# Brazil Returns FAQs Source: https://developer.avalara.com/products/tax-compliance/integration-guides/extractor-en/faqs/ Guide: Brazil Returns (Tax compliance) - English # FAQs Below are answers to common questions that users face when integrating TaxCompliance. What is our API type? REST API. Do we accept files sent via XML or just JSON file model? Only JSON file model is accepted. What is the difference between the Sandbox and Production environments? The sandbox environment is available so that the partner has an environment where they can carry out tests and simulate operations at project time, and before go-live. Therefore, there are no technical differences between environments, except for the data source. Can I use my credentials in both Sandbox and Production? No, the credentials are unique to each environment. What authentication methods are supported? The authentication method supported is OAuth 2.0 bearer token authentication. What is the Sandbox URL? [https://portal.sandbox.avalarabrasil.com.br/Login](https://portal.sandbox.avalarabrasil.com.br/Login) Who do I contact if my Sandbox account has expired? If your Sandbox account has expired, you should contact the Partner Launch Brazil team. How can I confirm if the service is up? [https://api-gateway.sandbox.avalarabrasil.com.br/portal/health](https://api-gateway.sandbox.avalarabrasil.com.br/portal/health) What can you do if your “Secret Token” was exposed? If your “Secret Token” has been exposed, it is possible to revoke it through the Avara Portal.  1. Select the token that will be revoked and click "revogar" to revoke the token.  2. Select "confirmar" to confirm the operation.  What should I do if I lose my “Secret Token”? If you did not save your “Secret Token” in a safe place and lost it, you must revoke your token and create a new one.  How can I obtain my “Client ID”? You can access your Client ID in two different ways. - When you create your Secret token, your client ID is shown. - You can also find your client ID in assinatura and infomações da assinatura.    What happens if I send the JSON request WITHOUT “disableTokenRefresh”? You will receive a "refresh\_token" in the response. What happens if I send the JSON request WITH “disableTokenRefresh” set to “true”? You will not receive the "refresh\_token" in the response, and it will be necessary to send the credentials again, after the session expires. [Previous](/extractor-en/functional_review/whats_next)