A service provider application may be provided by either:

  • a third-party digital service provider
  • in-house by a client organisation or an organisation acting on behalf of a client organisation.

The following steps create an authorisation token for accessing gateway services through our OAuth authorisation services. They apply to both cloud and native (desktop client) applications.

User accesses service

The authorised user is interacting with the service provider application. They access a protected service provided by us (for example, to file a return or retrieve a balance).

User provides myIR logon

We prompt the authorised user to provide their myIR logon, and they are authenticated. On first use, the authorised user must also confirm their consent for the service provider application to access our site on their behalf.

User is directed to myIR

The service provider application invokes the authorisation API to get an authorisation code, and the user’s browser is redirected to our logon page.

We issue authorisation code

We issue the authorisation code which is returned to the service provider application via the browser. It has a finite time to live (TTL) of 15 minutes.

Provider redeems authorisation code

The service provider application invokes our token service to redeem the authorisation code for an OAuth access token.

This OAuth access token has a finite time to live (TTL) of 8 hours. For cloud providers a refresh token is also provided with a finite TTL of 6 months.

Provider can access our protected services

The service provider application can then invoke our protected services (for example, to file a return) supplying the OAuth access token in the header.

The OAuth access token can be used for multiple invocations until it expires.

Ongoing usage

A cloud-based service provider application can use the refresh token to request another access token for ongoing usage of the gateway service until the refresh token expires.
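The sketch below is an added example, not code published by us. It shows how a service provider application could track the three lifetimes described above and decide which step to take next. The `Grant` record, the function names, the 60-second safety margin and the 180-day approximation of "6 months" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Lifetimes stated on this page.
AUTH_CODE_TTL = timedelta(minutes=15)
ACCESS_TOKEN_TTL = timedelta(hours=8)
# "6 months" approximated as 180 days (assumption: expire early rather than late).
REFRESH_TOKEN_TTL = timedelta(days=180)
# Safety margin so a token is not sent moments before it lapses (assumption).
SKEW = timedelta(seconds=60)

@dataclass
class Grant:
    """Client-side record of one authorisation (hypothetical structure)."""
    code_issued_at: datetime
    access_issued_at: Optional[datetime] = None   # None until the code is redeemed
    refresh_issued_at: Optional[datetime] = None  # stays None for native (desktop) apps

def _live(issued_at: Optional[datetime], ttl: timedelta, now: datetime) -> bool:
    return issued_at is not None and now < issued_at + ttl - SKEW

def next_action(grant: Grant, now: datetime) -> str:
    """Return the step the service provider application should take next."""
    if _live(grant.access_issued_at, ACCESS_TOKEN_TTL, now):
        return "call_service"   # supply the access token in the header
    if _live(grant.refresh_issued_at, REFRESH_TOKEN_TTL, now):
        return "refresh"        # cloud providers only
    if grant.access_issued_at is None and _live(grant.code_issued_at, AUTH_CODE_TTL, now):
        return "redeem_code"    # code not yet exchanged and still within its TTL
    return "reauthorise"        # send the user back through the myIR logon

def on_tokens_received(grant: Grant, now: datetime, has_refresh: bool) -> None:
    """Record issue times after the token service responds."""
    grant.access_issued_at = now
    if has_refresh:
        grant.refresh_issued_at = now
```

A native application never records a refresh token, so once its access token lapses the only outcome is `reauthorise`.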

Last updated: 28 Apr 2021