Skip to content
← Accounting API

I suggest you ...

Accounting API: Authentication

Categories

JUMP TO ANOTHER FORUM

(thinking…)

Create more granular accounting scopes (eg: Sales - Invoice only)

Right now there is a very wide range of APIs wrapped up in the "accounting.transactions" scope, with no way to provide more granular access within these APIs (https://developer.xero.com/documentation/guides/oauth2/scopes#organisation-scopes).

This means that it's not possible to grant access to something quite narrow without also granting access to other things that are often not needed. For example, you cannot grant permission to creating/manipulating Sales Invoices without also giving access to all Bank Transactions at the same time.

This problem is perhaps accentuated for Custom Connections, which are designed to be used for "in house" integrations, as ALL developers with access to maintain such a sales invoice integration would effectively have access to their colleague's salaries and company bank balances and nothing can be done to mitigate against this.

It feels like either there should be an extra layer of scopes such as "accounting.transactions.invoice" or "accounting.transactions.sales" available.

I would also think this is quite easy to implement!

165 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Felix shared this idea  ·   ·  Report…  ·  Admin →
How important is this to you?

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
not planned  ·  AdminKelly (Admin, Xero Developer Centre) responded  · 

Following up on this - we've shared the idea with the relevant team, and while we recognise that more granualr scopes could be beneficial for a number of reasons this has wide reaching impacts and unfortunately it's not something we're planning to move forward with right now. We truly appreciate your input, so we'll keep this idea open so others can still vote or add their thoughts, and if priorities shift down the track we may revisit the idea. Thanks again!

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • ramirez mullan commented  ·   ·  Report

    The lack of granular permission controls in some systems can indeed lead to significant security and privacy concerns. When access to one functionality, such as creating Sales Invoices, inadvertently includes access to unrelated sensitive data like Bank Transactions, it opens the door to potential misuse. This issue is especially critical for Custom Connections, where developers require limited access but inadvertently gain broader permissions. Implementing more refined role-based access control (RBAC) systems could help address this challenge. For other structured data solutions, tools like https://arrests-ny.org/ showcase how accessibility and security can be balanced effectively.

  • Trent Bagshaw commented  ·   ·  Report

    In order to provide access to Quotes I have to give access to wage related Bank Transactions. This is... silly? Unless I'm missing something

  • Y V commented  ·   ·  Report

    Please implement this feature

  • Mendy Jacobs commented  ·   ·  Report

    This is very important to us, can you please implement,

  • MV commented  ·   ·  Report

    This is critical please implement this especially for invoices.

  • HC commented  ·   ·  Report

    It is a significant issue for us that we can't grant some users access to create/see invoices only via the API. Our users are effectively over permissioned and we have to ask them not to look at sensitive information (such as account reconciliations). It's not a nice state to exist in.