Cameo can now piggy-back onto Xero automated bank feeds. Xero is a business accounting service which can now use the UK’s Open Banking initiative to obtain bank statement transactions from any bank that offers them. Cameo can fetch the previous day’s transactions from a Xero account once it has obtained them, so Cameo’s bank accounts are also be kept up-to-date and in sync with Xero.

Set up

In principle, this is the same as the other three existing feed types in Cameo (for PayPal, GoCardless and Stripe): in the Bank accounts section of Organisation settings, select the import feed provider as Xero for the account or accounts serviced by Xero (Fig 1: 1), and provide credentials for access (Fig 2: 2).

Fig 1: adding Xero import to a bank account

However, obtaining the required credentials from Xero is complicated. This is because they have used an authorization method which is intended for interactive logins to the service (where a real person authorises access) and bolted on a way of using that in an automated way. You have to manually authorise the feed once when you set it up using a special app provided for this purpose.

Also, Xero credentials are valid for only sixty days. If the feed is not active for more than 60 days, the manual authorization process has to be repeated. If it is done daily, as intended, it should continue indefinitely.

Credentials required

Five or six items are required for the credentials box. Don’t try to type any of these, always copy and paste.

  • client id: a long random string provided by Xero
  • client secret: another long random string provided by Xero
  • refresh token: a third long random string provided by Xero
  • account id: a fourth long random string provided by Xero, which identifies the bank account to download transactions for
  • earliest date from which to obtain transactions. Most feeds will use an early start date if there isn’t a previous one, but Xero does not allow dates more than a year ago, so this tells Xero when to start, after which feed will be obtained for one day, daily.
  • reconcile pattern (optional), a regular expression which, if it matches the transaction description, will mark the transaction as already reconciled (all outgoing payments are also pre-reconciled).

Obtaining credentials from Xero

Step 1: Create an “Oauth2” app at (Fig 2: 1). Copy the client id (Fig 2: 2) and create and copy the client secret to Cameo’s credentials boxes for these (Fig 2: 3; you won’t be able to see the secret again, so make sure you copy it now). In Xero’s field for URI (Fig 2: 4), put http://localhost:8080/callback. Save.

Fig 2: creating a Xero “OAuth2” app

Step 2: Go to the Xero dashboard and click the link to go to the bank account you want to run the feed for (you can do more than one for different Cameo bank accounts using the same credentials from step 1 and step 5). Copy the account id from the end of the URL in the browser address bar (Fig 3).

Fig 3: obtain the account id from the Xero dashboard

Step 3: On a computer where you have access to a browser, download and unpack a command-line app, xoath, from (Installation section).

Step 4: Open a terminal window and run the app like this (Fig 4):

./xoauth setup xero

and provide the details requested:

  • Authority: the default
  • Client ID: as noted in step 1
  • Grant type: authorization_code
  • Client secret: as noted in step 1
  • Scope: ‘’, Enter, then press d. (Note: there is a similar procedure for publishing Cameo’s reconciled transactions to Xero; for that case put ‘accounting.transactions’ here).
Fig 4: run xoauth

Step 5: run the app again, with different options as follows:

./xoauth connect xero

This will open a browser page asking you to log in to Xero, if you aren’t already, and when you have logged in it will display a page of data. The same data is shown in the terminal window (Fig 5).

Look for the line that looks like this:

"refresh_token": "E4F1E19714B6CDD8530191099FBC09D8C64617CA"

Copy the string of letters and numbers between (not including) the quotes and put this in the Cameo credentials refresh token box. Ignore all the rest.

Administrators can test immediately this in Import Statements in Accounting tasks. Otherwise, it should do the first download early the following day if the details have been entered correctly.