Xeroom uses the Xero API to make calls into Xero from WooCommerce using OAuth 2.0, the industry-standard protocol for authorisation. OAuth 2.0 uses a very secure protocol called Transport Layer Security (TLS). TLS is the cryptographic protocol that provides end-to-end communications security over networks and is widely used for internet communications and online transactions. It is a standard intended to prevent eavesdropping, tampering and message forgery. Common applications that employ TLS include web browsers, instant messaging, email and VoIP. TLS 1.1 is used by most browsers; TLS 1.2 is a stronger protocol now enforced for card transactions, and we also use it for Xeroom.
The secure pipeline for the messages is set up using a Client ID and a Client Secret, known together as credentials, both of which are cryptographically generated by Xero in the App:
- The Client ID is a public identifier for apps. Even though it’s public, it is best that it isn’t guessable by third parties.
- The Client Secret is a secret known only to the application and the authorisation server. It is hidden by Xero once saved and so is no longer viewable, but it can be deleted and a new one created.
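How a client can present these two credentials while refusing anything older than TLS 1.2 is sketched below. This is an added example, not Xeroom's or Xero's code. Assumptions: the token URL is a placeholder, the authorisation-code grant is used, and all function names are hypothetical.

```python
import base64
import ssl
import urllib.parse
import urllib.request

# Hypothetical placeholder endpoint; take the real one from the provider's documentation.
TOKEN_URL = "https://auth.example.invalid/connect/token"


def tls12_context():
    """Client context that verifies the server certificate and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks are on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def basic_credentials(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-encode each value, join with ':', then base64."""
    pair = ":".join(urllib.parse.quote_plus(v, safe="") for v in (client_id, client_secret))
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret, code, redirect_uri, token_url=TOKEN_URL):
    """Build (but do not send) the token request; the secret travels only in the header."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("refusing to send client credentials over a non-TLS URL")
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",  # assumed grant type
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    req = urllib.request.Request(token_url, data=body, method="POST")
    req.add_header("Authorization", basic_credentials(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def send(req):
    """Send over the TLS 1.2+ context; a server offering only older versions fails the handshake."""
    with urllib.request.urlopen(req, context=tls12_context(), timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    r = build_token_request("SAMPLE_CLIENT_ID", "s3cr3t/+=", "SAMPLE_CODE", "https://shop.example.invalid/cb")
    print(r.full_url, len(r.data), "body bytes; secret in body:", b"s3cr3t" in r.data)
```

In a deployment the Client Secret would be read from a secret store or environment variable at run time, never written into source or logs.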