ClawHub

Xero

Xero API integration with managed OAuth. Manage contacts, invoices, payments, accounts, and run financial reports. Use this skill when users want to interact with Xero accounting data. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
10 · 17.2k · 9 current installs · 11 all-time installs
by@byungkyu
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description say this is a Xero integration and the SKILL.md exclusively documents calls to Maton gateway endpoints (gateway.maton.ai and ctrl.maton.ai) using a MATON_API_KEY. Requesting a Maton API key is proportional to proxying Xero API calls.
Instruction Scope
All runtime instructions are network requests to the Maton gateway/control endpoints and examples for using the gateway to reach Xero. The instructions do not ask the agent to read local files, environment variables other than MATON_API_KEY, or system config, nor do they direct data to unexpected endpoints beyond the documented Maton URLs.
Install Mechanism
There is no install spec and no code is written to disk (instruction-only SKILL.md). This minimizes install-time risk.
Credentials
The skill requires a single env var (MATON_API_KEY), which matches the documented gateway authentication model. Minor note: the registry metadata does not mark a primary credential but the MATON_API_KEY is effectively the primary secret — ensure you treat it like a sensitive API key since it grants access to proxied Xero data.
Persistence & Privilege
always:false and no install-time persistence is requested. The skill can be invoked autonomously (platform default), which is expected for a usable integration; there is no evidence it modifies other skills or system-wide settings.
Assessment
This skill proxies Xero API calls through Maton and requires you to provide a MATON_API_KEY. Before installing, confirm you trust Maton (gateway.maton.ai / ctrl.maton.ai) because proxied requests and any data sent will be visible to that service. Use a least-privilege API key, restrict or rotate the key if possible, and revoke it if you stop using the skill. Note that the skill can be invoked by agents automatically (platform default) — only enable it for agents you trust. If you need stronger assurance, ask the publisher for a homepage or source repository and verify Maton's privacy/security practices and OAuth flow URLs.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.4
Download zip
latestvk97b9kydbs0qxed3ttktsr3c5h80xc2n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvMATON_API_KEY

SKILL.md

Xero

Access the Xero API with managed OAuth authentication. Manage contacts, invoices, payments, bank transactions, and run financial reports.

Quick Start

# List contacts
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://gateway.maton.ai/xero/api.xro/2.0/Contacts')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF

Base URL

https://gateway.maton.ai/xero/{native-api-path}

Replace {native-api-path} with the actual Xero API endpoint path. The gateway proxies requests to api.xero.com and automatically injects your OAuth token and Xero-Tenant-Id header.

Authentication

All requests require the Maton API key in the Authorization header:

Authorization: Bearer $MATON_API_KEY

Environment Variable: Set your API key as MATON_API_KEY:

export MATON_API_KEY="YOUR_API_KEY"

Getting Your API Key

  1. Sign in or create an account at maton.ai
  2. Go to maton.ai/settings
  3. Copy your API key

Connection Management

Manage your Xero OAuth connections at https://ctrl.maton.ai.

List Connections

python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections?app=xero&status=ACTIVE')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF

Create Connection

python <<'EOF'
import urllib.request, os, json
data = json.dumps({'app': 'xero'}).encode()
req = urllib.request.Request('https://ctrl.maton.ai/connections', data=data, method='POST')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Content-Type', 'application/json')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF

Get Connection

python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections/{connection_id}')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF

Response:

{
  "connection": {
    "connection_id": "21fd90f9-5935-43cd-b6c8-bde9d915ca80",
    "status": "ACTIVE",
    "creation_time": "2025-12-08T07:20:53.488460Z",
    "last_updated_time": "2026-01-31T20:03:32.593153Z",
    "url": "https://connect.maton.ai/?session_token=...",
    "app": "xero",
    "metadata": {}
  }
}

Open the returned url in a browser to complete OAuth authorization.

Delete Connection

python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections/{connection_id}', method='DELETE')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF

Specifying Connection

If you have multiple Xero connections, specify which one to use with the Maton-Connection header:

python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://gateway.maton.ai/xero/api.xro/2.0/Contacts')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Maton-Connection', '21fd90f9-5935-43cd-b6c8-bde9d915ca80')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF

If omitted, the gateway uses the default (oldest) active connection.

API Reference

Contacts

List Contacts

GET /xero/api.xro/2.0/Contacts

Get Contact

GET /xero/api.xro/2.0/Contacts/{contactId}

Create Contact

POST /xero/api.xro/2.0/Contacts
Content-Type: application/json

{
  "Contacts": [{
    "Name": "John Doe",
    "EmailAddress": "john@example.com",
    "Phones": [{"PhoneType": "DEFAULT", "PhoneNumber": "555-1234"}]
  }]
}

Invoices

List Invoices

GET /xero/api.xro/2.0/Invoices

Create Invoice

POST /xero/api.xro/2.0/Invoices
Content-Type: application/json

{
  "Invoices": [{
    "Type": "ACCREC",
    "Contact": {"ContactID": "xxx"},
    "LineItems": [{
      "Description": "Service",
      "Quantity": 1,
      "UnitAmount": 100.00,
      "AccountCode": "200"
    }]
  }]
}

Accounts

List Accounts

GET /xero/api.xro/2.0/Accounts

Payments

List Payments

GET /xero/api.xro/2.0/Payments

Bank Transactions

List Bank Transactions

GET /xero/api.xro/2.0/BankTransactions

Reports

Profit and Loss

GET /xero/api.xro/2.0/Reports/ProfitAndLoss?fromDate=2024-01-01&toDate=2024-12-31

Balance Sheet

GET /xero/api.xro/2.0/Reports/BalanceSheet?date=2024-12-31

Trial Balance

GET /xero/api.xro/2.0/Reports/TrialBalance?date=2024-12-31

Organisation

GET /xero/api.xro/2.0/Organisation

Invoice Types

  • ACCREC - Accounts Receivable (sales invoice)
  • ACCPAY - Accounts Payable (bill)

Code Examples

JavaScript

const response = await fetch(
  'https://gateway.maton.ai/xero/api.xro/2.0/Contacts',
  {
    headers: {
      'Authorization': `Bearer ${process.env.MATON_API_KEY}`
    }
  }
);

Python

import os
import requests

response = requests.get(
    'https://gateway.maton.ai/xero/api.xro/2.0/Contacts',
    headers={'Authorization': f'Bearer {os.environ["MATON_API_KEY"]}'}
)

Notes

  • Xero-Tenant-Id header is automatically injected
  • Dates are in YYYY-MM-DD format
  • Multiple records can be created in a single request using arrays
  • Use where query parameter for filtering
  • IMPORTANT: When using curl commands, use curl -g when URLs contain brackets (fields[], sort[], records[]) to disable glob parsing
  • IMPORTANT: When piping curl output to jq or other commands, environment variables like $MATON_API_KEY may not expand correctly in some shell environments. You may get "Invalid API key" errors when piping.

Error Handling

StatusMeaning
400Missing Xero connection
401Invalid or missing Maton API key
429Rate limited (10 req/sec per account)
4xx/5xxPassthrough error from Xero API

Troubleshooting: API Key Issues

  1. Check that the MATON_API_KEY environment variable is set:
echo $MATON_API_KEY
  1. Verify the API key is valid by listing connections:
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request('https://ctrl.maton.ai/connections')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF

Troubleshooting: Invalid App Name

  1. Ensure your URL path starts with xero. For example:
  • Correct: https://gateway.maton.ai/xero/api.xro/2.0/Contacts
  • Incorrect: https://gateway.maton.ai/api.xro/2.0/Contacts

Resources

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…