API Overview
The Xero API is located at https://api.xero.com. This URL serves both the API itself and the website where you register applications and test the API.
All calls to the API use the following base URL – https://api.xero.com/api.xro/2.0/
The API is a RESTful service, making use of HTTP methods such as GET, PUT and POST. Data is sent and received through the API endpoints in an easy to understand XML format – making it quick and easy to integrate your application with Xero.
To enable easy authentication with other web applications, we use OAuth (v1.0a) for authentication and support the following scenarios:
Public applications – use the standard 3 legged OAuth process where a user can authorise your application to have access to their Xero organisation. Public applications can either be web based or desktop/mobile installed. Access tokens expire after 30 minutes by default.
Partner applications – are public applications that have been upgraded to support long term access tokens for use with many Xero organisations. Apply to become a Xero Network partner to have your application upgraded.
Private applications – use 2 legged OAuth and bypass the user authorization workflow in the standard OAuth process. Private applications are linked to a single Xero organisation (chosen from a list of organisations you have standard user rights to). With this approach access tokens don’t expire, so this works well for unattended applications that push or sync data with Xero periodically, e.g. creating invoices for billing each night.
We suggest you follow our getting started guide for developers to get up and running with our API.
There is a daily limit of 1000 API calls that a provider can make against a particular Xero organisation in a rolling 24 hour period. If you exceed this rate limit you will receive an HTTP 401 response with the message “oauth_problem=rate%20limit%20exceeded&oauth_problem_advice=please%20wait%20before%20retrying%20the%20xero%20api” in the HTTP response body.
In addition to the daily limit, each OAuth access token can be used up to 60 times in each 60 second period. If you exceed this rate, the API will return HTTP 401 (unauthorized) with the message “oauth_problem=rate limit exceeded” in the HTTP response body.
A single POST to the API has a size limit of 3.5MB.
Invoicing
Xero is designed for volumes of between 200 and 500 invoices per month, depending also on the frequency of invoicing during the month, the variability of amounts and the frequency of sales tax reporting requirements.
Bank Transactions – Spend & Receive Money
Xero is designed for volumes of up to around 1,000 bank transactions per month, also dependent on the frequency of transactions during the month and variability of transaction values.
Inventory Items
Inventory item lists of greater than 1,000 could cause performance issues for users invoicing via methods other than the API.
Contacts
Contact lists of greater than 5,000 could cause performance issues for users utilizing Xero via methods other than the API.
Xero will work with higher levels than this but the performance of some features and reports may become degraded.
Revoking Authorization
There are a number of ways that your application can have access revoked from a Xero organisation. If your application can no longer get access to the API please check the following conditions:
- The access token has expired. This is typically after 30 minutes for public applications.
- The user has explicitly revoked access to your application from the main Xero application (Settings > General Settings > Xero Network).
- The user that authorized your application has been removed from the organisation or has been downgraded to either Employee or Read Only roles.
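Because a throttled call and a revoked or expired token both come back as HTTP 401, a client has to read the oauth_problem body to decide between backing off and re-authorizing. The following is an added example (not Xero's own code) that mirrors the two rate limits and the 3.5MB POST limit documented above and classifies a 401 body; the class and function names are constructed for illustration, and only the rate-limit oauth_problem value is taken from this page.

```python
from collections import deque
from urllib.parse import parse_qs

PER_MINUTE = 60                          # calls per access token per 60 s
PER_DAY = 1000                           # calls per organisation per rolling 24 h
MAX_POST_BYTES = int(3.5 * 1024 * 1024)  # single-POST size limit

class XeroCallBudget:
    """Sliding-window counters that mirror both documented rate limits."""

    def __init__(self):
        self.minute = deque()   # call timestamps within the last 60 s
        self.day = deque()      # call timestamps within the last 24 h

    def wait_seconds(self, now):
        """0.0 if a call may go now, else seconds until the tighter window frees up."""
        while self.minute and now - self.minute[0] >= 60:
            self.minute.popleft()
        while self.day and now - self.day[0] >= 86400:
            self.day.popleft()
        wait = 0.0
        if len(self.minute) >= PER_MINUTE:
            wait = max(wait, 60 - (now - self.minute[0]))
        if len(self.day) >= PER_DAY:
            wait = max(wait, 86400 - (now - self.day[0]))
        return wait

    def record(self, now):
        self.minute.append(now)
        self.day.append(now)

def classify_401(body):
    """Tell a throttled call apart from a token that no longer works.

    Both arrive as HTTP 401; only the form-encoded body differs. Only the
    rate-limit body is documented, so any other oauth_problem value is treated
    as an authorization failure (see Revoking Authorization) and not retried.
    """
    problem = parse_qs(body).get("oauth_problem", [""])[0]
    if problem == "rate limit exceeded":
        return "rate_limited"   # back off until wait_seconds() allows a retry
    if problem:
        return "reauthorize"    # expired or revoked token: retrying will not help
    return "unknown"

def post_fits(payload):
    """Check a request body against the 3.5MB single-POST limit before sending."""
    return len(payload) <= MAX_POST_BYTES
```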