Date Updated: May 30th 2014

How to Authenticate

The EXO API can be used on premise or online via the LiveRelay. We've worked really hard to keep things simple and in both instances authentication is the same and simply requires three headers to be included in each request. The first is the EXO Token which is generated via the EXO Business application, the second is the encoded username and password of the user and the last is the developer key which is generated for the application via

These access tokens need to be present in the header of each request and is used to identify the application, system to connect to, user details and device information. Any request without these token will be refused access.

Required Headers

Authorization:Basic [Base64Encode(username:password)]Base 64 encoded username and password of the user.
x-myobapi-key:[dev_key]the developer key identifying the application
x-myobapi-exotoken:[access_token]the access token that identifies the user, system, device etc as configured in EXO Business

An example of this could look like:

Authorization: Basic RXhvQWRtaW46RXhvQW!288H1
x-myobapi-key: ABCta353c5R6YXRvcjo=
x-myobapi-exotoken: 123AA353c5R6YXRsTAQ18*%
Note: The values above are examples only; you will need to replace with your own credentials.

Generating Headers

Before staring work on a new app, or making your existing app work with the EXO API, you first need to register your app and receive an API key, and an API secret. These are used when authenticating your application and are set in the headers for all calls to the API.

Applying for your Key

  1. Enter your details to register for API Access
  2. We'll create a MYOB login, which will give you access to my.myob (If you own any MYOB Product you will already have an my.myob login, please let us know this in your registration)
  3. Login to my.myob
  4. Click on the Developer tab, then click the Register App button
  5. Enter your app's details, including the app's name and redirect URL, then click Register App
  6. The API key and secret for your app are generated and displayed on the page, along with information about app usage, quotas and limits
Note: You need to register each application you develop. To register another application simply log back into and under the developer tab register your application. Use this new token to identify your new application.

Generating your EXO Token

Each person using the API will need to obtain a EXO Token which identifies the system, user, device and permissions to use. This token is generated in using the EXO Config application (versions 8.7+) or using the EXO Mobile Config application packaged in the API installation (versions  < 8.7)

Note: Unlike the application key this is unique to each user and system so your application should provide a way for for users to update it in case a configuration change is made in EXO Business.

Refreshing Tokens

MYOB EXO Business licences are renewed annually. Since the expiry date of access tokens is based on expiry date of the EXO API and EXO Mobile modules, the tokens become invalid after a year and must be refreshed. A call to the token endpoint automatically refreshes the token used in the call and returns the refreshed token as a string.

Basic Authentication

Along with the EXO Token you need to provide a Base64Encoded username and password. This is validated on each request.

Note: Your application should provide a way for users to update their username and password in case these change in EXO Business.