Use of HMRC sign-in details, automation and accessing HMRC’s web services
Published 27 May 2026
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/accessing-hmrcs-web-services/use-of-hmrc-sign-in-details-automation-and-accessing-hmrcs-web-services
1. Introduction
The sharing of HM Revenue and Customs (HMRC) sign-in details is prohibited for any purpose under HMRC’s Online Services Terms and Conditions.
In this policy paper, ‘HMRC sign-in details’ includes all sign-in details used to access any HMRC web services. ‘HMRC web-services’ refers to all HMRC’s webbased digital services that are accessed online using HMRC sign-in details.
This includes, but is not limited to:
- Agent Services Account
- Business Tax Account
- Personal Tax Account
Customers can only authorise someone else to deal with HMRC for them through HMRC’s approved appointment process. This does not involve sharing HMRC sign-in details.
The confidential customer data within an HMRC web services account is intended to be accessed solely by the named account user or members of that organisation. If HMRC customers share their HMRC sign-in details with anyone, they put their own data at risk. This may result in security interventions to prevent disclosure of customer data to third parties.
HMRC sign-in details are a secure gateway that ensures HMRC web services are accessed only by the named account user. The named account is the person or organisation to which an HMRC web services account is registered.
Sharing HMRC sign-in details does not include individual members of an organisation accessing their organisation’s HMRC web services account for legitimate business purposes.
This policy applies to organisations, individuals and third parties using HMRC web services, by any means, including through the use of software products.
2. Requests for HMRC sign-in details
Requesting another named account user’s HMRC sign-in details is not allowed.
Asking for HMRC sign-in details places HMRC customers in breach of HMRC’s Online Services Terms and Conditions. The request itself creates risk and HMRC considers it a harmful practice.
This does not include tools that assist sign-in to an HMRC web services account they have legitimate access to, such as using sign-in details saved on their own device or web browser.
Where a software product asks a customer to enter their HMRC sign-in details into the product’s own sign-in page, this is treated as sharing HMRC sign-in details with that product. Software products that operate in this way are in breach of HMRC’s Online Services Terms and Conditions.
The authorisation of HMRC’s Application Programming Interfaces (API) does not fall within the scope of this policy as APIs do not require software developers to request or collect HMRC sign-in details. Where an API requires user authorisation, the user signs in directly with HMRC and grants consent. The software does not receive or use the user’s sign-in details and is granted tokenised access instead.
Accessing another person’s HMRC web services account
Accessing another person’s HMRC web services account using their HMRC sign-in details is not permitted.
These rules apply equally to tax agents. Tax agents must not access HMRC web services using the HMRC sign‑in details of another named account user. Authorised tax agents have their own HMRC sign-in details. They may only access client data where they have been granted authorisation, and only through their Agent Services Account.
Accessing another person’s HMRC web services account using software products falls within this restriction and is not allowed.
3. Use of automation tools
HMRC’s current policy under the existing Government Gateway Terms and Conditions is that automation tools must not be used to enter data into or navigate Government Gateway.
HMRC is aware of a wide range of automated practices being used across the tax ecosystem by established tax advisers, software providers and other actors. These practices vary significantly in their design, purpose and risk profile.
Where tax agents or software providers have a business need for automated access to customer data that is not currently available through HMRC’s APIs, HMRC recognises that some legacy or workaround approaches have emerged where no secure alternative has been available.
HMRC is considering how safe, secure and appropriate automation should operate in relation to HMRC services and intends to provide greater clarity later this year.
What HMRC means by ‘automation tools’
HMRC does not intend to include tools that assist an individual to sign-in to an HMRC web services account they have legitimate access to, such as using sign-in details saved on their own device or web browser.
This policy does not restrict the use of HMRC’s APIs that are designed for software applications to interact directly with HMRC systems to submit information, such as for filing tax returns.
HMRC uses the term ‘automation tools’ in the Government Gateway Terms and Conditions to describe software designed to simulate human interaction such as browser automation, screen scraping, scripted sign-in, or robotic process automation.
Automation tools that access HMRC online services by signing in and simulating user behaviour are not permitted under the Government Gateway Terms and Conditions, regardless of whether data is being read or written.
4. HMRC’s approach to non-compliance
Where unsafe access to HMRC web services is detected, HMRC will take all necessary steps to protect both HMRC customer data and HMRC web services. This may include blocking access to HMRC web services accounts to prevent disclosure of customer data to third parties. This could disrupt activities such as filing tax returns, potentially leaving taxpayers at risk of penalties.
The sharing of HMRC sign-in details by a tax agent is a breach of the HMRC Standard for Agents. HMRC will consider taking action against agents who do not meet the HMRC Standard for Agents on a case-by-case basis.
Breaches of HMRC’s terms and conditions may fall within the scope of HMRC’s approach to intermediary harm.
5. Software products requiring HMRC sign-in details
HMRC has identified a number of software products operating in the tax market that access HMRC web services by displaying their own sign-in page to collect HMRC sign-in details, and then reusing those details to access HMRC web services.
HMRC is reviewing these products and is taking appropriate action where unsafe access is identified.
Where a software developer is unclear whether their product is compliant with this policy, they may contact HMRC at softwarestrategyandpolicy@hmrc.gov.uk for clarification on any points within this policy paper.