From XU Magazine, 
Online News

Upcoming Security Changes: We’re asking some app partners to change the way they integrate

October 25, 2022

This article originated from the Xero blog. The XU Hub is an independent news and media platform - for Xero users, by Xero users. Any content, imagery and associated links below are directly from Xero and not produced by the XU Hub.
You can find the original post here:

We’re asking some of our app partners that use the Xero API to make changes to the way their integrations interact with Xero, specifically around the creation of Private Apps within third party app platforms, such as Cdata. Here’s what users of these apps need to know ahead of the changes occurring in late 2022.

The Xero API has been around for over 10 years and is used by thousands of integrators. We’ve made a lot of changes and security updates to the API over the years. These security enhancements are about ensuring we meet global standards and expectations to keep our customers’ data safe. We announced a move from OAuth 1.0a to OAuth 2.0 in 2019, we uplifted our security requirements in 2020, and we launched our new Xero App Store, which included further security enhancements, in 2021.

Because of these changes, some of our app partners will need to change the way they structure their integrations to Xero to ensure they comply with our developer platform terms and conditions. For customers of these apps, this means that your app partner could ask you to re-authenticate with them, or change the way that you currently use the Xero API.

These app partners include (but are not limited to):

  • CData
  • Fooman Magento Connect
  • W2X
  • Interfy

Private Apps under OAuth 2.0

A key example of this is where an app partner has previously asked you to set up a ‘private app’ under OAuth 1.0a in order to integrate with a desktop based, locally hosted, piece of software.

The ‘private app’ model is no longer available under OAuth 2.0, but it has been replaced with two more robust options that provide a better user experience and better security in PKCE and Custom Connections. An app partner that was previously asking you to set up a ‘private app’ under OAuth 1.0a will now ask you to reconfigure your integration to use PKCE, or a Custom Connection.

In order to take advantage of the benefits of this improved connection method you may need to re-authenticate to the app partner. This could result in a short period of time where the integration may not be available until you do so.

Where can I get support?

It’s important that you follow the instructions from your app partner, as they will know the correct way for you to set up your improved integration. If you run into any challenges then contact your app partner’s support team to guide you through their setup process.

We’re very grateful that these app partners have committed to providing an improved integration experience to our mutual customers. Your integration will be easier to set up, and more secure as a result of this work. Thank you all in advance.

Why leave it there?

To find out more

Straight to your inbox

Subscribe to our newsletter for updates as they happen
We hate spam too. We NEVER sell our mailing list.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.