Skip to content
 

Developer

See all pages
Try Xero Free

OAuth Issues

Some common OAuth issues and explanations as to how you can fix them.

Token Rejected (token_rejected)

There are a number of conditions where this can be seen:

Error: The access token has not been authorized:
oauth_problem=token_rejected&oauth_problem_advice=The access token has not been authorized, or has been revoked by the user
There are a number of scenarios where this can occur:

  1. A user has revoked access: a standard or financial user with access to the organisation in Xero can revoke authorisation from the network settings page in Xero.
  2. User permissions changed: if the user who has authorized the connection between the API application and the Xero organisation is removed from accessing the organisation in Xero, or their role changes so that they are no longer a standard or financial adviser user, then the access token will no longer be authorized.
  3. A second authentication has taken place: an access token is a unique pairing of the API application and the organisation in Xero. If, under a separate login/instance of your application, a user attempts to authenticate a connection to the same organisation in Xero, this will replace the previous access token, generating the above error condition.

Resolution: There is no technical solution to the above conditions – you should ensure your application can handle a situation where the authentication session has been lost gracefully, and prompt the user to re-authenticate. If this is happening because of one of the above scenarios on a regular basis, you might need to examine more closely the reasons why, and educate users accordingly.

Error: Does not match an expected access token:
oauth_problem=token_rejected&oauth_problem_advice=Token THISISANCCESSTOKEN does not match an expected REQUEST token
This error will occur in a partner API application when an attempt to renew the access token is made, but the Xero API is expecting the access token to be swapped out that is not the same as the one presented, so somehow your application may have lost track of what the most recently expired token is eg:

  1. Get new token access token 1
  2. Swap for access token 2, but somehow your application does not save access token 2
  3. Attempt to renew token with access token 1, but we now expect access token 2, so we throw the above error

Resolution: The key thing is to understand how your application may lose track of a given access token – potentially a race condition exists where an access token renewal is made in parallel, or the current token is not being saved to a persistent storage object.


Timestamp Refused (timestamp_refused)

This error can occur when the OAuth timestamp you present to the Xero API is either 5mins slower or 5mins faster than the actual time. This time is not timezone dependent – the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. It should therefore be correct unless the clock on your server is out of sync with the actual time by 5mins or more.

Error: Too old
oauth_problem=timestamp_refused&oauth_problem_advice=The timestamp is too old, it must be at most 300 seconds before the server’s

Error: Too new
oauth_problem=timestamp_refused&oauth_problem_advice=The timestamp is too far in the future, it must be at most 300 seconds after the server’s current date and time

Resolution: You should ensure that your server clock is up to date. If you are unsure if the timestamp generated by your server is correct, you can check it at UnixTimeStamp.com.


Signature Method Rejected (signature_method_rejected)

Error: No certificates have been registered for the consumer:
oauth_problem=signature_method_rejected&oauth_problem_advice=No certificates have been registered for the consumer
This can be encountered if the public private key pair X509 certificate used for Private and Partner applications has an expiry date that has passed.

Resolution: You will need to upload a new certificate. Read our guide on adding an application on the Xero Developer Centre site to learn more about creating a new X509 public key certificate. Once created, the public key will need to be uploaded to your application: go to My Applications in the Xero Developer Centre, and edit the application in question (you should see a message that the certificate no longer exists if the previous one has expired).


Signature Invalid (signature_invalid)

This can be quite generic reason for a number of signature generation errors. The best tip here is using an up to date version of one of our recommended code samples as they take care of signature generation.

Error: Failed to validate signature:
oauth_problem=signature_invalid&oauth_problem_advice=Failed to validate signature
Some possible causes:

  1. The public-private keypair used to sign requests does not match the public key uploaded to your application in the Xero Developer Centre

Resolution: No easy way to advise on the specific issues here. Again we recommend using a code sample if possible, but if you are still stuck having gone through the possible causes above, ask a question in our developer community.