Scam messages have been sent out in the Tax Administration’s name. Read more about scams.

Things to consider in software development

  • Software that is calling Vero API services should include all input validations like data format validations and other logical validations that are described in the service documentation in API portal. This helps to ensure quality of data before it is sent to the service and unnecessary errors are avoided early. Examples of input format validations include input length, customer id formatting, date formatting, required fields, allowed date ranges (date cannot be in the past or in the future).
  • The Tax Administration monitors service usage and errors. The Tax Administration may contact software developers or end users to clear up errors. For this purpose, it is the responsibility of software developers to have their contact information updated. You can submit a new testing start up form with updated information when necessary. End user and holder of the production certificate is responsible to keep contact information updated in the Incomes register e-service.
  • Access to the API services can be blocked or limited by the Tax Administration in the event of overload situations, suspected abuse, or denial-of-service attack.
  • Services prevent intended or unintended overload situations and denial-of-service attacks by limiting incoming traffic volume. It is recommended that applications make max 50 - 125 simultaneous calls. 
    • Applications calling services should be prepared to handle heavy load scenarios when services respond with status codes 429 – too many requests or 403 – forbidden. In these heavy load scenarios, your software must reduce number of simultaneous calls or try calling again at another time. 

Error handling

  • The Tax Administration monitors the use of the interfaces and the errors that occur. The Tax Administration may contact the software developer or user if it is necessary to resolve any errors.
  • Appropriate monitoring of the use of the Vero API interfaces should be built into the software so that error situations can be detected and responded to by the software company or the software user. Typical errors include expiration of certificate, lack of Suomi.fi authority, incorrect input validations or connection problems.
Page last updated 2/23/2024