From XU Magazine, 
Online News

Upcoming Security Changes: We’re asking some app partners to change the way they integrate

October 25, 2022

This article originated from the Xero blog. The XU Hub is an independent news and media platform - for Xero users, by Xero users. Any content, imagery and associated links below are directly from Xero and not produced by the XU Hub.
You can find the original post here:
https://devblog.xero.com/upcoming-security-changes-were-asking-some-app-partners-to-change-the-way-they-integrate-8c6f3a24f251

We’re asking some of our app partners that use the Xero API to make changes to the way their integrations interact with Xero, specifically around the creation of Private Apps within third-party app platforms, such as CData. Here’s what users of these apps need to know ahead of the changes, which are occurring in late 2022.

The Xero API has been around for over 10 years and is used by thousands of integrators. We’ve made a lot of changes and security updates to the API over the years. These security enhancements are about ensuring we meet global standards and expectations to keep our customers’ data safe. We announced a move from OAuth 1.0a to OAuth 2.0 in 2019, we uplifted our security requirements in 2020, and we launched our new Xero App Store, which included further security enhancements, in 2021.

Because of these changes, some of our app partners will need to change the way they structure their integrations to Xero to ensure they comply with our developer platform terms and conditions. For customers of these apps, this means that your app partner could ask you to re-authenticate with them, or change the way that you currently use the Xero API.

These app partners include (but are not limited to):

  • CData
  • Fooman Magento Connect
  • W2X
  • Interfy

Private Apps under OAuth 2.0

A key example of this is where an app partner has previously asked you to set up a ‘private app’ under OAuth 1.0a in order to integrate with a desktop-based, locally hosted piece of software.

The ‘private app’ model is no longer available under OAuth 2.0. It has been replaced with two more robust options, PKCE and Custom Connections, which provide a better user experience and better security. PKCE (Proof Key for Code Exchange) is the standard OAuth 2.0 mechanism for clients such as locally installed desktop software that cannot keep a client secret, so a captured authorization code cannot be redeemed by anyone who does not also hold the one-time verifier the client generated. An app partner that was previously asking you to set up a ‘private app’ under OAuth 1.0a will now ask you to reconfigure your integration to use PKCE or a Custom Connection.

In order to take advantage of the benefits of this improved connection method you may need to re-authenticate to the app partner. This could result in a short period of time where the integration may not be available until you do so.
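The following is an added example, not code from the original post or from Xero, showing the PKCE pieces a desktop client has to get right when it moves off the old ‘private app’ model: generating a one-time code verifier, deriving the S256 code challenge that goes into the authorization request, and the check the authorization server performs at the token endpoint. The authorization endpoint, client ID, redirect URI and scope are constructed placeholders; the real values come from the app partner. The known-answer pair in the test is the RFC 7636 Appendix B vector.

```python
"""PKCE (RFC 7636) helpers for a public client, e.g. locally installed software.

Added illustration for this article; not Xero's SDK. All endpoint and client
identifiers below are constructed placeholders.
"""
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Assumption: placeholder authorization endpoint for illustration only.
AUTHORIZE_URL = "https://auth.example.test/connect/authorize"

# RFC 7636 section 4.1: 43..128 characters drawn from [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Generate a fresh, high-entropy verifier. 32 random bytes -> 43 chars."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("use 32..96 random bytes to stay within 43..128 characters")
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier)))."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier violates RFC 7636 length or character set")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, code_challenge: str) -> str:
    """Authorization request the client opens in the user's browser.

    Note there is no client_secret anywhere in this request; the secret-free
    client proves possession of the verifier later, at the token endpoint.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does when the code is redeemed.

    It recomputes the challenge from the verifier sent with the token request
    and compares it (in constant time) with the one bound to the issued code.
    A stolen authorization code without the verifier fails this check.
    """
    try:
        recomputed = make_code_challenge(presented_verifier)
    except ValueError:
        return False
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Constructed placeholder client details; not real identifiers.
    url = build_authorize_url("client-id-placeholder",
                              "http://localhost:5000/callback",
                              "openid accounting.transactions",
                              secrets.token_urlsafe(16), challenge)
    print("open in browser:", url)
    print("server check with right verifier:", server_accepts_verifier(challenge, verifier))
    print("server check with wrong verifier:", server_accepts_verifier(challenge, make_code_verifier()))
```

The verifier lives only in the desktop client's memory for the duration of one login, which is the property that lets a locally installed application authenticate without shipping a long-lived secret the way the old ‘private app’ did.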

Where can I get support?

It’s important that you follow the instructions from your app partner, as they will know the correct way for you to set up your improved integration. If you run into any challenges then contact your app partner’s support team to guide you through their setup process.

We’re very grateful that these app partners have committed to providing an improved integration experience to our mutual customers. Your integration will be easier to set up, and more secure as a result of this work. Thank you all in advance.
