APIs and web services are accessed over the internet. Security is applied in stages and layers to keep our systems and customer information safe.

Our services are restricted

Digital service providers wanting to integrate with us need to go through an approval process.

Security protocols

The following security protocols apply when using our gateway services:

| Aspect | Standard/protocol | Version |
| --- | --- | --- |
| Transport layer encryption | TLS | 1.2 |
| Digital certificates for mutual authentication | X.509 | RFC 5280 profile |
| Access tokens | OAuth | 2.0 |
| Machine-to-machine (M2M) | Client signed JSON web token (JWT) | 1.2 |

Transport level security

At a network level, access to our services is restricted to approved providers. This includes access to our test environments.

For integration through a cloud endpoint

TLS (SSL) mutual authentication using the TLS 1.2 specification is applied across all gateway services in the PROD and QUAL environments.

In the mock services environment, TLS mutual authentication is not used, but IP address whitelisting is applied.

TLS connection requirements for cloud providers

Incoming connections are identified using client-side X.509 certificates. These certificates must be issued by a certificate authority and cannot be self-signed.

TLS connection requirements for desktop providers

Desktop providers must connect through one-way TLS. No client-side X.509 certificates are required.

User identity

Most gateway service requests are controlled using an OAuth token. This token identifies who is making the request. Users need to authenticate using myIR Secure Online Services logon details.

How to get an OAuth token

For web service requests, an OAuth token is required in the HTTP header.

Authorisation to use gateway services is defined in the myIR permissions.

If a user does not have permission to file a return online, they will not be able to file a return via gateway services. This applies to users who are granted access as staff inside an organisation or as staff in a tax agency.
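The transport and token requirements above can be enforced on the client side before any request is sent. The following is an added example, not Inland Revenue code: the function names, the "cloud"/"desktop" labels, the placeholder host and the use of the standard OAuth 2.0 "Authorization: Bearer" header are assumptions.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Environments where the page says TLS mutual authentication applies.
# (The mock services environment relies on IP address whitelisting instead.)
MTLS_ENVIRONMENTS = {"PROD", "QUAL"}


def gateway_context(provider, environment, cert_file=None, key_file=None):
    """Build an SSLContext for a 'cloud' or 'desktop' provider (labels assumed)."""
    if provider not in ("cloud", "desktop"):
        raise ValueError("provider must be 'cloud' or 'desktop'")
    ctx = ssl.create_default_context()            # verifies server chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older than TLS 1.2
    if provider == "cloud" and environment in MTLS_ENVIRONMENTS:
        if not (cert_file and key_file):
            raise ValueError("cloud providers need a client certificate in PROD/QUAL")
        # The page requires a CA-issued certificate here, not a self-signed one.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def gateway_request(url, access_token, body=None):
    """Build a request carrying the OAuth token in the HTTP header."""
    if urlsplit(url).scheme != "https":
        raise ValueError("gateway requests must go over TLS (https)")
    # Reject empty tokens and embedded whitespace/CRLF, which could split the header.
    if not access_token or any(ch.isspace() for ch in access_token):
        raise ValueError("malformed access token")
    # Assumption: standard OAuth 2.0 bearer usage; the page only says "HTTP header".
    headers = {"Authorization": "Bearer " + access_token}
    return urllib.request.Request(url, data=body, headers=headers)


if __name__ == "__main__":
    # Constructed values: placeholder host and token, desktop (one-way TLS) provider.
    ctx = gateway_context("desktop", "PROD")
    req = gateway_request("https://gateway.example.invalid/service", "constructed-token")
    print(ctx.minimum_version, req.get_header("Authorization"))
    # To send: urllib.request.urlopen(req, context=ctx)
```
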

Supporting services

Identity and access service

Last updated: 28 Apr 2021