Receive Xero Webhook

POST /api/webhooks/xero/:instanceUuid

Public webhook receiver for Xero events. No authentication — Xero calls this endpoint directly.

Signature verification: The x-xero-signature header must contain a valid HMAC-SHA256 signature of the raw request body, computed with the instance's stored signing key (or the previous key during the rotation grace period).

Rate limit: 120 requests per minute.

Behavior:

  • Returns 200 OK if the signature is valid (even for malformed payloads — Xero uses this for Intent-to-Receive validation)
  • Returns 401 Unauthorized if the signature is invalid, the instance is not found, webhooks are disabled, or there is no signing key
  • Events are persisted as XeroWebhookEvent records and dispatched for async processing
  • If the integration is inactive, events are recorded as 'ignored' but 200 is returned to prevent Xero from disabling the webhook
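
The verification and response rules above can be sketched as follows. This is an added example, not this API's own code: the function names, the `instance` dictionary fields and the disposition strings are hypothetical, the signature is assumed to be the base64-encoded HMAC digest, and the previous key is assumed to be cleared when the grace period ends.

```python
import base64
import hashlib
import hmac
import json


def sign(key, raw_body):
    """Base64 HMAC-SHA256 of the raw bytes (base64 encoding is an assumption)."""
    mac = hmac.new(key.encode(), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def signature_matches(raw_body, header, keys):
    """True if the header matches the body's HMAC under any non-empty key."""
    if not header:
        return False
    ok = False
    for key in filter(None, keys):
        # Constant-time compare; no early exit, so every key is always checked.
        ok |= hmac.compare_digest(sign(key, raw_body).encode(), header.encode())
    return ok


def receive(instance, raw_body, header):
    """Return (status, disposition) following the behaviour list above."""
    if instance is None or not instance.get("webhooks_enabled"):
        return 401, "rejected"
    if not instance.get("signing_key"):
        return 401, "rejected"
    # previous_signing_key is assumed to be cleared once the grace period ends.
    keys = [instance["signing_key"], instance.get("previous_signing_key")]
    if not signature_matches(raw_body, header, keys):
        return 401, "rejected"
    # Parse only after the signature over the unparsed bytes has been verified.
    try:
        count = len(json.loads(raw_body).get("events", []))
    except (ValueError, AttributeError, TypeError):
        return 200, "validated-only"  # malformed payload, valid signature
    if not instance.get("integration_active"):
        return 200, "ignored"
    return 200, "queued:%d" % count


# Constructed sample instance and body, not real Xero data.
INSTANCE = {"webhooks_enabled": True, "integration_active": True,
            "signing_key": "constructed-current-key",
            "previous_signing_key": "constructed-previous-key"}
BODY = b'{"events": [{"eventType": "UPDATE"}]}'
```

The HMAC must be computed over the bytes exactly as received; re-serialising parsed JSON before hashing changes whitespace or key order and makes valid requests fail verification.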

Request

Responses

Successful response