
Xero and UKG integration

Xero handles accounting and finance. UKG handles payroll and HR. Connecting them keeps your general ledger and payroll aligned. Payroll GL journals produced after each pay run post into Xero automatically, allocated to the correct accounts and cost centers. Employee records stay synchronized between systems so Xero's contact records reflect UKG hires, terminations, and rehires. ml-connector bridges the very different authentication schemes on each side and moves data on a schedule tied to your payroll calendar.

How Xero works

Xero is a cloud accounting platform that exposes contacts, invoices, accounts, purchase orders, payments, and general ledger entries through the Xero Accounting API as REST with JSON responses. Authentication uses the OAuth2 Authorization Code flow with 30-minute access tokens and 60-day refresh tokens when the offline_access scope is granted. The API enforces a limit of 5 concurrent calls and 60 requests per minute per organization, with page-based pagination of 100 records per page. Xero supports webhooks for Contact, Invoice, CreditNote, Payment, ManualJournal, and PurchaseOrder events. Webhook payloads contain metadata only, so a follow-up GET is required to fetch the full record. Webhook signatures are verified with a key obtained from the Xero Developer portal, which is separate from the OAuth client secret.

How UKG works

UKG is an HR and payroll platform with separate API surfaces for HRIS and payroll. It exposes employee master data, compensation details, pay statements, cost centers, and GL payroll journal entries via REST APIs. Authentication supports HTTP Basic Auth with two custom API key headers - US-CUSTOMER-API-KEY at the tenant level and US-USER-API-KEY for the service account - or OAuth2 client_credentials flow with tokens expiring in 1 hour. Key payroll entities are accessed through /personnel/v1 and /payroll/v1 endpoints at tenant-specific hostnames. GL postings are retrieved via a file-based export template or the /services/payroll/v1/thirdpartypay endpoint, which contains GL account segments and debit/credit amounts. Webhooks are available through the UKG Webhooks platform with 14-day event retention and HMAC SHA-256 signing.
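The signature checks described for both platforms come down to recomputing an HMAC SHA-256 over the raw request body and comparing it in constant time. The following is an added example, not ml-connector's or either vendor's code. It assumes Xero's documented `x-xero-signature` header carrying a base64 digest; the page does not give UKG's header name or encoding, so the verifier takes the encoding as a parameter. The key, tenant ID, and event body are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def verify_signature(raw_body: bytes, signature, key: bytes,
                     encoding: str = "base64") -> bool:
    """Constant-time check of an HMAC SHA-256 signature over the raw body."""
    if encoding not in ("base64", "hex"):
        raise ValueError("unsupported signature encoding")
    if not signature:
        return False  # missing header is treated as a failed check
    try:
        if encoding == "base64":
            received = base64.b64decode(signature, validate=True)
        else:
            received = bytes.fromhex(signature)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(key, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)


def handle_webhook(raw_body: bytes, headers: dict, key: bytes):
    """Return (http_status, records_to_fetch). Verify first, parse second.

    `headers` is assumed to have lower-cased names. The body is verified
    as received, never after re-serialising the JSON.
    """
    if not verify_signature(raw_body, headers.get("x-xero-signature"), key):
        return 401, []
    events = json.loads(raw_body).get("events", [])
    # Events carry metadata only, so each one becomes a follow-up GET.
    return 200, [(e["tenantId"], e["eventCategory"], e["resourceId"])
                 for e in events]


# Constructed sample data, not a real key or a captured event.
SAMPLE_KEY = b"constructed-webhook-key-not-a-real-secret"
SAMPLE_BODY = json.dumps({"events": [{
    "tenantId": "tenant-0001", "eventCategory": "INVOICE",
    "eventType": "UPDATE", "resourceId": "res-0001"}]}).encode()
SAMPLE_SIG = base64.b64encode(
    hmac.new(SAMPLE_KEY, SAMPLE_BODY, hashlib.sha256).digest()).decode()
```

The webhook signing key is passed in separately from any OAuth credential, matching the separation the Xero paragraph describes.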

What moves between them

The primary data flow moves from UKG into Xero. After each payroll run, ml-connector reads UKG's GL payroll journal entries and posts them into Xero's general ledger as manual journal entries, mapped to the matching Xero GL accounts and cost centers from UKG's cost center master data. Employee records including demographic details and compensation information flow from UKG into Xero's contact base so Xero reflects current headcount, hires, and terminations. Reference data such as cost centers and payment groups is aligned so every payroll journal line references a GL account and cost center that already exists in Xero. GL data is read-only in UKG, so ml-connector never writes financial entries back to payroll.

How ml-connector handles it

ml-connector stores both credential sets encrypted and can use either HTTP Basic Auth with the two custom UKG API keys or OAuth2 client credentials on the UKG side, refreshing the bearer token when it expires after 1 hour. On the Xero side it handles OAuth2 token refresh on the 30-minute expiry and validates the Xero-tenant-id header requirement for multi-org deployments. UKG's employee ID endpoint returns internal UUIDs that require a second call per employee to retrieve the full profile, so ml-connector batches these two-pass fetches and caches the results. Cost centers and accounts are mapped first so every payroll journal line references a GL account that already exists in Xero. Because both systems support webhooks, ml-connector can receive near real-time events from UKG Webhooks Premium and confirm successful delivery to Xero. It also implements secondary polling on UKG's delta endpoint /personnel/v1/employees/changed for zero-tolerance integrations where 14-day webhook retention is not sufficient. Xero's limits of 60 requests per minute and 5 concurrent calls are respected by queuing requests. Every record carries a full audit trail and can be replayed if a downstream journal post fails.

A real-world example

A mid-sized professional services firm runs Xero for accounting and finance across three regional offices, and uses UKG for payroll processing and HR. Before the integration, the finance team manually exported payroll GL journals from UKG each pay period and entered the totals into Xero by hand, mapping each journal line to the correct office and department code. This manual process created reconciliation delays and month-end close took extra days chasing differences between what payroll reported and what appeared in the ledger. With Xero and UKG connected, each payroll run's GL journal flows into Xero automatically, with cost centers pre-mapped to the correct regional office codes, and employee updates keep contact records current. Month-end close begins with labor accounts already reconciled, and the re-keying step is eliminated.

What you can do

  • Post UKG payroll GL journal entries into Xero's general ledger after every pay run, allocated to the correct accounts and cost centers.
  • Keep Xero contact records aligned with UKG employee hires, terminations, rehires, and demographic updates.
  • Map UKG cost centers, pay groups, and compensation details to Xero GL accounts and tracking categories so payroll lands on valid dimensions.
  • Authenticate Xero with OAuth2 and UKG with HTTP Basic Auth or OAuth2, handling token refresh and credential encryption.
  • Sync on a schedule tied to your payroll calendar, with webhook support, polling fallback, retries, and a full audit trail on every record.

Questions

Which direction does data move between Xero and UKG?

The main flow is from UKG into Xero. Payroll GL journals and employee records move from UKG into Xero, while cost centers and accounts are aligned so payroll allocations land on valid Xero dimensions. GL data is read-only in UKG, so ml-connector does not write financial entries back into payroll.

How does the integration handle UKG's two authentication schemes and 1-hour token expiry?

ml-connector supports both HTTP Basic Auth with the US-CUSTOMER-API-KEY and US-USER-API-KEY headers, and the OAuth2 client credentials flow with automatic token refresh. OAuth tokens are refreshed when they approach the 1-hour expiry, and Basic Auth credentials are stored encrypted. This ensures authentication is never a blocker for payroll syncs.

Does UKG's two-pass employee fetch and 14-day webhook retention affect sync reliability?

Yes. UKG's employee ID endpoint returns only internal UUIDs, so ml-connector batches a second call to each ID to retrieve the full profile. For webhook reliability, ml-connector implements secondary polling on UKG's /personnel/v1/employees/changed delta endpoint to ensure zero-tolerance integrations are not affected by the 14-day webhook retention window.
