A Postman collection for authenticating to the Xero API.
Follow these steps to quickly get up and running with the Xero API and Postman:
Click the button below and select the Desktop version of Postman (Chrome extension doesn't support environment variables). This will also install the Collection and Environment we'll be using.
Alternatively, you can download the Xero OAuth2.0.postman_collection and OAuth 2.0.postman_environment JSON files above and import them via the Import button in the top left of the Postman Workplace sceen.
2. Create an OAuth2 app at https://developer.xero.com/myapps
Go to the Xero developer portal and create an OAuth2 app.
If you haven't already signed up for a xero account you can do so here.
Use the following values:
- App Name - your choice, but can't contain the word 'Xero'
- Company or application URL - this needs to be an https address, but isn't used.
- OAuth 2.0 redirect URI - also needs to be https but won’t be used in Postman
Click Create App
Then:
- Click Configuration from the left hand side of the screen
- Click Generate a secret
- Keep the page open
Copy the Client id, Client secret and OAuth 2.0 redirect URI from the My Apps screen into the environment variables in Postman. To add these details to the Environment, make sure you have the OAuth 2.0 Environment selected, click the eye button, then edit.
Our Developer Center lists the available scopes here. For getting started you will need at least:
offline_access accounting.transactions
In addition, to make further test calls we would also suggest adding:
openid profile email accounting.contacts accounting.settings
Add the scopes required to the scopes environment variable.
- Double-click on the GET Get Started request under the Xero OAuth 2.0 Collection
- Select the Authorization tab
- Scroll down to the Configure New Token section
- Add the Variable names surrounded by {{}} from your Environment into the fields, as shown in the screenshot below
- Add https://login.xero.com/identity/connect/authorize to the Auth URL field
- Add https://identity.xero.com/connect/token to the Access Token Field
- Click Get New Access Token
At this stage you will be prompted to log in to Xero.
You'll then be taken through to the Organisation Select window. If you've included the openid profile email scopes, you'll be asked to access your basic profile information as well as other data relevant to the scopes requested.
Select the Organisation you want to connect to. If you want to connect to more than one Organisation, you can repeat the steps above and select another Organisation.
Once complete you'll be passed back to Postman.
We now have the last remaining tokens needed to access the Xero API. These need to be set to the Environment Variables, to do this:
- Highlight the Access Token
- Right-click on it
- Select Set: OAuth 2.0 > access_token
Scroll down the Manage Access Tokens pop up and follow a similar process for the Refresh Token:
- Highlight the Refresh Token
- Right-click on it
- Select Set: OAuth 2.0 > refresh_token
- Double-click on the GET Connections request
- Click Send (If this results in an error you may need to run the Token Refresh call first)
- Like we did for the Access and Refresh Tokens, highlight the tenantId from the response, right click and select Set > OAuth 2.0 > xero-tenant-id
Congrats! You're now authenticated and can start making API calls. Your access token will last for 30mins, after which time you'll need to refresh the token.
- Double-click to load the GET Invoices request
- Ensure No Auth is set on the Authorization tab
- Click Send
- Double-click to load the POST Refresh token request
- Ensure No Auth is set on the Authorization tab
- Click Send
- We use the built in OAuth 2.0 support to get the token, however we then set this as an environment variable. So we don't need to use this support when making the normal API calls.