Skip to content

Xero Tenant ID Token

Service Name: Xero

Service Description: Xero is a cloud-based accounting software platform for small and medium-sized businesses that offers a range of financial management tools including invoicing, expense tracking, payroll, and financial reporting.

Service Address: https://www.xero.com/

Validation Type: API Auth

IP Allow list: Does not exist at the token level, but IP restrictions can be configured at the organization level through Xero's security settings.

Secret Access Scope: Grants access to specific organization (tenant) data within Xero's API. The tenant ID identifies which specific organization's data the API token can access.

Secret Revokement URL: https://developer.xero.com/app/manage

Secret Example: 6d79757a-e95c-4a3f-8c7b-2f11a4bd2c98

Suspicious Activity Investigation Instructions:

  • Review Xero activity logs for unauthorized access or unusual operations
  • Check for unexpected API calls or data exports in the Xero audit history
  • Verify if there are any new user accounts or changed permissions
  • Monitor for unusual transaction patterns or financial data modifications
  • Review connected app authorizations in the Xero dashboard

Mitigation Instructions:

  • Log in to your Xero developer account at https://developer.xero.com/
  • Navigate to "My Apps" and select the application associated with the token
  • Click on "Revoke Access" to invalidate the token

  • Generate a new tenant ID token if needed for legitimate applications

  • Review and update API access permissions for the application
  • Enable two-factor authentication for all Xero accounts
  • Audit all connected applications and remove unnecessary integrations
  • Update passwords for all Xero users with administrative access