I asked this in Xero's developer forums, but it looks like Xero are not supporting developers any more. Quite a few questions going unanswered. I thought this might be a better place to discuss with developers.

We created an app for a client prior to the OAuth2 change, so we completely rejigged it using the suggested new OAuth2 workflow where we log in to Xero, grant access to the Xero account, and then store the renewal token in a database. Then routinely refresh the token. We did this via the client granting full access to their Org for our Xero account so they didn't have to go through the process of doing the initial connection.

Now that they have this connection set up, the customer wants to remove our access to their Xero org. And have done so. But since then we are seeing grant_type errors from any attempt to contact Xero.

Am I right in thinking that once access is revoked to an org, any token created by that user now has no access? And if so, what is the exact suggested plan here? Create a new account just for API usage that is never revoked? I don't think I've come across an API used for building M2M applications that requires the non-technical client to actually connect to the API itself.


If a user wants to disconnect your API app from connecting to their org and they revoke it through the Settings < Connected Apps < Disconnect button, then that just revokes that specific access_token from making any future calls and disables the refresh_token from creating new valid access_tokens.

Might need a bit more context to guide you to the best solution for your scenario, but if you were to re-authenticate from the user's perspective and re-save the newly generated OA2 token_set, your API access for that user/org should be reinstated.
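The behaviour described in this answer (a revoked connection kills both the access_token and the refresh_token, and only an interactive re-authorisation restores access) is something the app's refresh routine has to recognise, otherwise a scheduled job will keep retrying a dead refresh_token forever. The following is an added example, not code from the original poster or from Xero's SDK. It implements the standard RFC 6749 refresh exchange (`grant_type=refresh_token`) and treats the `invalid_grant` error as the "connection revoked, needs re-consent" signal; the token endpoint URL, the token-store layout, and the sample responses are constructed assumptions, and the HTTP call is injected so the example runs offline.

```python
"""Added example: handling an OAuth2 refresh failure after a user revokes access.

Illustrative code, not the poster's app or Xero's SDK. The HTTP call to the token
endpoint is injected so the example runs offline; the URL, the token-store layout
and the sample responses are constructed. Request and error shapes follow RFC 6749
(grant_type=refresh_token, error=invalid_grant).
"""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed placeholder endpoint (not taken from the page); use the provider's documented one.
TOKEN_ENDPOINT = "https://identity.example.invalid/connect/token"


@dataclass
class StoredConnection:
    """What the app persists per connected org: the token set plus a status flag."""
    tenant_label: str
    refresh_token: str
    access_token: Optional[str] = None
    expires_at: float = 0.0
    status: str = "active"          # "active" or "needs_reauth"
    last_error: Optional[str] = None


# Injected HTTP function: (url, form_fields) -> (http_status, decoded_json_body)
TokenCall = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]


def refresh_access_token(conn: StoredConnection, client_id: str, client_secret: str,
                         post: TokenCall, now: Callable[[], float] = time.time) -> StoredConnection:
    """Exchange the stored refresh_token for a new token set and persist the result.

    On success the rotated refresh_token is saved immediately (a rotated token that
    was never saved is as good as revoked). On 'invalid_grant' the connection is
    flagged so callers stop retrying and route the org to an interactive re-consent.
    """
    if conn.status != "active":
        return conn  # already known to need re-authorisation; retrying cannot help

    form = {
        "grant_type": "refresh_token",
        "refresh_token": conn.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    status, body = post(TOKEN_ENDPOINT, form)

    if status == 200 and "access_token" in body:
        conn.access_token = body["access_token"]
        conn.expires_at = now() + float(body.get("expires_in", 0))
        # Refresh-token rotation: the previous token is dead once a new one is issued.
        conn.refresh_token = body.get("refresh_token", conn.refresh_token)
        conn.last_error = None
        return conn

    error = body.get("error", "unknown_error")
    conn.last_error = error
    if error == "invalid_grant":
        # Disconnected via Settings > Connected Apps, or the token expired or was
        # reused: no further refresh will succeed, so flag for re-authorisation.
        conn.status = "needs_reauth"
        conn.access_token = None
    return conn


def demo() -> StoredConnection:
    """Drive the refresher with constructed responses: one good refresh, then a revocation."""
    conn = StoredConnection(tenant_label="client-org", refresh_token="rt-0")
    responses = iter([
        (200, {"access_token": "at-1", "refresh_token": "rt-1",
               "expires_in": "1800", "token_type": "Bearer"}),
        (400, {"error": "invalid_grant"}),   # constructed: what the endpoint returns post-disconnect
    ])

    def fake_post(url: str, form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        assert form["grant_type"] == "refresh_token"
        return next(responses)

    refresh_access_token(conn, "client-id", "client-secret", fake_post, now=lambda: 1000.0)
    assert conn.refresh_token == "rt-1"      # rotated token was persisted before the next call
    refresh_access_token(conn, "client-id", "client-secret", fake_post, now=lambda: 1000.0)
    return conn


if __name__ == "__main__":
    print(json.dumps(demo().__dict__, indent=2))
```

The useful part for operations is the `status` flag: a monitoring job can alert on connections in `needs_reauth` and send the org owner back through the consent screen, which is the "re-authenticate and re-save the token_set" step the answer describes, rather than letting the refresh job generate a stream of `invalid_grant` errors.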