Major Security Update for Xero API Could Break Existing Integrations

If you're using the Xero API to share financial data with your other solutions or products, you need to be aware of changes to the Xero API that could result in broken connections.

Xero are working on a plan to update their API security certificates to a more secure version. This is good news, because it's been found that the hash algorithm previously used in signing security certificates (SHA-1) is becoming dangerously weak in the face of ever-increasing computing speeds.

The problem is so bad that many browsers and operating systems are beginning to show warnings and error messages when connecting to sites and services using the old SHA-1 certificates. In fact, Google, Microsoft and Mozilla have all announced they'll be removing support for SHA-1 certificates, meaning people visiting websites using old certificates will see warnings.

However, when Xero attempted to update their API portal to use a new SHA-2 security certificate, they found a large number of API consumers could no longer connect: many of the third-party libraries available for integrating with Xero don't support the relatively new SHA-2.

Xero have opened a community forum thread to help developers migrate their services, and are now planning to make the final switch to SHA-2 certificates by the end of this year.

What does this mean for you?

If your application exchanges data with Xero, you may need to make sure it will still work once Xero make the change. Fortunately, Xero are providing a testing version of their API which will be using the new security certificate. This means developers will be able to easily test whether a system will work with the new security certificate.

Get in touch if you'd like help assessing the compatibility of your connection.
