Our aim to facilitate machine-to-machine communciation between our backend services and Xero API for a large number of Xero organisations (1000+).
One model which has been proposed is:
- Build a custom Web App in developer portal
- Advise each client to go to the web app, Authorize the Web App for their Xero organisation and log in
- Retrieve the refresh_token and access_token (with offline_access)
- Securely persist the refresh_token in our backend secrets store
- When M2M API access is required, use the refresh_token to update the access_token and use access_token to talk to the Xero API
- If refresh token not utilized for say 55 days, then automatically refresh it to keep it alive.
We've heard about developers getting this solution to work but uncomfortable with committing to this approach without some reassurances. Questions:
- Is this method of M2M authentication (with initial user intervention) approved by Xero, or will it be disallowed in future?
- Given the need to support access to 1000+ organisations, would the Web App need to become certified?
- Similarly, would this trigger a security audit? (ie. https://developer.xero.com/partner/security-standard-for-xero-api-consumers )
- Would a security audit be limited to the solution we built or other non-Xero-API apps?
- Is there any limit to the number of times a refresh_token can be extended/refreshed or can we rely on this to be kept alive indefinitely (assuming our systems auto-refresh before 60 days)?
- What are the pros and cons of this approach vs. Custom Connections?
We have tried to communciate with the Xero support team but so far failed to get clear answers to these questions.
