Authentication
Abacus Tax Engine uses a client credentials flow. You exchange a client_id and client_secret for a short-lived Bearer token, then pass that token on every API request.
Obtaining a Token
Endpoint: POST /v1/auth/token
The response includes:
| Field | Description |
|---|---|
| access_token | JWT Bearer token to pass on all subsequent requests |
| token_type | Always "Bearer" |
| expires_in | Token lifetime in seconds |
| expire_at | ISO8601 timestamp when this token expires |
See the Auth API Reference for the full response schema.
Using the Token
Pass the token as an Authorization header on every request to the Abacus Tax Engine API:
Authorization: Bearer <access_token>
Token Expiry and Refresh
Tokens expire after 24 hours. There is no refresh token - obtain a new one using the same client credentials when the current token expires.
The expire_at field in the token response tells you exactly when the token expires. The recommended pattern is to check expire_at before each request and re-authenticate if the token is within a short window of expiry (e.g. 60 seconds).
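The expiry check described above, as an added example (not code from Abacus): a small in-memory token cache that re-authenticates once the token is within 60 seconds of expire_at. The environment variable names (ABACUS_BASE_URL, ABACUS_CLIENT_ID, ABACUS_CLIENT_SECRET) and the JSON request body are assumptions, since this page does not show the request format; confirm them against the Auth API Reference.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

REFRESH_WINDOW = timedelta(seconds=60)  # re-authenticate this close to expiry


def parse_expire_at(value):
    """Parse ISO 8601 expire_at; a trailing 'Z' or a naive value is taken as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def fetch_token_http():
    """POST the client credentials to /v1/auth/token and return the parsed JSON.

    Assumed, not from the page: env var names and the JSON request body shape.
    """
    base = os.environ["ABACUS_BASE_URL"]
    if not base.lower().startswith("https://"):
        raise ValueError("refusing to send client_secret over a non-HTTPS URL")
    body = json.dumps({
        "client_id": os.environ["ABACUS_CLIENT_ID"],
        "client_secret": os.environ["ABACUS_CLIENT_SECRET"],
    }).encode()
    req = urllib.request.Request(
        base.rstrip("/") + "/v1/auth/token", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one token in memory and replaces it inside the refresh window."""

    def __init__(self, fetch=fetch_token_http, now=None):
        self._fetch = fetch
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._token = None
        self._expires = None

    def auth_header(self):
        if self._token is None or self._now() >= self._expires - REFRESH_WINDOW:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._expires = parse_expire_at(resp["expire_at"])
        return {"Authorization": "Bearer " + self._token}
```

The token stays in process memory only and is never written to disk or logged; the fetch and now parameters exist so the refresh logic can be exercised without network access.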
Verifying a Token
Endpoint: POST /v1/auth/verify
Returns the decoded JWT claims for the current token. Useful for debugging or confirming scope and expiry without decoding the JWT locally.
Security Best Practices
Never expose your client_secret in client-side code, mobile apps, or version control. Anyone with your client_secret can generate valid tokens for your tenant.
- Store credentials in environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault), never in source code
- Rotate credentials if you suspect they have been compromised - contact your account team to issue a new credential pair
- Use short-lived tokens - the 24-hour expiry is intentional; do not cache tokens beyond their stated lifetime
- Use HTTPS - all requests must use HTTPS; plain HTTP is not supported
Auth API Reference
See the Authentication API Reference for the full interactive schema, including request/response models for both endpoints.