Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

dev.mondi's avatar

HMRC api

Hello, I want to talk to the HMRC api but I have an authorization problem. Will there be anyone who will try to help me?

0 likes
5 replies
Sinnbeck's avatar

We generally do our best to help, but we need some information regarding the problem. Show some code and a description of what is going wrong.

dev.mondi's avatar

Thank you for your reply. I am using Insomnia to send a POST request to HMRC endpoint. But I am reciving response 401 Unauthorized. I dont know what I am doing wrong.

Here is a documentation https://developer.service.hmrc.gov.uk/api-documentation/docs/api/service/goods-movement-system-haulier-api/1.0#List%20Goods%20Movement%20Records

I have generated access token with my client id and secret

{
	"access_token": "c9cd9e6727acf1fbd87f0xxxxxxxxxxx",
	"scope": "write:goods-movement-system",
	"expires_in": 14400,
	"token_type": "bearer"
}

In next step I prepared POST request with: GRANT TYPE: Authorization Code AUTHORIZATION URL: https://test-api.service.hmrc.gov.uk/oauth/authorize ACCESS TOKEN URL: https://test-api.service.hmrc.gov.uk/oauth/token CLIENT ID: 9590d3a2-eb4a-4097-9afa-3xxxxxxxxxxxx CLIENT: Secret: 5ff3acbe-cfcf-4c62-b81a-dcxxxxxxxxxxxxxx SCOPE: write:goods-movement-system

 paring request to https://test-api.service.hmrc.gov.uk/customs/goods-movement-system/movements
* Current time is 2022-02-17T08:36:43.072Z
* Using libcurl/7.73.0-DEV OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.9 WinIDN libssh2/1.9.0_DEV nghttp2/1.41.0
* Using default HTTP version
* Disable timeout
* Enable automatic URL encoding
* Enable SSL validation
* Enable cookie sending with jar of 5 cookies
* Too old connection (153 seconds), disconnect it
* Connection 86 seems to be dead!
* Closing connection 86
* TLSv1.3 (OUT), TLS alert, close notify (256):
*   Trying 52.84.198.73:443...
* Connected to test-api.service.hmrc.gov.uk (52.84.198.73) port 443 (#87)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: C:\Users\pawswi\AppData\Local\Temp\insomnia_2021.7.2\ca-certs.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=api.externaltest.tax.service.gov.uk
*  start date: Oct 13 00:00:00 2021 GMT
*  expire date: Nov 11 23:59:59 2022 GMT
*  subjectAltName: host "test-api.service.hmrc.gov.uk" matched cert's "test-api.service.hmrc.gov.uk"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x251bba9e4b0)

> POST /customs/goods-movement-system/movements HTTP/2
> Host: test-api.service.hmrc.gov.uk
> user-agent: insomnia/2021.7.2
> accept: application/vnd.hmrc.1.0+json
> content-type: application/json
> authorization: bearer c9cd9e6727acf1fbd87f0d6c91e81c2a
> content-length: 859

| {
|   "direction": "GB_TO_NI",
|   "isUnaccompanied": false,
|   "vehicleRegNum": "AB19 DEF",
|   "plannedCrossing": {
|     "routeId": "178",
|     "localDateTimeOfDeparture": "2021-08-11T10:58"
|   },
|   "customsDeclarations": [
|     {
|       "customsDeclarationId": "0GB689223596000-SE119404",
|       "sAndSMasterRefNum": "20GB01I0XLM976S001"
|     }, {
|       "customsDeclarationId": "0GB689223596000-SE119405",
|       "sAndSMasterRefNum": "20GB01I0XLM976S002"
|     }, {
|       "customsDeclarationId": "0GB689223596000-SE119406",
|       "customsDeclarationPartId": "34J",
|       "sAndSMasterRefNum": "20GB01I0XLM976S003"
|     }
|   ],
|   "transitDeclarations": [
|     {
|       "transitDeclarationId": "10GB00002910B75BE5",
|       "isTSAD": true
|     }, {
|       "transitDeclarationId": "10GB00002910B75BE6",
|       "sAndSMasterRefNum": "20GB01I0XLM976S004",
|       "isTSAD": false
|     }
|   ]
| }

* We are completely uploaded and fine
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!

< HTTP/2 401 
< content-type: application/json
< date: Thu, 17 Feb 2022 08:36:46 GMT
< www-authenticate: Bearer realm="HMRC API Platform"
< strict-transport-security: max-age=31536000;
< content-security-policy: default-src 'self'
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-cache: Error from cloudfront
< via: 1.1 ec3c5df6777270d9633f0082bf016380.cloudfront.net (CloudFront)
< x-amz-cf-pop: WAW50-C1
< x-amz-cf-id: WgzNqq6B9Ne0E8267ccb7n_uLFCr0YkDyNxUDHy3UpoD4JUvIg-4NA==


* Received 89 B chunk
* Connection #87 to host test-api.service.hmrc.gov.uk left intact```
dev.mondi's avatar

Now I see the Redirect URI is missing. Maybe it makes it doesnt work?

dev.mondi's avatar

@Sinnbeck I am using postman application to make requests, I cant find nothing more than I paste above

Please or to participate in this conversation.