keep using it seamlessly.

Can the Xero guys please confirm if the above approach would work?

Cheers, JK

Jineshk

1 Answer


The user doesn't need to sign into Xero each time they use your application. As long as you ask for the offline_access scope when you send the user through the initial authorization, you'll get a refresh token. Then the user will have the seamless experience you describe.

Adam Moore
  • Hi Adam, can you please confirm if the refresh_token will also expire in 12 minutes? I.e. are we able to persist the latest refresh_token and use it to get another access_token after the previous one has expired? Thanks – Harris K Aug 21 '19 at 03:28
  • Only the access token expires after 12 minutes. The refresh token only expires after you use it and get a new one. – Adam Moore Aug 22 '19 at 00:32
  • @AdamMoore do you have any sample code for what you explained in your answer? – Itz Zaib Jan 22 '20 at 08:19
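The refresh-token loop the answer describes, as an added Python example that is not code from the thread or from Xero. It assumes Xero's standard OAuth 2.0 token endpoint (`https://identity.xero.com/connect/token`, not stated on this page) and the RFC 6749 refresh_token grant with client credentials sent as HTTP Basic auth. The transport is injectable, so the block runs offline against a constructed fake identity server that, like the comment above says, kills the old refresh token as soon as a new one is issued. The security point it demonstrates: because each refresh token is single-use, the new one must be written to durable storage before it is adopted, or a crash between the two steps locks the customer out and forces a fresh browser sign-in. The token lifetime is set to the 12 minutes quoted in the thread; the class names and `run_demo` are illustrative.

```python
"""Refresh-token rotation against Xero's OAuth 2.0 token endpoint (offline demo)."""
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_URL = "https://identity.xero.com/connect/token"   # assumption: Xero's token endpoint


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float   # epoch seconds at which the access token expires

    def is_stale(self, now: float, skew: float = 60.0) -> bool:
        """True when the access token is expired or within `skew` seconds of expiring."""
        return now + skew >= self.expires_at


def http_post_json(url: str, body: bytes, headers: Dict[str, str]) -> dict:
    """Real transport: POST a form body and decode the JSON reply (unused offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class XeroTokenManager:
    """Hands out a valid access token, refreshing transparently; hypothetical helper."""

    def __init__(self, client_id: str, client_secret: str, tokens: TokenSet,
                 persist: Callable[[TokenSet], None],
                 post: Callable[[str, bytes, Dict[str, str]], dict] = http_post_json,
                 clock: Callable[[], float] = time.time) -> None:
        self._client_id, self._client_secret = client_id, client_secret
        self._tokens, self._persist, self._post, self._clock = tokens, persist, post, clock
        self.refresh_count = 0

    def get_access_token(self) -> str:
        if self._tokens.is_stale(self._clock()):
            self._refresh()
        return self._tokens.access_token

    def _refresh(self) -> None:
        # RFC 6749 section 6 refresh_token grant; client id/secret go in HTTP Basic auth.
        creds = base64.b64encode(f"{self._client_id}:{self._client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {creds}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                       "refresh_token": self._tokens.refresh_token}).encode()
        reply = self._post(TOKEN_URL, body, headers)
        new = TokenSet(reply["access_token"], reply["refresh_token"],
                       self._clock() + float(reply["expires_in"]))
        # Persist BEFORE adopting: the refresh token just spent is dead, so losing
        # new.refresh_token here would force the customer back through the browser flow.
        self._persist(new)
        self._tokens = new
        self.refresh_count += 1


class FakeXeroIdentity:
    """Constructed stand-in for the token endpoint; rotates the refresh token on every use."""

    def __init__(self, client_id: str, client_secret: str, first_refresh_token: str,
                 access_ttl: int = 720) -> None:   # 720 s = the 12 minutes quoted in the thread
        self._creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._live_refresh = {first_refresh_token}
        self._access_ttl = access_ttl

    def post(self, url: str, body: bytes, headers: Dict[str, str]) -> dict:
        assert url == TOKEN_URL
        if headers.get("Authorization") != f"Basic {self._creds}":
            raise PermissionError("invalid_client")
        form = dict(urllib.parse.parse_qsl(body.decode()))
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self._live_refresh:
            raise PermissionError("invalid_grant")   # unknown, or already-rotated, refresh token
        self._live_refresh.discard(form["refresh_token"])   # single use
        new_refresh = secrets.token_urlsafe(32)
        self._live_refresh.add(new_refresh)
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": new_refresh,
                "token_type": "Bearer", "expires_in": self._access_ttl}


def run_demo() -> dict:
    """Drive the manager across an expiry with a controllable clock; return what was observed."""
    now = [1_700_000_000.0]
    saved = []                                   # stands in for the durable token store
    identity = FakeXeroIdentity("client-id", "client-secret", "rt-initial")
    initial = TokenSet("at-initial", "rt-initial", now[0] + 720)   # constructed token set
    mgr = XeroTokenManager("client-id", "client-secret", initial, saved.append,
                           post=identity.post, clock=lambda: now[0])
    first = mgr.get_access_token()               # fresh: no refresh happens
    now[0] += 700                                # 20 s before expiry, inside the 60 s skew
    second = mgr.get_access_token()              # one refresh, new refresh token persisted
    third = mgr.get_access_token()               # still fresh: same token as `second`
    try:                                         # replaying the spent refresh token is rejected
        identity.post(TOKEN_URL, urllib.parse.urlencode(
            {"grant_type": "refresh_token", "refresh_token": "rt-initial"}).encode(),
            {"Authorization": "Basic " + base64.b64encode(b"client-id:client-secret").decode()})
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"first": first, "second": second, "third": third, "refreshes": mgr.refresh_count,
            "persisted": len(saved), "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In production, replace `saved.append` with a write to the customer's token record and keep refreshes serialised per customer (a lock or single worker): two workers refreshing the same token concurrently means one of them spends a refresh token that no longer exists and fails with `invalid_grant`.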