
Authentication

Secure your API requests with API keys and OAuth 2.0 authentication

Keep Keys Secure
Never expose your secret keys in client-side code or public repositories

Overview

The Taxu API uses API keys to authenticate requests. You can view and manage your API keys in the Dashboard. Your API keys carry many privileges, so be sure to keep them secure!

Authentication is required

All API requests must be authenticated using an API key passed in the Authorization header. Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

API Keys

Taxu provides two types of API keys: secret keys and publishable keys.

Secret Keys

Use secret keys on the server side. They can perform any API request to Taxu.

sk_test_51StgIqEDGn...

Publishable Keys

Use publishable keys in client-side code. They have limited permissions.

pk_test_51StgIqEDGn...

Making authenticated requests

Include your API key in the Authorization header as a Bearer token:

curl https://api.taxu.com/v1/tax/calculate \
  -H "Authorization: Bearer sk_test_51StgIqEDGn..." \
  -H "Content-Type: application/json" \
  -d '{ "filingStatus": "single", "income": 75000 }'

// Using the Taxu SDK
const taxu = require('@taxu/taxu-js')('sk_test_51StgIqEDGn...');
const result = await taxu.tax.calculate({ filingStatus: 'single', income: 75000 });
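The following is an added example, not Taxu's SDK or code from this page: a small server-side helper that builds the request exactly as shown above (Bearer header, JSON body, the /v1/tax/calculate endpoint) and refuses to run with anything other than a secret (sk_) key. The environment variable name TAXU_SECRET_KEY and the injectable fetchImpl parameter are our own choices, added so the key never sits in source and the helper can be exercised without a network.

```javascript
// Added example (not Taxu's SDK). Assumes the endpoint and header format
// documented on this page; TAXU_SECRET_KEY is a placeholder env var name.
const API_BASE = 'https://api.taxu.com/v1';

// Build the URL and fetch options for an authenticated JSON POST.
// Kept separate from the network call so the header construction can be
// checked in isolation.
function buildRequest(path, body, apiKey) {
  if (typeof apiKey !== 'string' || !apiKey.startsWith('sk_')) {
    // Server-side calls need a secret key. A publishable (pk_) key has
    // limited permissions, and anything else is a misconfiguration.
    throw new Error('A secret key (sk_...) is required for server-side requests');
  }
  return {
    url: `${API_BASE}${path}`,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${apiKey}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(body),
    },
  };
}

// Call the tax calculation endpoint. The key is read from the environment
// by default (never hard-coded); fetchImpl defaults to the global fetch.
async function calculateTax(input, { apiKey = process.env.TAXU_SECRET_KEY, fetchImpl = fetch } = {}) {
  const { url, options } = buildRequest('/tax/calculate', input, apiKey);
  const res = await fetchImpl(url, options);
  if (res.status === 401) {
    // Distinguish a rejected key from other failures so rotation problems
    // show up clearly in logs.
    throw new Error('Taxu rejected the API key (HTTP 401)');
  }
  if (!res.ok) throw new Error(`Taxu request failed with HTTP ${res.status}`);
  return res.json();
}

// Usage (server side only):
//   calculateTax({ filingStatus: 'single', income: 75000 }).then(console.log);
```

The pk_ check is deliberate: a publishable key that has leaked into server configuration will fail at the first call with a clear message instead of producing confusing permission errors later.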

Test and Live Modes

Taxu has two environments: test mode for development and live mode for production.

Test Mode

Test mode keys start with sk_test_ or pk_test_.

  • No real money or tax filings processed
  • Use for development and testing
  • Separate data from live mode

Live Mode

Live mode keys start with sk_live_ or pk_live_.

  • Processes real payments and tax filings
  • Use for production applications
  • Requires account activation

Restricted API Keys

Create restricted keys with limited permissions to minimize security risks. Restricted keys can only access specific resources and operations.

Permission        Description
tax:read          Read tax calculations and filings
tax:write         Create and submit tax filings
banking:read      Read banking accounts and transactions
accounting:write  Create invoices and manage books

OAuth 2.0

Use OAuth 2.0 to allow users to authorize your application to access their Taxu account without sharing credentials.

Authorization Flow

  1. Redirect user to Taxu authorization URL
  2. User grants permission to your application
  3. Exchange authorization code for access token
  4. Use access token to make API requests

// Step 1: Redirect to authorization URL
const authUrl = 'https://connect.taxu.com/oauth/authorize?' +
  'response_type=code&' +
  'client_id=YOUR_CLIENT_ID&' +
  'redirect_uri=https://yourapp.com/callback&' +
  'scope=tax:read tax:write';

// Step 3: Exchange code for token
const response = await fetch('https://connect.taxu.com/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET',
    code: 'AUTHORIZATION_CODE',
    redirect_uri: 'https://yourapp.com/callback'
  })
});
const { access_token } = await response.json();

Security Best Practices

Rotate keys regularly

Change your API keys periodically to minimize security risks

Use environment variables

Store API keys in environment variables, never in code

Use restricted keys when possible

Limit permissions to only what's needed for each integration

Never expose secret keys client-side

Secret keys should only be used on secure servers, never in browsers or mobile apps
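The key-prefix conventions from "Test and Live Modes" make several of these practices checkable at process start-up. The following is an added example, not Taxu's code: it loads the key from an environment variable, classifies it by the documented sk_/pk_ and test/live prefixes, refuses a publishable key or a key whose mode does not match the deployment environment, and produces a redacted form safe to write to logs. The env var names TAXU_SECRET_KEY and NODE_ENV, the assumption that the part after the prefix is alphanumeric, and the redaction format are our own choices.

```javascript
// Added example (not Taxu's code). Relies only on the key prefixes
// documented on this page; env var names and the key-body character set
// are assumptions.

// Classify a key from its prefix. Anything that does not look like a Taxu
// key is rejected so a pasted wrong value fails at start-up, not at the
// first API call.
function classifyKey(key) {
  const m = /^(sk|pk)_(test|live)_[A-Za-z0-9]+$/.exec(key || '');
  if (!m) throw new Error('Unrecognised Taxu API key format');
  return { type: m[1] === 'sk' ? 'secret' : 'publishable', mode: m[2] };
}

// Keep just enough of the key to tell which one a log line refers to
// (prefix plus last four characters), never the full secret.
function redactKey(key) {
  const { type, mode } = classifyKey(key);
  return `${type === 'secret' ? 'sk' : 'pk'}_${mode}_...${key.slice(-4)}`;
}

// Load the server-side key from the environment and check that it fits the
// deployment: server code needs a secret key, production needs a live key,
// and a live key anywhere else would process real filings by accident.
function loadServerKey(env = process.env) {
  const key = env.TAXU_SECRET_KEY;
  if (!key) throw new Error('TAXU_SECRET_KEY is not set');
  const { type, mode } = classifyKey(key);
  const shown = redactKey(key);
  if (type !== 'secret') {
    throw new Error(`${shown} is a publishable key; server code needs a secret key`);
  }
  const production = env.NODE_ENV === 'production';
  if (production && mode !== 'live') {
    throw new Error(`${shown} is a test key but NODE_ENV=production`);
  }
  if (!production && mode === 'live') {
    throw new Error(`${shown} is a live key outside production`);
  }
  return key;
}

// Usage at start-up:
//   const apiKey = loadServerKey();
//   console.log(`Taxu key loaded: ${redactKey(apiKey)}`);
```

Because the check runs before any request is made, a rotated key that was pasted into the wrong environment, or a live key copied into a developer's shell, is caught before it can touch live data.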