Xero Error 403 Forbidden

How to Fix Xero Error 403 Forbidden

Xero has blocked an action and returned one of these messages:

"403 Forbidden — You are not authorised to access this resource"
"Status 403: AuthenticationUnsuccessful"
"403 Forbidden — insufficient permissions to access this organisation"

Error 403 means Xero knows who you are — but won't let you do what you are trying to do. At QuickFix Bookkeeping, the fix depends on whether the 403 is in Xero itself (user role issue) or in a connected app (OAuth scope or wrong organisation).

The QuickFix Bookkeeping Distinction

Error 403 has three broad causes, and each needs a different fix. Most guides only cover one.

Cause 1 — User Role

Your Xero user role doesn't have permission for this action.

Fix: ask an Admin to upgrade your role, or have an Admin perform the action.

Cause 2 — OAuth Scopes

A connected app is trying to do something its OAuth token doesn't have permission for.

Fix: reconnect the app so that it requests the missing scope during re-authorisation. Scopes cannot be added to an existing token, and refreshing it does not widen them; a fresh authorisation is required.

Cause 3 — Wrong Organisation

The app is authorised for a different Xero organisation than the one its requests name.

Fix: reconnect the app and select the correct Xero organisation on the consent screen.

How 403 differs from 401: these two errors are the most confused pair in Xero. 401 Unauthorized means "I don't know who you are": the token is missing, expired, or invalid, so re-authenticate or refresh the token. 403 Forbidden means "I know exactly who you are, but you are not allowed to do this": the identity is confirmed and the permissions are insufficient. Refreshing the token or logging in again as the same user, with the same scopes and the same organisation, will not fix a 403. Fix it by changing what that identity is allowed to do: the user role, the scopes the app requests, or the organisation the app is connected to.

What Is Xero Error 403?

Error code: 403 (HTTP Forbidden). Related: 400 · 401 · 404 · 500

What it means

HTTP 403 "Forbidden" means the request was received and the caller was identified — but the action is not permitted. Xero confirmed who is making the request and then denied it based on permissions. This is an authorisation failure, not an authentication failure.

A 403 is an access-control decision: Xero refused that request, so the action it describes was not performed and the data it targeted is unchanged. It says nothing about other requests the same user or app has made, so if a connected app is behaving unexpectedly, review it under Settings → Connected Apps as well.

What Causes Xero Error 403?

Insufficient Xero User Role

Most common for end users. Xero's role levels are Read Only, Invoice Only, Standard and Adviser, with the Admin and Payroll Admin levels on top, as listed under Method 1 below. Certain actions, such as chart of accounts editing, payroll, reporting settings and user management, require Adviser or Admin. A Standard user attempting these gets 403.

Missing OAuth Scope

Most common for connected apps. The app's OAuth token was granted without the scope needed for the action. For example, a token with only accounting.transactions.read attempting to create an invoice (which needs the accounting.transactions write scope) returns 403.

Wrong Xero Organisation

The connected app was authorised for Organisation A but sends requests carrying the tenant ID of Organisation B (the value in the xero-tenant-id request header). Xero returns 403 because the token is not connected to the requested organisation.

Organisation Restricted API Access

The Xero organisation has restricted which apps can connect or which actions are permitted. Some enterprise organisations apply restrictions via practice management settings that block third-party API access to certain data.

Xero Plan Limitation

The action requires a Xero plan feature that the organisation's subscription does not include. For example, payroll API access requires a Xero Payroll subscription. Attempting to access payroll endpoints without the subscription returns 403.

Connecting User Had Insufficient Permissions

The Xero user who originally authorised the connected app had a restricted role. The OAuth token inherits that user's permissions, so even if the app requests the right scope, the token is limited by the role of the user who authorised it.
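As an added example (not Xero's code or the page's own), the Python below performs the diagnosis this section describes offline: `classify` separates a 401 (authentication) from a 403 (authorisation) using the HTTP status and the JSON error body, and `preflight` checks Causes 2 and 3 before a request is sent, comparing the token's granted `scope` string with an endpoint-to-scope table and the target tenant ID with the organisations returned by GET https://api.xero.com/connections. The endpoint table, the sample token scope and connections list, and the mapping of Detail "AuthenticationUnsuccessful" to a tenant mismatch are assumptions made for this example; confirm per-endpoint scopes against the Xero API reference.

```python
"""Offline diagnosis of Xero 401/403 responses plus a pre-flight check for the two
app-side causes (missing scope, wrong organisation). Added example, not Xero's code."""

# Endpoint -> scopes that satisfy it. Illustrative subset written for this example
# (assumption); confirm each endpoint's scope in the Xero API reference.
ENDPOINT_SCOPES = {
    ("GET", "/api.xro/2.0/Invoices"): {"accounting.transactions", "accounting.transactions.read"},
    ("POST", "/api.xro/2.0/Invoices"): {"accounting.transactions"},
    ("GET", "/api.xro/2.0/Accounts"): {"accounting.settings", "accounting.settings.read"},
    ("PUT", "/api.xro/2.0/Accounts"): {"accounting.settings"},
}

# Constructed sample data standing in for real token and /connections responses.
SAMPLE_TOKEN_SCOPE = "openid profile email offline_access accounting.transactions.read"
SAMPLE_CONNECTIONS = [  # shape of GET https://api.xero.com/connections (constructed)
    {"id": "conn-1", "tenantId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "tenantType": "ORGANISATION", "tenantName": "Org A"},
]


def preflight(token_scope, connections, method, path, tenant_id):
    """Return the codes of every 403 cause this request would trigger, before sending it.

    token_scope: the space-separated `scope` value from the token response.
    connections: the list returned by GET /connections for this token.
    tenant_id:   the value the app will put in the xero-tenant-id header.
    """
    granted = set(token_scope.split())
    problems = []
    accepted = ENDPOINT_SCOPES.get((method, path))
    if accepted is not None and not (granted & accepted):
        problems.append("missing_scope")   # Cause 2: re-authorise requesting one of `accepted`
    if tenant_id not in {c["tenantId"] for c in connections}:
        problems.append("wrong_tenant")    # Cause 3: reconnect selecting the right organisation
    return problems


def classify(status, body):
    """Map a Xero error response to the layer that failed and the fix that applies.

    body is the parsed JSON error body (may be None). Returns (layer, next_step).
    """
    if status == 401:
        return ("authentication", "token missing, expired or invalid: refresh or re-obtain it")
    if status == 403:
        detail = (body or {}).get("Detail", "")
        # Assumption for this example: a tenant the token is not connected to is
        # reported with Detail "AuthenticationUnsuccessful".
        if detail == "AuthenticationUnsuccessful":
            return ("authorisation",
                    "token not connected to this organisation: reconnect and select it")
        return ("authorisation",
                "scope, role or plan does not allow this: change permissions, not the login")
    return ("other", "not an access-control failure")


if __name__ == "__main__":
    # A read-only token trying to create an invoice in an organisation it is not connected to.
    print(preflight(SAMPLE_TOKEN_SCOPE, SAMPLE_CONNECTIONS, "POST", "/api.xro/2.0/Invoices",
                    "22222222-bbbb-4ccc-8ddd-000000000002"))
    print(classify(403, {"Title": "Forbidden", "Status": 403,
                         "Detail": "AuthenticationUnsuccessful"}))
    print(classify(401, {"Title": "Unauthorized", "Status": 401}))
```

Running `preflight` with the constructed read-only token against a POST to Invoices for an unconnected tenant reports both `missing_scope` and `wrong_tenant`, which is exactly the situation where reconnecting for the right organisation alone still leaves a 403 until the app also asks for the write scope.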

How to Fix Xero Error 403 — Step by Step

Identify your scenario first — is the 403 appearing inside Xero itself, or in a connected app?

METHOD 1: Check and Upgrade Your Xero User Role (403 inside Xero when trying to access a feature)

If you are seeing 403 while trying to use a feature inside Xero — editing accounts, running certain reports, managing payroll, or changing settings — your user role is likely too restricted for that action.

Xero user roles and what they can access:

Read Only — view data only. No edits.
Invoice Only — raise invoices and quotes only.
Standard — most bookkeeping tasks. No settings access.
Adviser — full accounting access including chart of accounts and reports.
Admin — Adviser access plus user management and subscription settings.
Payroll Admin — full payroll access (separate from accounting roles).

1. Ask a Xero Admin to go to Settings → Users → find your name → click your role → upgrade it to Adviser or Payroll Admin as appropriate for what you need to do.

2. If you are the only user and cannot upgrade your own role, check that you are listed as Admin under Settings → Users. If not, contact Xero Support to restore admin access to the organisation.

QuickFix tip: The most commonly blocked actions by role: Standard users cannot edit the chart of accounts, lock periods, change VAT/GST settings, or manage users. Invoice Only users cannot see bank accounts, run P&L reports, or access any settings. If you are regularly hitting 403 on core bookkeeping tasks, an Adviser role is likely the right fit.

METHOD 2: Reconnect the App with Correct OAuth Scopes (403 in a connected app when a scope is missing)

If a connected app returns 403, its OAuth token was likely granted without the scope needed for the action it is trying to perform. The fix is to disconnect and reconnect the app — during re-authorisation, the app should request the correct scope. You cannot add scopes to an existing token — a fresh OAuth flow is required.

1. In Xero → Settings → Connected Apps → find the app → click Disconnect. This revokes the existing token.

2. Return to the app and go through the Connect to Xero / Authorise flow again. When Xero shows the permissions screen, review what the app is requesting. It should now include the scope that was missing.

3. Complete the authorisation using an Adviser or Admin Xero account, not a Standard or Invoice Only account. The OAuth token inherits the authorising user's permissions, so a restricted user produces a restricted token even if the scope is correct.

QuickFix tip: If you reconnect the app and still get 403 on the same action — the app developer may not have updated the scope request. Contact the app's support team and ask them to confirm the required Xero scope for the failing action is included in their OAuth authorisation request.

METHOD 3: Verify the Correct Xero Organisation is Connected (if you manage multiple Xero organisations)

If you have access to multiple Xero organisations and a connected app returns 403, it may be authenticated to the wrong organisation. The token is valid for Organisation A but the request references Organisation B.

1. In the connected app, go to its Xero integration settings. Check which organisation is listed as connected and confirm it matches the one you intend to sync.

2. If the wrong organisation is shown, disconnect and reconnect. During the Xero authorisation flow, Xero will ask you to select which organisation to grant access to. Select the correct organisation from the dropdown before clicking Allow.

METHOD 4: Check Xero Plan and Payroll Subscription (403 on payroll or premium features)

Some Xero features — particularly payroll, projects, and expenses — require specific Xero plan subscriptions beyond the base accounting subscription. Attempting to access these via the API or interface without the required subscription returns 403.

1. In Xero → click your organisation name (top left) → Settings → Subscription. Confirm the active plan includes the feature you need (Payroll, Projects, Expenses).

2. If the required feature is not included, upgrade the Xero plan, or add a Payroll subscription if payroll access is needed. Once the subscription is active, retry the action; the 403 for that feature should clear.

METHOD 5: Reconnect Using an Adviser or Admin Account (403 returns immediately after reconnecting)

If you reconnected the app but 403 persists on the same actions, the user who performed the re-authorisation had a restricted Xero role. OAuth tokens inherit the permissions of the authorising user — a Standard user's token cannot perform Adviser-level actions even if the app requests the correct scope.

1. In Xero → Settings → Connected Apps → disconnect the app.

2. Log into Xero as an Adviser or Admin user. Go through the app's Connect to Xero flow and complete the authorisation. The new token is issued under the Adviser/Admin's permissions and the 403 clears.

Quick Reference — Match Your Situation to the Fix

Your situation | Most likely cause | Start with
403 in Xero when editing accounts or settings | User role too restricted | Method 1 — upgrade user role
Connected app returns 403 on specific action | Missing OAuth scope | Method 2 — reconnect with correct scope
You manage multiple Xero orgs | Wrong organisation connected | Method 3 — verify correct org
403 on payroll, projects, or expenses only | Plan doesn't include feature | Method 4 — check subscription
403 returns immediately after reconnecting app | Reconnected with restricted user | Method 5 — reconnect as Adviser/Admin

Frequently Asked Questions

How is Xero 403 different from Xero 401?
The difference is the layer that failed: authentication versus authorisation. Error 401 means Xero doesn't know who you are because the token is missing, expired, or invalid; logging in again or refreshing the token fixes 401. Error 403 means Xero knows exactly who you are but won't allow the action; the identity is confirmed and the permissions are insufficient. Logging in again as the same user, or refreshing the same token, will not fix 403 because the identity is not the problem. Fix 403 by changing the user role, the OAuth scopes the app requests, the connected organisation, or the plan, not by re-authenticating with the same permissions.
Why does my connected app get 403 even after I reconnected it successfully?
Two common reasons. First, the user who performed the reconnect had a Standard or Invoice Only Xero role — the OAuth token is issued with that user's permissions, so Adviser-level actions return 403 even with a valid connection. Reconnect using an Adviser or Admin account instead. Second, the app developer may not have updated the scope list in their OAuth request — the token was issued without the specific scope needed for the failing action. In this case, the fix requires the app developer to add the required scope to their authorisation request, then you reconnect.
Can I limit what a connected app can do in Xero?
Yes, through two mechanisms. First, the OAuth scopes the app requests determine what the connection can access. A well-designed app requests only the scopes it needs; a tool that only produces reports, for example, needs read scopes and no write scopes. The Xero permissions screen lists everything the app is asking for before you click Allow, but it does not let you pick and choose individual scopes, so if the list is broader than the app's job needs, decline and ask the vendor why rather than allowing it. You can also revoke the connection at any time under Settings → Connected Apps. Second, the Xero user role of the account used to authorise the app caps the app's effective permissions. If you authorise a third-party app using an Invoice Only account, the app can only perform Invoice Only level actions, even if it requests broader scopes. This is useful for limiting app access in environments where you don't want third-party tools to have full accounting access.
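As an added example (not code from Xero or any app vendor), the Python below turns that review into a check: it reads the `scope` parameter from the Xero authorize URL the browser shows just before the Allow button and compares it with the scopes a read-only reporting tool would need, reporting write scopes, scopes the job does not need, and needed scopes the request does not cover (which would 403 later). The sample URL, the client ID, the list of needed scopes, and the rule that a write scope also satisfies its `.read` variant are assumptions for this example.

```python
"""Review the scopes a Xero app asks for, from the authorize URL the browser shows just
before the Allow button. Added example, not Xero's or any vendor's code."""
from urllib.parse import parse_qs, urlparse

# Identity scopes every Xero OAuth 2.0 app requests; they grant no accounting access.
IDENTITY_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample: the URL an app redirects to for consent (client ID and state are fake).
SAMPLE_AUTHORIZE_URL = (
    "https://login.xero.com/identity/connect/authorize?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid+profile+email+offline_access+accounting.transactions+accounting.settings"
    "&state=example-state"
)

# What a read-only reporting tool should need (assumed for the example).
REPORTING_NEEDS = ["accounting.reports.read", "accounting.transactions.read"]


def requested_scopes(authorize_url):
    """Return the space-separated `scope` query parameter of a Xero authorize URL as a list."""
    query = parse_qs(urlparse(authorize_url).query)
    return query.get("scope", [""])[0].split()


def covers(granted, scope):
    """True if `scope` is satisfied by the set `granted`.

    A write scope such as accounting.transactions also satisfies its .read variant
    (assumption for this example, matching how the page describes read vs write scopes).
    """
    if scope in granted:
        return True
    return scope.endswith(".read") and scope[: -len(".read")] in granted


def review(authorize_url, needed):
    """Compare the scopes an app requests with the ones its job actually needs.

    Returns a dict:
      write   - requested scopes that allow changes to the organisation
      excess  - requested data scopes not in the needed list (least-privilege finding;
                a write scope requested where only .read is needed shows up here)
      missing - needed scopes not covered by the request (these will 403 later)
    """
    requested = set(requested_scopes(authorize_url))
    need = set(needed)
    data_scopes = requested - IDENTITY_SCOPES
    return {
        "write": sorted(s for s in data_scopes if not s.endswith(".read")),
        "excess": sorted(data_scopes - need),
        "missing": sorted(n for n in need if not covers(requested, n)),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_AUTHORIZE_URL, REPORTING_NEEDS).items():
        print(f"{key}: {value}")
```

For the constructed URL the report lists accounting.transactions and accounting.settings as both write and excess (a reporting tool has no business changing invoices or the chart of accounts) and accounting.reports.read as missing, so allowing this request would hand over more than needed and still produce a 403 the first time the tool pulls a report.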


Xero Access Issues Holding Up Your Work?

403 Persisting After All Methods?
Let QuickFix Bookkeeping Sort It Out.

Certified Xero Advisors · Xero Setup and Integration Specialists

Complex 403 issues — particularly those involving multi-org setups, scope mismatches, or plan restrictions — need specialist diagnosis. Our certified Xero Advisors resolve access issues and ensure your Xero integrations are working correctly.

Book a Free 30-Minute Consultation

No obligation. Same-day response. Xero access restored fast.