Xero Practice Manager (XPM) API: Approval Process, Challenges & Solutions

April 23, 2026 4 min read
API access workflow with security review, approval process, and pricing tier setup for secure integration and data access

Xero Practice Manager (XPM) API Integration Guide

Integration with Xero Practice Manager (XPM) is not a typical API implementation.

While it uses the same OAuth model as Xero Accounting APIs, scope access is restricted and controlled through an approval-driven process.

This creates a gap between what developers expect and what actually happens.

This guide documents the actual process, key constraints, and the impact on development, with a focus on the real blocker: access and communication.

What Developers Expect from Xero Practice Manager API

Expected XPM API integration flow showing create Xero app, implement OAuth 2.0, add scopes, and start building process

Most developers start with this mindset:

  1. Create a Xero app
  2. Implement OAuth 2.0
  3. Add required scopes: practicemanager.client, practicemanager.contact
  4. Start building APIs
This works perfectly for Xero Accounting APIs. But not for XPM.

Reality Check: XPM APIs are not openly accessible. Even after a successful OAuth setup and scope configuration, you will NOT get access immediately. Access is gated behind manual approval, security validation, and commercial requirements.

Actual XPM API access process showing OAuth setup, scope request issues, approval delay, security assessment, and access granted

1. How Xero Practice Manager API Scope Access Actually Works

Requesting scopes such as practicemanager.client.read does not grant access. You must submit the Xero Practice Manager API Access Form as the initial step.

After submission:

  • Your request is acknowledged.
  • You are redirected into a formal approval pipeline.
  • Development effectively pauses until approval is granted.
Even for an internal app, Xero confirms that this is the required process, and access is not granted without completing all steps.

2. Security Requirements for Xero Practice Manager API Access

This is the biggest and most underestimated requirement. To access XPM APIs, you must complete the Xero API Consumer Annual Security Assessment.

This includes approximately 21 detailed questions provided by Xero (see XPM Access Security Assessment Sample Document), covering:

  • Multi-Factor Authentication (MFA)
  • Secure token storage (encrypted at rest)
  • Secure coding and infrastructure practices

Important: Even for internal tools or proof-of-concept projects, this step is mandatory. There are no exemptions.

These requirements align with modern secure API integration practices, especially when dealing with financial and client-sensitive data.

3. Pricing Requirements for Xero Practice Manager API

Access to XPM APIs is limited to apps on the Advanced tier or higher. You can read more about this in the Xero Developer FAQs on pricing and policy updates.
This is a non-technical blocker that can delay projects if not planned early.

In many cases, businesses already investing in ERP to accounting integration solutions should factor in these additional API access costs during planning.

4. Step-by-Step Process to Access Xero Practice Manager API

Here is the real-world process you must follow:

  1. Create Xero app
  2. Implement OAuth 2.0
  3. Connect to a Xero organization (demo org allowed)
  4. Build working API calls.
  5. Submit the XPM access request form.
  6. Wait for the review response.
  7. Complete security assessment
  8. Address feedback (if any)
  9. Get approval
  10. XPM scopes enabled
  11. Start actual API integration development.
End to end XPM API integration process with OAuth setup, request access, security review, approval, and API endpoint access

5. How Long Does Xero Practice Manager API Approval Take?

After submission:

  • No fixed timeline is provided
  • Responses may take days or weeks.
  • Follow-ups are required
This introduces uncertainty in delivery planning.

How Xero Practice Manager API Impacts Development

Development Limitations Without API Access

You cannot fully test unless you have scope approval for:
  • Clients API
  • Contacts API

Blocked API Calls

APIs may fail or return empty/unauthorized responses until scopes are approved.

Timeline Risks Due to Approval Delays

External dependency on Xero approval creates unpredictable delivery dates.

Key Insights Before Starting XPM API Integration

XPM is not only an API. It is:

  • A controlled ecosystem
  • With compliance requirements
  • And approval-driven access

Think of it as: A partner integration, not a plug-and-play API. Plan your timelines and architecture accordingly.

What I Would Do Differently for XPM API Integration

If starting again:

  • Apply for XPM access on Day 1
  • Prepare security readiness in parallel.
  • Avoid committing to fixed timelines early.
  • Build a mock-driven architecture while awaiting scope approval.
XPM integration is less about coding and more about process navigation. If you are working on XPM integration and facing similar blockers, you are not alone this process is not obvious until you go through it.

This is where a structured integration consulting approach can significantly reduce delays and rework.

Final Thoughts on Xero Practice Manager API Integration

Once you complete the required process, including approval and security checks, XPM scopes are enabled. After that, integration works as expected. The key is to follow the process early to avert delays.

Xero Practice Manager API FAQs

Is XPM API access the same as Xero Accounting API access?
No. While both use the same OAuth 2.0 model, XPM APIs require a separate approval process, including a security assessment and formal scope request. Xero Accounting API scopes are available immediately after app creation.
How long does the XPM approval process take?
There is no fixed timeline. Responses can take days to weeks. It is recommended to apply on Day 1 of your project and build mock-driven architecture while waiting.
Can I bypass the security assessment for a proof of concept?
No. Xero requires a security assessment even for internal tools and proof-of-concept projects. There are no exemptions to this requirement.
What pricing tier is required for XPM API access?
XPM API access is limited to apps on the Advanced tier or higher. Check Xero’s developer FAQ for current pricing and policy details.



Chintan Prajapati
Article by

Chintan Prajapati

Chintan Prajapati, a seasoned computer engineer with over 20 years in the software industry, is the Founder and CEO of Satva Solutions. His expertise lies in Accounting & ERP Integrations, RPA, and developing technology solutions around leading ERP and accounting software, focusing on using Responsible AI and ML in fintech solutions. Chintan holds a BE in Computer Engineering and is a Microsoft Certified Professional, Microsoft Certified Technology Specialist, Certified Azure Solution Developer, Certified Intuit Developer, Certified QuickBooks ProAdvisor and Xero Developer.Throughout his career, Chintan has significantly impacted the accounting industry by consulting and delivering integrations and automation solutions that have saved thousands of man-hours. He aims to provide readers with insightful, practical advice on leveraging technology for business efficiency.Outside of his professional work, Chintan enjoys trekking and bird-watching. Guided by the philosophy, "Deliver the highest value to clients". Chintan continues to drive innovation and excellence in digital transformation strategies from his base in Ahmedabad, India.