Skip to content

Xero API Key

Service Name: Xero

Service Description: Xero is a cloud-based accounting software platform for small and medium-sized businesses that allows users to manage invoicing, bank reconciliation, inventory, purchasing, expenses, bookkeeping, and financial reporting.

Service Address: https://www.xero.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level in Xero's OAuth 2.0 settings.

Secret Access Scope: Grants programmatic access to Xero accounting data, including invoices, contacts, bank transactions, and financial reports based on the scopes defined during OAuth setup.

Secret Revokement URL: https://developer.xero.com/app/manage

Secret Example: xero_api_key_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p

Suspicious Activity Investigation Instructions:

  • Review API access logs in the Xero developer portal for unusual activity.
  • Check for unexpected API calls or data access patterns.
  • Monitor for unauthorized connections from unfamiliar IP addresses.
  • Verify if there are any unexpected changes to financial data or contacts.
  • Review the OAuth scopes that have been granted to the application.

Mitigation Instructions:

  • Log in to your Xero developer account at https://developer.xero.com/app/manage.

  • Locate the affected application in your list of connected apps.

  • Click on the application name to access its settings.
  • Navigate to the "API Keys" or "Authentication" section.
  • Click "Revoke" or "Delete" next to the compromised API key.
  • Generate a new API key if needed.
  • Update your application with the new API key.
  • Consider implementing more restrictive OAuth scopes to limit access.
  • Enable IP whitelisting for API access if available.