This application serves as the backend for agent-invitations-frontend containing the logic for creating and updating invitations.
Refer to RAML documentation for further details on each API.
- Supported Regimes / Services
- Invitation Status
- Agent APIs
- Client APIs
- Running the tests
- Running the application locally
This supports Agent and Client authorisation processes for the following regimes (aka services):
Regime | Service |
Self Assessment | HMRC-MTD-IT |
Income-Record-Viewer for Individuals | PERSONAL-INCOME-RECORD |
Value-Added-Tax | HMRC-MTD-VAT |
For Trust | HMRC-TRUST-ORG |
Capital Gains Tax | HMRC-CGT-PD |
Invitations can have one of the following status:
Invitation Status | Description |
Pending | Default status when an invitation has been created |
PartialAuth | For ITSA only - allows agent to sign-up client to ITSA for a limited time |
Accepted | Allows Agent to be authorised to act on behalf of a client |
Rejected | Prevents Agent being authorised to act on a client's behalf |
Expired | Client did not respond to the Agent's Invitation within 21 days |
Cancelled | Agent cancels the invitation they sent out, preventing a client from responding |
Deauthorised | Agent, client or HMRC terminates a relationship |
Note: Invitations with "Pending" or "PartialAuth" statuses are the only editable status.
The following APIs require agent authentication.
Any unauthorised access could receive one of the following responses:
Response | Description |
401 | Unauthorised. Not logged In |
403 | The Agent is not subscribed to Agent Services. |
403 | The logged in user is not permitted to access invitations for the specified agency. |
Validates the service, clientIdentifier and type, then creates an invitation.
POST /agencies/:arn/invitations/sent
Example Body of ITSA:
"service": "HMRC-MTD-IT",
"clientType": "personal",
"clientIdType": "ni",
"clientId": "AB123456A"
Example Body of VAT:
"service": "HMRC-MTD-VAT",
"clientType": "personal / business",
"clientIdType": "vrn",
"clientId": "101747696"
Example Body of IRV:
"clientType": "personal",
"clientIdType": "ni",
"clientId": "AE123456C"
Example Body of Trust
"service": "HMRC-TERS-ORG",
"clientType": "business",
"clientIdType": "utr",
"clientId": "2134514321"
Example of CGT:
"service": "HMRC-CGT-PD",
"clientType": "personal / business",
"clientIdType": "CGTPDRef",
"clientId": "XMCGTP123456789"
Response | Description |
201 | Successfully created invitation. (In Headers) Location → "/agencies/:arn/invitations/sent/:invitationdId" |
400 | Received Valid Json but incorrect data |
400 | Received Invalid Json |
403 | Client Registration Not Found |
501 | Unsupported Service |
Note: The link returned from a successful create invitation response is "GET a Specific Agent's Sent Invitation"
Create a link to represent multi-invitation
POST /agencies/:arn/multi-invitations/
Example Body:
"clientType": "personal",
"invitationIds": [
Response | Description |
201 | Successfully created invitation link. (In Headers) Location → "/invitations/:clientType/:uid/:normalisedAgencyName" |
400 | Received Valid Json but incorrect data |
400 | Received Invalid Json |
Retrieves a specific invitation by its InvitationId
GET /agencies/:arn/invitations/sent/:invitationId
Response | Description |
200 | Returns an invitation in json |
403 | The specified invitation is not accessible for this ARN. |
404 | The specified invitation was not found. |
Example Response: 200 with Body:
"arn": "TARN0000001",
"service": "HMRC-MTD-VAT",
"lastUpdated": "2018-05-04T13:51:35.278Z",
"created": "2018-04-16T15:05:54.029Z",
"clientIdType": "vrn",
"clientId": "101747641",
"expiryDate": "2018-04-26",
"suppliedClientIdType": "vrn",
"suppliedClientId": "101747641",
"_links": {
"self": {
"href": "/agent-client-authorisation/agencies/TARN0000001/invitations/sent/CS5AK7O8FPC43"
"status": "Expired"
Retrieves all invitations sent by the Agent.
Returned list if sorted by created
field descending, newest invitations first.
GET /agencies/:arn/invitations/sent
Optional query filters:
query param | format | description | default |
service | enum | returns only invitations for the specified service | none |
status | enum | returns only invitations having specified status | none |
createdOnOrAfter | yyy-MM-dd | returns only invitations created on or after the specified date | none |
Response | Description |
200 | Returns all invitations in json array |
Example Response: 200 with Body:
"arn": "TARN0000001",
"service": "HMRC-MTD-VAT",
"lastUpdated": "2018-05-04T13:51:35.278Z",
"created": "2018-04-16T15:05:54.029Z",
"clientIdType": "vrn",
"clientId": "101747641",
"expiryDate": "2018-04-26",
"suppliedClientIdType": "vrn",
"suppliedClientId": "101747641",
"_links": {
"self": {
"href": "/agent-client-authorisation/agencies/TARN0000001/invitations/sent/CS5AK7O8FPC43"
"status": "Expired"
Checks a known fact for a given Postcode.
GET /known-facts/individuals/nino/:nino/sa/postcode/:postcode
Response | Description |
204 | There is a record found for given nino and postcode |
403 | There is a record for given nino but with a different postcode |
404 | There is no record found for given nino |
Checks a known fact for a given Date of Birth.
GET /known-facts/individuals/:nino/dob/:dob
Response | Description |
204 | There is a record found for given nino and date |
403 | There is a record for given nino but with a different date |
404 | There is no record found for given nino |
Checks a known fact for a given Vat Registration Number.
GET /known-facts/organisations/vat/:vrn/registration-date/:vatRegistrationDate
Response | Description |
204 | There is a record found for given vrn and date |
403 | There is a record for given vrn but with a different date |
404 | There is no record found for given vrn |
The following APIs require client authentication. Any requests to access without authentication will be redirected to login page.
Regime | Auth Service | Service | Service-Api | Client-Identifier-Type |
Self Assessment | HMRC-MTD-IT | Same | MTDITID | ni |
Income-Record-Viewer for Individuals | HMRC-NI | PERSONAL-INCOME-RECORD | NI | ni |
Value-Added-Tax | HMRC-MTD-VAT | Same | VAT | vrn |
Any unauthorised access could receive one of the following responses:
Response | Description |
401 | Unauthorised. Not logged In |
403 | The Client Identifier is not found in the user's login profile |
Changes the status of a "Pending" Invitation to "Accepted". As a result of accepting an invitation, a relationship record is established to allow an agent to act on their behalf. See agent-client-relationships for further details.
For HMRC-MTD-IT, a client may successfully accept an invitation without having the ITSA enrolment. In this case the status moves from Pending to PartialAuth and for a limited time allows the agent to sign up the client to ITSA. The creation of a full relationship is deferred until the client has acquired the ITSA enrolment.
PUT /clients/(service-api)/(associated-clientIdentifier)/invitations/received/:invitationId/accept
Example Requests
Response | Description |
204 | Invitation is accepted and the status is updated in Mongo |
403 | Invalid Status: Invitation status is not "Pending" |
403 | Client is not authorised to accept this invitation |
404 | Cannot find invitation to accept |
Changes the status a "Pending" Invitation to "Rejected".
PUT /clients/(service-api)/(service-api)/invitations/received/:invitationId/reject
Example Requests:
Response | Description |
204 | Invitation is rejected and the status is updated in Mongo |
403 | Invalid Status: Invitation status is not "Pending" |
403 | Client is not authorised to accept this invitation |
404 | Cannot find invitation to reject |
Retrieve a specific invitation by its invitationId
GET /clients/(service-api)/(associated-clientIdentifier)/invitations/received/:invitationId
Example Requests:
Response | Description |
200 | Returns a specific Invitations for a given client identifier |
403 | Client is not authorised to view this invitation |
404 | Cannot find specific invitation for given client identifier |
Example Response, 200 with Body:
"arn": "TARN0000001",
"service": "HMRC-MTD-VAT",
"lastUpdated": "2018-05-04T11:55:29.954Z",
"suppliedClientId": "101747696",
"_links": {
"accept": {
"href": "/agent-client-authorisation/clients/VRN/101747696/invitations/received/CPB6KM1NHT446/accept"
"self": {
"href": "/agent-client-authorisation/clients/VRN/101747696/invitations/received/CPB6KM1NHT446"
"reject": {
"href": "/agent-client-authorisation/clients/VRN/101747696/invitations/received/CPB6KM1NHT446/reject"
"created": "2018-05-04T11:55:29.954Z",
"status": "Pending",
"expiryDate": "2018-05-14",
"suppliedClientIdType": "vrn",
"clientIdType": "vrn",
"clientId": "101747696"
Retrieve all invitations by client identifier, used by agent-client-management (manage your tax agent) and STRIDE users with the correct roles
Response | Description |
200 | Returns all Invitations for a given client identifier, returns empty if no invitations |
403 | User is not authorised to view this invitation |
GET /clients/(service-api)/(associated-clientIdentifier)/invitations/received
Example Requests:
Example Response for partialAuth query, 200 Body:
"_links": {
"self": {
"href": "/agent-client-authorisation/clients/NI/EP849172B/invitations/received?status=Partialauth"
"invitations": {
"href": "/agent-client-authorisation/clients/MTDITID/EP849172B/invitations/received/AJKFPB2XJCZXA"
"_embedded": {
"invitations": [
"_links": {
"self": {
"href": "/agent-client-authorisation/clients/MTDITID/EP849172B/invitations/received/AJKFPB2XJCZXA"
"clientType": "personal",
"service": "HMRC-MTD-IT",
"clientIdType": "ni",
"clientId": "EP849172B",
"arn": "KARN0762398",
"suppliedClientId": "EP849172B",
"suppliedClientIdType": "ni",
"created": "2021-10-19T10:49:46.048+01:00",
"lastUpdated": "2021-10-19T16:25:24.614+01:00",
"expiryDate": "2021-11-09",
"status": "Partialauth",
"invitationId": "AJKFPB2XJCZXA",
"detailsForEmail": {
"agencyEmail": "",
"agencyName": "Booth Professional Services",
"clientName": "Elijah Thompson"
"isRelationshipEnded": false,
"relationshipEndedBy": null,
"clientActionUrl": null,
"origin": "agent-invitations-frontend"
Cancel a specific invitation by its invitationId
PUT /agencies/:arn/invitations/sent/:invitationId/cancel
Example Requests:
Response | Description |
204 | Invitation is successfully cancelled |
403 | This invitation cannot be cancelled because it's status is not Pending |
403 | This user has no permissions |
404 | Client is not authorised to view this invitation |
Returns status of an authorised client's with regard to authorisations of agents.
GET /status
Response | Description |
200 | application/json content |
401 | Missing or expired authorisation token |
403 | This user has no permissions |
"hasPendingInvitations": true|false,
"hasInvitationsHistory": true|false,
"hasExistingRelationships": true|false
- hasPendingInvitations - there are pending authorisations requests from Agent(s) for this client
- hasInvitationsHistory - there were other authorisations requests in the past, which can be accepted, rejected or expired
- hasExistingRelationships - there exist active client's authorisations for HMRC-MTD-IT, HMRC-MTD-VAT, PERSONAL-INCOME-RECORD or any other supported service
Replaces URN clientID of pending or active relationships with UTR
POST /invitations/:urn/replace/utr/:utr
Response | Description |
201 | A new relationship has been created |
204 | Latest relationship isn't Pending or Active, so didn't create any new relationship |
404 | No relationships found |
Update Alternative ITSA based on status of an Invitation, for a main ("HMRC-MTD-IT"
) or
supporting (HMRC-MTD-IT-SUPP
) agent
PUT /alt-itsa/:service/update/:nino
Response | Description | Notes |
201 | MTDID found and relationship has been created | |
204 | MTDID found and invitation updated (no Partialauth) | Indicates client signed themselves up |
404 | No Alt-ITSA found |
sbt test it:test
To run application requires the following prerequisites:
- Service Manager ( See: Installation Guidance)
- MongoDB 3.2
The command to use is:
sm --start AGENT_MTD -f
Alternatively run from source alone:
sbt run
However, it is advised to run AGENT_MTD profile which comes with authentication applications because each api requires authentication for use.
This code is open source software licensed under the Apache 2.0 License