Open
Problem
The current Xero MCP server uses a global singleton client that authenticates once using environment variables (`XERO_CLIENT_ID`/`XERO_CLIENT_SECRET` or `XERO_CLIENT_BEARER_TOKEN`). This design limits the server to a single Xero account/user, making it unsuitable for multi-tenant applications where different users need to access their own Xero organizations.
Proposed Solution
Modify the server architecture to accept authentication tokens as parameters in tool calls rather than relying solely on environment variables at startup. This would allow:
- Multiple users to use the same server instance with their own Xero credentials
- Dynamic token handling (refresh, rotation, etc.)
- Better resource utilization (single server vs. multiple instances)
- Support for SaaS applications with multiple Xero integrations
Suggested Implementation
- Add a `bearer_token` parameter to all tool schemas
- Modify handlers to create Xero client instances per request instead of using the global client
- Maintain backward compatibility with environment variable authentication as a fallback
- Update tool documentation to reflect the new authentication options
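The sketch below is an added example of the four steps above, not code from the Xero MCP server or from xero-node. It assumes a JSON-Schema-shaped tool input object, a stand-in `XeroClientLike` interface in place of the real Xero client, and an environment object passed in explicitly so the resolution order (call parameter first, then `XERO_CLIENT_BEARER_TOKEN`, then `XERO_CLIENT_ID`/`XERO_CLIENT_SECRET`) can be tested without touching `process.env`. The client is built per request and never stored at module scope, which is what keeps one caller's token from being reused for another caller; tokens are redacted before they reach any log line.

```typescript
// Added example (not the Xero MCP server's own code): per-request credential
// resolution with environment-variable fallback, as proposed in the issue.

type JsonSchema = { type: string; properties?: Record<string, unknown>; required?: string[] };

// Step 1: add an optional bearer_token field to a tool's input schema. The
// original schema object is not mutated and bearer_token is not made required,
// so existing callers that rely on environment variables keep working.
function addBearerTokenToSchema(schema: JsonSchema): JsonSchema {
  return {
    ...schema,
    properties: {
      ...(schema.properties ?? {}),
      bearer_token: {
        type: "string",
        description: "Xero access token for this call; falls back to server environment variables when omitted",
      },
    },
  };
}

type AuthSource = "tool_call" | "env_bearer" | "env_client_credentials";

type ResolvedAuth = {
  source: AuthSource;
  bearerToken?: string;
  clientId?: string;
  clientSecret?: string;
};

// Environment passed in explicitly (constructed in tests) instead of reading process.env.
type EnvLike = Record<string, string | undefined>;

// Steps 2 and 3: pick credentials for one request. A bearer_token in the call
// wins; otherwise fall back to XERO_CLIENT_BEARER_TOKEN, then XERO_CLIENT_ID/SECRET.
// A bearer_token that is present but malformed is rejected rather than silently
// falling back to the server's own credentials.
function resolveAuth(args: Record<string, unknown>, env: EnvLike): ResolvedAuth {
  const fromCall = args["bearer_token"];
  if (fromCall !== undefined) {
    if (typeof fromCall !== "string" || fromCall.trim() === "") {
      throw new Error("bearer_token must be a non-empty string when provided");
    }
    return { source: "tool_call", bearerToken: fromCall.trim() };
  }
  if (env.XERO_CLIENT_BEARER_TOKEN) {
    return { source: "env_bearer", bearerToken: env.XERO_CLIENT_BEARER_TOKEN };
  }
  if (env.XERO_CLIENT_ID && env.XERO_CLIENT_SECRET) {
    return { source: "env_client_credentials", clientId: env.XERO_CLIENT_ID, clientSecret: env.XERO_CLIENT_SECRET };
  }
  throw new Error("no Xero credentials: pass bearer_token or configure the environment");
}

// Keep full tokens out of logs: show only the last four characters and the length.
function redact(secret: string): string {
  if (secret.length <= 4) return "****";
  return `****${secret.slice(-4)} (${secret.length} chars)`;
}

// Stand-in for a Xero client (assumption; the real xero-node client is not shown).
type XeroClientLike = { readonly authSource: AuthSource; readonly tokenHint: string };

// Build a fresh client for each request instead of a module-level singleton.
function createClient(auth: ResolvedAuth): XeroClientLike {
  const secret = auth.bearerToken ?? auth.clientSecret ?? "";
  return { authSource: auth.source, tokenHint: redact(secret) };
}

// A tool handler that resolves auth per call; the client goes out of scope
// when the call returns, so nothing is shared with the next caller.
function handleListContacts(args: Record<string, unknown>, env: EnvLike): XeroClientLike {
  const client = createClient(resolveAuth(args, env));
  // A real handler would call the Xero accounting API through `client` here.
  return { authSource: client.authSource, tokenHint: client.tokenHint };
}
```

Two calls against the same server instance, one carrying `bearer_token` and one without it, resolve to `tool_call` and to the environment fallback respectively, which is the backward-compatibility behaviour the issue asks for.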
Benefits
- Enables multi-tenant usage
- Better scalability and resource management
- Supports dynamic authentication scenarios
- Maintains security isolation between users
- Reduces infrastructure complexity for applications serving multiple users
Backward Compatibility
The implementation should maintain compatibility with current environment variable-based authentication when `bearer_token` is not provided in tool calls.