Xero Practice Manager API Integration: Access, Scopes & Approval Guide

April 23, 2026 7 min read
API access workflow with security review, approval process, and pricing tier setup for secure integration and data access

Xero Practice Manager (XPM) API Integration Guide

Integration with Xero Practice Manager (XPM) is not a typical API implementation.

While it uses the same OAuth model as Xero Accounting APIs, scope access is restricted and controlled through an approval-driven process.

This creates a gap between what developers expect and what actually happens.

This guide documents the actual process, key constraints, and the impact on development, with a focus on the real blocker: access and communication.

What Developers Usually Expect from Xero Practice Manager API

Expected XPM API integration flow showing create Xero app, implement OAuth 2.0, add scopes, and start building process

Most developers start with this mindset:

  1. Create a Xero app
  2. Implement OAuth 2.0
  3. Add required scopes: practicemanager.client, practicemanager.contact
  4. Start building APIs
This works perfectly for Xero Accounting APIs. But not for XPM.

Reality Check: XPM APIs are not openly accessible. Even after a successful OAuth setup and scope configuration, you will NOT get access immediately. Access is gated behind manual approval, security validation, and commercial requirements.

Actual XPM API access process showing OAuth setup, scope request issues, approval delay, security assessment, and access granted

Many developers assume that Xero Practice Manager API access works the same way as the standard Xero Accounting API.

That assumption is one of the biggest reasons XPM integration timelines get underestimated.

With Xero Accounting APIs, developers can usually create an app, configure OAuth 2.0, add the required scopes, and begin development. Xero Practice Manager API works differently.

Even after OAuth is configured, XPM-related scopes may not be available until Xero reviews and approves the access request.

AreaXero Accounting APIXero Practice Manager API
OAuth 2.0 setupRequiredRequired
Scope configurationUsually available from the developer appRequires additional approval
Manual access requestUsually not required for standard scopesRequired
Security assessmentDepends on the app and use caseRequired for XPM API access
Development startCan usually begin earlierMay be blocked until approval
Timeline riskLowerHigher because approval is external

This is why Xero Practice Manager API integration should be planned as an approval-led integration, not only a development task.

1. How Xero Practice Manager API Scope Access Actually Works

Requesting scopes such as these practicemanager.client.read does not grant access. You must submit the Xero Practice Manager API Access Form as the initial step.

After submission:

  • Your request is acknowledged.
  • You are redirected to a formal approval pipeline.
  • Development effectively pauses until approval is granted.
Even for an internal app, Xero confirms that this is the required process, and access is not granted without completing all steps.

Common Xero Practice Manager API Scopes You May Need

Before submitting the access request, it is important to identify which XPM scopes your integration actually needs.

Requesting unclear or unnecessary scopes can create extra back-and-forth during approval, while missing required scopes can delay development later.

Common XPM API scope requirements may include:

ScopePurpose
practicemanager.client.readRead client records from Xero Practice Manager
practicemanager.clientCreate or update client-related data, depending on the API use case
practicemanager.contact.readRead contact records linked with clients
practicemanager.contactCreate or update contact-related data, depending on the API use case

For example, if your application only needs to pull client and contact details into another system, read-only scopes may be enough.

But if your application needs to create or update records inside XPM, write-level access may be required.

The best approach is to define the integration use case first, map each feature to the required scope, and then submit the access request with a clear explanation.

2. Security Requirements for Xero Practice Manager API Access

This is the biggest and most underestimated requirement. To access XPM APIs, you must complete the Xero API Consumer Annual Security Assessment.

This includes approximately 21 detailed questions provided by Xero (see XPM Access Security Assessment Sample Document), covering:

  • Multi-Factor Authentication (MFA)
  • Secure token storage (encrypted at rest)
  • Secure coding and infrastructure practices

Important: Even for internal tools or proof of concept projects, this step is mandatory. There are no exemptions.

These requirements align with modern secure API integration practices, especially when dealing with financial and client-sensitive data.

How to Prepare for the XPM API Security Assessment

The security assessment should not be treated as a formality. It can directly affect how quickly your XPM API access request moves forward.

Before submitting your request, prepare answers and supporting details around these areas:

Security areaWhat to prepare
AuthenticationExplain how users log in and how access is controlled
MFAConfirm whether multi-factor authentication is enabled
Token storageDescribe how access tokens and refresh tokens are stored securely
EncryptionExplain whether sensitive data is encrypted at rest and in transit
LoggingShow how API activity, errors, and access events are monitored
Access controlDefine who can access client or contact data inside your system
Data retentionExplain how long XPM data is stored and how it is removed when no longer needed
Infrastructure securityShare how servers, environments, and deployments are protected

For SaaS products and client-facing applications, it is also useful to prepare a short architecture summary.

This helps explain how XPM data moves between systems and how sensitive information is protected.

Preparing these details early can reduce review delays and avoid repeated clarification requests.

3. Xero Practice Manager API Pricing and Tier Requirements

Access to XPM APIs is limited to apps on the Advanced tier or higher. You can read more about this in the Xero Developer FAQs on pricing and policy updates.
This is a non-technical blocker that can delay projects if not planned early.

In many cases, businesses that are already investing in ERP to accounting integration solutions should factor in these additional API access costs during planning.

4. Step-by-Step Process to Access Xero Practice Manager API

Here is the real-world process you must follow:

  1. Create Xero app
  2. Implement OAuth 2.0
  3. Connect to a Xero organization (demo org allowed)
  4. Build working API calls.
  5. Submit the XPM access request form.
  6. Wait for the review response.
  7. Complete security assessment
  8. Address feedback (if any)
  9. Get approval
  10. XPM scopes enabled
  11. Start actual API integration development.
End to end XPM API integration process with OAuth setup, request access, security review, approval, and API endpoint access

Xero Practice Manager API Integration Checklist

Use this checklist before starting XPM API integration:

Checklist itemStatus
Xero developer app createdPending / Done
OAuth 2.0 flow implementedPending / Done
Demo or test organization connectedPending / Done
Required XPM scopes identifiedPending / Done
XPM access request form submittedPending / Done
Security assessment details preparedPending / Done
Advanced tier or higher requirement reviewedPending / Done
Mock API response structure preparedPending / Done
Client communication plan createdPending / Done
Buffer added for approval delaysPending / Done

This checklist is especially useful when the project has a fixed delivery timeline.

Since XPM scope approval is outside the development team’s control, teams should avoid committing to production dates before access is confirmed.

5. How Long Does Xero Practice Manager API Approval Take?

After submission:

  • No fixed timeline is provided
  • Responses may take days or weeks.
  • Follow-ups are required
This introduces uncertainty in delivery planning.

How Xero Practice Manager API Impacts Development

Development Limitations Without API Access

You cannot fully test unless you have scope approval for:
  • Clients API
  • Contacts API

Blocked API Calls

APIs may fail or return empty/unauthorized responses until scopes are approved.

Timeline Risks Due to Approval Delays

External dependency on Xero approval creates unpredictable delivery dates.

What to Do While Waiting for XPM API Approval

XPM approval delays do not mean development has to stop completely.

While waiting for scope access, the development team can still prepare the integration foundation.

Here are practical tasks to complete during the approval period:

TaskWhy it matters
Build the OAuth 2.0 flowKeeps the authentication layer ready
Create mock API responsesAllows frontend and business logic development to continue
Finalize data mappingReduces rework once real API access is available
Prepare error handlingHelps manage unauthorized, empty, or failed API responses
Define retry and logging logicMakes testing easier once access is approved
Document scope assumptionsKeeps clients and internal teams aligned
Prepare test scenariosSpeeds up validation after scopes are enabled

This approach helps reduce idle time and keeps the project moving even when final API access is pending.

Key Insights Before Starting XPM API Integration

XPM is not only an API. It is:

  • A controlled ecosystem
  • With compliance requirements
  • And approval-driven access

Think of it as: A partner integration, not a plug-and-play API. Plan your timelines and architecture accordingly.

What I Would Do Differently for XPM API Integration

If starting again:

  • Apply for XPM access on Day 1
  • Prepare security readiness in parallel.
  • Avoid committing to fixed timelines early.
  • Build a mock-driven architecture while awaiting scope approval.
XPM integration is less about coding and more about process navigation. If you are working on XPM integration and facing similar blockers, you are not alone. This process is not obvious until you go through it.

This is where a structured integration consulting approach can significantly reduce delays and rework.

Final Thoughts on Xero Practice Manager API Integration

Once you complete the required process, including approval and security checks, XPM scopes are enabled. After that, integration works as expected. The key is to follow the process early to avert delays.

Xero Practice Manager API FAQs

Is XPM API access the same as Xero Accounting API access?
No. While both use the same OAuth 2.0 model, XPM APIs require a separate approval process, including a security assessment and formal scope request. Xero Accounting API scopes are available immediately after app creation.
How long does the XPM approval process take?
There is no fixed timeline. Responses can take days to weeks. It is recommended to apply on Day 1 of your project and build mock-driven architecture while waiting.
Can I bypass the security assessment for a proof of concept?
No. Xero requires a security assessment even for internal tools and proof-of-concept projects. There are no exemptions to this requirement.
What pricing tier is required for XPM API access?
XPM API access is limited to apps on the Advanced tier or higher. Check Xero’s developer FAQ for current pricing and policy details.


Chintan Prajapati
Article by

Chintan Prajapati

Chintan Prajapati is the Founder and CEO of Satva Solutions and a seasoned computer engineer with over two decades of experience in the software industry. His expertise spans Accounting & ERP Integrations, Robotic Process Automation, and the development of technology solutions built around leading ERP and accounting platforms with a particular focus on responsible AI and machine learning in fintech.Chintan holds a BE in Computer Engineering and carries an impressive roster of certifications, including Microsoft Certified Professional, Microsoft Certified Technology Specialist, Certified Azure Solution Developer, Certified Intuit Developer, Certified QuickBooks ProAdvisor, and Xero Developer.Over the course of his career, he has made a measurable impact on the accounting industry consulting on and delivering integration and automation solutions that have collectively saved thousands of man-hours. His writing aims to offer readers practical, insight-driven advice on harnessing technology to unlock greater business efficiency.When he steps away from the desk, Chintan can be found trekking through mountain trails or watching birds in the wild. Grounded in the philosophy of delivering the highest value to clients, he continues to champion innovation and excellence in digital transformation from his home base in Ahmedabad, India.