A short and simple example using node and express with openid-client to complete the OAuth flow on Xero's OAuth 2 API without the use of an SDK.
Latest commit 9ad38a8 Aug 26, 2019


This is a simple example of accessing Xero's API via OAuth 2 in Node with a generic OpenID Connect (OIDC) client and an HTTP request client.

It demonstrates how to:

  • retrieve a user-authorized API access token,
  • retrieve an ID token with the user's identity details,
  • fetch the Xero Organisations which the user authorized access to,
  • make a request to the Xero API using an Organisation ID as the tenantId, which is required in the header for API calls made with OAuth 2 tokens,
  • use the refresh token to collect a new active access token from the API.


Install Node Modules

In the project directory run

npm install

Setup config.json

Configure your OAuth 2 credentials in My Apps on the Xero developer site. In the credentials page, set your callback URL to the callback URL you would like to test with (e.g. 'http://localhost:5000/callback') and immediately save the generated clientId and client secret, because the secret is only viewable this one time upon generation. If you need to generate a new secret later, you can.

Paste your clientId and client secret into the config.json file with the matching callback URL in the 'REDIRCT_URL' field.

Note: I wouldn't recommend using a config.json for storing sensitive credentials in a production app. In production, as an industry best practice, it's better to use a .env file; this is just a proof-of-concept example.


You can use the default scopes included in this example config.json, but to experiment with the full list of scopes and what they do, please see this list.

Some explanations:

"openid profile email" - access OpenID and user info (the ID token)

"offline_access" - receive a refresh token to enable "partner app" style refresh


npm start

From the app root page, click through the OAuth flow and return to the console to see the results from the API printed. The accessToken and idToken are encoded JSON Web Tokens (JWT), so the idToken 'claims' are decoded and printed as well to show the details inside. Once the OAuth flow is complete, try getting API data back or refreshing the token with the buttons on the /home page.
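As an added example that is not part of this repository, here is a dependency-free Node snippet showing the checks worth applying to the decoded idToken claims before trusting them (issuer, audience, expiry, nonce), the tenant header for an API call, and a refresh-ahead-of-expiry check. The issuer value 'https://identity.xero.com' and the header name 'xero-tenant-id' are assumptions, and the token is constructed, not a real Xero token.

```javascript
// Added example (not the repository's code). Node built-ins only; in the real
// app openid-client verifies the JWT signature, which this snippet does not do.
// Assumptions: Xero issuer 'https://identity.xero.com', header 'xero-tenant-id'.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Constructed sample ID token; a real one has a signature in the third part.
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT', kid: 'example-kid' }),
  b64url({ iss: 'https://identity.xero.com', aud: 'MY_CLIENT_ID', exp: 1700000000,
           iat: 1699999700, nonce: 'abc123', email: 'user@example.com' }),
  'not-a-real-signature',
].join('.');

// Split a JWT and JSON-decode its payload (the claims). Node's base64 decoder
// accepts the URL-safe alphabet and missing padding, so no extra handling needed.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Validate the claims that bind the ID token to this app and this login:
// issuer, audience (our clientId), expiry, and the nonce sent with the request.
// Returns the names of failing claims; an empty array means acceptable.
function checkIdTokenClaims(claims, { issuer, clientId, nonce, now }) {
  const problems = [];
  if (claims.iss !== issuer) problems.push('iss');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) problems.push('aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('exp');
  if (nonce !== undefined && claims.nonce !== nonce) problems.push('nonce');
  return problems;
}

// Headers for a Xero API call: bearer token plus the tenant (organisation) id.
function tenantHeaders(accessToken, tenantId) {
  return { Authorization: `Bearer ${accessToken}`, 'xero-tenant-id': tenantId,
           Accept: 'application/json' };
}

// Refresh ahead of expiry: true when fewer than `leewaySec` seconds remain.
function needsRefresh(claims, now, leewaySec = 60) {
  return claims.exp - now < leewaySec;
}

const sampleClaims = decodeJwtClaims(SAMPLE_ID_TOKEN);
console.log(sampleClaims, checkIdTokenClaims(sampleClaims, { issuer: 'https://identity.xero.com',
  clientId: 'MY_CLIENT_ID', nonce: 'abc123', now: 1699999800 }));
```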


Press Ctrl + C in the terminal to stop the Express server.
