xero-mcp-server
Provides tools for interacting with the Xero accounting API, enabling AI agents to manage invoices, contacts, accounts, and payments within a Xero organization.
Xero MCP Server
A production-ready Model Context Protocol server for the Xero Accounting API.
This template lets Claude Desktop, Cursor, Windsurf, and other MCP-compatible clients read and write accounting data through controlled Xero tools.
Built as a starter template for teams that want a secure baseline before adding company-specific accounting workflows.
Who this is for
This repository is useful for:
developers building AI accounting assistants,
finance teams experimenting with MCP workflows,
SaaS teams connecting Xero to internal AI agents,
platform engineers who need a clean TypeScript MCP server example,
agencies building custom Xero automations for clients.
Features
TypeScript + Express MCP server
Xero OAuth 2.0 authorization flow
Refresh-token support
API key protection for /mcp
Rate limiting for MCP requests
Health endpoint at /health
Structured Pino logging
Zod-based environment validation
MCP tools for invoices, contacts, accounts, and payments
Jest test setup with Supertest
GitHub Actions CI workflow
Architecture
flowchart LR
A[Claude / Cursor / MCP Client] -->|POST /mcp| B[Express MCP Server]
B --> C[API Key Guard]
C --> D[Rate Limit Middleware]
D --> E[MCP Tools]
E --> F[Xero Client]
F -->|OAuth Bearer Token| G[Xero Accounting API]
H[Browser] -->|GET /auth/xero| I[Xero OAuth]
I --> J[Token Store]
J --> F
K[MCPForge Verify] --> B
See the larger diagram in docs/architecture.md.
Available MCP tools
Tool | Purpose |
| List invoices with optional status, contact, and page filters. |
| Create a draft or authorised sales invoice / bill. |
| Search and list customers or suppliers. |
| Fetch a chart-of-accounts entry by code or UUID. |
| List accounts filtered by type and status. |
| Record a payment against an authorised invoice. |
Quick start
1. Install dependencies
npm ci
2. Configure environment
cp .env.example .env
Edit .env:
PORT=3000
NODE_ENV=development
LOG_LEVEL=info
SERVER_BASE_URL=http://localhost:3000
MCP_API_KEY=replace-with-a-long-random-secret
XERO_CLIENT_ID=your-xero-client-id
XERO_CLIENT_SECRET=your-xero-client-secret
XERO_REDIRECT_URI=http://localhost:3000/auth/xero/callback
XERO_SCOPES="openid profile email accounting.transactions accounting.contacts accounting.settings offline_access"
RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX=100
3. Run locally
npm run dev
4. Authorize Xero
Open this URL in your browser:
http://localhost:3000/auth/xero
After successful authorization, check status:
curl http://localhost:3000/auth/status
5. Check health
curl http://localhost:3000/health
Xero OAuth setup
In the Xero Developer Portal:
Create a new app.
Add this redirect URI:
http://localhost:3000/auth/xero/callback
Copy the client ID and client secret into .env.
Make sure your app has access to the scopes used by this server:
openid profile email accounting.transactions accounting.contacts accounting.settings offline_access
For production, set XERO_REDIRECT_URI to your deployed callback URL, for example:
https://your-domain.com/auth/xero/callback
Connect to Claude Desktop
Build the server first:
npm run build
Then add an MCP server entry in your Claude Desktop configuration.
Example for a local HTTP MCP endpoint:
{
  "mcpServers": {
    "xero": {
      "url": "http://localhost:3000/mcp",
      "headers": {
        "X-API-Key": "replace-with-your-mcp-api-key"
      }
    }
  }
}
Restart Claude Desktop after editing the configuration.
Connect to Cursor
In Cursor, add a new MCP server using the HTTP endpoint:
{
  "name": "xero",
  "url": "http://localhost:3000/mcp",
  "headers": {
    "X-API-Key": "replace-with-your-mcp-api-key"
  }
}
Then restart Cursor or reload the MCP server list.
Security notes
This template is intentionally safer than a minimal demo, but you should still harden it before production use.
Recommended production changes:
Replace the in-memory token store in src/auth.ts with Redis, Postgres, or another encrypted durable store.
Store secrets in a managed secret manager, not in plain .env files.
Rotate MCP_API_KEY regularly.
Add per-user or per-tenant authorization if multiple users will access the server.
Restrict write tools such as xero_create_invoice and xero_create_payment behind approvals.
Add audit logs for every tool call.
Use HTTPS in production.
Review scopes and remove anything your use case does not need.
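One way to put write tools behind approvals and record every tool call, as recommended above. This is an added example, not code from this repository: `ToolGate`, `callDigest` and `canonical` are hypothetical names, and the caller supplies the list of read-only tool names.

```typescript
// Added example: approval gate plus audit trail for MCP tool calls.
import { createHash } from "node:crypto";

interface AuditRecord {
  ts: string; caller: string; tool: string; argsSha256: string; allowed: boolean; reason: string;
}

// Serialise with sorted keys so the same arguments always hash the same way.
function canonical(v: unknown): string {
  if (Array.isArray(v)) return `[${v.map(canonical).join(",")}]`;
  if (v !== null && typeof v === "object") {
    const o = v as Record<string, unknown>;
    const body = Object.keys(o).sort().map((k) => `${JSON.stringify(k)}:${canonical(o[k])}`);
    return `{${body.join(",")}}`;
  }
  return String(JSON.stringify(v));
}

function callDigest(tool: string, args: unknown): string {
  return createHash("sha256").update(`${tool}\n${canonical(args)}`).digest("hex");
}

class ToolGate {
  readonly audit: AuditRecord[] = [];
  private readonly readTools: Set<string>;
  private readonly approved = new Set<string>();

  // Anything not listed as a read tool needs approval (fail closed).
  constructor(readTools: string[]) { this.readTools = new Set(readTools); }

  // A reviewer approves one exact call: this tool with these arguments.
  approve(tool: string, args: unknown): void { this.approved.add(callDigest(tool, args)); }

  // Decide whether the call may run, and record the decision either way.
  check(caller: string, tool: string, args: unknown): boolean {
    const digest = callDigest(tool, args);
    let allowed = true;
    let reason = "read tool";
    if (!this.readTools.has(tool)) {
      allowed = this.approved.delete(digest); // an approval is single-use
      reason = allowed ? "approved" : "approval required";
    }
    // Log a digest, not the arguments, to keep accounting data out of logs.
    this.audit.push({ ts: new Date().toISOString(), caller, tool, argsSha256: digest, allowed, reason });
    return allowed;
  }
}
```

Because the approval is bound to a digest of the tool name and arguments, approving one invoice does not authorise a different amount, contact, or a payment.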
Security Review
You can verify this MCP server with MCPForge:
https://www.mcpforge.tech/verify
MCPForge can help review:
exposed tools,
authentication behavior,
health checks,
compatibility with MCP clients,
risk level of write operations,
security posture before publishing or deployment.
After verification, you can link your public report from this README:
[](https://www.mcpforge.tech/verified/xero-mcp)
Full MCPForge guide:
https://www.mcpforge.tech/blog/xero-mcp-server
Deployment
A common production setup:
Deploy this service to Railway, Render, Fly.io, AWS, GCP, Azure, or a private Kubernetes cluster.
Configure environment variables in the hosting provider.
Set SERVER_BASE_URL to your public HTTPS URL.
Set XERO_REDIRECT_URI to https://your-domain.com/auth/xero/callback.
Add the same callback URL in the Xero Developer Portal.
Run the OAuth flow once to connect the Xero tenant.
Verify /health and /mcp before connecting production AI clients.
Run a public or private verification with MCPForge.
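A production preflight over the .env keys this README lists, covering the HTTPS, callback URL, placeholder and scope points above. This is an added example and not the repository's Zod schema: `preflight` and `parseUrl` are hypothetical names, and the 32-character key floor and the rule that the callback shares SERVER_BASE_URL's origin are assumed policies.

```typescript
// Added example: production preflight over the .env keys listed in this README.
type Env = Record<string, string | undefined>;

function parseUrl(value: string | undefined): URL | null {
  try { return new URL(value ?? ""); } catch { return null; }
}

// Returns a list of problems; an empty list means the checks passed.
// neededScopes is what this deployment actually uses (supplied by the operator).
function preflight(env: Env, neededScopes: string[]): string[] {
  const problems: string[] = [];

  // Reject the README placeholders; the 32-character floor is an assumed policy.
  const key = env["MCP_API_KEY"] ?? "";
  if (key.startsWith("replace-with") || key.length < 32) {
    problems.push("MCP_API_KEY is a placeholder or shorter than 32 characters");
  }
  if ((env["XERO_CLIENT_SECRET"] ?? "your-xero-client-secret") === "your-xero-client-secret") {
    problems.push("XERO_CLIENT_SECRET is unset or still the placeholder");
  }

  // Both public URLs must be HTTPS, and the callback must sit on the server's origin.
  const base = parseUrl(env["SERVER_BASE_URL"]);
  const redirect = parseUrl(env["XERO_REDIRECT_URI"]);
  if (!base || base.protocol !== "https:") problems.push("SERVER_BASE_URL must be an https URL");
  if (!redirect || redirect.protocol !== "https:") problems.push("XERO_REDIRECT_URI must be an https URL");
  if (base && redirect && (redirect.origin !== base.origin || redirect.pathname !== "/auth/xero/callback")) {
    problems.push("XERO_REDIRECT_URI must be SERVER_BASE_URL + /auth/xero/callback");
  }

  // Flag requested scopes the deployment does not need (least privilege).
  const requested = (env["XERO_SCOPES"] ?? "").split(/\s+/).filter(Boolean);
  for (const scope of requested) {
    if (!neededScopes.includes(scope)) problems.push(`XERO_SCOPES grants unneeded scope: ${scope}`);
  }
  return problems;
}
```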
Local development commands
npm run lint
npm run typecheck
npm test
npm run build
API endpoints
Method | Path | Description |
|
| Health and Xero connectivity check. |
|
| Start Xero OAuth authorization. |
|
| Xero OAuth callback. |
|
| Current authorization status. |
|
| MCP endpoint protected by |
Repository checklist
Before publishing your fork:
Replace your-org in the CI badge URL.
Replace the MCPForge badge slug if your public slug is not xero-mcp.
Replace the blog link with your final MCPForge article URL.
Add screenshots or a real verification report once available.
Configure production token storage.
Review Xero scopes.
License
MIT — see LICENSE.