Creating a Xero API public application with node.js

10 June 2015

Xero public applications authenticate with the Xero API using three-legged oAuth 1.0A. In this flow the user explicitly logs into Xero to authorize access by the application (the consumer). The authorization lasts 30 minutes, after which the access token expires.

Creating an API client in node.js is straightforward and only requires the standard oauth package. The diagram below summarizes the process:

Flow diagram of three-legged oAuth with Xero API

To start, register a public application with the Xero API to obtain a Xero consumer token and secret. These are the app’s credentials that are used to obtain a Request Token.


  1. Create an endpoint in your application where the user initiates the authentication request.

    e.g. a Connect to Xero button that GETs this endpoint. It’s essential that the user initiates the request; the three-legged protocol depends on a web view and redirection of the user’s requests.

    Set up the oauth module to make a synchronous (blocking) request to Xero to get a Request Token for your app, then redirect the user to Xero’s authorize page with that token as a parameter.

  2. Create an endpoint where Xero will call back to your application with the request token and a verifier.

    When the user logs into Xero and authorizes your app, Xero will redirect the user to this endpoint with the request token and verifier as parameters.

    Set up the oauth module to make a synchronous (blocking) request to Xero to exchange the Request Token for an Access Token. If successful, this endpoint redirects the user to the next page in your app, and you can then initiate any asynchronous or other work with the API. All future requests to the API use the oauth module and the access token.

It’s essential to persist the tokens across multiple requests. A session object is the simplest place to store this data.

A detailed diagram of this whole process is in the oauth bible.

Example application

I’ve posted an example application on github that demonstrates the process and configuration of the oauth module.

The application uses hapi.js as a web framework, but the code should also be very familiar to anyone using express or koa. It uses the hapi.js yar plugin for session management.

Configuration of the endpoints: The endpoint URLs are arbitrary, but the callback URL here needs to match the one passed to Xero as one of the oAuth request parameters (see below). Also, the domain of the callback URL must match the callback domain specified in Xero’s app configuration. For testing a public application, you’ll have to set the callback domain in Xero so it matches your testing URL.

The callback domain is important

Set up the oauth module so it works with Xero’s API: The constants here are those provided by Xero to access the API. HMAC-SHA1 is used for signing the requests. In this gist we set ‘oauth._authorize_callback’ to the URL we need Xero to redirect to (with the request token parameter). This points to the application’s other endpoint. It also must match the callback domain specified above.

Finally, for the authentication operations: When the user accesses the authenticate endpoint, we use the oauth module to get a Request Token, then redirect the user to Xero’s authorize page. That’s where they’ll login to Xero and authorize the app.

Xero will redirect them to the callback: When the user is redirected to the callback, we use the oauth module to get the Access Token (exchange the request token for access), then direct the user to our success/next page.

Once we have obtained and stored the access token, we call the API using oauth.get() and the module’s other request methods.

Download the full source on github.


Launch Festival 2015: Day Three Pitches

6 March 2015

See also Launch Festival Day One and Launch Festival Day Two.

These are my rough notes on the Day Three pitches at the Launch Festival 2015.

Opinions are my own, ill-informed and probably ignorant.


Overall Winner

Peer to peer transactions via mobile devices, demonstrated using USD. Their innovation is “crowdsourced(?)” tellers that process the deposits/withdrawals from/to cash. Anyone can register as a teller and perform the to/from cash transaction in the local denomination. This could work well. Security for tellers is obviously a concern, but they explained that most tellers are people that have to deal with cash transactions anyway (e.g. a 7-Eleven is a good fit).



Patent analysis and analytics: analytics supporting patent strategy, and analytics on the patent lawyers and judges. I think it’s great, but it’s targeted at lawyers. Would be interesting if it was free and open, or very cheap, so every startup had this in their arsenal.

48 hour hackathon finalists

These were all surprisingly good.


Money transfer via iWatch, using a pattern to establish identity/authenticity.


Demonstrated provision of an iOS development environment very quickly. High school team.


Gamification of action sports via motion tracking sensors and video. Great concept, lots of work to go.

The Interview Club

Real time video interview with real time coding via an expert. Get an expert to interview and test programming candidates.


Hackathon Winner

Job simulation for pre-employment interview processes. Used Google web to speech API to demonstrate their effectiveness handling a call and metrics from the test. Good product.

PreHire and Abra were popular with the judges.


A pre-printed paper notebook that allows very fast scanning via mobile (because of the layout of indicators on the page). The real innovation was that the book can be erased by microwaving it, allowing reuse up to ~20 times. I like this, as my main reason for not using similar easy-to-scan books is that they’re too expensive.


Best Design Winner

They’ve designed a new glucose monitor (fashion focused) and accompanying app. The meter is Bluetooth and syncs with the app. Users can enter readings manually too. The app helps understand patterns between readings and food/drink consumption. Some social components mixed in… It’s a pretty good app regardless of the BSL source.


Fast way to buy lotto tickets on a phone, and schedule auto payments. Simple interface. Load the app via credit card and cash out (somehow?). Can set up pools quickly. Not sure how they don’t break Lotto’s terms of service?

HandUp

This was an alumni update; they won best social impact last year.

Demo pit - 1 min pitches


Demo Pit Winner

Cool; going back to 90’s Visual Basic in emails, this actually allows interactive widgets in email in a (presumably) secure way, and presumably only in email.
The email author must use a plugin to compose while in Gmail. It then embeds email-friendly HTML (for Gmail).


Grow, water, dose and harvest plants automatically. The $1000 unit suits plants that are worth growing yourself.

First Derm

Gets a dermatologist to check a photo taken in the app. I recall a similar app was banned recently that claimed to do the diagnosis automatically. This one sends photos out to real experts on demand.


Sleep monitor using a mask over eyes. Much better accuracy than a band.


3D property visualisation. I stopped taking notes.

MixMax, OneDrop very popular with the judges. Autolotto interesting if it’s legal.


Launch Festival 2015: Day Two Pitches

4 March 2015

See also Launch Festival Day One

These are my rough notes on the Day Two pitches at the Launch Festival 2015.

Unfortunately I missed the final batch of pitches so this list is incomplete today.

Opinions are my own, ill-informed and probably ignorant.

BenchMade Modern

Modular sofa furniture, custom (configured) design, delivered in 24 hours in LA. Built to order using a line of 7 people with a capacity of ~10 per week (but scalable). It’s cool, pretty high risk and probably way ahead of the curve. I probably wouldn’t use it myself today unless the sofas were amazing, but it’s good that they’re learning how to design processes and retail for made-to-order furniture.


Real-time recommendations from local experts for restaurants. (and other categories?) They say search is like a conversation and demo’d finding some suggestions and booking within messaging. Messaging is the future of search, they say, as People are better than Algorithms. Like Yahoo once thought? Very well delivered pitch.


Annotation of websites, collaborative / social. In Safari, it’s integrated into the share panel in iOS, which is great: i.e. highlight some text on any webpage in Safari and add it to your highlights list. Looks very, very polished, and great design. I’d use it (but not pay for it).


Social media metrics across all networks, targeting high social-worth individuals. Intelligent curation of posts based on the most successful content. Facilitates cross-communication with other social leaders. Facilitates communication with brands to monetize a social network.


Social Impact Award

“Crowdsourced fact checking of news articles.” Website annotation (fisking). Tagging of comments. Analytics of the tagging on the article. Conversation within structured data. How does it work with publishers? (Needs to feed their engagement, not take it.)

Captiv8, BenchMade and Fiskkit were popular with the judges.


Best B2B Winner

Market intelligence and decision engine for commercial real estate. Like Zillow for commercial property, with analytics. They have analysed every commercial property across the US. Impressive product; must be 2.0 (1.5M seed).


Organize tonight. Friends indicate availability for tonight. Agree location / plans (exactly like the Tonight app in Sydney). Share photos, find each other. Tracks your location and photos across the night so you can see them in context the day after; this is pretty novel.


Aggregate content of where friends go. Share/aggregate places to go. Sponsored lists / follow others’ lists. Find places to go from your friends/experts.


Makes it simpler to start a video cast, have a Q&A (with timestamped videos) and run polls during the event. You can also find virtual “conferences” / search. Uses Google Hangouts embedded in their page; very good use of Google Hangouts actually. There’s definitely a business model and strong use case here (unless Google wraps Hangouts with free conferencing/collaboration tools).

Crowdcast and REscour were popular with the judges. Both seem very strong.

I missed the presentations for the other pitches. These were: Minbox, Glimpse, Nova, Whever and Givme

See next Launch Festival Day Three


Launch Festival 2015: Day One Pitches

3 March 2015

These are my rough notes on the Day One pitches at the Launch Festival 2015.


A16Z trends

25 January 2015

When I was reading the full stack startup post by @chrisdixon I stumbled upon the other trends a16z have identified:


Full Stack Startup and other trends

23 January 2015

I was reading this post by @chrisdixon that describes full-stack startups, those that attack the question:


Company Transparency - Unbounce's 2014 Year in Review

21 January 2015

Unbounce, an online business that provides landing pages for A/B testing, has published their Year in Review on their public blog. It’s a spectacular example of company transparency, more than I’ve ever seen. Probably more than I’d be comfortable with myself to be honest.

It’s an interesting read and example of transparency: Unbounce Year in Review 2014


Curated posts of the day

20 January 2015

I usually just tweet or favourite interesting posts I see. Today was a good day though:


The lingering guilt there's something more important to do

19 December 2014

It’s time to get this site going again.


A little inspired

20 February 2012

I felt inspired to write something today, but I can’t justify the time it takes to articulate original thought. Instead here’s a copy of a few notes I keep stuck on the wall above my desk.


New startup accelerators & incubators in Australia

9 October 2011

Many new accelerators and incubators for tech startups are popping up in Australia at the moment. I’m not sure if I’ve just noticed more of them because of the media coverage and my interest, or if there’s really a groundswell. I asked around to get some opinions on what’s going on here.


Increase productivity. Use Git.

23 September 2011

Git is a version control system that most software developers would have heard of. It’s the tool of choice for the team behind the Linux kernel and comes with the associated prestige and sets a high floor for the technical competence of its users.


Back to school with Corporate Finance

10 September 2011

I start the 3rd trimester of my MBA studies this week: Corporate Finance. This is an area I already find interesting and have been anticipating. I’ve read a lot of ad hoc information on the topic, practiced a bit and even completed a few basic courses, but I hope this brings about new ways of looking at problems. The first good sign that I’ll enjoy it is that much of the recommended “viewing” is movies I love:


An outsourcing experiment with

6 September 2011

I recently ran a project on as an outsourcing experiment.


Continuous Delivery

31 August 2011

Today I attended a webinar by ThoughtWorks on Continuous Delivery. This is a practice of trying to minimize the duration between an idea and its release into a production system, without being reckless. The benefits are consistent with lean practices and customer development in that they get real feedback as quickly as possible to minimize waste.


I’m in love with a mocking framework

21 August 2011

I was recently introduced to Mockito by our new Java developers. Mocking frameworks are used to isolate unit tests so they only exercise the code under test. Anything outside is replaced with a mock object that returns an expected result where needed. It’s a simple form of test isolation that’s more productive than stubbing out code. Any tests that need to cross a boundary are software integration tests (quite distinct from the real world integration tests that engineers know and love).


How to spot good coffee

15 August 2011

I was walking through my local shops recently, took a different path and stumbled upon this cafe. In a moment I knew they made good coffee.


Capital Raising and Exit Conference Points

8 August 2011

I recently attended a one day course by MBE Education on Capital Raising and Exit Strategies. It followed the standard pattern: the course was cheap and provides enough information to inspire attendees, but not enough specific information for them to really do anything. At the end of the day, they offer the one-time opportunity to take the real course at an expensive price. This time the real course was $6,000 per month for 3 months. Wow.


Mailchimp DOM Hack: How to bulk delete a segment of a list

7 August 2011

At the moment Mailchimp doesn’t include a way to delete a large segment of subscribers in a list. You can delete an entire list, unsubscribe a list of emails or delete subscribers one page at a time. Deleting an entire list that contains history is usually a bad idea and unsubscribing may affect how you add the subscribers to the same list later. Deleting subscribers is okay, but it’s limited to 100 subscribers at a time.