Headless/Server Environment: OAuth flow requires browser, no documented headless auth path #7

@KonsultDigital

Problem

The Xero CLI OAuth flow requires a browser for authentication, which makes it impossible to use in headless/server environments where no browser is available.

Our Environment

  • Server: Ubuntu headless (no GUI, no browser installed)
  • Use case: Internal accounting automation for Konsult Digital Pty Ltd
  • Goal: Authenticate via CLI to access accounting data (invoices, contacts, payroll)

What We Tried

  1. Installed @xeroapi/xero-command-line globally via npm
  2. Attempted OAuth authorization — requires browser redirect to localhost callback
  3. Tried setting up a server-side callback handler at https://our-domain/xero/auth/callback
  4. Xero Developer Portal rejects our redirect URI with unauthorized_client: Invalid redirect_uri

The Core Issue

There is no documented path for headless/server authentication:

  • No device code flow (like GitHub CLI uses)
  • No API key / service account option
  • OAuth redirect URIs must be pre-registered, but headless servers can't receive localhost callbacks
  • The CLI appears designed exclusively for developer workstations with browsers

Request

Please provide one of the following:

  1. Device authorization grant support (OAuth 2.0 device flow) — user authorizes on phone/another device, CLI polls for token
  2. Service account / API key authentication for internal/automated use
  3. Clear documentation on how to authenticate in headless environments (if already possible)
  4. Support for non-localhost redirect URIs with clear instructions on registration

Impact

This blocks automated accounting workflows for businesses that run on servers/cloud environments. The current browser-only approach assumes all users have local GUI browsers, which isn't true for:

  • CI/CD pipelines
  • Server automation
  • Docker containers
  • Remote/cloud workstations

Related: The webhook setup documentation also assumes a local development environment. A server deployment guide would be valuable.
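
The device authorization grant requested in item 1 (RFC 8628), as an added example that is not part of the issue and not code from the Xero CLI: the client-side polling loop and its handling of `authorization_pending`, `slow_down`, `access_denied` and expiry. The authorization server is a constructed in-memory stub on a virtual clock, and every code, token and URL in it is a made-up sample; the page does not establish that Xero offers this grant.

```javascript
// RFC 8628 device authorization grant: client polling logic against a stub server.
const GRANT = "urn:ietf:params:oauth:grant-type:device_code";

// Constructed stub: the user approves at `approveAt` seconds; polls arriving
// less than 5 s after the previous one are answered with slow_down.
function makeStubServer(approveAt, denied = false) {
  let lastPoll = -Infinity;
  return {
    // Device authorization response (all values constructed for this example).
    authorize: () => ({ device_code: "dc-constructed", user_code: "WDJB-MJHT",
      verification_uri: "https://idp.example/device", interval: 5, expires_in: 30 }),
    token(req, now) {
      if (req.grant_type !== GRANT) return { error: "unsupported_grant_type" };
      const tooFast = now - lastPoll < 5;
      lastPoll = now;
      if (tooFast) return { error: "slow_down" };
      if (denied) return { error: "access_denied" };
      if (now < approveAt) return { error: "authorization_pending" };
      return { access_token: "at-constructed", token_type: "Bearer" };
    },
  };
}

// Client side. Time is a virtual counter in seconds so the example runs instantly;
// a real CLI would print user_code and verification_uri, then sleep between polls.
function runDeviceFlow(server, startInterval) {
  const grant = server.authorize();
  let interval = startInterval ?? grant.interval ?? 5; // RFC 8628 default: 5 s
  let now = 0;
  const log = [];
  while (now + interval <= grant.expires_in) {
    now += interval;
    const res = server.token({ grant_type: GRANT, device_code: grant.device_code }, now);
    log.push(`${now}:${res.error ?? "ok"}`);
    if (res.access_token) return { ok: true, token: res.access_token, log };
    if (res.error === "slow_down") interval += 5;   // back off for all later polls
    else if (res.error !== "authorization_pending") // access_denied, expired_token, ...
      return { ok: false, error: res.error, log };
  }
  return { ok: false, error: "expired_token", log }; // device_code lifetime elapsed
}
```

No redirect URI or local listener is involved on the headless host: the only inbound dependency is outbound HTTPS to the token endpoint, and the resulting token should be stored with the same care as any other long-lived credential on a server.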
