Xero OAuth Redirect URI Error Fix for Native iOS Apps Using PKCE

Introduction

Xero OAuth 2.0 integration with a native iOS app can become tricky when the redirect URI does not work as expected.

One common issue developers face is the Xero authorization error:

Sorry, something went wrong

In many cases, this happens because the redirect_uri used in the iOS app does not match Xero’s redirect URI requirements. This guide explains how to use PKCE with a native iOS app and how to handle the redirect URI issue correctly.

Quick Fix for Xero OAuth “Sorry Something Went Wrong” Redirect URI Error

If you see this error during Xero OAuth authorization, first check the redirect URI.

Xero does not accept custom iOS URL schemes directly as redirect URIs, such as:

xeroIntegration://xerointegration.satva.solutions

Instead, Xero requires an HTTPS redirect URI, except for localhost. For iOS apps, the practical solution is to use an HTTPS redirect page and then redirect the user back to the app using the iOS URL scheme.

CheckWhat to Verify
Redirect URIMust exactly match the URI saved in Xero Developer Portal
URI FormatUse HTTPS, not direct custom app scheme
Client IDMust match the correct Xero app
ScopeUse valid Xero scopes only
PKCEUse the same code verifier during token exchange
iOS RedirectApp should be able to receive the returned code

What Is Xero API Integration?

Xero is a cloud-based accounting platform used by small businesses, accountants, and finance teams to manage invoices, bills, bank transactions, payroll, and financial reporting.

For custom applications, Xero provides APIs that allow developers to connect business systems, mobile apps, SaaS platforms, and internal tools with Xero data.

What Is PKCE in Xero OAuth 2.0?

PKCE, or Proof Key for Code Exchange, is an OAuth 2.0 security extension used for apps that cannot safely store a client secret, such as native mobile apps.

In an Xero iOS integration, PKCE helps secure the authorization flow by using a temporary code_verifier and code_challenge during login and token exchange.

Why PKCE Is Required for Xero iOS App Integration

According to OAuth’s official website. PKCE was originally designed to protect the authorization code flow in mobile apps and was later recommended to be used by single-page apps as well.

In later years, it was recognized that its ability to prevent authorization code injection makes it useful for every type of OAuth client, even apps running on a web server that uses a client secret.

Because of its history in the use of mobile apps and single-page apps, it is sometimes incorrectly thought that PKCE is an alternative to a client secret.

However PKCE is not a replacement for a client secret, and PKCE is recommended even if a client is using a client secret, since apps with a client secret are still susceptible to authorization code injection attacks.

Problem: Xero Does Not Accept Custom iOS Redirect URI Directly

I wanted to do the XERO OAuth 2.0 integration flow applied in the Native iOS app.

So I went over to Xero’s official SDK documentation page and followed the instructions.

This was my first integration as an iOS developer with Xero API.

I got stuck in one specific problem, where in the Xero Developer portal, within the Redirect URI field I was asked to provide a redirect parameter.

Which I don’t know how an Xero API will redirect users to an iOS app. So I sent an email to the Xero team and I got this reply.

Reply from the Xero team

Hi Hardik

Mobile clients should use the Claimed HTTPS Scheme URI Redirection to register https redirect URIs.

This is supported on both Android (https://developer.android.com/training/app-links/verify-site-associations) and iOS(https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html). Kind regards.

Screenshot of an email from Xero, discussing HTTPS URI redirection for mobile clients with a focus on OAuth 2.0 integration. Includes links for Android and iOS support, and signed by Sally.

After reading an article given by the Xero support team I tried to enter the Claimed HTTPS Scheme URI in App.

Below is a screenshot of the error when I set Redirect URI.

The configuration page of the app displays connection settings with fields for Redirect URIs, Client ID, and an optional login URL for the launcher. Enhanced with Xero OAuth 2.0 integration, it features buttons for adding URIs and saving changes seamlessly.

So the above error became a key problem and blockage for me.

I don’t know What’s the correct redirect url of Xero PKCE integration? How to redirect back in the app after xero login?

Common Xero OAuth Errors and Fixes

ErrorReasonFix
Sorry, something went wrongRedirect URI mismatchMatch the URI in Xero Developer Portal
Invalid redirect_uriCustom scheme used directlyUse HTTPS redirect URI
invalid_grantExpired or reused codeGenerate a new authorization code
invalid_scopeWrong scope valueUse valid Xero OAuth scopes
App does not open after loginiOS URL scheme issueCheck URL Types in Xcode
Token request failsWrong code verifierUse the same PKCE verifier

Solution: Use HTTPS Redirect URI and Route Back to iOS App

Step-by-Step Xero OAuth PKCE Setup for iOS App

  1. Follow xero developer document for OAuth flow.The Proof Key for Code Exchange (PKCE) flow | Xero Developer
  2. Create a developer account on Xero. After that create an app on xero developer account.
  3. Set the redirect url in the application created on xero. In iOS, we use redirect urls such as:
    “xeroIntegration://xerointegration.satva.solutions”. But in xero, this type of redirect url can’t be accepted.

    Code snippet with Xero OAuth 2.0 authentication for an Xcode project. Highlights include URL, token details, client ID, and redirect URI set to "xerointegration:/xerointegration.stava.solutions".
  4. I have changed the redirect url in ios app code which was set in xero application but that still gives the error code 500 (Invalid Redirect URL).
    The login error page on Xero's website shows "Sorry, something went wrong" with error code 500 and a message stating "unauthorized_client: Invalid redirect_uri," indicating a potential issue with Xero OAuth 2.0 integration.

    App Search Programming Guide: Support Universal Links

  5. I tried another solution using the above link. Create a universal redirect url for the ios application.And also set Apple-App-Site-Association on the redirect url of the web page but I can’t get back to the app.
  6. After that, We found the redirect url solution in the ios application. First we set the URL schema to “xeroIntegration” and create a redirect url like “xeroIntegration://xerointegration.satva.solutions”.In the app side, we have set the redirect url in the official API just like the app developed in the xero account.
  7. I talked with one of the expert Xero Developers in my team and we figured out a solution which solves this problem.
  8. It is mandatory requirement that a redirect URI has to be an HTTPS URL. so a web developer helped me create a static secure HTTP site which is just a simple html page as below.
    Web Page URL: https://xerointegration.satva.solutions/
    Page Source Code Screenshot:

    A screenshot of an HTML document displays a JavaScript script that creatively employs xero OAuth 2.0 to replace "https" in the web address with "xeroIntegration," then updates the window location seamlessly.

    Redirecting from HTTPS Callback URL Back to the iOS App

    Javascript Sample Code:

    
    let result = window.location.href.replace(“https”, “xeroIntegration”);
    window.location.href=result;
  9. Please observe a javascript written in a webpage that ensures that before the redirect HTTPS parameter is replaced by iOS URL Schema( in my case it’s xeroIntegration).So the URL which iOS will open in Safari browser would look something like the below:xeroIntegration://xerointegration.satva.solutions?code=sjdjksdhnksdfh
    Screenshot of Xcode project settings featuring sections for build settings, URL types, and application properties. Various fields with string values and keys are displayed, including setup details for integrating Xero OAuth 2.0 authentication.
  10. After that, we set the JavaScript code in the redirect url webpage. It will redirect to the application with the parameter
    “code”.
    Code which you write for authenticate by Xero login:

    Screenshot of Swift code implementing Xero OAuth 2.0 authentication, featuring methods for handling URL requests, challenge responses, and user authentication sessions.
  11. Once We got “code” parameter from Xero and use “code” parameter, we will get the access token of the Xero account. Code which you write for an access token:
    Screenshot of Swift code defining a function to get an access token using URL and JSON decoding, with error handling and completion handlers, illustrating how to integrate Xero OAuth 2.0 for secure authentication.

Download Xero OAuth iOS Sample Code

For reference, You can download the complete Xcode Project at GitHub https://github.com/satva-git/XeroIntegratoin_ios

Also Read: NetSuite OAuth 2.0 Integration in .NET (Step-by-Step Guide)

Your 1 hour of consulting is on us! Get Xero App Consulting now

You can use the sample Xcode project as a reference to understand the complete Xero OAuth flow, including PKCE setup, redirect handling, authorization code capture, and access token exchange.

Do you need help with custom Xero integration service or development? Our Xero integration experts are here to help you!

FAQs

Why does Xero show “Sorry, something went wrong” during OAuth authorization?

This usually happens when the redirect_uri, client ID, or scope is incorrect. For iOS apps, the most common reason is using a custom app URL scheme directly instead of an HTTPS redirect URI.

How do I fix the Xero invalid redirect_uri error?

Use an HTTPS redirect URI in the Xero Developer Portal and make sure the same URI is used in your authorization request and token exchange. The URI should match exactly, including slash, case, and protocol.

Does Xero allow custom iOS URL schemes as redirect URIs?

No. Xero requires HTTPS redirect URIs, except for localhost. For iOS apps, you can use an HTTPS callback page first, then redirect users back to the app using the registered iOS URL scheme.

Why is PKCE required for Xero integration with native iOS apps?

PKCE is used because native mobile apps cannot safely store a client secret. It protects the OAuth flow by using a code_verifier and code_challenge during authorization and token exchange.

What should I check if Xero OAuth token exchange fails?

Check whether the authorization code is expired, the redirect_uri matches exactly, the same code_verifier is used, and the request is sent to the correct Xero token endpoint.

Can I use localhost as a redirect URI in Xero OAuth?

Yes, Xero allows localhost as an exception. However, for production iOS apps, you should use a valid HTTPS redirect URI.

How do I redirect users back to an iOS app after Xero login?

Use an HTTPS callback URL in Xero. After Xero redirects to that page with the authorization code, use JavaScript or app linking logic to open the iOS app with the code parameter.

What is the best way to debug Xero OAuth redirect issues?

Start by comparing the redirect URI in three places: Xero Developer Portal, authorization URL, and token request. Then check scopes, client ID, PKCE verifier, and iOS URL scheme settings.

Article by

Chintan Prajapati

Chintan Prajapati is the Founder and CEO of Satva Solutions and a seasoned computer engineer with over two decades of experience in the software industry. His expertise spans Accounting & ERP Integrations, Robotic Process Automation, and the development of technology solutions built around leading ERP and accounting platforms with a particular focus on responsible AI and machine learning in fintech.Chintan holds a BE in Computer Engineering and carries an impressive roster of certifications, including Microsoft Certified Professional, Microsoft Certified Technology Specialist, Certified Azure Solution Developer, Certified Intuit Developer, Certified QuickBooks ProAdvisor, and Xero Developer.Over the course of his career, he has made a measurable impact on the accounting industry consulting on and delivering integration and automation solutions that have collectively saved thousands of man-hours. His writing aims to offer readers practical, insight-driven advice on harnessing technology to unlock greater business efficiency.When he steps away from the desk, Chintan can be found trekking through mountain trails or watching birds in the wild. Grounded in the philosophy of delivering the highest value to clients, he continues to champion innovation and excellence in digital transformation from his home base in Ahmedabad, India.