Skip to main content

Configuration

To set up the Xero source, provide the following configuration parameters:
KeyDescriptionSample ValueRequired
client_idClient ID issued when you create your Xero app.abcdefg
client_secretClient secret generated when you create your Xero app.abcdefg
tenant_idTenant ID associated with your Xero organization.abcdefg
start_dateThe start date for syncing data. Format: YYYY-MM-DDTHH:MM:SSZ.2021-01-01T00:00:00Z
refresh_tokenOAuth refresh token (required if refresh_token_secret_name is not provided).abcdefg⚠️
refresh_token_secret_nameName of the Mage secret containing the refresh token (recommended for production).XERO_REFRESH_TOKEN⚠️
You must provide either refresh_token or refresh_token_secret_name. Using refresh_token_secret_name is recommended because Xero uses rotating refresh tokens (each token can only be used once), and this option automatically persists the new token after each refresh.

Option 1: Direct Refresh Token

client_id: YOUR_CLIENT_ID
client_secret: YOUR_CLIENT_SECRET
tenant_id: YOUR_TENANT_ID
start_date: "2021-01-01T00:00:00Z"
refresh_token: YOUR_REFRESH_TOKEN
Xero refresh tokens are single-use. Each time the token is refreshed, a new one is issued and the old one is invalidated. With this option, the new token is only stored in memory during the sync, so subsequent pipeline runs may fail if the token has been rotated.
client_id: YOUR_CLIENT_ID
client_secret: YOUR_CLIENT_SECRET
tenant_id: YOUR_TENANT_ID
start_date: "2021-01-01T00:00:00Z"
refresh_token_secret_name: XERO_REFRESH_TOKEN
First, create a secret in Mage. You can choose any name for your secret:
  1. Open a pipeline edit page
  2. Expand the right side panel
  3. Click the “Secrets” tab
  4. Click “Add new secret”
  5. Enter your chosen secret name (e.g., XERO_REFRESH_TOKEN) and your initial refresh token as the value
  6. Copy the secret name to your Xero config’s refresh_token_secret_name field
The tap will automatically update the secret with the new refresh token after each sync, ensuring reliable long-term operation.

Supported Streams

The Xero source supports the following streams:

Incremental Streams

These streams support incremental syncing based on the start_date configuration and bookmark state:
StreamPrimary KeyReplication Key
accountsAccountIDUpdatedDateUTC
bank_transactionsBankTransactionIDUpdatedDateUTC
bank_transfersBankTransferIDCreatedDateUTC
contactsContactIDUpdatedDateUTC
credit_notesCreditNoteIDUpdatedDateUTC
employeesEmployeeIDUpdatedDateUTC
expense_claimsExpenseClaimIDUpdatedDateUTC
invoicesInvoiceIDUpdatedDateUTC
itemsItemIDUpdatedDateUTC
journalsJournalIDJournalNumber
linked_transactionsLinkedTransactionIDUpdatedDateUTC
manual_journalsManualJournalIDUpdatedDateUTC
overpaymentsOverpaymentIDUpdatedDateUTC
paymentsPaymentIDUpdatedDateUTC
prepaymentsPrepaymentIDUpdatedDateUTC
purchase_ordersPurchaseOrderIDUpdatedDateUTC
quotesQuoteIDUpdatedDateUTC
receiptsReceiptIDUpdatedDateUTC
usersUserIDUpdatedDateUTC

Full Table Streams

These streams are fully synced on each run (no incremental support):
StreamPrimary Key
branding_themesBrandingThemeID
contact_groupsContactGroupID
currenciesCode
organisationsOrganisationID
repeating_invoicesRepeatingInvoiceID
tax_ratesTaxType
tracking_categoriesTrackingCategoryID

How to Generate Credentials

To use this source, you need to create a Xero OAuth app and complete the OAuth flow.

1. Create a Xero App

Go to the Xero Developer Portal and create a new app. Note down your Client ID and Client Secret.

2. Configure OAuth2 Scopes

When setting up your Xero app, grant the following OAuth2 scopes:
ScopeRequired For
accounting.settings.readOrganisation settings, currencies, etc.
accounting.transactions.readInvoices, bank transactions, payments
accounting.contacts.readContacts
accounting.reports.readReports
accounting.journals.readJournals
accounting.attachments.readAttachments
offline_accessLong-lived access via refresh tokens
  • The minimum scope required for discovery is accounting.settings.read.
  • You only need scopes for the streams you plan to sync.
  • Missing scopes for a selected stream will result in 401 or 403 errors.
Example Scope String:
accounting.settings.read accounting.transactions.read accounting.contacts.read accounting.reports.read accounting.journals.read accounting.attachments.read offline_access

3. Complete the OAuth2 Authorization Flow

Follow Xero’s OAuth2 Auth Flow Guide to obtain your initial access_token and refresh_token.
Make sure to request the offline_access scope to receive a refresh token.

4. Get Your Tenant ID

The tenant_id uniquely identifies your Xero organization. After completing OAuth authentication:
  1. Call the connections endpoint:
curl -X GET "https://api.xero.com/connections" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json"
  1. Extract the tenantId from the response:
[
  {
    "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "tenantType": "ORGANISATION",
    "tenantName": "Your Company Name"
  }
]
If your app is connected to multiple Xero organizations, the response will contain multiple entries. Choose the tenantId for the organization you want to sync data from.
KeyDescriptionSample ValueRequired
access_tokenOAuth access token used to authenticate API requests.abcdefg
id_tokenToken containing user identity details (if OpenID Connect scopes are requested).abcdefg
start_dateThe start date for syncing data. Format: YYYY-MM-DDTHH:MM:SSZ.2021-01-01T00:00:00Z
client_idClient ID issued when you create your Xero app.abcdefg
client_secretClient secret generated when you create your Xero app.abcdefg
tenant_idTenant ID associated with your Xero organization.abcdefg
refresh_tokenRefresh token used to renew the access token after expiration (requires offline_access scope).abcdefg

Required Xero OAuth2 Scopes

To use this source, you must grant your Xero app the following OAuth2 scopes.

Minimum Scope for Discovery

  • accounting.settings.read Required for the /Currencies endpoint, which is called during discovery to verify:
    • Your access_token is valid
    • Your tenant_id is authorised
    • The app has the correct scopes
If this scope is missing, discovery will fail before any sync begins.

Scopes for Syncing All Streams

To sync all available streams, grant the following scopes:
ScopeRequired For
accounting.settings.readOrganisation settings, currencies, etc.
accounting.transactions.readInvoices, bank transactions, payments
accounting.contacts.readContacts
accounting.reports.readReports
accounting.journals.readJournals
accounting.attachments.readAttachments
offline_accessLong-lived access via refresh tokens
Note:
  • You only need scopes for the streams you plan to sync.
  • Missing scopes for a selected stream will result in 401 or 403 errors.

Example Scope String

accounting.settings.read
accounting.transactions.read
accounting.contacts.read
accounting.reports.read
accounting.journals.read
accounting.attachments.read
offline_access

How to Generate Credentials

Follow Xero’s OAuth 2.0 Authentication Flow guide to generate the required credentials:
  1. Register a new Xero app to get your client_id and client_secret.
  2. Set up the OAuth scopes your app requires.
  3. Complete the OAuth 2.0 authorization flow to obtain your access_token, refresh_token, id_token, and tenant_id.
  4. Store these securely in your configuration.

Additional Notes

  • The start_date determines how far back data will be synced.
  • Ensure that the offline_access scope is enabled to receive a refresh_token.
  • Tokens expire after a set period; use the refresh_token to obtain new access_token and id_token values automatically.
  • During setup, the connector calls the /Currencies endpoint to validate platform access before syncing.