A service provider application may be provided by either:

  • a third-party digital service provider
  • in-house by a client organisation or an organisation acting on behalf of a client organisation.

To create an authorisation token to access gateway services using our OAuth authorisation services, the following steps are used for both cloud and native (desktop client) application usage.

User accesses service

The authorised user is interacting with the service provider application. They access a protected service provided by us (for example, to file a return or retrieve a balance).

User provides myIR logon

We prompt the authorised user to provide their myIR logon, and they are authenticated. On first use the authorised user must also confirm their consent for the service provider application to access our site on their behalf.

User is directed to myIR

The service provider application invokes the authorisation API to get an authorisation code, and the user’s browser is redirected to our logon page.

We issue authorisation code

We issue the authorisation code which is returned to the service provider application via the browser. It has a finite time to live (TTL) of 15 minutes.

Provider redeems authorisation code

The service provider application invokes our token service to redeem the authorisation code for an OAuth access token.

This OAuth access token has a finite time to live (TTL) of 8 hours. For cloud providers a refresh token is also provided with a finite TTL of 6 months.

Provider can access our protected services

The service provider application can then invoke our protected services (for example, to file a return) supplying the OAuth access token in the header.

The OAuth access token can be used for multiple invocations until it expires.

Ongoing usage

A cloud-based service provider application can use the refresh token to request another access token for ongoing usage of the gateway service until the refresh token expires.
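
The token lifetimes in the steps above determine what a service provider application has to do before each call to a protected service. The following is an added example, not Inland Revenue's code, that models that decision for cloud and native clients; the class and function names, the 60 second safety margin, the 180 day approximation of 6 months and the Bearer header scheme are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# TTLs as stated on this page; "6 months" is approximated as 180 days (assumption).
AUTH_CODE_TTL = timedelta(minutes=15)
ACCESS_TOKEN_TTL = timedelta(hours=8)
REFRESH_TOKEN_TTL = timedelta(days=180)
SKEW = timedelta(seconds=60)  # assumed safety margin for clock drift and latency


def code_redeemable(issued_at: datetime, now: datetime) -> bool:
    """True while an authorisation code is still inside its 15 minute TTL."""
    return now < issued_at + AUTH_CODE_TTL - SKEW


@dataclass
class TokenSet:
    access_token: str
    access_issued_at: datetime
    refresh_token: Optional[str] = None  # only cloud providers receive one
    refresh_issued_at: Optional[datetime] = None

    def next_action(self, now: datetime) -> str:
        """Decide what the client must do before calling a protected service."""
        if now < self.access_issued_at + ACCESS_TOKEN_TTL - SKEW:
            return "use_access_token"
        if (self.refresh_token and self.refresh_issued_at
                and now < self.refresh_issued_at + REFRESH_TOKEN_TTL - SKEW):
            return "refresh"
        return "reauthorise"  # the user must log on to myIR again

    def auth_header(self, now: datetime) -> dict:
        """Header for a protected call; refuses to send an expired token."""
        action = self.next_action(now)
        if action != "use_access_token":
            raise PermissionError("access token expired, next step: " + action)
        # Bearer scheme is assumed (RFC 6750); the page only says "in the header".
        return {"Authorization": "Bearer " + self.access_token}


if __name__ == "__main__":
    t0 = datetime(2021, 4, 28, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    cloud = TokenSet("constructed-access", t0, "constructed-refresh", t0)
    native = TokenSet("constructed-access", t0)  # native client: no refresh token
    for hours in (1, 9, 24 * 200):
        now = t0 + timedelta(hours=hours)
        print(hours, cloud.next_action(now), native.next_action(now))
```

A native client falls straight through to re-authorisation once the 8 hour access token lapses, because it holds no refresh token.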

Last updated: 28 Apr 2021