ml-connector
XeroSlack

Xero and Slack integration

Xero runs your accounting, and Slack runs your team. Connecting the two brings financial events into the conversations where decisions are made. Invoices, payments, and manual journals from Xero post to designated channels so the finance team stays current without logging in separately. ml-connector handles the OAuth2 dance for both systems, verifies Slack message authenticity, and ensures every notification reaches the right channel.

How Xero works

Xero exposes invoices, purchase orders, payments, contacts, accounts, and manual journals through the Xero Accounting API over REST with JSON responses. Authentication uses OAuth2 with access tokens valid for 30 minutes and refresh tokens valid for 60 days when the offline_access scope is granted. Xero publishes webhooks for Contact, Invoice, Payment, ManualJournal, PurchaseOrder, and BankTransaction events on CREATE and UPDATE; webhook payloads contain only metadata and a resource ID, so full records are fetched via a follow-up GET. Xero requires the Xero-tenant-id header on every call to target the correct organization, and enforces rate limits of 5 concurrent calls, 60 per minute, and 5000 per day per tenant. Deleted records are not returned by default. Webhook signing keys are separate from OAuth credentials and must be obtained from the Developer portal app settings.

How Slack works

Slack provides team messaging, channels, and workflow automation through the Slack Web API and Events API. Authentication uses OAuth2 to issue a non-expiring bot token prefixed xoxb- and optionally a user token prefixed xoxp-; tokens remain valid until revoked by the workspace administrator or the auth.revoke endpoint. Slack supports two delivery models: push via the Events API, which sends HTTP POST callbacks to a registered HTTPS endpoint with HMAC-SHA256 signature verification and requires HTTP 2xx response within 3 seconds, and pull via REST methods such as conversations.list and users.list. Webhooks retry up to 3 times with exponential backoff on failure, and request timestamps must not be older than 5 minutes. The chat.postMessage method is rate-limited at 1 call per second per channel. Socket Mode is available as an alternative for apps that cannot expose a public HTTPS endpoint.

What moves between them

Xero invoice, payment, and manual journal events flow into Slack. When an event occurs in Xero, ml-connector receives the webhook notification or polls the API, retrieves the full record, formats it as a human-readable message, and posts it to a pre-configured Slack channel. Payment notifications include the contact name, amount, invoice reference, and date. Invoice posts show invoice number, amount, due date, and status. Manual journals include the account codes, line descriptions, and amounts. The flow is one-way: Slack does not send data back to Xero. Posts are threaded by invoice or contact so related notifications stay grouped.

How ml-connector handles it

ml-connector authenticates to Xero using OAuth2, stores the refresh token encrypted, and reuses the access token until the 30-minute window closes, then silently refreshes. When Xero sends a webhook notification, ml-connector verifies the signing key matches, extracts the resource ID, fetches the full record via the Accounting API, and formats it as a Slack message block. For Slack, ml-connector trades the Xero OAuth client ID and secret for a Slack bot token that never expires, stores it encrypted, and uses Bearer authentication on every POST to chat.postMessage. Before each post, ml-connector verifies that the target channel exists via conversations.info and respects the 1-per-second rate limit per channel by queuing posts and consuming the queue at safe intervals. Slack Events API webhook requests arrive with a timestamp and signature in the X-Slack-Signature header; ml-connector computes HMAC-SHA256 over the timestamp and request body using the Slack signing secret, verifies it matches constant-time, and responds 2xx within 3 seconds. If a post to Slack fails due to transient error or rate limiting, ml-connector stores the formatted message and retries with exponential backoff, and includes a full audit log of every post attempt.

A real-world example

A small accounting firm uses Xero for client bookkeeping and Slack for team coordination. Before the integration, invoices and payments were email notifications to the finance team, which were often missed or buried in the inbox. With Xero and Slack connected, every new invoice and payment posts automatically to a client-financials channel where the team can see it in context with related messages. When a payment is recorded, the client-financials channel gets a brief message with the client name, amount, and date, and team members can discuss exceptions right there. Month-end manual journal entries post in a dedicated thread so the full audit trail is visible to anyone who needs it. The finance team no longer relies on email to stay informed and can spot late payments or double-entries in real time.

What you can do

  • Post Xero invoices and purchase orders to Slack channels with invoice number, amount, due date, and status.
  • Send payment notifications to Slack with contact name, amount, invoice reference, and payment date.
  • Deliver manual journal entries to Slack with account codes, line descriptions, and amounts for audit visibility.
  • Authenticate Xero with OAuth2 and manage token refresh, and authenticate Slack with non-expiring bot tokens and HMAC-SHA256 signature verification.
  • Queue posts to respect Slack's 1-per-second rate limit per channel and replay failed posts with exponential backoff and full audit trail.

Questions

Which direction does data flow between Xero and Slack?
Data flows one way: from Xero to Slack. Invoices, payments, and manual journals from Xero are formatted and posted to Slack channels as messages. Slack does not send data back to Xero; Slack is the notification endpoint, not a data source.
How does ml-connector handle Xero and Slack token expiry?
Xero access tokens expire after 30 minutes, so ml-connector caches the refresh token and silently refreshes the access token when needed. Slack bot tokens do not expire; they remain valid until revoked by the workspace administrator or explicitly revoked via the auth.revoke endpoint.
What happens if a Slack post fails or exceeds the rate limit?
ml-connector queues the formatted message and respects Slack's 1-per-second limit per channel by consuming the queue at safe intervals. If a post fails due to a transient error or reaches the rate limit, ml-connector retries with exponential backoff, and every attempt is logged in the audit trail so you can verify delivery.

Related integrations

More Xero integrations

Xero and Adobe CommerceXero and ADPXero and AdyenXero and AirbaseXero and Amazon Seller CentralXero and AnaplanXero and SAP AribaXero and AsanaXero and AvalaraXero and AvidXchangeXero and BambooHRXero and Basware

Other systems that connect to Slack

Acumatica and SlackDATEV and SlackDeltek and SlackMicrosoft Dynamics 365 Business Central and SlackMicrosoft Dynamics 365 F&O and SlackMicrosoft Dynamics GP and SlackMicrosoft Dynamics NAV and SlackEpicor Kinetic and SlackExact Online and SlackFreshBooks and SlackIFS Cloud and SlackInfor CloudSuite and Slack

Connect Xero and Slack

Free to use. Add your credentials, ping your real systems, and see if we fit.

Get started