2

I am trying to come up with something which will be scheduled to run daily and would import newly created invoices from a database into Xero. To have this run daily, I want to avoid logging in manually, i.e. entering a username and password for logging into Xero. Is this possible?

2 Answers

3

So if you are reading and writing data to a Xero org on a customer's behalf, they will need to authenticate that connection a single time. From there you can use OAuth 2.0 access_tokens & refresh_tokens to programmatically run scripts that connect to their org via Xero API. We are looking at ways to make this easier while maintaining security standards for use cases like this. But for now you will need to prompt a user login and save the credentials in your database/store.

SerKnight
  • It is good to hear that you are considering changes in that regard. My client updates from their Point of Sale system via a Windows service, and they really don't want to have everyone knowing Xero logins and passwords, which will be necessary (as I understand it) using the current OAuth2 method, in that they need the connection to continue working even if the accounting staff (who do have passwords) aren't in the office. – droopsnoot Jan 27 '20 at 13:15
  • Yeah - the access_token refresh_token model will only require the Accountant to 'authenticate' the integration a single time. Once authenticated you can continually programmatically refresh your tokens. REF: "Refreshing access tokens", https://developer.xero.com/documentation/oauth2/auth-flow – SerKnight Jan 27 '20 at 18:37
  • But the problem I think is - if the customer's PC loses the connection for whatever reason (say a reboot) someone has to re-authenticate if the token gets too old, which means someone needs to know the credentials. Unless we can have a Xero user that is limited to API access and could not go into the Xero UI and actually do anything - that would work. Anyone could authorise the API update task, but couldn't raise invoices, payments or see confidential information. – droopsnoot Jan 28 '20 at 12:30
  • @droopsnoot while access_tokens have 30 minutes of validity, they can be refreshed by the access_token, which has a 30 day life. So to not lose that connection you will need to batch update your access tokens at least once per month, as well as store the new refresh_token. – SerKnight Jan 29 '20 at 16:34
  • Oh, that sounds like it will do the trick. Once every 30 days sounds fine. Now, if I can just find out how to get the API to load into VS without throwing dependency errors, I'll have a go with it. – droopsnoot Jan 30 '20 at 12:03
  • Email api@xero.com if you get too stuck! Recommend using one of the Xero Supported SDKs https://developer.xero.com/documentation/libraries/overview – SerKnight Jan 30 '20 at 16:20
  • I'll try that. I opened a support case a week ago and haven't had a response, and posted on the forum as well with similar response. I'm surprised the required versions aren't documented, and I'm surprised that NuGet can't be made to tell me what it needs. – droopsnoot Jan 30 '20 at 19:18
  • We have had big SDK changes since move to OAuth2. Doing best to document better *___* - So you using c# ( these might help https://github.com/XeroAPI/xero-netstandard-oauth2-samples ) – SerKnight Jan 30 '20 at 19:52
  • No, I'm using VB. I really don't want to have to learn c# to do this, so I'm hoping it will be a reasonably easy process to translate the various parts as required, but if it's not, then I'll have no option. Had a response to the support case, it needs 4.6.1 or later. Except I've tried 4.8 and it still won't load, so maybe VS2013 is the issue. – droopsnoot Jan 31 '20 at 12:37
1

A daily update can be performed without user interaction, but does need the user to authorise your application the first time.

After that, your application can use the 'refresh token' to automatically generate a new access token each day.

2 important things to remember:

  1. you need to specify 'offline_access' in the SCOPE to give you the refresh tokens in the response.

  2. save the refresh token to a db or file, and then use this each day to obtain a new set of tokens (without user interaction). When new tokens are obtained, use the access token to perform your updates, and save the refresh token for tomorrow.

denniseagles
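The refresh-and-save cycle described in the answer above, as an added example that is not part of the original posts or of Xero's SDKs. It assumes Xero's documented token endpoint and `refresh_token` grant with HTTP Basic client authentication; the token file path, the `upload` callback and the injectable `post` transport are hypothetical names chosen for illustration.

```python
import base64, json, os, tempfile, urllib.parse, urllib.request

TOKEN_URL = "https://identity.xero.com/connect/token"  # Xero OAuth 2.0 token endpoint

def http_post(url, headers, body):
    """Default transport: POST the form body and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def save_refresh_token(path, token):
    """Write atomically so a crash mid-write cannot destroy the only valid token."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:  # mkstemp creates the file owner-only (0600)
            f.write(token)
        os.replace(tmp, path)          # atomic rename over the old token
    except BaseException:
        os.unlink(tmp)
        raise

def refresh_tokens(path, client_id, client_secret, post=http_post):
    """Trade the stored refresh token for a new pair; persist the new one first."""
    with open(path) as f:
        old = f.read().strip()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": old}).encode()
    reply = post(TOKEN_URL, headers, body)
    if "refresh_token" not in reply or "access_token" not in reply:
        # The reply carried no tokens (an error response): keep the old file as is.
        raise RuntimeError("refresh failed; the user must authorise the app again")
    save_refresh_token(path, reply["refresh_token"])  # save before doing any work
    return reply["access_token"]

def daily_job(path, client_id, client_secret, upload, post=http_post):
    """Scheduled entry point: refresh, then hand the access token to the uploader."""
    access = refresh_tokens(path, client_id, client_secret, post)
    return upload(access)  # upload: hypothetical function that sends the invoices
```

The token file and the client secret are standing credentials for the Xero org, so keep both readable only by the account that runs the scheduled task.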