Authentication

API keys

Server-to-server requests authenticate with a bearer API key, created in the Tax-Bridge console:

Authorization: Bearer tbk_live_8f3c…
  • Keys are scoped to a tenant and shown once at creation — store them securely.
  • Keys are stored only as a salted HMAC hash; they can be revoked at any time.
  • Each request resolves to your tenant; you may only act on shops you own.
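The three properties above (hash-only storage, revocation, tenant scoping) can be sketched as server-side checks. This is an added example, not Tax-Bridge's own code: the key layout after the tbk_live_ prefix, the pepper, the in-memory tables and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PEPPER = secrets.token_bytes(32)  # assumed server-side HMAC secret, kept outside the key table
KEYS = {}  # key_id -> {"salt", "digest", "tenant", "revoked"}; no plaintext key is stored
SHOPS = {"shop-1": "tenant-a", "shop-2": "tenant-b"}  # constructed sample ownership data
PREFIX = "tbk_live_"


def _digest(salt: bytes, secret: str) -> bytes:
    # Salted HMAC-SHA256 of the secret part of the key.
    return hmac.new(PEPPER, salt + secret.encode(), hashlib.sha256).digest()


def issue_key(tenant: str) -> str:
    """Create a key for a tenant; the plaintext is returned once and never persisted."""
    key_id, secret, salt = secrets.token_hex(4), secrets.token_urlsafe(32), secrets.token_bytes(16)
    KEYS[key_id] = {"salt": salt, "digest": _digest(salt, secret),
                    "tenant": tenant, "revoked": False}
    return f"{PREFIX}{key_id}_{secret}"  # assumed layout: prefix, lookup id, secret


def revoke_key(key_id: str) -> None:
    KEYS[key_id]["revoked"] = True


def authenticate(header: str):
    """Return the tenant for a valid Authorization header value, else None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token.startswith(PREFIX):
        return None
    key_id, _, secret = token[len(PREFIX):].partition("_")
    record = KEYS.get(key_id)
    if record is None or record["revoked"]:
        return None
    # Constant-time comparison of the recomputed digest with the stored one.
    if not hmac.compare_digest(record["digest"], _digest(record["salt"], secret)):
        return None
    return record["tenant"]


def authorize_shop(header: str, shop_id: str) -> bool:
    """Allow the request only if the shop belongs to the key's tenant."""
    tenant = authenticate(header)
    return tenant is not None and SHOPS.get(shop_id) == tenant
```

A database leak in this model exposes salts and digests but no usable keys, and a valid key for one tenant is still rejected for another tenant's shop.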

Tenancy model

Tenant ─┬─ Shop ── Credential (encrypted PFX + PAC + POS number)
        ├─ Shop ── …
        └─ API keys

A shop is a fiscal outlet with its own certificate, PAC and POS number. You onboard shops and upload their certificates in the console (or via the API); Tax-Bridge stores them encrypted at rest and decrypts them in memory only at signing time.

Xero (OAuth2)

For the Xero connector, Tax-Bridge is the OAuth2 client. You authorise your Xero organisation once; Tax-Bridge stores only encrypted access/refresh tokens and refreshes them automatically. See Integrations → Xero.

Never put certificates in your POS

Certificates live in the Tax-Bridge vault, not in your connector. Your Odoo module or POS only ever holds an API key.