
Xero

TAO connects to Xero through OAuth 2.0 using the granular scope model that becomes mandatory on 2 March 2026. We request only the specific accounting scopes our features need — contacts, invoices, reports, journals, and settings — and never bundle in payroll, files, or bank feeds unless you deliberately enable them. Your financial data stays inside your Xero organisation; TAO uses it to drive quoting and reconciliation, nothing else.

How the connection works

TAO authenticates with OAuth 2.0 (authorization code flow with PKCE) against Xero's identity platform. Users select which Xero organisation(s) to connect, and TAO stores one refresh token per connection. From 2 March 2026 TAO requests granular scopes only; an insufficient_scope response from the Xero API triggers an in-app re-authorisation prompt rather than a silent failure.
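As an added illustration of the flow described above (example code, not TAO's own), the sketch below generates a PKCE verifier/challenge pair, builds the Xero authorize request carrying the granular scope set from the table on this page, and turns an insufficient_scope challenge into the list of scopes a re-authorisation prompt should ask for. The 403 + WWW-Authenticate shape is assumed from RFC 6750 rather than confirmed against Xero's responses, and the client id, redirect URI and state are placeholders.

```python
import base64
import hashlib
import re
import secrets
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# Xero's OAuth 2.0 authorize endpoint (public, from Xero's developer docs).
XERO_AUTHORIZE_URL = "https://login.xero.com/identity/connect/authorize"

# The granular scope set listed on this page; no broad bundle is requested.
TAO_SCOPES = [
    "openid", "profile", "email", "offline_access",
    "accounting.contacts", "accounting.transactions",
    "accounting.reports.read", "accounting.settings.read",
]


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh high-entropy verifier (43 chars) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        code_challenge: str, scopes: List[str] = TAO_SCOPES) -> str:
    """Authorize request listing each granular scope individually at consent time."""
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes),
        "state": state, "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{XERO_AUTHORIZE_URL}?{urlencode(params)}"


def scopes_to_reauthorise(status: int, www_authenticate: Optional[str]) -> Optional[List[str]]:
    """None when the call did not fail for lack of scope; otherwise the scopes the
    RFC 6750 challenge names (possibly empty), to feed an in-app re-auth prompt."""
    if status != 403 or not www_authenticate or not www_authenticate.lower().startswith("bearer"):
        return None
    if 'error="insufficient_scope"' not in www_authenticate.lower():
        return None
    match = re.search(r'scope="([^"]*)"', www_authenticate)
    return match.group(1).split() if match else []
```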

Scopes TAO requests

We request only the scopes the connected features actually use. Each scope, why we ask for it, and which tier it sits in for Xero:

Scope                     | Tier           | What it's for
openid                    | identity       | Sign the user in via OpenID Connect
profile                   | identity       | Read the user's Xero display name
email                     | identity       | Read the user's Xero email for account matching
offline_access            | identity       | Issue a refresh token so the connection survives the browser
accounting.contacts       | granular       | Read and reconcile Xero contacts with TAO's contact graph
accounting.transactions   | granular       | Create and read invoices, credit notes, and payments raised from TAO
accounting.reports.read   | granular-read  | Read P&L, balance sheet, and aged receivables for TAO dashboards
accounting.settings.read  | granular-read  | Read tax rates, branding themes, and tracking categories to format invoices correctly

What TAO accesses

The connected features read specific Xero data — and only what's needed for the operational record visible inside TAO.

  • Contacts, organisations, and contact persons to keep TAO and Xero in sync
  • Invoices, credit notes, and payments raised from TAO jobs and quotes
  • Financial reports (P&L, balance sheet, aged receivables) for TAO dashboards
  • Tax rates, branding themes, and tracking categories so invoices match your Xero setup

What TAO never does with this data

Some commitments are easier to read as a list.

  • We do not request payroll scopes — employee, pay item, and timesheet data stays in Xero
  • We do not request the files or assets scopes — Xero attachments are not pulled into TAO
  • We do not request bankfeeds or the bank transactions write scopes
  • We do not train models on your accounting data or share it with third parties
  • We do not retain a full ledger copy — only the records linked to active TAO jobs

Use of data — disclosure

TAO uses Xero data only to deliver the accounting workflows visible inside TAO — quoting, invoicing, reconciliation, and reporting. We follow Xero's principle of scope minimisation and request granular scopes that match the exact feature you're using. We don't sell or rent your accounting data, we don't train models on it, and we don't transfer it outside TAO except where you initiate the transfer or law requires it.

OAuth consent screen + listing

The exact configuration TAO submits to Xero for every customer connection — keep this aligned with the public site for reviewers and consent dialogs.

  • App name = TAO, listed under The Artificial Organisation in the Xero App Store
  • Privacy policy URL = https://theartificialorganisation.com/privacy linked in the listing
  • Support email and support URL monitored and resolved within one business day
  • Granular scopes listed individually at consent time — no broad accounting.transactions bundle
  • Xero "Connected app" badge displayed per Xero brand guidelines, with TAO as the dominant brand

Verification + review path

TAO is registered as a Xero app partner with a published App Store listing. We track Xero's granular scope deadline (2 March 2026 for new apps, September 2027 for the broad-scope cutover) and have already migrated TAO to granular scopes ahead of the deadline. Our listing carries the certified Connected badge and is reviewed by Xero against the App Store listing requirements.

How to disconnect

Open https://login.xero.com/connectedapps, find TAO, and click Disconnect. You can also disconnect from inside TAO at Settings → Integrations → Xero → Disconnect; TAO revokes the refresh token, drops the per-organisation connection, and permanently deletes cached Xero data within 24 hours.

Reference: Xero developer documentation

Canonical Xero reference: https://developer.xero.com/documentation/guides/oauth2/scopes/

See also the full Data & Permissions page for the side-by-side comparison across all providers TAO connects to, and the Privacy Policy for retention, deletion, and your rights.

Want to see this running on the apps you already use? Apply for the beta, or tell us what your team is trying to run from one place.
