What to know about storing users API certificate (pem file)

My side project that I talked about can no longer use auth. This is because the app runs mostly in the background as jobs. I could go with Xero’s partner application but the session may not be long enough so a private application is best. The app uses three stages for authentication with the API: Consumer Key, Secret Key and the Certificate the customer has generated in their terminal/shell.

Things have changed:

I use Rails MessageEncryptor to decrypt/encrypt both keys and upload the cert to my local server. That’s how I can have a user connect to their Xero account through the API. Based on that, what security should I have in place? I know nothing is safe but what’s the best practice and best way forward?

The short answer: don’t do this. It’ll be a headache for you to secure it and it’ll be off-putting to your users to have to enter these details. I’d run a mile from any app that required my username/password for another service, let alone a private key. It’s asking too much for the user to give your app this much trust, IMO.

Looking at the Xero link you posted, it has this line:

Partner applications use the same 3-legged authorization process as public applications, but the 30-minute access tokens can be renewed. Access tokens can be renewed without further user authorization. This process of token renewal can occur indefinitely, while the partner application is in active use.

Does that not work for you? Can’t you regenerate the access token in the background every 30 minutes?


Somehow my eyes missed that. Ok. So I could regenerate without the user intervention? The aim is once the user authenticates, that auth lasts months or a year. I’ll see what xero says.

Yeah, looks like it – pretty much made for your use case! Maybe once your user signs in, just start a recurring task which grabs a new auth token for that user until their session ends.
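To make the "recurring task" concrete, here is an added example (not code from the thread or from Xero) of the per-user renewal logic such a job would call: it tracks the 30-minute token lifetime, renews a few minutes early, and stops cleanly when Xero refuses the renewal (the user revoked access or their session ended) so the app never needs to hold the user's private key. The renewal request itself is injected as a callable and is a stand-in, as is the 5-minute margin.

```ruby
require 'time'

# Added example: keep one user's Xero access token fresh by renewing it
# before its 30-minute lifetime ends. Only the short-lived token is kept;
# the user's private key never enters the app.
class TokenRenewal
  TOKEN_LIFETIME = 30 * 60 # Xero access tokens last 30 minutes
  RENEW_MARGIN   = 5 * 60  # assumption: renew 5 minutes early for skew/latency

  attr_reader :token, :expires_at, :active

  # renew_call: hypothetical stand-in for the Partner-application renewal
  # request; takes the current token, returns a new one, or raises when
  # Xero refuses (access revoked, session ended).
  def initialize(token, issued_at:, renew_call:)
    @token      = token
    @expires_at = issued_at + TOKEN_LIFETIME
    @renew_call = renew_call
    @active     = true
  end

  # True once the token is inside the renewal window.
  def due?(now)
    @active && now >= @expires_at - RENEW_MARGIN
  end

  # Called by the recurring job on every tick.
  # Returns :renewed, :not_due, or :ended (stop scheduling this user).
  def tick(now = Time.now)
    return :ended   unless @active
    return :not_due unless due?(now)

    @token      = @renew_call.call(@token)
    @expires_at = now + TOKEN_LIFETIME
    :renewed
  rescue StandardError
    # Renewal refused: drop the token and stop; the user must re-authorise
    # through Xero rather than the app retrying forever.
    @active = false
    @token  = nil
    :ended
  end
end
```

Persist `token` and `expires_at` per user (encrypted at rest) and have the job call `tick` every few minutes, removing the user from the schedule when it returns `:ended`.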

Thanks for that. I’ll see what I can cook up.

From the xero website:

Renewing can only be done with the Partner Application. For public, the user has to do it. This means I have to sign up to become a partner. Guess I have to wait now (sigh). But for testing, the public app will do (30-min token). I’ll confirm in a few days.

No more keys. Connect with xero to authenticate…done :wink:


Nice! Hopefully your users will appreciate the change!
