This walks through connecting one user and making your first call. Steps 1–3 acquire an
access token; step 4 uses it.
The interactive Run button on the API reference pages calls the live endpoints with an
access token you paste in. The token itself is obtained with the steps below: the OAuth
redirect and the token exchange happen against TaxRock's login domain and your own
backend, so they aren't run from the playground.
Before you start
Your client_id and client_secret (delivered per environment).
A callback URL registered with us (send it over so we can add it).
A sandbox login (in the sandbox handoff document).
1. Generate a PKCE verifier and challenge
Windows PowerShell:
# 32 random bytes from the OS CSPRNG, base64url-encoded without padding: a 43-character verifier
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$codeVerifier = [Convert]::ToBase64String($bytes) -replace '\+', '-' -replace '/', '_' -replace '=', ''
# S256 challenge: SHA-256 of the ASCII verifier, base64url-encoded the same way
$hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash([System.Text.Encoding]::ASCII.GetBytes($codeVerifier))
$codeChallenge = [Convert]::ToBase64String($hash) -replace '\+', '-' -replace '/', '_' -replace '=', ''
Write-Host "challenge: $codeChallenge"
Write-Host "verifier: $codeVerifier"
Keep the verifier on your backend, tied to this login attempt; only the challenge goes in the
authorize URL, and the verifier is sent with the code in step 3.
2. Send the user to authorize
Open this URL in a browser (substitute your client_id, callback URL, and the
code_challenge from step 1). The user logs in and consents to read:client-accounts.
https://login-demo.taxrock.com/authorize
?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_CALLBACK_URL
&scope=offline_access%20read%3Aclient-accounts
&audience=https%3A%2F%2Fdelegate.api.taxrock.com
&code_challenge=YOUR_CODE_CHALLENGE
&code_challenge_method=S256
&state=A_RANDOM_VALUE
TaxRock redirects to your callback with ?code=...&state=.... Before exchanging the code,
check that state matches the value you generated for this login attempt and reject the
callback if it doesn't; this check is what stops a forged or replayed callback, so do it in
the sandbox as well as in production.
3. Exchange the code for tokens
From your backend (this uses the client_secret):
curl -X POST https://login-demo.taxrock.com/oauth/token \
-H "Content-Type: application/json" \
-d '{
"grant_type": "authorization_code",
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"code": "CODE_FROM_STEP_2",
"redirect_uri": "YOUR_CALLBACK_URL",
"code_verifier": "VERIFIER_FROM_STEP_1"
}'
Response:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5c...",
  "refresh_token": "v1.MZ8aRq3K...",
  "scope": "offline_access read:client-accounts",
  "expires_in": 3600,
  "token_type": "Bearer"
}
The refresh token is a long-lived credential for that end-user: store it server-side, per
end-user, encrypted at rest, and never hand it to the browser. See Authentication for token
lifetimes and refresh.
4. Make your first call
Use the access_token as a Bearer credential.
curl -X POST https://delegate-demo.api.taxrock.com/client-accounts/lookup/ein \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "businessEin": "11-1111111" }'
Or paste the access token into Run on the
Look up client account by EIN page.
Sandbox EINs map to scenarios by prefix: 11-… Compliant, 22-… AtRisk, 33-… NotCompliant,
44-… and 55-… DataPending. Any other EIN returns NotMonitored with a null result.