---
title: "Xero Practice Manager (XPM) API: Approval Process, Challenges & Solutions"
url: "https://satvasolutions.com/blog/xero-practice-manager-api-integration-guide"
date: "2026-04-23T01:29:08-04:00"
modified: "2026-04-23T01:29:08-04:00"
author:
  name: "Chintan Prajapati"
  url: "https://satvasolutions.com"
categories:
  - "Accounting Integration"
tags:
  - "Xero Practice Manager"
  - "Xero Practice Manager API"
word_count: 911
reading_time: "5 min read"
description: "Planning XPM Practice Manager API integration? This guide breaks down approval timelines, required assessments, and how to handle development delays."
keywords: "Xero Practice Manager API, Xero Practice Manager"
language: "en"
schema_type: "Article"
---

# Xero Practice Manager (XPM) API: Approval Process, Challenges & Solutions

_Published: April 23, 2026_  
_Author: Chintan Prajapati_  

![API access workflow with security review, approval process, and pricing tier setup for secure integration and data access](https://satvasolutions.com/wp-content/uploads/2026/04/api-access-workflow-security-review-approval-pricing-tier-integration-768x609.webp)

## Xero Practice Manager (XPM) API Integration Guide

Integration with Xero Practice Manager (XPM) is not a typical API implementation.

While it uses the same OAuth model as Xero Accounting APIs, scope access is restricted and controlled through an approval-driven process.

This creates a gap between what developers expect and what actually happens.

This guide documents the actual process, key constraints, and the impact on development, with a focus on the real blocker: access and communication.

### What Developers Expect from Xero Practice Manager API

![Expected XPM API integration flow showing create Xero app, implement OAuth 2.0, add scopes, and start building process](https://satvasolutions.com/wp-content/uploads/2026/04/xpm-api-integration-flow-xero-app-oauth2-scopes-start-building.webp)

Most developers start with this mindset:

1. Create a Xero app
2. Implement OAuth 2.0
3. Add required scopes: `practicemanager.client`, `practicemanager.contact`
4. Start building APIs

This works perfectly for Xero Accounting APIs. **But not for XPM.**

**Reality Check:** XPM APIs are **not openly accessible**. Even after a successful OAuth setup and scope configuration, you will NOT get access immediately. Access is gated behind manual approval, security validation, and commercial requirements.

![Actual XPM API access process showing OAuth setup, scope request issues, approval delay, security assessment, and access granted](https://satvasolutions.com/wp-content/uploads/2026/04/xpm-api-access-process-oauth-scope-request-approval-delay-security-assessment.webp)

## 1. How Xero Practice Manager API Scope Access Actually Works

Requesting scopes such as `practicemanager.client.read` does not grant access. You must submit the [Xero Practice Manager API Access Form](https://docs.google.com/forms/d/e/1FAIpQLScYgIhdUIblM8uC-pIZcJVXEszl6YUvRPL7GXqUPLoB5KDoyA/viewform) as the initial step.

**After submission:**

- Your request is acknowledged.
- You are redirected into a formal approval pipeline.
- Development effectively pauses until approval is granted.

Even for an internal app, Xero confirms that this is the required process, and access is not granted without completing all steps.

## 2. Security Requirements for Xero Practice Manager API Access

This is the biggest and most underestimated requirement. To access XPM APIs, you must complete the **Xero API Consumer Annual Security Assessment**. This includes approximately 21 detailed questions provided by Xero (see [XPM Access Security Assessment Sample Document](https://assets.ctfassets.net/4ai1kvq7ogob/77nTC5x2zkWyPxZmffxSOg/f8a3a051b785e7317c5d95de1c2ba6d3/XPM_Access_Security_Assessment_Sample_Document.pdf)), covering:

- Multi-Factor Authentication (MFA)
- Secure token storage (encrypted at rest)
- Secure coding and infrastructure practices

**Important:** Even for internal tools or proof-of-concept projects, this step is mandatory. There are no exemptions.

These requirements align with modern secure [API integration](https://satvasolutions.com/api-integration-services) practices, especially when dealing with financial and client-sensitive data.
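As an added example (not from the original post or from Xero), here is one way to meet the "encrypted at rest" item for stored OAuth tokens using Node's built-in `crypto` module. The function names, the record layout and the idea of binding the Xero tenant id as authenticated data are assumptions of this sketch; the 32-byte key is assumed to come from a KMS or secret manager, not from the database that holds the records.

```javascript
const nodeCrypto = require('node:crypto');

// Seal an OAuth token set with AES-256-GCM. The tenant id is bound as
// additional authenticated data (AAD), so a record copied into another
// tenant's row fails authentication instead of decrypting.
function sealTokenSet(key, tenantId, tokenSet) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(tenantId, 'utf8'));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(tokenSet), 'utf8'),
    cipher.final(),
  ]);
  // Stored layout (assumption of this example): iv(12) || tag(16) || ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a sealed record; throws if the key, tenant id or bytes do not match.
function openTokenSet(key, tenantId, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) throw new Error('sealed record too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(tenantId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// True if the record authenticates and decrypts, false otherwise.
function canOpen(key, tenantId, sealed) {
  try {
    openTokenSet(key, tenantId, sealed);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample values, not real tokens or tenant ids.
const demoKey = nodeCrypto.randomBytes(32);
const demoTokens = {
  access_token: 'constructed-access',
  refresh_token: 'constructed-refresh',
  expires_in: 1800,
};
const sealedDemo = sealTokenSet(demoKey, 'tenant-A', demoTokens);
```
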

## 3. Pricing Requirements for Xero Practice Manager API

Access to XPM APIs is limited to apps on the **Advanced tier or higher**. You can read more about this in the [Xero Developer FAQs on pricing and policy updates](https://developer.xero.com/faq/pricing-and-policy-updates). This is a **non-technical blocker** that can delay projects if not planned early. In many cases, businesses already investing in [ERP to accounting integration](https://satvasolutions.com/erp-integrations) solutions should factor in these additional API access costs during planning.

## 4. Step-by-Step Process to Access Xero Practice Manager API

Here is the real-world process you must follow:

1. Create Xero app
2. Implement OAuth 2.0
3. Connect to a Xero organization (demo org allowed)
4. Build working API calls
5. Submit the XPM access request form
6. Wait for the review response
7. Complete security assessment
8. Address feedback (if any)
9. Get approval
10. XPM scopes enabled
11. Start actual API integration development

![End to end XPM API integration process with OAuth setup, request access, security review, approval, and API endpoint access](https://satvasolutions.com/wp-content/uploads/2026/04/xpm-api-end-to-end-integration-process-oauth-approval-api-access.webp)

## 5. How Long Does Xero Practice Manager API Approval Take?

**After submission:**

- No fixed timeline is provided.
- Responses may take days or weeks.
- Follow-ups are required.

This introduces uncertainty in delivery planning.

## How Xero Practice Manager API Impacts Development

### Development Limitations Without API Access

You cannot fully test unless you have scope approval for:

- Clients API
- Contacts API

### Blocked API Calls

APIs may fail or return empty/unauthorized responses until scopes are approved.

### Timeline Risks Due to Approval Delays

External dependency on Xero approval creates unpredictable delivery dates.

## Key Insights Before Starting XPM API Integration

XPM is not only an API. It is:

- A **controlled ecosystem**
- With **compliance requirements**
- And **approval-driven access**

**Think of it as:** A **partner integration**, not a plug-and-play API. Plan your timelines and architecture accordingly.

## What I Would Do Differently for XPM API Integration

If starting again:

- Apply for XPM access on Day 1.
- Prepare security readiness in parallel.
- Avoid committing to fixed timelines early.
- Build a mock-driven architecture while awaiting scope approval.
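A sketch of what a mock-driven architecture can look like while scopes are pending, as an added example that is not from the original post. It assumes the token endpoint reports the granted scopes in the space-delimited `scope` field of the OAuth 2.0 token response (RFC 6749, section 5.1); the class and function names are hypothetical, and the live call is injected so no endpoint URL is assumed.

```javascript
// Scopes this integration needs, using the names that appear in this guide.
const REQUIRED_XPM_SCOPES = ['practicemanager.client', 'practicemanager.contact'];

// Parse the space-delimited `scope` field of a token response into a Set.
function grantedScopes(tokenResponse) {
  const raw = typeof tokenResponse.scope === 'string' ? tokenResponse.scope : '';
  return new Set(raw.split(/\s+/).filter(Boolean));
}

// Required scopes that the authorization server did not grant.
function missingScopes(tokenResponse, required = REQUIRED_XPM_SCOPES) {
  const granted = grantedScopes(tokenResponse);
  return required.filter((scope) => !granted.has(scope));
}

// Hypothetical mock backend: serves fixture data and labels it as such.
class MockXpmClients {
  constructor(fixtures) {
    this.fixtures = fixtures;
  }
  async list() {
    return { source: 'mock', clients: this.fixtures };
  }
}

// Hypothetical live backend: `fetchClients` is supplied by the caller.
class LiveXpmClients {
  constructor(fetchClients) {
    this.fetchClients = fetchClients;
  }
  async list() {
    return { source: 'live', clients: await this.fetchClients() };
  }
}

// Choose the backend from what was actually granted, not what was requested.
// With allowMock false (production), missing scopes fail closed with a clear
// error, so fixture data or an empty result is never mistaken for real data.
function selectClientsBackend(tokenResponse, { fetchClients, fixtures, allowMock }) {
  const missing = missingScopes(tokenResponse);
  if (missing.length === 0) return new LiveXpmClients(fetchClients);
  if (!allowMock) {
    throw new Error(`XPM scopes not granted: ${missing.join(', ')}`);
  }
  return new MockXpmClients(fixtures);
}
```
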

XPM integration is less about coding and more about **process navigation**. If you are working on XPM integration and facing similar blockers, you are not alone: this process is not obvious until you go through it. This is where a [structured integration consulting](https://satvasolutions.com/xero-integration-service) approach can significantly reduce delays and rework.

## Final Thoughts on Xero Practice Manager API Integration

Once you complete the required process, including approval and security checks, XPM scopes are enabled. After that, integration works as expected. The key is to follow the process early to avert delays.

## Xero Practice Manager API FAQs

<dl class="faq-list"><dt class="faq-question">Is XPM API access the same as Xero Accounting API access?</dt><dd class="faq-answer">No. While both use the same OAuth 2.0 model, XPM APIs require a separate approval process, including a security assessment and formal scope request. Xero Accounting API scopes are available immediately after app creation.</dd><dt class="faq-question">How long does the XPM approval process take?</dt><dd class="faq-answer">There is no fixed timeline. Responses can take days to weeks. It is recommended to apply on Day 1 of your project and build mock-driven architecture while waiting.</dd><dt class="faq-question">Can I bypass the security assessment for a proof of concept?</dt><dd class="faq-answer">No. Xero requires a security assessment even for internal tools and proof-of-concept projects. There are no exemptions to this requirement.</dd><dt class="faq-question">What pricing tier is required for XPM API access?</dt><dd class="faq-answer">XPM API access is limited to apps on the Advanced tier or higher. Check Xero’s developer FAQ for current pricing and policy details.</dd></dl>


