# Quickstart

> From zero to a successful EIN lookup.

This walks through connecting one user and making your first call. Steps 1–3 acquire an
access token; step 4 uses it.

<Note>
  The interactive **Run** on the [API reference](/api-reference/client-accounts/lookup-by-ein)
  pages calls the live endpoints with an access token you paste in. The token itself is
  obtained with the steps below — the OAuth redirect and token exchange happen against
  TaxRock's login domain and your backend, so they aren't run from the playground.
</Note>

## Before you start

* Your `client_id` and `client_secret` (delivered per environment).
* A **callback URL** registered with us (send it over so we can add it).
* A sandbox login (in the sandbox handoff document).

## 1. Generate a PKCE verifier and challenge

<CodeGroup>
  ```powershell Windows PowerShell
  $bytes = New-Object byte[] 32
  [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
  $codeVerifier = [Convert]::ToBase64String($bytes) -replace '\+', '-' -replace '/', '_' -replace '=', ''
  $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash([System.Text.Encoding]::ASCII.GetBytes($codeVerifier))
  $codeChallenge = [Convert]::ToBase64String($hash) -replace '\+', '-' -replace '/', '_' -replace '=', ''
  Write-Host "challenge: $codeChallenge"
  Write-Host "verifier:  $codeVerifier"
  ```

  ```bash macOS / Linux
  code_verifier=$(openssl rand -base64 32 | tr '+/' '-_' | tr -d '=')
  code_challenge=$(printf "%s" "$code_verifier" | shasum -a 256 -b | awk '{print $1}' | xxd -r -p | base64 | tr '+/' '-_' | tr -d '=')
  echo "challenge: $code_challenge"
  echo "verifier:  $code_verifier"
  ```
</CodeGroup>

Keep the **verifier** for step 3.

## 2. Send the user to authorize

Open this URL in a browser (substitute your `client_id`, callback URL, and the
`code_challenge` from step 1). The user logs in and consents to `read:client-accounts`.

```
https://login-demo.taxrock.com/authorize
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=YOUR_CALLBACK_URL
  &scope=offline_access%20read%3Aclient-accounts
  &audience=https%3A%2F%2Fdelegate.api.taxrock.com
  &code_challenge=YOUR_CODE_CHALLENGE
  &code_challenge_method=S256
  &state=A_RANDOM_VALUE
```

TaxRock redirects to your callback with `?code=...&state=...`. In production, verify
that the returned `state` matches the value you sent.

## 3. Exchange the code for tokens

From your backend (this uses the `client_secret`):

```bash
curl -X POST https://login-demo.taxrock.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "code": "CODE_FROM_STEP_2",
    "redirect_uri": "YOUR_CALLBACK_URL",
    "code_verifier": "VERIFIER_FROM_STEP_1"
  }'
```

```json Response
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5c...",
  "refresh_token": "v1.MZ8aRq3K...",
  "scope": "offline_access read:client-accounts",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```

**Store the refresh token securely, per end-user.** See
[Authentication](/concepts/authentication) for token lifetimes and refresh.
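
Steps 1 to 3 as backend code, as an added example (not TaxRock's own code): it generates a fresh verifier and `state` per login, builds the step 2 URL, and rejects a callback whose `state` does not match before producing the step 3 request body. The function names and the `pending` session dictionary are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORIZE_URL = "https://login-demo.taxrock.com/authorize"

def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def begin_login(client_id: str, redirect_uri: str):
    """Steps 1-2: return (authorize_url, pending). Keep `pending` in the
    user's server-side session (assumed storage); the verifier stays there."""
    pending = {"state": b64url(secrets.token_bytes(32)),
               "code_verifier": b64url(secrets.token_bytes(32))}
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "offline_access read:client-accounts",
        "audience": "https://delegate.api.taxrock.com",
        "code_challenge": challenge_for(pending["code_verifier"]),
        "code_challenge_method": "S256",
        "state": pending["state"],
    }, quote_via=quote)  # quote() encodes the space as %20, as in step 2
    return f"{AUTHORIZE_URL}?{query}", pending

def finish_login(callback_url: str, pending: dict, client_id: str,
                 client_secret: str, redirect_uri: str) -> dict:
    """Check the callback, then build the step 3 JSON body for /oauth/token."""
    params = parse_qs(urlparse(callback_url).query)
    expected = pending.pop("state", None)  # single use: a replayed callback fails
    got = params.get("state", [])
    if expected is None or len(got) != 1 or not hmac.compare_digest(
            got[0].encode(), expected.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if len(params.get("code", [])) != 1:
        raise ValueError("callback must carry exactly one code")
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": params["code"][0],
        "redirect_uri": redirect_uri,
        "code_verifier": pending.pop("code_verifier"),
    }
```
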

## 4. Make your first call

Use the `access_token` as a `Bearer` credential.

```bash
curl -X POST https://delegate-demo.api.taxrock.com/client-accounts/lookup/ein \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "businessEin": "11-1111111" }'
```

Or paste the access token into **Run** on the
[Look up client account by EIN](/api-reference/client-accounts/lookup-by-ein) page.

<Tip>
  Sandbox EIN prefixes map to scenarios: `11-…` Compliant, `22-…` AtRisk,
  `33-…` NotCompliant, `44-…`/`55-…` DataPending. Any other EIN returns
  `NotMonitored` with a null result.
</Tip>
