Changes to Xero Accounting API Scopes

Xero have recently introduced a change to the authentication scopes for new Xero OAuth Apps that were created on or after March 2, 2026. They are replacing the previous broad scopes with more granular scopes to give you more control and security.

We have released an updated version of fmAccounting Link (Xero Edition) - v2.35 - that supports apps with the new granular scopes and includes the changes outlined below.

If you are using fmAccounting Link (Xero Edition) v2.32 or earlier and trying to authenticate with an OAuth App created on or after March 2, 2026, you will likely encounter this error:

To resolve this you will need to change the $url variable in the script Xero Authentication - OAuth 2.0 Start to use the following calculation:

fmAccounting Link (Xero Edition) Single Organisation.fmp12 file

"https://login.xero.com/identity/connect/authorize?response_type=code&client_id=" & Interface::ClientID & "&redirect_uri=" & Interface::RedirectURI & "&scope=accounting.invoices accounting.payments accounting.banktransactions accounting.manualjournals accounting.reports.executivesummary.read accounting.reports.trialbalance.read accounting.settings accounting.contacts accounting.attachments payroll.employees payroll.timesheets payroll.settings offline_access&state=" & Get ( PersistentID )

fmAccounting Link (Xero Edition) Multiple Organisations.fmp12 file

"https://login.xero.com/identity/connect/authorize?response_type=code&client_id=" & Organisations::ClientID & "&redirect_uri=" & Organisations::RedirectURI & "&scope=accounting.invoices accounting.payments accounting.banktransactions accounting.manualjournals accounting.reports.executivesummary.read accounting.reports.trialbalance.read accounting.settings accounting.contacts accounting.attachments payroll.employees payroll.timesheets payroll.settings offline_access&state=" & Get ( PersistentID )

This will then allow you to successfully authenticate with your Xero OAuth App. Existing apps created before 2 March 2026 will be assigned the new granular scopes by the end of April 2026 and will have until September 2027 to switch over the scopes they’re using.

After you have updated the granular scopes in your fmAccounting Link file make sure you Authenticate with the Xero API again to get a new Access Token for the new granular scopes.
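The following is an added example, not code from the fmAccounting Link file or from Xero: it builds the same authorize URL in Python with the granular scope list from the calculations above and checks an existing URL for missing scopes, so you can confirm a file has been switched over before re-authenticating. The client ID and redirect URI are constructed placeholders.

```python
"""Build and check a Xero OAuth 2.0 authorize URL using the granular scopes."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://login.xero.com/identity/connect/authorize"

# Granular scopes requested by fmAccounting Link v2.35 (taken from the article).
GRANULAR_SCOPES = [
    "accounting.invoices", "accounting.payments", "accounting.banktransactions",
    "accounting.manualjournals", "accounting.reports.executivesummary.read",
    "accounting.reports.trialbalance.read", "accounting.settings",
    "accounting.contacts", "accounting.attachments", "payroll.employees",
    "payroll.timesheets", "payroll.settings", "offline_access",
]


def build_authorize_url(client_id, redirect_uri, scopes=GRANULAR_SCOPES, state=None):
    """Return the authorize URL with scopes space-separated and URL-encoded.

    'state' defaults to an unguessable value, as OAuth 2.0 recommends for
    tying the callback to the session that started the flow.
    """
    state = state or secrets.token_urlsafe(24)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def check_scopes(url, required=GRANULAR_SCOPES):
    """Parse an authorize URL and compare its scope list with the granular set.

    Reports required scopes that are missing, scopes requested outside the set
    (for example accounting.journals.read, which is no longer included by
    default), and whether offline_access is present so a refresh token is issued.
    """
    params = parse_qs(urlparse(url).query)
    requested = set(params.get("scope", [""])[0].split())
    return {
        "missing": sorted(set(required) - requested),
        "extra": sorted(requested - set(required)),
        "has_offline_access": "offline_access" in requested,
    }


if __name__ == "__main__":
    # Constructed placeholder credentials, not real Xero app values.
    demo = build_authorize_url("PLACEHOLDER_CLIENT_ID", "https://example.invalid/callback")
    print(demo)
    print(check_scopes(demo))
```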

Xero have also made an update related to Authorisation on 29 June 2026. Xero are aligning authorisation on several endpoints with the roles and permissions described on Xero Central. No code changes are required. However, if a connection was authorised by a user without the required permissions, affected calls will fail with an authorisation error, and that user will need their roles and permissions updated within Xero. For example, the BankAccountAdmin permission will be required for any calls that create or update contact bank account details, whether via the Contacts endpoint or through document endpoints such as Invoices and CreditNotes. You can read more about this change on the Xero Developer site here.

N.B. the new scopes do not include the accounting.journals.read scope by default anymore. Access to the Journals API requires a Xero security assessment (initial and annual) and use case approval, and is only available starting at the more expensive Advanced tier. Most fmAccounting Link customers will be on the Starter tier which is free but does not include access to the Journals API endpoint.

You can get more information about the changes to the Xero Accounting API Scopes here:
