Xero MCP Server
Official Xero accounting MCP server with invoicing, contacts, payroll, and financial reporting
Server Info
- Package: @xeroapi/xero-mcp-server
- Registry: npm
- Repository: XeroAPI/xero-mcp-server
- Maintainer: Xero (Vendor)
- Category: Finance & Payments
- Tags: accounting, invoices, financial
- Last Scanned: 7 Apr 2026
Findings
6 issues
Authentication & Identity
HIGH: No per-request auth - requires instance-per-user
Supports two auth modes: OAuth2 client_credentials flow (XERO_CLIENT_ID + XERO_CLIENT_SECRET) or static bearer token (XERO_CLIENT_BEARER_TOKEN). Stdio transport only. Client credentials are exchanged for access tokens against identity.xero.com. Token refresh is handled automatically. For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.
Tool Schema Quality
MEDIUM: Only 1 of 51 schemas has parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
LLM Safety
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 24 list operations lack pagination
Only list-invoices (page param, 10 per page) and list-contacts (page param, 100 per page) have pagination. The remaining 24 list tools return all records with no pagination or limit parameters. Responses return full records with no field selection. Financial reports (P&L, balance sheet, trial balance) return full reports.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
Maintenance & Trust
MEDIUM: 9 dependency vulnerabilities (7 high)
npm audit found 7 high-severity CVEs.
Update vulnerable dependencies.
Tools
51 total

| Name | Description | Risk |
|---|---|---|
| delete-timesheet | Delete an existing payroll timesheet in Xero by its ID. | admin |
| get-timesheet | Retrieve a single payroll timesheet from Xero by its ID. This provides details such as the timesheet ID, employee ID, start and end dates, total hours, and the last updated date. | read |
| list-accounts | Lists all accounts in Xero. Use this tool to get the account codes and names to be used when creating invoices in Xero | read |
| list-contacts | List all contacts in Xero. This includes Suppliers and Customers. | read |
| list-credit-notes | List credit notes in Xero. | read |
| list-invoices | List invoices in Xero. This includes Draft, Submitted, and Paid invoices. | read |
| list-items | List items in Xero. | read |
| list-manual-journals | List manual journals in Xero. | read |
| list-quotes | List quotes in Xero. | read |
| list-tax-rates | List tax rates in Xero. | read |
| list-trial-balance | List trial balance in Xero. | read |
| list-payments | List payments in Xero. | read |
| list-profit-and-loss | List profit and loss report in Xero. | read |
| list-bank-transactions | List bank transactions in Xero. | read |
| list-payroll-employees | List payroll employees in Xero. | read |
| list-report-balance-sheet | List balance sheet report in Xero. | read |
| list-organisation-details | List organisation details in Xero. | read |
| list-payroll-employee-leave | List payroll employee leave in Xero. | read |
| list-payroll-leave-periods | List payroll leave periods in Xero. | read |
| list-payroll-employee-leave-types | List payroll employee leave types in Xero. | read |
| list-payroll-employee-leave-balances | List payroll employee leave balances in Xero. | read |
| list-payroll-leave-types | List payroll leave types in Xero. | read |
| list-aged-receivables-by-contact | List aged receivables by contact in Xero. | read |
| list-aged-payables-by-contact | List aged payables by contact in Xero. | read |
| list-payroll-timesheets | List payroll timesheets in Xero. | read |
| list-contact-groups | List contact groups in Xero. | read |
| list-tracking-categories | List tracking categories in Xero. | read |
| create-contact | Create a contact in Xero. | write |
| create-credit-note | Create a credit note in Xero. | write |
| create-manual-journal | Create a manual journal in Xero. | write |
| create-invoice | Create an invoice in Xero. When an invoice is created, a deep link to the invoice in Xero is returned. | write |
| create-quote | Create a quote in Xero. | write |
| create-payment | Create a payment in Xero. | write |
| create-item | Create an item in Xero. | write |
| create-bank-transaction | Create a bank transaction in Xero. | write |
| create-payroll-timesheet | Create a payroll timesheet in Xero. | write |
| create-tracking-category | Create a tracking category in Xero. | write |
| create-tracking-options | Create tracking options in Xero. | write |
| update-contact | Update a contact in Xero. | write |
| update-credit-note | Update a credit note in Xero. | write |
| update-invoice | Update an invoice in Xero. Only works on draft invoices. | write |
| update-manual-journal | Update a manual journal in Xero. | write |
| update-quote | Update a quote in Xero. | write |
| update-item | Update an item in Xero. | write |
| update-bank-transaction | Update a bank transaction in Xero. | write |
| approve-payroll-timesheet | Approve a payroll timesheet in Xero. | write |
| add-timesheet-line | Add a line to a payroll timesheet in Xero. | write |
| update-payroll-timesheet-line | Update a line on a payroll timesheet in Xero. | write |
| revert-payroll-timesheet | Revert a payroll timesheet in Xero. | write |
| update-tracking-category | Update a tracking category in Xero. | write |
| update-tracking-options | Update tracking options in Xero. | write |