Xero Error Guide
How to Fix Xero Error 401 Unauthorized
Xero has stopped working and is showing one of these messages:
"AuthenticationUnsuccessful: Status 401 — Unauthorized"
"401 Unauthorized — Invalid token"
"Xero connection broken — unauthorized_client"
Error 401 means Xero received a request but could not authenticate it — the login session has expired or a connected app's access token is no longer valid. At QuickFix Bookkeeping, the fix depends on where the 401 is appearing: inside Xero itself, or in a connected app.
The QuickFix Bookkeeping Distinction
Xero 401 appears in two completely different scenarios — and the fix is different for each. Most guides only cover one.
Scenario A — Inside Xero
You see 401 when trying to log in or access a Xero page in your browser.
Cause: your Xero session token has expired or become corrupted. Fix: log out completely, clear Xero cookies, log back in.
Scenario B — In a Connected App
A connected app (e-commerce, payroll, CRM, Zapier) shows 401 — Xero sync has stopped.
Cause: the app's OAuth access token expired or was revoked. Fix: disconnect and reconnect the Xero integration in the app's settings.
How Xero authentication works: Xero uses OAuth 2.0 — when you or an app connects to Xero, Xero issues two tokens: an access token (valid for 30 minutes) and a refresh token (valid for 60 days). The connected app uses the refresh token to get new access tokens automatically. If the refresh token expires (no activity for 60 days), or is revoked (you disconnected the app, changed your password, or the app developer rotated credentials), the app cannot get a new access token and every request returns 401. The fix is always to re-authorise — start a fresh OAuth flow.
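The token lifecycle described above, as an added example (not code from Xero or from this guide's author). It models when an app can call the API, when it must refresh, and when only re-authorisation clears the 401. The Connection record, the function names, the sample apps and the 7-day warning margin are assumptions; the 30-minute and 60-day lifetimes are the ones stated in this guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACCESS_TTL = timedelta(minutes=30)   # access token lifetime given in this guide
REFRESH_TTL = timedelta(days=60)     # refresh token inactivity limit given in this guide

@dataclass
class Connection:                    # hypothetical record an app keeps per Xero link
    app: str
    access_issued: datetime          # when the current access token was issued
    refresh_used: datetime           # last time the refresh token was issued or used
    revoked: bool = False            # disconnect, password change, user removed, rotation

def next_step(conn, now):
    """Decide what the app must do before its next Xero request."""
    if conn.revoked or now - conn.refresh_used >= REFRESH_TTL:
        return "reauthorise"         # every request returns 401 until a fresh OAuth flow
    if now - conn.access_issued >= ACCESS_TTL:
        return "refresh"             # swap the refresh token for a new access token
    return "call_api"

def refresh(conn, now):
    """Simulated refresh: succeeds only while the refresh token is still usable."""
    if next_step(conn, now) == "reauthorise":
        raise PermissionError("401 Unauthorized: refresh token expired or revoked")
    conn.access_issued = conn.refresh_used = now   # activity restarts the 60-day clock

def expiring_soon(conns, now, margin=timedelta(days=7)):
    """Apps whose refresh token lapses within `margin` (assumed value) unless they sync."""
    soon = []
    for c in conns:
        left = REFRESH_TTL - (now - c.refresh_used)
        if not c.revoked and timedelta(0) < left <= margin:
            soon.append(c.app)
    return soon

# Constructed sample connections, evaluated at a fixed time so results are repeatable.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CONNS = [
    Connection("shop", NOW - timedelta(minutes=10), NOW - timedelta(minutes=10)),
    Connection("payroll", NOW - timedelta(minutes=45), NOW - timedelta(days=3)),
    Connection("crm", NOW - timedelta(days=55), NOW - timedelta(days=55)),
    Connection("seasonal", NOW - timedelta(days=61), NOW - timedelta(days=61)),
    Connection("old-hr", NOW - timedelta(minutes=5), NOW - timedelta(minutes=5), True),
]

if __name__ == "__main__":
    for c in CONNS:
        print(c.app, next_step(c, NOW))
    print("expiring soon:", expiring_soon(CONNS, NOW))
```

Running expiring_soon on a schedule gives a seasonal business a reminder to trigger a sync before the refresh token lapses.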
What Is Xero Error 401?
Error code: 401 (HTTP Unauthorized)
Related: 400 · 403 · 404 · 500
What it means
HTTP 401 "Unauthorized" means the request arrived at Xero's servers but could not be authenticated — there is no valid identity attached to it. Unlike 403 (authenticated but not permitted), 401 means the authentication step itself failed: the session is expired, the token is invalid, or no credentials were provided at all.
Your Xero data is safe. A 401 is an authentication failure — your accounts, transactions, and financial records in Xero are completely unaffected. Re-authenticating restores full access.
What Causes Xero Error 401?
OAuth Token Expired
Most common cause — Xero access tokens expire after 30 minutes, and refresh tokens expire after 60 days of inactivity. If a connected app hasn't synced in over 60 days (e.g. seasonal businesses), the refresh token expires and every request returns 401 until re-authorised.
App Disconnected from Xero
Someone disconnected the app from Xero (intentionally or accidentally) via Xero's Connected Apps settings. Once disconnected, all tokens are permanently revoked — the app must go through the full OAuth flow again to reconnect.
Xero Password Changed
Changing your Xero account password revokes all active OAuth tokens for security. Every connected app will return 401 after a password change until each app is individually re-authorised.
Connecting User Account Removed
The Xero user account that originally authorised the app connection has been removed from the organisation. The tokens issued to that user are now invalid and all integrations connected via that user return 401.
App Credentials Rotated
The developer of a connected app rotated their Xero API client credentials (Client ID or Client Secret) without properly migrating existing tokens. All existing connections return 401 until users re-authorise through the app.
Session Expired in Browser
Your Xero browser session has timed out after inactivity. Xero automatically logs out sessions after extended periods of inactivity for security. Logging back in creates a fresh session and resolves the 401 immediately.
How to Fix Xero Error 401 — Step by Step
Identify your scenario first — browser or connected app — then go directly to the right method.
METHOD 1
Log Out and Back Into Xero
Scenario A — 401 in your Xero browser session
If 401 appears when you are trying to use Xero in your browser, your session has expired. A complete logout and fresh login creates a new valid session token.
1. Click your name/avatar in the top right of Xero → Logout. Do not just close the tab — use the proper logout.
2. Clear your browser's Xero cookies: in Chrome, go to chrome://settings/cookies → search xero.com → delete. (See the Xero Error 400 guide for full browser-by-browser instructions.)
3. Navigate to xero.com → log in fresh. A new valid session is created and the 401 is resolved.
METHOD 2
Reconnect the App to Xero
Scenario B — 401 in a connected app (Shopify, payroll, CRM, etc.)
When a connected app's Xero integration shows 401, the OAuth token has expired or been revoked. The fix is re-authorising the connection — this takes 2 minutes and is safe to do without affecting any data.
1. Go to the settings of the app showing the 401 error. Look for: Integrations, Connections, Connected Accounts, or Accounting in the app's settings menu.
2. Find the Xero connection — it will typically show as "Disconnected", "Error", or "Reconnect required". Click Reconnect, Authorise, or Connect to Xero.
3. You will be redirected to Xero's login page. Log into Xero with the correct account (the one connected to the organisation you want to link). Xero will ask you to Allow Access — click Allow.
4. You are redirected back to the app — the Xero connection should now show as Active/Connected. Trigger a manual sync to confirm data is flowing correctly.
QuickFix tip: Reconnect using a Xero account with Adviser or Standard user role — not a limited access role. Some apps require elevated permissions when initially authorising the connection. Using a restricted account produces a 401 or 403 even after re-authorisation because the token doesn't include sufficient scopes.
METHOD 3
Check Xero Connected Apps and Remove Stale Connections
If reconnect in the app doesn't clear the 401
Sometimes an old, broken connection to the same app exists in Xero's Connected Apps list and is conflicting with the new reconnect attempt. Removing the stale connection from Xero's side forces a completely clean OAuth flow.
1. Log into Xero. Click your organisation name (top left) → Settings → Connected Apps.
2. Find the app that is showing the 401. Click Disconnect to completely remove its access. If you see the same app listed twice — remove both entries.
3. Return to the app and go through the Reconnect flow (Method 2). With the old tokens removed from Xero, the fresh authorisation succeeds cleanly.
METHOD 4
Re-Authorise After a Password Change
If multiple apps failed at the same time
If multiple connected apps all started returning 401 at the same time, a Xero password change is almost certainly the cause — it revokes all OAuth tokens across all apps simultaneously. Each app must be individually re-authorised after a password change.
1. Go to Xero → Settings → Connected Apps. Make a list of every app currently connected.
2. Work through each app and reconnect it using Method 2. This is a one-time task after a password change — once reconnected, each app will auto-refresh its tokens going forward for up to 60 days of inactivity.
METHOD 5
Check User Roles and Organisation Access
If reconnect succeeds but 401 returns immediately
If you reconnect successfully but the 401 returns within minutes, the user account used to authorise the connection does not have sufficient permissions for what the app is trying to do — or was removed from the organisation after the reconnect.
1. In Xero → Settings → Users — confirm the account used to connect the app still exists and has at least Standard user role. If the account is on "Invoice Only" or "Read Only" the OAuth scopes will be too restricted for most apps.
2. If the original connecting user was removed — reconnect using an active Adviser or Standard user account. The new token will have the correct scope.
QuickFix tip: When a staff member who managed Xero integrations leaves the business, ensure all integrations are reconnected under an active user account before removing the departing user. Removing the user immediately revokes all their OAuth tokens and breaks every integration they originally connected — often at the worst possible time.
Quick Reference — Match Your Situation to the Fix
| Your situation | Most likely cause | Start with |
|---|---|---|
| 401 when opening Xero in browser | Browser session expired | Method 1 — log out and back in |
| One connected app showing 401 error | OAuth token expired or revoked | Method 2 — reconnect in the app |
| App reconnect doesn't clear the 401 | Stale token still in Xero | Method 3 — disconnect in Xero first |
| Multiple apps all failed at the same time | Password change revoked all tokens | Method 4 — re-authorise each app |
| 401 returns immediately after reconnecting | User role too restricted or user removed | Method 5 — check user roles |
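The timing clues in this table can be checked against an integration's own sync history. The following is an added example, not part of the original guide: it covers only the connected-app rows that depend on timing (Methods 2, 4 and 5). The event format, the sample events and the two time windows are assumptions chosen to stand in for "at the same time" and "within minutes".

```python
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, app, event). Not real Xero log output.
EVENTS = [
    ("2024-06-01T09:00:00", "shop", "401"),
    ("2024-06-01T09:00:40", "payroll", "401"),
    ("2024-06-01T09:01:10", "crm", "401"),
    ("2024-06-03T10:00:00", "crm", "reconnected"),
    ("2024-06-03T10:04:00", "crm", "401"),
    ("2024-06-03T11:00:00", "shop", "reconnected"),
]

SAME_TIME = timedelta(minutes=5)        # assumed reading of "at the same time"
WITHIN_MINUTES = timedelta(minutes=10)  # assumed reading of "within minutes"

def triage(events):
    """Map each app that is still failing to the method this guide says to start with."""
    parsed = sorted((datetime.fromisoformat(t), app, ev) for t, app, ev in events)
    fails = [(t, app) for t, app, ev in parsed if ev == "401"]
    last_reconnect, result = {}, {}
    for t, app, ev in parsed:
        if ev == "reconnected":
            last_reconnect[app] = t
            result.pop(app, None)       # a reconnect clears the earlier finding
            continue
        # 401 shortly after a successful reconnect points at user role or removal
        if app in last_reconnect and t - last_reconnect[app] <= WITHIN_MINUTES:
            result[app] = "Method 5"
            continue
        # other apps failing in the same window point at a password change
        peers = {a for ft, a in fails if a != app and abs(ft - t) <= SAME_TIME}
        result[app] = "Method 4" if peers else "Method 2"
    return result

if __name__ == "__main__":
    for app, method in triage(EVENTS).items():
        print(app, "->", method)
```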
Frequently Asked Questions
How is Xero 401 different from Xero 403?
The difference is at the authentication vs authorisation layer. Error 401 means "I don't know who you are" — the request has no valid credentials attached, or the credentials are expired. Error 403 means "I know who you are, but you can't do that" — the request is authenticated, but the authenticated user does not have permission for the requested action. Fix a 401 by re-authenticating (log back in, reconnect OAuth). Fix a 403 by changing permissions or user roles — re-authenticating will not help.
Will reconnecting my app to Xero lose any historical sync data?
No — reconnecting an app simply generates a new OAuth token. It does not delete or reset any data that has already been synced between the app and Xero. Your historical invoices, contacts, transactions, and reconciliation records in Xero are unaffected. What may happen is a re-sync of recent transactions once the connection is restored — check the app's sync settings to confirm whether it will attempt to backfill any missed transactions from the period when 401 was active, and whether that could create duplicates.
How do I prevent Xero 401 from happening again?
Three practices prevent most recurring 401s. For seasonal businesses that don't use connected apps year-round — manually trigger a sync or log into each connected app at least once every 60 days to prevent refresh token expiry. When a staff member who manages Xero integrations leaves — reconnect all integrations under an active user account before removing the departing user. When changing your Xero password — schedule time immediately after to reconnect all connected apps, as all tokens are revoked simultaneously. If you manage many integrations, keep a list of all connected apps (Xero → Settings → Connected Apps) so you know exactly how many need reconnecting after a password change.
Xero Integration Broken? Data Not Syncing?
401 Persisting After All Five Methods?
Let QuickFix Bookkeeping Restore Your Connection.
Certified Xero Advisors · Xero Integration Specialists
Complex 401 issues — particularly those involving removed users, rotated credentials, or multi-app failures — need specialist diagnosis. At QuickFix Bookkeeping, our certified Xero Advisors restore broken integrations and ensure your financial data is flowing correctly again.