Identity and access service
You'll need to be able to:
- get and set up a TLS (SSL) connection client side X509 certificate for web service client connections in test and production (primarily for Cloud originating connections)
- complete OAuth2 integration
- identify internet-facing IP addresses that SOAP requests will come from
- apply X509 client certificates available in the developer portal for client side of mutual TLS authentication for all connection requests
- do a local network trace to see exactly what has been sent and received, including HTTP headers and ideally a TLS handshake.
For services relating to SFTP related set up, you may need to:
- exchange SSH keys
- exchange PGP keys for file signing and encryption
- make firewall changes to open incoming ports
- apply PGP decryption, validation, encryption and signing depending on specific integration.
Identity and access roles
| Party | Requirement | Description |
|---|---|---|
| Inland Revenue |
Provide public certificate for mutual TLS | Inland Revenue's public X.509 certificate to support TLS is provided as part of connectivity testing. |
| Software provider |
Get a X.509 certificate from Inland Revenue for the test and production environments. | Required when using mutual TLS with cloud-based software providers. |
API architecture
Our gateway services use the SOAP and rest API architecture.
For SOAP APIs, you will need to develop and test web services using:
- request and response operations
- XSD schemas and WSDL.
For REST APIs, you will need to develop and test using:
- HTTP request and response operations (GET, POST, PUT, DELETE)
- OpenAPI specifications.
Last updated:
09 Feb 2026