Xpenser API: Authentication

Xpenser offers two authentication methods: HTTP Basic Auth and OAuth.

HTTP Basic Authentication

One way to access the Xpenser APIs is HTTP Basic Authentication. For example, here's a simple way to record a new expense:

curl -i -u "user@test.com:password" "http://xpenser.com/api/v1.0/expense/?q=test+expense+15+my+notes"

where user@test.com is the username and password is the password.

HTTP Basic Authentication is one of the oldest and simplest ways to authenticate for web access and is well supported by just about every programming language. However, it requires the username and password to be available when accessing the API, leading to the password anti-pattern: requiring the user to give their password to a third party (in this case, the application you're creating using the Xpenser APIs) is very bad practice.

Xpenser supports HTTP Basic Auth in order to accommodate scenarios where OAuth is not well supported and the username/password are not sent to a third party - for example, when developing on mobile devices.

If you are using .NET, please take a look at this page on using basic HTTP authentication in HttpWebRequest in C# for sample code on enabling basic auth.


OAuth

OAuth is a newer method for gaining access to protected resources. It offers several advantages over HTTP Basic Authentication - in particular, it does not require the user's username and password to be known when invoking the APIs. We encourage you to make use of OAuth instead of HTTP Basic Auth where possible.

In order to use OAuth to gain access to Xpenser APIs you will need a consumer key and secret. Please contact us at api@xpenser.com to get set up.
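To make the difference between the two methods concrete, the following added example (not Xpenser's or the oauth gem's code) builds the Authorization header each method sends: the Basic header can be decoded back to the password, while the OAuth 1.0 header carries only a signature keyed by secrets that never leave the client. It assumes the HMAC-SHA1 signature method; the token, nonce and timestamp values are constructed placeholders.

```ruby
require 'openssl'
require 'base64'

# RFC 3986 percent-encoding as OAuth 1.0 requires (RFC 5849, section 3.6)
def pct(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| '%%%02X' % b }.join }
end

# HTTP Basic Auth puts the password on the wire, merely Base64-encoded
def basic_header(user, password)
  'Basic ' + Base64.strict_encode64("#{user}:#{password}")
end

# Anything that sees the header (proxy, log, third-party app) recovers the password
def password_from_basic(header)
  Base64.decode64(header.sub(/\ABasic /, '')).split(':', 2).last
end

# OAuth 1.0 HMAC-SHA1: the two secrets key the HMAC and are never transmitted
def oauth_signature(method, url, params, consumer_secret, token_secret)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort
                     .map { |k, v| "#{k}=#{v}" }.join('&')
  base = [method.upcase, pct(url), pct(normalized)].join('&')
  key  = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base))
end

# Authorization header: public identifiers plus the signature; no secret appears in it
def oauth_header(method, url, query, oauth, consumer_secret, token_secret)
  sig = oauth_signature(method, url, query.merge(oauth), consumer_secret, token_secret)
  'OAuth ' + oauth.merge('oauth_signature' => sig).sort
                  .map { |k, v| %(#{pct(k)}="#{pct(v)}") }.join(', ')
end

# Constructed sample values: placeholders, not real credentials or tokens
SAMPLE_URL   = 'http://xpenser.com/api/v1.0/expense/'
SAMPLE_QUERY = { 'q' => 'test expense 15 my notes' }
SAMPLE_OAUTH = {
  'oauth_consumer_key' => 'consumer_key', 'oauth_token' => 'access_token_placeholder',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1300000000',
  'oauth_nonce' => 'constructed-nonce', 'oauth_version' => '1.0'
}

if __FILE__ == $0
  basic = basic_header('user@test.com', 'password')
  puts basic, "recovered from header: #{password_from_basic(basic)}"
  puts oauth_header('GET', SAMPLE_URL, SAMPLE_QUERY, SAMPLE_OAUTH,
                    'secret', 'token_secret_placeholder')
end
```

The signature covers the method, URL and parameters, so a captured OAuth header does not verify for a different request; it does not hide the request contents.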

The Xpenser OAuth endpoints are:

Ruby Sample Code

The following Ruby code accesses the Xpenser APIs using OAuth:

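require 'oauth'

# Callback URL taken from the comment below; replace with your application's address
callback_url = "http://your_address_here.com/callback/"

@consumer = OAuth::Consumer.new "consumer_key", "secret", {:site => "http://xpenser.com"}
# A request token must be obtained before the authorization URL can be built
@request_token = @consumer.get_request_token(:oauth_callback => callback_url)
auth_url = @request_token.authorize_url({:oauth_callback => callback_url})

# Now go to auth_url using a browser and authorize the request
# you should get redirected to http://your_address_here.com/callback/ on success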


You may find the OAuth Explorer tool helpful in testing OAuth access.