The REST standard makes use of existing HTTP authentication methods rather than creating custom solutions. As a result, AvaTax V2, which uses the REST standard, supports Basic HTTP Authentication. This standard is well documented and has been in existence for a long time, which also means that over the past decades many different people have implemented it in many different ways. Let’s describe exactly how to authenticate your API calls in AvaTax REST v2.
Additionally, we will talk a bit about the advantages and disadvantages of different types of authentication in order to help you select the correct type of authentication for your program.
The simplest type of authentication is called Basic HTTP Authentication, and it involves identifying yourself and providing a password. In order to use this API, you’ll need to know the following:
That’s it! No magic. Here’s how to construct an authentication token for AvaTax REST v2 using your username and password:
Task | Result |
---|---|
Start with the word "Basic" followed by username and password. | Basic username:password |
Replace "username" with your username, and "password" with your password. | Basic bob@example.org:bobspasswordgoeshere |
Now use your favorite Base64 encoding program to encode the right hand side of the string. | Basic Ym9iQGV4YW1wbGUub3JnOmJvYnNwYXNzd29yZGdvZXNoZXJl |
Now you’re done! Just paste your authorization header into the swagger online UI tester, or attach the authorization header to an HTTP request.
Basic Authentication has a number of advantages and disadvantages:
Overall, basic authentication is recommended for individual users who are calling APIs within AvaTax, or for users who have limited access rights.
Each AvaTax account has one (and only one!) license key. This license key is generated by an account administrator on the AvaTax Website. Here’s how to generate a license key:
As you’ll notice, this page is restricted to account administrators only. Keep in mind that you only have one license key! When you generate a new license key, all older license keys are immediately revoked and no longer usable. This is helpful because, if your license key is lost or stolen, you can revoke it instantly; it is also a risk, because generating a new key may affect existing systems that are running at the moment.
To authenticate using a license key, here’s how you construct your authorization header:
Task | Result |
---|---|
Start with the word "Basic" followed by accountid and licensekey. | Basic accountid:licensekey |
Replace "accountid" with your account ID number, and "licensekey" with the license key you generated above. | Basic 123456789:123456789ABCDEF123456789ABCDEF |
Now use your favorite Base64 encoding program to encode the right hand side of the string. | Basic MTIzNDU2Nzg5OjEyMzQ1Njc4OUFCQ0RFRjEyMzQ1Njc4OUFCQ0RFRg== |
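The two tables above follow the same steps, so one function covers both. As an added example (not Avalara's code), this Python builds the header for either credential pair and also decodes it back, which shows that Base64 is a reversible encoding rather than encryption, so the header should only be sent over HTTPS. The function names are illustrative, and the sample values are the ones from the tables.

```python
import base64


def basic_auth_header(identity: str, secret: str) -> str:
    """Build the Authorization header value for HTTP Basic authentication.

    identity is a username or an account ID; secret is a password or license key.
    """
    if not identity or not secret:
        raise ValueError("identity and secret must both be non-empty")
    # The first ':' separates the two fields, so the identity cannot contain one.
    if ":" in identity:
        raise ValueError("identity must not contain ':'")
    token = base64.b64encode(f"{identity}:{secret}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth_header(header: str) -> tuple[str, str]:
    """Recover (identity, secret) from a Basic header value.

    No key is involved: Base64 is an encoding, not encryption, so anyone who
    sees the header can read the credentials.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    identity, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("decoded credentials contain no ':' separator")
    return identity, secret


if __name__ == "__main__":
    # Sample values are the ones used in the tables above.
    for ident, secret in [
        ("bob@example.org", "bobspasswordgoeshere"),
        ("123456789", "123456789ABCDEF123456789ABCDEF"),
    ]:
        header = basic_auth_header(ident, secret)
        print("Authorization:", header)
        print("  decodes back to:", decode_basic_auth_header(header))
```

A password or license key may itself contain a colon; only the first colon is treated as the separator when decoding.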
As you’ll notice, license key and basic authentication are very similar in practice. Why would someone want to use license key authentication instead of username/password? Let’s look at the advantages and disadvantages of license key authentication.
If you are working on authentication and you receive an error message, here’s a breakdown of all REST v2 error codes and how to interpret them.
Overall, Avalara recommends: