Skip to main content

Takapuna office closure | Takapuna office closure. The Takapuna office is relocating to a new address so will be closed from 22 November 4pm to 26 November 4pm. From 27 November you can find the new office at: 74 Taharoto Road Smales Farm, One NZ Building, Takapuna.

Some services unavailable 23 - 24 November | myIR, gateway services and our self-service phone line will not be available from 3pm Saturday 23 November to 9am Sunday 24 November while we do planned system testing. This will not affect any tax entitlements or payments scheduled during this time.

A service provider application may be provided by either:

  • a third-party digital service provider
  • in-house by a client organisation or an organisation acting on behalf of a client organisation.

To create an authorisation token to access gateway services using our OAuth authorisation services, the following steps are used for both cloud and native (desktop client) application usage.

User accesses service

The authorised user is interacting with the service provider application. They access a protected service provided by us (for example, to file a return or retrieve a balance).

User is directed to myIR

The service provider application invokes the authorisation API to get an authorisation code, and the user’s browser is redirected to our logon page.

User provides myIR logon

We prompt the authorised user to provide the myIR logon, they are authenticated. On first use the authorised user must also confirm their consent for the service provider application to access our site on their behalf.

We issue authorisation code

We issue the authorisation code which is returned to the service provider application via the browser. It has a finite time to live (TTL) of 10 minutes.

Provider redeems authorisation code

The service provider application invokes our token service to redeem the authorisation code for an OAuth access token.

This OAuth access token has a finite time to live (TTL) of 8 hours. For cloud providers a refresh token is also provided with a finite TTL of 1 year.

Provider can access our protected services

The service provider application can then invoke our protected services (for example, to file a return) supplying the OAuth access token in the header.

The OAuth access token can be used for multiple invocations until it expires.

Ongoing usage

A cloud-based service provider application can use the refresh token to request another access token for ongoing usage of the gateway service until it expires.

Last updated: 28 Apr 2021
Jump back to the top of the page