OAuth providers

Xero

Set up Xero OAuth for accounting, invoicing, and bank reconciliation

Overview

Connect your users to Xero for accounting, invoicing, and bank reconciliation.

Property	Value
Provider ID	`xero`
Category	Finance
PKCE	Supported (S256)
Token refresh	Automatic (rotating refresh tokens, requires `offline_access`)
Redirect URI	Shown in Developer Portal

Go to the Xero Developer Portal

Navigate to My Apps in the Xero Developer Portal and sign in.

Create a new app

Click New app, enter the app name, and choose Web app as the integration type.

Configure the application

Enter the company or application URL and add the Alter callback URL (from the Developer Portal) to the Redirect URI field.

Get credentials

Open the app’s Configuration page, copy the Client ID, and generate a Client Secret. The secret is only shown once.

Open the Developer Portal

Go to portal.alterauth.com and navigate to the application.

Add Xero provider

Go to OAuth Providers > Add Provider > Xero.

Enter credentials

Select scopes

Choose the scopes the application needs. Always include offline_access.

Save

Click Save. The provider is now active.

Scope	Description
`openid`	Authenticate via OpenID Connect
`profile`	The user’s first name and last name
`email`	The user’s email address
`offline_access`	Issue a refresh token (required — access tokens expire after 30 minutes)

Scope	Description
`accounting.contacts.read`	Read-only access to customers and suppliers
`accounting.contacts`	Read/write access to customers and suppliers
`accounting.invoices.read`	Read-only access to invoices, credit notes, quotes, purchase orders, and items
`accounting.invoices`	Read/write access to invoices, credit notes, quotes, purchase orders, and items
`accounting.payments.read`	Read-only access to payments, batch payments, overpayments, and prepayments
`accounting.payments`	Read/write access to payments, batch payments, overpayments, and prepayments
`accounting.banktransactions.read`	Read-only access to bank transactions and bank transfers
`accounting.banktransactions`	Read/write access to bank transactions and bank transfers
`accounting.manualjournals.read`	Read-only access to manual journals
`accounting.manualjournals`	Read/write access to manual journals
`accounting.settings.read`	Read-only access to organisation settings, the chart of accounts, and tax rates
`accounting.settings`	Read/write access to organisation settings, the chart of accounts, and tax rates
`accounting.attachments.read`	Read-only access to attachments
`accounting.attachments`	Read/write access to attachments
`accounting.journals.read`	Read-only access to the accounting journal
`accounting.budgets.read`	Read-only access to budgets
`accounting.reports.aged.read`	Read-only access to aged receivables and payables reports

Scope	Description
`files.read` / `files`	Read-only / read-write access to files and folders
`assets.read` / `assets`	Read-only / read-write access to fixed assets
`projects.read` / `projects`	Read-only / read-write access to projects and time entries

Always request offline_access — Xero access tokens expire after 30 minutes and the refresh token is the only way to keep the grant alive.
Xero rotates refresh tokens on every refresh. Alter Vault stores the latest token automatically.
Apps created on or after March 2, 2026 must use the granular accounting scopes shown above; the broad accounting.transactions and accounting.reports.read scopes are rejected for new apps and retire in September 2027.
Each user grants access to one or more Xero organisations at consent time; API calls carry a xero-tenant-id header identifying the organisation.
Uncertified apps are limited to 25 connected organisations.
See the Xero OAuth documentation for more details.