Xero public applications authenticate with the Xero’s API using three-legged oAuth 1.0A. This is an authentication process where the user explicitly logs into Xero to authorize access by the application (the consumer). This authorization lasts 30 minutes until the access token expires.

Creating an API client in node.js is straight-forward and only requires the standard oauth package. The diagram below summarizes the process:

To start, register a public application with the Xero API to obtain a Xero consumer token and secret. These are the app’s credentials that are used to obtain a Request Token.

Then:

1. Create an endpoint in your application where the user initiates the authentication request.

   eg. create a Connect to Xero button to GET’s this endpoint. It’s essential that the user initiates the request; the three-legged protocol depends on a web view and redirection of the user’s requests.

   You set up oauth module to make a synchronous (blocking) request to Xero to get a Request Token for your app, then redirect to user to Xero’s authorize page with that token parameter.

2. Create an endpoint where Xero will callback to your application with the request token and a verifier.

   When the user logs into Xero and authorizes your app Xero will redirect the user to this end-point with the request token and verifier as parameters.

   You set up the oauth module to make a synchonous (blocking) request to Xero to exchange the Request Token for an Access Token. If successful, this endpoint will redirect the user to the next page in your app, while you can then initiate any asynchronous or other work with the API. All future requests to the API use the oauth module and the access token.

It’s essential to persist the tokens across multiple requests. A session object is the simplest place to store this data.

A detailed diagram of this whole process is in the oauth bible.

Example application

I’ve posted a example application on github that demonstrates the process and configuration of the oauth module.

The application uses hapi.js as a web framework, but the code should also be very familiar to anyone using express or koa. It uses the hapi.js yar plugin for session management.

Configuration of the endpoints: The end-point URLs are arbitrary, but the callback URL here needs to match the one passed to Xero as one of the oAuth request parameters (see below). Also, the domain of the callback URL must match the callback domain specified in Xero’s app configuration. For testing a public application, you’ll have to set the callback domain in Xero so it matches your testing URL.

Setup oAuth module so it works with Xero’s API: The constants here are those provided by Xero to access the API. HMAC-SHA1 is used for signing the requests. In this gist we set ‘oauth._authorize_callback’ to the URL we need Xero to redirect to (and provide the request token parameter). This points to the application’s other endpoint. It also must match the callback domain specified above.

Finally, for the authentication operations: When the user accesses the authenticate endpoint, we use the oauth module to get a Request Token, then redirect the user to Xero’s authorize page. That’s where they’ll login to Xero and authorize the app.

Xero will redirect them to the callback: When the user is redirected to the callback, we use the oauth module to get the Access Token (exchange the request token for access), then direct the user to our success/next page.

Once we have and store the access token, we access the api using oauth.get() etc.

Download the full source on github.

See also Launch Festival Day One and Launch Festival Day Two.

These are my rough notes on the Day Three pitches at the Launch Festival 2015.

Opinions are my own, ill-informed and probably ignorant.

Abra

Overall Winner

Peer to peer transactions via mobile devices, demonstrated using USD. Their innovation is “crowdsourced(?)” tellers that process the deposits/withdrawals from/to cash. Anyone can register as a teller and perform the to/from cash transaction in the local denomination. This could work well. Security for tellers is obviously a concern, but they explained that most tellers are people that have to deal with cash transactions (eg. a 7-eleven is a good fit).

Website: https://www.goabra.com/

DataNovo

Patent analysis and analytics, analytics supporting patent strategy, analytics on the patent lawyers and judges I think it’s great, but it’s targeted towards lawyers. Would be interesting if it was free and open, or very cheap so every startup had this in their arsenal.

48 hour hackathon finalists

These were all surprisingly good.

Etch

Money transfer via iWatch. using pattern to establish identity/authenticity

Orbit

Demonstrated provision of an iOS development environment very quickly. High school team.

Kikr

Gamification of action sports via motion trackign sensors and video. Great concept, lots of work to go

The Interview Club

Real time video interview with real time coding via an expert. Get an expert to interview and test programming candidates.

PreHire

Hackathon Winner

Job simulation for pre-employment interview processes. Used Google web to speech API to demonstrate their effectiveness handling a call and metrics from the test. Good product.

PreHire and Abra were popular with the judges.

Rocketbook

A pre-printed paper note book that allows very fast scanning via mobile (because of the layout of indicators on the page). The real innovation was that the book can be erased by microwaving it, allowing reuse up to ~20 times. I like this, as my main reason for not using similar easy-to-scan books is they’re too expensive.

OneDrop

Best Design Winner

They’ve designed a new glucose monitor (fashion focused) and accompanying app. The meter is bluetooth and syncs with the app. Users can manually enter too. The app helps understand patterns between readings and food/drink consumption. Some social components mixed in… It’s pretty a good app agnostic of the source of the BSL source.

AutoLotto

Fast way to buy lotto tickets on phone, and schedule auto payments. Simple interface. Load the app via credit card and can cash out (somehow?) Can set up pools quickly. Not sure how they not break terms of service for Lotto?

HandUp This was an alumni update that won best social impact last year.

Demo pit - 1 min pitches

MixMatch

Demo Pit Winner

Cool, going back to the 90’s visibal basic in emails, this actually allows interactive widgets in email in a (presumably) secure way and presumably only email.
The email author must use a plugin to compose while in Gmail. It then embed emails friendly html (for gmail).

Cloudponics

Grow, water dose and harvest plants automatically. The $1000 unit suites plants that are worth growing yourself.

First Derm

Gets a dermatologist to check photo taken on app. I recall a similar app was banned recently that claimed to do diagnosis automatically. This one sends photos out to real experts on-demand.

Neuro:On

Sleep monitor using a mask over eyes. Much better accuracy than a band.

THEIA

3D property visualisation. I stopped taking notes.

MixMax, OneDrop very popular with the judges. Autolotto interesting if it’s legal.

See also Launch Festival Day One

These are my rough notes on the Day Two pitches at the Launch Festival 2015.

Unfortunately I missed the final batch of pitches so this list is incomplete today.

Opinions are my own, ill-informed and probably ignorant.

BenchMade Modern

Modular sofa furniture custom (configured) design, delivered in 24 hours in LA. Built to order using a line of 7 people with a capacity of ~10 per week (but scalable). It’s cool, pretty high risk and probably way ahead of the curve. I probably wouldn’t use it myself today unless the sofa’s were amazing, but it’s good that they’re learning how to design processes and retail for made-to-order furniture.

Assist

Real-time recommendations from local experts for restaurants. (and other categories?) They say search is like a conversation and demo’d finding some suggestions and booking within messaging. Messaging is the future of search, they say, as People are better than Algorithms. Like Yahoo once thought? Very well delivered pitch.

Highly

Annotation of websites, collaborative / social. In Safari, it’s integrated into the share panel in iOS which is great. ie. highly some text on any webpage in safari and add it to your highlights list Looks very, very polished and great design. I’d use it (but not pay for it).

Captiv8

Social media metrics across all networks targeting high social-worth individuals. Intelligent Curation of posts based on most successful content Facilitates cross-communication with other social leaders Facilitates communication with brands to monitize social network

Fiskkit

Social Impact Award

“Crowdsourced fact checking of news articles” Website annotation (fisking) Tagging of comments. Analytics of the tagging on the article Conversation within structured data How does it work with publishers (needs to feed their engagement, not take it)

Captiv8, BenchMade, Fiskkit were popular with judges

REscour

Best B2B Winner

Market intelligence and decision engine for commercial real estate Like zillow for commercial property with analytics They have analysed every commercial property across the US Impressive product, must be 2.0 (1.5M seed)

Rally

Organize tonight. Friends indicate availability for tonight. Agree location / plans (Exactly like the Tonight app in Sydney) Share photos, Find each other. Tracks your location and photos across the night so you can see them in context the day after - this is pretty novel.

WhereIGo

Aggregate content of where friends go Share/aggregate places to go Sponsored lists/follow others lists Find places to go from your friends/experts

Crowdcast

Makes it simpler to start a video cast, have a Q&A (with timestamp videos) and run polls during the event. You can also find virtual “conferences” / search Uses google hangout embedded in their page Very good use of google hangouts actually. There’s definitely a business model and strong use case here (unless google wrap hangouts with free conferencing/collaboration tools)

Crowdcast and REscour were popular with the judges. Both seem very strong.

I missed the presentations for the other pitches. These were: Minbox, Glimpse, Nova, Whever and Givme

See next Launch Festival Day Three