Clever Ops

How to set up API access to Xero Practice Manager

Xero Practice Manager (XPM) has an API that lets an approved tool read your practice data, such as clients, jobs, tasks, staff, and time, without anyone logging in by hand. Unlike many products, XPM API access is not self-serve. Xero gates it: before any app can connect, you (or the developer building the connection) must pass a security self-assessment against the Security standard for Xero API Consumers and have the specific use case approved by Xero. Once that is done, an OAuth 2.0 app is created in the Xero dev portal, which issues a client id and a client secret that the connected tool uses to authorise. Those credentials can be revoked at any time, and you stay in control of which Xero organisation the app is connected to. This guide explains the approval path and how to get started safely.

Time to complete: allow a few business days to weeks for Xero to review and approve.
Steps: 4

Keep this credential safe

An OAuth 2.0 client secret is like a password: anyone who has it can connect to the data the app is approved for. Request only the practicemanager scope you genuinely need and frame the use case as read-only where the work allows. Share the client id and secret through a secure method such as a password-manager share link, never plaintext email or chat. Rotate the secret if you suspect it has leaked, and delete the app or disconnect it when it is no longer needed.

Access to grant

OAuth 2.0 app credentials (client id and client secret) with the practicemanager scope, granted only after Xero approves the use case. Start read-focused.

Who you're granting access to

  • The developer, consultant, or tool vendor who will read your data through the XPM API and arrange the approval with Xero.

Before you start

  • An active Xero Practice Manager subscription with admin rights in your practice.
  • A staff member with the "Connect third-party add-ons" (API access) privilege enabled in XPM.
  • A clear, specific use case for what the connected tool will read or do, which Xero will review and approve.
  • A developer, consultant, or vendor who can complete the security self-assessment and build the OAuth 2.0 app, unless your tool already has approved XPM access.

Step by step

  1. Confirm your use case and contact Xero to start

    XPM API access is approval-gated, so the first step is to define what the connected tool needs to read or do, then contact Xero to begin. As the official Xero docs state, you must pass a self-assessment against the Security standard for Xero API Consumers and have your use case approved by their team. Start the conversation through Xero developer support (the contact options on developer.xero.com). If you are working with a developer or tool vendor, they can lead this conversation on your behalf.

  2. Complete the security self-assessment

    Xero requires whoever holds the credentials to pass a security self-assessment against the Security standard for Xero API Consumers. This checks that the data will be stored and handled safely. Your developer or vendor usually completes this. Keep the requested access as narrow as possible: ask only for the practicemanager scope you actually need, and frame the use case as read-only where the work allows.

  3. Create the OAuth 2.0 app and copy the credentials

    Once Xero approves the use case and applies the practicemanager scope, create an OAuth 2.0 app in the Xero dev portal at developer.xero.com/myapps. Set an app name (it cannot contain the word "Xero") and an https redirect URI. Click Create app, then Generate a secret. Copy the client id and client secret straight away. The secret is shown once, behaves like a password, and should be shared only through a secure method such as a password-manager share link, never plaintext email or chat.

  4. Turn on API access for the connecting staff member

    In Xero Practice Manager, open your staff list, click the staff member who will authorise the connection, scroll to the bottom of their settings, and toggle on "Connect third-party add-ons". Without this, the OAuth flow returns "no Xero Practice Manager accounts". The connected tool then runs the OAuth 2.0 sign-in once, you choose which organisation to connect, and access tokens flow from there. No password is ever shared with the tool.
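The authorisation-code exchange that steps 3 and 4 describe, as an added example that is not code from Clever Ops or Xero. The authorize and token endpoint URLs are assumed from Xero's public OAuth 2.0 documentation, the client id, redirect URI and state values are constructed placeholders, and PKCE (RFC 7636) is included as defence in depth on the assumption that your app type accepts it alongside the client secret; no network calls are made.

```python
"""OAuth 2.0 authorization-code helper for a Xero app (added example).

Builds the sign-in URL with the narrow 'practicemanager' scope, checks the
callback's state value, and prepares the token request so the client secret
only ever travels in the HTTP Basic header, never in a URL or a log line.
"""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.xero.com/identity/connect/authorize"  # assumed
TOKEN_URL = "https://identity.xero.com/connect/token"                # assumed
SCOPES = "practicemanager"  # request only the scope the approval covers


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id, redirect_uri, state, verifier, scopes=SCOPES):
    """Compose the browser redirect; Xero only registers https redirect URIs."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect URI must use https")
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scopes, "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code, refusing a callback whose state differs."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request(client_id, client_secret, code, redirect_uri, verifier):
    """Return (url, headers, form body) for exchanging the code for tokens."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
    return TOKEN_URL, headers, body
```

Keep the `state` and `code_verifier` values server-side for the single sign-in this tool performs, and store the returned refresh token with the same care the page asks for the client secret.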

Removing access afterwards

  1. To stop a single connection, sign in to Xero, go to your connected apps and disconnect the XPM app from that organisation. Access ends immediately.
  2. To rotate the secret, open the app in the dev portal at developer.xero.com/myapps and generate a new secret, then update the connected tool. The old secret stops working once replaced.
  3. To shut the app down entirely, delete the OAuth 2.0 app in the dev portal. This breaks every connection that used those credentials.
  4. In XPM itself, you can turn off "Connect third-party add-ons" for a staff member to cut their ability to authorise add-ons.

If that option is not available

Because XPM API access is not self-serve, the simplest path is to ask your implementer, developer, or the tool vendor to arrange the approval and security self-assessment with Xero on your behalf. Many established tools already hold approved XPM access, in which case you only authorise the connection rather than build an app. While the API partnership is being arranged, you can grant a read-only login to your practice so an adviser can review data without programmatic access. See our read-only access guides for that interim step.

Frequently Asked Questions

Xero treats Practice Manager data as sensitive, so access is approval-gated rather than self-serve. Per the official docs, you must pass a security self-assessment against the Security standard for Xero API Consumers and have your use case approved by Xero before any app can connect. Start by contacting Xero developer support from developer.xero.com.

Usually your developer, consultant, or the tool vendor leads it, because they complete the security self-assessment and build the OAuth 2.0 app. Your job is to confirm the use case, make sure you have admin rights, and authorise the connection to your organisation when it is ready.

Treat the client secret like a password. Anyone who has it can connect to the data the app is approved for. Share it only through a secure method such as a password-manager share link, never plaintext email or chat, scope the app to the least access you need, and rotate or delete the secret as soon as it is no longer required.

Disconnect the app from the organisation in your connected apps to stop a connection immediately. To rotate, generate a new secret in the dev portal at developer.xero.com/myapps and update the tool. To remove access entirely, delete the OAuth 2.0 app, which breaks every connection that used it.

Request only the practicemanager scope you actually need and frame the approved use case around reading data, not changing it. Keeping the scope and use case narrow is the safest way to set this up, and it makes the security self-assessment easier to pass.
