Playing about on Xero's demo accounts at the moment, and I'm trying to subscribe to the Invoice Update webhooks. Xero does not offer a way to provide an X-WORKFLOW-API-KEY so I've had to set the workflow trigger to public, but now the next hurdle is Xero's intent-to-receive workflow.
Unlike a few other people, I've actually managed to set up OAuth 2.0 without a custom resource. Do I now need to essentially recreate a custom authentication call as the first step of the workflow in order to pass and return the intent-to-receive? Has anyone else achieved this?
If anyone else wants a go, you can set up a Xero demo account here - Xero Central
You don’t need to rebuild your OAuth flow for the “intent-to-receive” step. Xero just wants to verify that your webhook endpoint can accept and validate requests.
Here’s what you need to do:
Accept the POST request from Xero exactly as it’s sent (raw body, no parsing).
Take the raw body + your webhook key, generate an HMAC-SHA256 hash, then Base64 encode it.
Compare that value to the X-Xero-Signature header.
If they match, return HTTP 200 with an empty body.
If they don’t, return HTTP 401.
Once Xero gets a few successful 200 responses, the webhook status will change to OK and you can start receiving real events. No extra custom authentication call is needed.
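The check described in the answer above, as an added example that is not part of the original post and is not Xero's code. The key, the sample payload and the function names are constructed for illustration; it also shows why the raw body matters, since a parsed and re-serialised body no longer verifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions); a real webhook key is issued by Xero.
WEBHOOK_KEY = "constructed-demo-webhook-key"
SAMPLE_BODY = b'{"events":[],"entropy":"CONSTRUCTED-SAMPLE"}'


def compute_signature(raw_body: bytes, webhook_key: str) -> str:
    """Base64 of HMAC-SHA256 over the raw request bytes, keyed with the webhook key."""
    digest = hmac.new(webhook_key.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_webhook(raw_body: bytes, headers: dict, webhook_key: str) -> tuple:
    """Return (status, body): 200 with an empty body on a match, otherwise 401."""
    # Header names are case-insensitive, so normalise them before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-xero-signature", "")
    expected = compute_signature(raw_body, webhook_key)
    # compare_digest is constant-time, so response timing does not reveal
    # how many leading characters of a guessed signature were correct.
    if hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8")):
        return 200, b""
    return 401, b""


def demo() -> dict:
    """Run the handler over the constructed request in four situations."""
    signature = compute_signature(SAMPLE_BODY, WEBHOOK_KEY)
    signed = {"X-Xero-Signature": signature}
    # Parsing then re-serialising changes whitespace, so the bytes (and the
    # HMAC) differ from what the sender signed.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    return {
        "raw_body": handle_webhook(SAMPLE_BODY, signed, WEBHOOK_KEY)[0],
        "reserialised_body": handle_webhook(reserialised, signed, WEBHOOK_KEY)[0],
        "wrong_key": handle_webhook(SAMPLE_BODY, signed, "some-other-key")[0],
        "missing_header": handle_webhook(SAMPLE_BODY, {}, WEBHOOK_KEY)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

Because the trigger is public, this comparison is the only thing authenticating the caller, so it should run before any other step of the workflow touches the payload.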