TaxGuardian External API Gateway Documentation
Welcome to the TaxGuardian External API Gateway documentation. This API provides secure access to TaxGuardian's comprehensive tax identity protection and monitoring services for partner integrations.
Overview
The TaxGuardian External API Gateway is a partner-facing API that enables integration with TaxGuardian's 24/7 IRS monitoring, real-time alerts, and tax identity protection services. The API is designed to be secure, scalable, and easy to integrate.
Architecture
System Architecture
Partner Applications
→ Azure API Management
(API Gateway)
→ (API Gateway)
TaxGuardian.External.API
(Function App)
→ (Function App)
Database
Azure API Management handles OAuth validation, rate limiting, security headers, and CORS.
Function App processes business logic, partner context resolution, user provisioning, and audit logging.
Key Features
- Secure Partner Integration: OAuth 2.0 authentication with Azure API Management
- Rate Limiting: Rate limiting is enforced to ensure fair usage. For specific rate limit details, contact TaxGuardian customer support.
Environments
The API supports multiple environments:
- DEV: Development environment for testing and integration development
- PROD: Production environment for live partner integrations
Note: This documentation focuses on the "External API Gateway - DEV" environment. Production endpoints and credentials will differ.
Authentication
The TaxGuardian External API Gateway uses OAuth 2.0 authentication via Azure Active Directory (Azure AD) through Azure API Management. All API requests (except the health check and OAuth token endpoint) require a valid Bearer token.
Authentication Flow
1. Request Token
(Client Credentials)
→ (Client Credentials)
2. Azure AD
Validates & Returns Token
→ Validates & Returns Token
3. Use Token in
API Requests
→ API Requests
4. API Gateway
Validates Token
Validates Token
OAuth 2.0 Client Credentials Flow
The API uses the OAuth 2.0 Client Credentials grant type for machine-to-machine (M2M) authentication:
- Obtain OAuth credentials (Client ID, Client Secret, Tenant ID) from your Azure AD application
- Request an access token from Azure AD OAuth endpoint
- Include the access token in the Authorization header of subsequent API requests
- Tokens expire after a set period and must be refreshed. For specific expiration details, contact TaxGuardian customer support.
Subscription Key
In addition to OAuth tokens, Azure API Management requires a subscription key for API access. This key is provided by TaxGuardian and should be included in the X-API-Key header (or Ocp-Apim-Subscription-Key header).
Important: Keep your OAuth credentials and subscription keys secure. Never expose them in client-side code or public repositories.
Environment-Specific Endpoints
OAuth endpoints differ between environments:
- DEV: Uses development Azure AD tenant and OAuth endpoints
- PROD: Uses production Azure AD tenant and OAuth endpoints
Configure the azureOauthUrl and tenantId variables according to your environment.
Getting Started
Prerequisites
- Postman application (or similar API testing tool)
- TaxGuardian External API Gateway Postman collection
- OAuth credentials (Client ID, Client Secret, Tenant ID)
- Azure API Management subscription key
- Partner ID and tier information
Environment Setup
- Import the Postman Collection:
- Open Postman
- Click "Import" and select the "TaxGuardian External API Gateway" collection file
- The collection will be imported with all endpoints pre-configured
- Create an Environment:
- Create a new environment in Postman (e.g., "External API Gateway - DEV")
- Add the following variables (see Variables Reference section for details):
Required Environment Variables
| Variable | Description | Example (DEV) |
|---|---|---|
base_domain | Base URL for the API Gateway | https://taxguardian-apim-dev.azure-api.net/external/v1 |
subscription_key | Azure API Management subscription key | your-subscription-key |
partner_id | Your unique partner identifier | partner-123 |
azureOauthUrl | Azure AD OAuth endpoint base URL | https://login.microsoftonline.com |
tenantId | Azure AD tenant ID | your-tenant-id |
clientKey | OAuth client ID | your-client-id |
clientSecret | OAuth client secret | your-client-secret |
grantType | OAuth grant type | client_credentials |
scope | OAuth scope | api://your-api-id/.default |
First API Call Walkthrough
- Get OAuth Token: Obtain access token
- Endpoint:
POST {azureOauthUrl}/{tenantId}/oauth2/v2.0/token - Use your OAuth credentials
- The response will contain an
access_tokenthat will be automatically saved tooauth_tokenvariable
- Endpoint:
- Health Check: Verify API availability
- Endpoint:
GET /health - Requires Bearer token (automatically included from previous step)
- Should return 200 OK if API is available
- Endpoint:
Tip: The Postman collection includes test scripts that automatically save tokens and IDs to environment variables, making subsequent requests easier.
API Endpoints
This section documents all available endpoints in the TaxGuardian External API Gateway.
POST
{{azureOauthUrl}}/{{tenantId}}/oauth2/v2.0/token OAuth Get Token
Obtains an OAuth 2.0 access token using the Client Credentials grant type. This token is required for all authenticated API requests.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Content-Type | Required | application/x-www-form-urlencoded |
Request Body (Form Data)
| Parameter | Required | Description |
|---|---|---|
grant_type | Required | OAuth grant type. Use client_credentials |
client_id | Required | Your OAuth client ID |
client_secret | Required | Your OAuth client secret |
scope | Required | OAuth scope (e.g., api://your-api-id/.default) |
Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Token obtained successfully |
| 400 Bad Request | Invalid request parameters |
| 401 Unauthorized | Invalid client credentials |
Success Response Example
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGc..."
}Example Request
curl -X POST "https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=your-client-id" \
-d "client_secret=your-client-secret" \
-d "scope=api://your-api-id/.default"const formData = new URLSearchParams();
formData.append('grant_type', 'client_credentials');
formData.append('client_id', 'your-client-id');
formData.append('client_secret', 'your-client-secret');
formData.append('scope', 'api://your-api-id/.default');
fetch('https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: formData
})
.then(response => response.json())
.then(data => {
console.log('Access Token:', data.access_token);
// Save token for subsequent requests
});import requests
url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
data = {
'grant_type': 'client_credentials',
'client_id': 'your-client-id',
'client_secret': 'your-client-secret',
'scope': 'api://your-api-id/.default'
}
response = requests.post(url, data=data)
token_data = response.json()
access_token = token_data['access_token']
print(f"Access Token: {access_token}") Note: The Postman collection automatically saves the
access_token to the oauth_token environment variable for use in subsequent requests. GET
{{base_domain}}/health Requires Auth Health Check
Verifies the availability and health status of the API Gateway. This endpoint requires authentication.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
X-API-Key | Required | Azure API Management subscription key |
Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Service is healthy and operational |
| 503 Service Unavailable | Service is experiencing issues or is unavailable |
Example Request
curl -X GET "https://taxguardian-apim-dev.azure-api.net/external/v1/health"fetch('https://taxguardian-apim-dev.azure-api.net/external/v1/health')
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));import requests
response = requests.get('https://taxguardian-apim-dev.azure-api.net/external/v1/health')
print(response.json()) POST
{{base_domain}}/users Requires Auth Create User
Creates a new user in the TaxGuardian system. The user ID returned in the response is automatically saved to the userId environment variable in Postman.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
Content-Type | Required | application/json |
X-API-Key | Required | Azure API Management subscription key |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
firstName | string | Required | User's first name |
lastName | string | Required | User's last name |
email | string | Required | User's email address (must be unique) |
ssn | string | Required | Social Security Number (format: XXX-XX-XXXX) |
dateOfBirth | string (ISO 8601) | Required | Date of birth in ISO 8601 format |
address | object | Required | User's address object |
address.street1 | string | Required | Primary street address |
address.street2 | string | Optional | Secondary address line (apartment, suite, etc.) |
address.city | string | Required | City |
address.state | string | Required | State code (2 letters, e.g., "NY") |
address.zipCode | string | Required | ZIP code |
Request Body Example
{
"firstName": "John",
"lastName": "Doe",
"email": "john.doe@example.com",
"ssn": "456-13-6129",
"dateOfBirth": "1990-01-15T00:00:00Z",
"address": {
"street1": "123 Main St",
"street2": "Apt 4B",
"city": "New York",
"state": "NY",
"zipCode": "10001"
}
}Response Codes
| Status Code | Description |
|---|---|
| 201 Created | User created successfully. Response body contains the user ID (UUID) |
| 400 Bad Request | Invalid request data or validation errors |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions |
| 409 Conflict | User with this email or SSN already exists |
| 422 Unprocessable Entity | Business logic validation failed |
| 500 Internal Server Error | Internal server error |
Success Response Example
"a1b2c3d4-e5f6-7890-abcd-ef1234567890"The response is a UUID string representing the newly created user ID.
Example Request
curl -X POST "https://taxguardian-apim-dev.azure-api.net/external/v1/users" \
-H "Authorization: Bearer {oauth_token}" \
-H "Content-Type: application/json" \
-H "X-API-Key: {subscription_key}" \
-d '{
"firstName": "John",
"lastName": "Doe",
"email": "john.doe@example.com",
"ssn": "456-13-6129",
"dateOfBirth": "1990-01-15T00:00:00Z",
"address": {
"street1": "123 Main St",
"street2": "Apt 4B",
"city": "New York",
"state": "NY",
"zipCode": "10001"
}
}'const userData = {
firstName: "John",
lastName: "Doe",
email: "john.doe@example.com",
ssn: "456-13-6129",
dateOfBirth: "1990-01-15T00:00:00Z",
address: {
street1: "123 Main St",
street2: "Apt 4B",
city: "New York",
state: "NY",
zipCode: "10001"
}
};
fetch('https://taxguardian-apim-dev.azure-api.net/external/v1/users', {
method: 'POST',
headers: {
'Authorization': `Bearer ${oauthToken}`,
'Content-Type': 'application/json',
'X-API-Key': subscriptionKey
},
body: JSON.stringify(userData)
})
.then(response => response.text())
.then(userId => {
console.log('User ID:', userId);
// Save userId for subsequent requests
});import requests
url = "https://taxguardian-apim-dev.azure-api.net/external/v1/users"
headers = {
"Authorization": f"Bearer {oauth_token}",
"Content-Type": "application/json",
"X-API-Key": subscription_key
}
data = {
"firstName": "John",
"lastName": "Doe",
"email": "john.doe@example.com",
"ssn": "456-13-6129",
"dateOfBirth": "1990-01-15T00:00:00Z",
"address": {
"street1": "123 Main St",
"street2": "Apt 4B",
"city": "New York",
"state": "NY",
"zipCode": "10001"
}
}
response = requests.post(url, headers=headers, json=data)
user_id = response.text
print(f"User ID: {user_id}") POST
{{base_domain}}/users/{{userId}}/signature-links Requires Auth Initiate Consent Signature
Creates a secure signature link for a consent form. The signature token is automatically extracted and saved to the signatureToken environment variable in Postman.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
Content-Type | Required | application/json |
X-API-Key | Required | Azure API Management subscription key |
Path Parameters
| Parameter | Type | Description |
|---|---|---|
userId | string (UUID) | The unique identifier of the user |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
Form | string | Required | Form number (e.g., "8821") |
TaxYearStart | integer | Required | Starting tax year (e.g., 2022) |
TaxYearEnd | integer | Required | Ending tax year (e.g., 2024) |
Request Body Example
{
"Form": "8821",
"TaxYearStart": 2022,
"TaxYearEnd": 2024
}Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Signature link created successfully |
| 400 Bad Request | Invalid request data |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions or user does not belong to partner |
| 404 Not Found | User not found |
| 422 Unprocessable Entity | Business logic validation failed |
| 500 Internal Server Error | Internal server error |
Success Response Example
{
"signatureUrl": "https://sign.taxguardian.com/sign?token=abc123xyz..."
}The Postman collection automatically extracts the token from the signatureUrl and saves it to the signatureToken variable.
GET
{{base_domain}}/users/{{userId}}/consents Requires Auth Get User Consents
Retrieves all consents for a specific user. Note: This endpoint accepts a request body (unusual for GET requests) which is preserved due to disableBodyPruning setting.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
X-API-Key | Required | Azure API Management subscription key |
Path Parameters
| Parameter | Type | Description |
|---|---|---|
userId | string (UUID) | The unique identifier of the user |
Request Body (Optional)
Note: This endpoint accepts an optional request body, which is unusual for GET requests. This is preserved for compatibility.
{
"FormType": "FORM_8821",
"TaxYearStart": 2022,
"TaxYearEnd": 2024
}Response Codes
| Status Code | Description |
|---|---|
| 200 OK | User consents retrieved successfully |
| 400 Bad Request | Invalid userId format |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions or user does not belong to partner |
| 404 Not Found | User not found |
| 500 Internal Server Error | Internal server error |
GET
{{base_domain}}/users/{{userId}}/alerts Requires Auth Get User Alerts
Retrieves a paginated list of alerts for a specific user. The API Gateway automatically sets the X-Client-Id header based on your authentication.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
X-API-Key | Required | Azure API Management subscription key |
Note: The API Gateway automatically sets the
X-Client-Id header based on your authentication. You do not need to include it manually. Path Parameters
| Parameter | Type | Description |
|---|---|---|
userId | string (UUID) | The unique identifier of the user |
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
pagenumber | integer | Optional | Page number for pagination (default: 1) |
pagesize | integer | Optional | Number of items per page (default: 10) |
status | string | Optional | Filter by alert status (e.g., "PENDING", "RESOLVED", "DISPUTED") |
Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Alerts retrieved successfully |
| 400 Bad Request | Invalid request parameters |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions |
| 404 Not Found | User not found |
| 500 Internal Server Error | Internal server error |
Note: This is a new endpoint. The API Gateway automatically sets the
X-Client-Id header based on your authentication. GET
{{base_domain}}/alerts/{{alertId}} Requires Auth Get Alert By Id
Retrieves detailed information about a specific alert by its ID.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
X-API-Key | Required | Azure API Management subscription key |
Note: The API Gateway automatically sets
X-Partner-ID and X-Partner-Tier headers based on your authentication. You do not need to include them manually. Path Parameters
| Parameter | Type | Description |
|---|---|---|
alertId | string (UUID) | The unique identifier of the alert |
Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Alert retrieved successfully |
| 400 Bad Request | Invalid alertId format |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions or alert does not belong to partner |
| 404 Not Found | Alert not found, invalid, or expired |
| 500 Internal Server Error | Internal server error |
Success Response Example
{
"Id": 10,
"PublicId": "a4e70af7-f690-4a4a-b2b6-f74e38d17899",
"BusinessTaxEventID": 554,
"OutgoingMessageID": 1034,
"AlertType": "IDENTITYTHEFT",
"UserResponse": "No",
"ResponseTimestamp": "2025-11-10T00:00:00",
"GuidanceContent": "{...}",
"Status": "DISPUTED",
"CreatedAt": "2025-11-09T00:00:00",
"UpdatedAt": "2025-11-14T18:08:47.9271014",
"BusinessTaxEvent": {
"Id": 554,
"EventDescription": "A tax return has just been filed with your SSN. Was this you?",
"EventDate": "2025-09-26T00:00:00",
"AmountInCents": 1876598,
"TaxFormNumber": "1040",
"TaxYear": 2024,
"Severity": "CRITICAL",
"SeverityScore": 1
}
} PUT
{{base_domain}}/alerts/{{alertId}}/reply Requires Auth Alert Reply
Records a user's response to an alert. When the response is "No", guidance content is returned to help the user take appropriate action.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
Content-Type | Required | application/json |
X-API-Key | Required | Azure API Management subscription key |
Note: The API Gateway automatically sets
X-Partner-ID and X-Partner-Tier headers based on your authentication. You do not need to include them manually. Path Parameters
| Parameter | Type | Description |
|---|---|---|
alertId | string (UUID) | The unique identifier of the alert |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
userResponse | string | Required | User's response: "Yes" or "No" |
Request Body Example
{
"userResponse": "No"
}Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Alert response recorded successfully |
| 400 Bad Request | Invalid request data |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions or alert does not belong to partner |
| 404 Not Found | Alert not found |
| 422 Unprocessable Entity | Business logic validation failed |
| 500 Internal Server Error | Internal server error |
| 503 Service Unavailable | Service Bus issues |
Success Response Examples
Response "Yes":
{
"success": true,
"message": "Alert response recorded successfully.",
"guidanceContent": ""
}Response "No" (with guidance):
{
"success": true,
"message": "Alert response recorded successfully.",
"guidanceContent": {
"title": "Identity verification requested (Letter 5071C/6331C)",
"nextsteps": [
"Complete IRS identity verification online",
"Call IRS if online fails",
"Gather ID documents"
],
"messaging": "IRS needs to verify your identity for a recent tax return. Follow the instructions on Letter 5071C/6331C."
}
} Note: When the user responds "No", the API returns guidance content to help the user take appropriate action for identity verification or dispute resolution.
GET
{{base_domain}}/consents/{{consentId}}/history Requires Auth Get Consent History
Retrieves the status change history for a specific consent. This endpoint requires Bearer token authentication and accepts an optional request body.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
X-API-Key | Required | Azure API Management subscription key |
Path Parameters
| Parameter | Type | Description |
|---|---|---|
consentId | string (UUID) | The unique identifier of the consent |
Request Body (Optional)
Note: This endpoint accepts an optional request body, which is unusual for GET requests.
{
"FormType": "FORM_8821",
"TaxYearStart": 2022,
"TaxYearEnd": 2024
}Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Consent history retrieved successfully |
| 400 Bad Request | Invalid consentId format |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions or consent does not belong to partner |
| 404 Not Found | Consent not found |
| 500 Internal Server Error | Internal server error |
PUT
{{base_domain}}/consents/{{consentId}}/cancel Requires Auth Cancel Consent
Cancels an existing consent by setting its status to cancelled. This operation may involve Service Bus processing.
Request Details
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Required | Bearer token: Bearer {oauth_token} |
Content-Type | Required | application/json |
X-API-Key | Required | Azure API Management subscription key |
Path Parameters
| Parameter | Type | Description |
|---|---|---|
consentId | string (UUID) | The unique identifier of the consent to cancel |
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
FormType | string | Required | Form type (e.g., "FORM_8821") |
TaxYearStart | integer | Required | Starting tax year |
TaxYearEnd | integer | Required | Ending tax year |
Request Body Example
{
"FormType": "FORM_8821",
"TaxYearStart": 2022,
"TaxYearEnd": 2024
}Response Codes
| Status Code | Description |
|---|---|
| 200 OK | Consent cancelled successfully (no response body) |
| 400 Bad Request | Invalid request data |
| 401 Unauthorized | Invalid or missing authentication token |
| 403 Forbidden | Insufficient permissions or consent does not belong to partner |
| 404 Not Found | Consent not found |
| 422 Unprocessable Entity | Business logic validation failed |
| 500 Internal Server Error | Internal server error |
| 503 Service Unavailable | Service Bus issues during consent processing |
Note: Consent cancellation may involve Service Bus operations. If the Service Bus is unavailable, you may receive a 503 Service Unavailable response.
Error Handling
Error Response Format
All error responses follow a consistent format using the ApiErrorResponse structure:
{
"message": "User-friendly error message",
"validationErrors": {
"fieldName": ["Error message 1", "Error message 2"]
}
}HTTP Status Codes
| Status Code | Description | Common Causes |
|---|---|---|
| 200 OK | Request successful | - |
| 201 Created | Resource created successfully | - |
| 400 Bad Request | Invalid request data or validation errors | Missing required fields, invalid format, invalid parameter values |
| 401 Unauthorized | Invalid or missing authentication | Expired token, invalid credentials, missing Authorization header |
| 403 Forbidden | Insufficient permissions | User doesn't belong to partner, insufficient OAuth scopes |
| 404 Not Found | Resource not found | Invalid ID, resource doesn't exist, invalid endpoint |
| 409 Conflict | Duplicate entity | User with email/SSN already exists |
| 422 Unprocessable Entity | Business logic validation failed | Business rule violations, invalid state transitions |
| 429 Too Many Requests | Rate limit exceeded | Rate limit exceeded |
| 500 Internal Server Error | Internal server error | Unhandled exceptions, database errors, service failures |
| 503 Service Unavailable | Service unavailable | Service Bus issues, temporary service problems, maintenance |
Error Handling Best Practices
- Always check the HTTP status code before processing response data
- Implement exponential backoff for 429 (rate limit) and 503 (service unavailable) errors
- Log error responses for debugging and monitoring
- Display user-friendly error messages from the
messagefield - Handle validation errors by checking the
validationErrorsobject - Refresh OAuth tokens when receiving 401 errors
Rate Limiting
Azure API Management enforces rate limiting to ensure fair usage. When the rate limit is exceeded, the API returns a 429 Too Many Requests status code. For specific rate limit details, contact TaxGuardian customer support.
Rate Limit Response: When rate limited, implement exponential backoff and retry the request after the specified retry-after period.
Environment Variables Reference
This section documents all environment variables required for the TaxGuardian External API Gateway.
Required Variables
| Variable | Description | DEV Example | PROD Example |
|---|---|---|---|
base_domain | Base URL for the API Gateway | https://taxguardian-apim-dev.azure-api.net/external/v1 | https://api.taxguardian.com |
subscription_key | Azure API Management subscription key | Provided by TaxGuardian | Provided by TaxGuardian |
partner_id | Your unique partner identifier | Your partner ID | Your partner ID |
azureOauthUrl | Azure AD OAuth endpoint base URL | https://login.microsoftonline.com | https://login.microsoftonline.com |
tenantId | Azure AD tenant ID | DEV tenant ID | PROD tenant ID |
clientKey | OAuth client ID | DEV client ID | PROD client ID |
clientSecret | OAuth client secret | DEV client secret | PROD client secret |
grantType | OAuth grant type | client_credentials | client_credentials |
scope | OAuth scope | api://dev-api-id/.default | api://prod-api-id/.default |
Auto-Generated Variables
These variables are automatically set by Postman test scripts:
| Variable | Description | Set By |
|---|---|---|
oauth_token | OAuth access token | OAuth Get Token endpoint test script |
userId | User ID (UUID) | Create User endpoint test script |
signatureToken | Signature token extracted from signature URL | Initiate Consent Signature endpoint test script |
Setting Variables in Postman
- Click the "Environments" icon in the left sidebar
- Select your environment (or create a new one)
- Click "Add" to create a new variable
- Enter the variable name and value
- Save the environment
Security Note: Mark sensitive variables (like
clientSecret and subscription_key) as "Secret" in Postman to prevent them from being displayed in plain text. Best Practices
Security
- Never expose credentials: Keep OAuth client secrets and subscription keys secure. Never commit them to version control or expose them in client-side code.
- Use HTTPS: Always use HTTPS for all API requests. Never send sensitive data over HTTP.
- Token management: Store OAuth tokens securely and refresh them before expiration. For specific token expiration details, contact TaxGuardian customer support.
- Validate responses: Always validate API responses before processing data to prevent security vulnerabilities.
Rate Limiting
- Respect limits: The API enforces rate limiting to ensure fair usage. For specific rate limit details, contact TaxGuardian customer support.
- Implement backoff: When receiving 429 (Too Many Requests) errors, implement exponential backoff before retrying.
- Monitor usage: Track your API usage to avoid hitting rate limits unexpectedly.
Error Handling
- Handle all status codes: Implement proper error handling for all possible HTTP status codes.
- Retry logic: Implement retry logic for transient errors (500, 503, 429) with exponential backoff.
- Logging: Log all API errors for debugging and monitoring purposes.
- User feedback: Provide clear, user-friendly error messages based on API error responses.
Performance
- Cache tokens: Cache OAuth tokens and reuse them until they expire to reduce authentication overhead.
- Async operations: Use asynchronous operations for API calls to avoid blocking your application.
- Connection pooling: Reuse HTTP connections when making multiple API calls.
- Minimize requests: Reduce the number of API calls by batching operations and caching data when appropriate.
Environment Management
- Separate environments: Use separate Postman environments for DEV and PROD to avoid accidental production calls.
- Environment validation: Validate that you're using the correct environment before making API calls.
- Variable management: Keep environment variables organized and documented.
