January 2025 release notes

Release notes explain new features and improvements made to ONESOURCE API Administration.

What's new

Refresh token

We’ve enhanced our token generation where you can use
Refresh Tokens
to generate a new
Access Token
.
Refresh Tokens
reduce security risks by letting you use a separate refresh token instead of supplying client credentials each time.
You can use refresh tokens to generate
Access Tokens
by making slight modifications to the existing request and response payload of the token generation endpoint,
oauth2/v1/token
. If the authorization server provides a refresh token to you, you can make a refresh request to the token endpoint.
Add the following parameters using the "application/x-www-form-urlencoded" format per Appendix B. Make sure you use a character encoding of UTF-8 in the HTTP request entity-body:
  • grant_type
    • Required. Select
      refresh_token
      as the grant type.
  • refresh_token
    • Required. Provide the refresh token issued to you.
The authorization server revokes the old refresh token after issuing a new one. The refresh token is valid for 24 hours.
Example of a token request:
Example of the token code:
Authorization code:
curl --location 'https://api-cloud-dev2.onesourcetax.com/oauth2/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: LSLanguage=en-US' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'authcode= auUVB4Bb' \
--data-urlencode 'refresh_token= BOzu3ValnVOefCDTDeJsUfz8vafe4hSZ9YHCmiEz'

Basic authorization token

Use Custom Authorization
We currently support 3 different ways of authorization on the
Add Webhook Registration
screen:
  • Thomson Reuters signed JWT Bearer token
    This is the default option. With every call to your callback, we generate a JWT token and sign it with a special certificate. You can validate the token signature using the provided public key (which you can download from a special URL or copy from ONESOURCE Events).
  • Oauth2 Credentials
    You can set up your own identity provider and share the OAuth2 token endpoint and credentials with us. We’ll request an access token and provide it with all calls to your callback endpoint. We'll cache the access token value depending on its expiration time.
  • Basic Authorization
    This is the simplest and least secure authorization method. You provide a username and password during endpoint setup. We provide these credentials with every call to your callback as an Authorization HTTP Header in the following form:
    Authorization: Basic base64encoded(username: password)