Security of TaxBandits API and Guide to OAuth 2.0 Authentication
Our API Security
TaxBandits API has gone to the greatest lengths to safeguard our users’ data from theft, hacks, and security threats. Our advanced data security architecture protects the data shared through API.
The application subjects the data in rest to an end-to-end encryption process. Data in transit is protected from malware attacks and other intrusions by robust network control protocols.
The API uses secure JSON parsers and strongly typed data to avert data intrusion. In order to clearly identify and address the errors, the status of API methods is communicated through HTTP codes. Data in transit is protected by restricting the access to Secure Tunnels (TLS) and whitelisted IP addresses in the Live environment.
Security of Data at Rest
Since we are dealing with confidential information, your data is secured while at rest. The data resides on databases, file systems, and other structured storage devices. The ‘Always Encrypted’ technique in MS SQL Server is used to store the data.
Database columns containing Personal Identifiable Information (PII) such as Name, DOB, SSN, and EIN are encrypted using a symmetric key with AES 256 algorithm and stored. PDFs and other documents are encrypted with the AES-256 algorithm and are stored in AWS S3. The database connection information is also encrypted using the AES algorithm.
Security of Data when in Use
We don’t store information if we don’t have to. For example, a reference to the credit card profile is all that is maintained at our end. The actual data is stored with our merchant gateway, with very stringent security measures.
All activities are logged and periodically reviewed. This includes IP addresses, devices, and browsers used to access the data. As for the IRS, TIN masking is done to reduce the risk of identity theft. Our support systems have Multi-Factor Authentication and IP whitelisting to prevent unauthorized access.
OAuth 2.0 Authentication
OAuth2.0 is an HTTP authentication standard, that involves a security token called Access token or JSON Web Token (JWT). Each request is authorized by validating the access token.
The access token is a cryptic string, usually generated by the server in response to a request with JSON Web Signature (JWS). The client must send this JWT in the Authorization header when making requests to protected resources.
The OAuth2.0 authentication is available on the version 1.5.0 and above in TaxBandits API.
Pre-requisites
Below are the important URLs for the Sandbox environment:
Developer Console: sandbox.taxbandits.com
Application: testapp.taxbandits.com
API: testapi.taxbandits.com/<version>
Authentication API: https://testoauth.expressauth.net/v2/tbsauth
To get started with TaxBandits API, users have to sign up for our Sandbox environment. After logging in, navigate to Settings >> API Credentials to receive the following authentication keys:
- Client ID
- Client secret
- User Token
Note: Do not share the keys with any individual or business.
Steps to receive Access token (JWT) by constructing a JWS
Construct a JWS according to OAuth 2.0 standards & hit our tbsauth endpoint in OAuth API in the Sandbox environment to receive an access token.
https://testoauth.expressauth.net/v2/tbsauthThe JWS consists of 3 parts
- Header
- Payload
- Signature
Each part of the JWS will be as illustrated below:
Header:
{
"alg": "HS256", /*Algorithm = HS256*/
"typ": "JWT" /*Type = JSON Web Token (JWT)*/
}Payload:
{
“iss”: “968a9c78dae29a29”, /*Issuer: Client ID*/
“sub”: “968a9c78dae29a29”, /*Subject: Client ID*/
“aud”: “a574b75f18b24fc09f9039ffb5cb08f3”, /*Audience: User Token*/
“iat”: 1516239022 /*Issued at: Current time (Unix epoch format)*/
}Refer to this link for more information on the Unix Epoch standard.
Signature:
HMACSHA256(
base64UrlEncode(header) + “.” +
base64UrlEncode(payload),
siqHfLy59g3UHxrb5gjxg /*Client Secret retrieved from the console*/
)Combine the header, payload, and signature concatenated with a dot (.) and applying HMACSHA256 algorithm to create the JWS.
Sample JWS:
eyJhbGciOiJIUzI1845CI6IkpXVCJ9.eyJpc3MiOi
I5NjhhOWM3OGRhZTI5YTI5Iiwi65412dfsfljNzhkYWUyOWEyOSIsImF1
ZCI6ImE1NzRiNzVmMThiMjRmYzA5ZjkwMzlmZmI1Y2IwOGYzIiwiaWF0IjoxN
TE2MjM5MDIyfQ.HNQznxlPyVt62ghfmewr1-uzm1uDWH4NBDLShA6Ac0Below is the encoded & decoded structures of a JWS sample:
Once the JWS is created, then send a request to the OAuth server in the Sandbox environment with the JWS in Authentication HTTP header to get an Access token.
OAuth server receives JWS from the client & will validate to provide the JWT (Access token) to the client in the following response format:
{
"StatusCode":200,
"StatusName":"Ok",
"StatusMessage":"Successful API call",
"AccessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0ZXN0YXBpLnRheGJhbmRpdHMuY29tIiwiYXVkIjoiYTU3NGI3NWYxOGIyNGZjMDlmOTAzOWZmYjVjYjA4ZjMiLCJpYXQiOjE1OTU5MjAxMjQsImV4cCI6MTU5NTkyNzMyNH0.BIg8764SOhOai9As3uRSidrF1-B9CxL6D5z4OggcVbs ",
"TokenType":"Bearer",
"ExpiresIn":3600,
"Errors":null
}This JWT (Access token) will be valid for one hour. On a JWT’s expiry, repeat constructing JWS & hit OAuth server again to receive a new access token (JWT). We do not provide Refresh tokens.
Once the user obtains the JWT (Access token), its expiry can be known by decoding the JWT & reading its ”exp” (“ExpiresIn”) claim value in the response. The user will have to use the same JWT along with every API request until the token expires.
Hitting TaxBandits API with JWT
Every API request has to be sent along with the JWT in the Authorization HTTP header. TaxBandits Sandbox API URL is https://testapi.taxbandits.com/<version>
HTTP Headers required in every API request are:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3
MiOiJ0ZXN0YXBpLnRheGJhbmRpdHMuY29tIiwiYXVkI
joiYTU3NGI3NWYxOGIyNGZjMDlmOTAzOWZmYjVjYjA4ZjMiLCJp
YXQiOjE1OTU5MjAxMjQsImV4cCI6MTU5NTkyNzMyNH0.BIg8764SOhOai9As
3uRSidrF1-B9CxL6D5z4OggcVbs
Content-Type: application/jsonConclusion
Our security team does internal audits at regular intervals and corrects any lapses. Our Quality Assurance team consists of members who test the security (Ethical Hackers) to find potential holes in the application. Code review workshops are held periodically and secure coding guidelines are taught and reviewed.
For more guidelines & code samples on integrating with TaxBandits, check out our TaxBandits SDK, which is available in several popular programming languages.
