SureTaxAPI

API Authentication

The SureTaxAPI supports the following forms of authentication

OAuth

OAuth 2.0

OAuth (Open Authorization) is an open standard for access delegation. It allows users to grant third-party applications limited access to their resources without sharing their credentials. OAuth is commonly used for token-based authentication. Follow the steps below to configure OAuth 2.0

Step 1: Client Registration
To use the API, Wolters Kluwer and the SureTax Solution Team will need to register your application.

What You Need to Provide

  • Application Name
  • Application Description
  • Redirect URL

What You Will Receive

After registration, you will receive your Client Credentials: a Client ID and a Client Secret.

Step 2: Obtain Authorization from the Resource Owner
Having received your **Credentials** , it is now time to obtain authorization to the SureTax API Gateway.

What You Need to Do

  • Redirect the User: Direct the user to the authorization server's authorization endpoint, sending in the Client ID, requested Scopes, and Redirect URI that you received in the previous step.

  • Handle the Redirect: After the user grants permission, handle the redirect from the authorization server, which includes an Authorization Code.

Step 3: Exchange Authorization Code for Access Token
In this step, the customer's application will exchange the authorization code for an access token.

What the Customer Needs to Do:

  • Token Request: Make a POST request to your token endpoint. Include the following parameters in the request body:
    • authorization_code: The authorization code received from the authorization server.
    • client_id: Your application's client ID.
    • client_secret: Your application's client secret.
    • redirect_uri: The URI where the authorization code was sent.

What to Expect from Your API:

  • Response: Upon successful exchange, your API will return a JSON response containing:
    • access_token: The token used to authenticate API requests.
    • token_type: The type of the token, usually "Bearer".
    • expires_in: The lifetime of the access token in seconds.
    • refresh_token: A token used to obtain a new access token when the current one expires.
    • scope: The scopes granted by the access token.

Example of a Response:

{
  "access_token": "ACCESS_TOKEN_HERE",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "REFRESH_TOKEN_HERE",
  "scope": "requested_scopes"
}
Step 4: Access Protected Resources

The customer’s application uses the access token to access protected resources.

What the Customer Needs to Do:

  • API Request: Include the access token in the Authorization header of API requests to your protected resources.