← All how-to walkthroughs
Walkthrough 02 · 12 steps

Setting Up IRS A2A
Auto-Login

Connect TRH to IRS e-Services once, and every transcript pull runs unattended afterwards. This walkthrough covers the one-time credential setup, how to find your UID, test the connection, and what to do when the test fails.

Placeholder screenshots: every image block is a description of what the final annotated screenshot should show. Real screenshots with arrows and circles will be added before publish.
STEP 1
What A2A is and why TRH needs it
A2A (Application-to-Application) is the IRS protocol that lets professional software authenticate against Transcript Delivery Services without a human clicking through e-Services each time. You give TRH two things — your IRS e-Services username and a unique identifier (UID) the IRS issued you — and TRH handles the JWT handshake on every pull. You enter these once; TRH re-authenticates automatically after that.
No screenshot for this slide — context only. The remaining 11 steps are all hands-on.
STEP 2
Open Settings → IRS Authentication
SCREENSHOT 2.1
Shows: TRH Settings page with the left-side tabs (General, Firm Profile, IRS Authentication, Updates, Advanced) and the "IRS Authentication" tab selected.
Annotations:
  1. RED ARROW pointing at the Settings gear icon in the main sidebar
  2. YELLOW CIRCLE around the "IRS Authentication" sub-tab
  3. GREEN CALLOUT over the main panel labeled "This is where all A2A credentials live"
Click the Settings gear in the sidebar, then select IRS Authentication from the left tab list.
STEP 3
Fill in your IRS e-Services username
SCREENSHOT 3.1
Shows: IRS Authentication form with a "Username" text field highlighted.
Annotations:
  1. RED ARROW at the Username input
  2. YELLOW CALLOUT labeled "Same username you use to log in at irs.gov/eservices"
  3. GREEN CIRCLE around the tiny "?" help icon next to the field
Enter your IRS e-Services username — the exact one you log in with at irs.gov/eservices.
Common mistakeTyping an email address. A2A wants the e-Services username, not your email. If you're not sure, log into e-Services in a browser and copy it from the top-right profile menu.
STEP 4
Enter the Auto-Login unique identifier (UID)
SCREENSHOT 4.1
Shows: The second field on the IRS Authentication form — "Auto-Login UID" with placeholder text showing format.
Annotations:
  1. RED ARROW at the UID input
  2. YELLOW CIRCLE around the "Where do I find this?" link below the field
  3. GREEN CALLOUT labeled "Long alphanumeric string — paste it, don't retype"
Paste your Auto-Login UID into the second field. It's a long alphanumeric string that never changes once issued.
STEP 5
Where to find your UID in IRS e-Services
SCREENSHOT 5.1
Shows: IRS e-Services browser page — the "Application Access" / "Transcript Delivery System" area where the UID is listed.
Annotations:
  1. RED ARROW tracing the nav path "Main Menu → Application Access → Transcript Delivery System"
  2. YELLOW CIRCLE around the UID/Unique Identifier value on the page
  3. GREEN CALLOUT labeled "Copy this value — paste into TRH"
Log into irs.gov/eservices in a browser. Under Application Access → Transcript Delivery System, your UID is listed with your application profile.
Common mistakeConfusing your CAF number with your UID. CAF is a 9-digit number; the UID is a much longer string. They are not the same.
STEP 6
Click Test Connection
SCREENSHOT 6.1
Shows: IRS Authentication form with username and UID filled in, and a prominent "Test Connection" button at the bottom of the form.
Annotations:
  1. RED CIRCLE around the "Test Connection" button
  2. YELLOW ARROW at the spinner that appears next to the button while the test runs
  3. GREEN CALLOUT labeled "Takes 3-5 seconds"
With both fields filled in, click Test Connection. TRH performs a live A2A handshake against IRS TDS.
STEP 7
Successful connection — the green confirmation
SCREENSHOT 7.1
Shows: Green success banner reading "Connected to IRS TDS" with token TTL and the firm identity the IRS echoed back.
Annotations:
  1. GREEN CIRCLE around the checkmark icon
  2. YELLOW ARROW at the "Token expires in 24 hours" text, labeled "TRH auto-refreshes before this"
  3. RED CALLOUT at the firm name line, labeled "Verify this is your firm"
Success looks like this: a green banner, the firm name echoed back from the IRS, and a token TTL. You're done — no further action.
STEP 8
Failed connection — typical error messages
SCREENSHOT 8.1
Shows: Red error banner reading one of: "401 Unauthorized", "403 Forbidden", or "Network timeout". Side-by-side layout of the three common error variants.
Annotations:
  1. RED CIRCLE around each of the three error codes
  2. YELLOW CALLOUTs next to each: "401 = credentials wrong", "403 = IRS blocked", "timeout = no network/firewall"
If the test fails you'll see one of three red banners. The status code tells you exactly what's wrong — next slide walks the fix for each.
STEP 9
What to do when the test fails
SCREENSHOT 9.1
Shows: A three-column decision chart inside a TRH help panel with the headings "401 Unauthorized", "403 IRS Blocked", "Network timeout" and 2-3 fix steps under each.
Annotations:
  1. RED CIRCLE around each column header
  2. GREEN CALLOUT on the 401 column: "Re-paste your UID, confirm username match"
  3. YELLOW CALLOUT on the 403 column: "Log into e-Services in browser, re-accept terms"
  4. BLUE CALLOUT on the timeout column: "Check firewall / VPN"
Match the error to the fix: 401 means credentials are off (re-paste UID), 403 means IRS blocked the account (usually requires logging into e-Services in a browser and re-accepting updated terms), timeout means firewall or VPN is blocking *.irs.gov.
Common mistakeRepeating the same test 10 times in a row after a 403. That can trigger a deeper IRS block. Fix the underlying cause first, then retest.
STEP 10
Saving credentials — where they're stored
SCREENSHOT 10.1
Shows: The "Save credentials" toast at the bottom of the IRS Auth settings page, with a subtle lock icon.
Annotations:
  1. GREEN CIRCLE around the lock icon
  2. YELLOW CALLOUT: "Stored locally in Windows Credential Manager (DPAPI-encrypted)"
  3. RED ARROW labeled "Never leaves your machine"
Your credentials are stored locally on your machine in Windows Credential Manager, encrypted with DPAPI. They are never sent to any server except the IRS.
STEP 11
Periodic re-auth — when you'll be asked again
SCREENSHOT 11.1
Shows: A subtle in-app notification "Re-authentication required — click to reconnect" in the TRH header area.
Annotations:
  1. YELLOW CIRCLE around the notification banner
  2. RED ARROW labeled "Happens roughly every 24 hours — the IRS JWT expires"
  3. GREEN CALLOUT: "One click to refresh — no re-entry of credentials needed"
IRS JWTs last about 24 hours. When one expires, TRH shows a small banner; click it and TRH silently refreshes. You do not re-enter your UID.
STEP 12
Revoking credentials / signing out
SCREENSHOT 12.1
Shows: Bottom of the IRS Authentication panel with a "Remove credentials" button in red.
Annotations:
  1. RED CIRCLE around the "Remove credentials" button
  2. YELLOW CALLOUT labeled "Use this if you change machines or suspect the UID was leaked"
  3. GREEN ARROW labeled "Confirmation modal appears first — no accidental deletes"
To remove credentials from this machine (for example if you're selling the laptop), click Remove credentials at the bottom of the panel. TRH wipes the stored values and you'll need to re-enter next time.
Done. TRH can now talk to the IRS on your behalf. Next up: 03 — Pulling your first transcript.
Not legal or tax advice. This content is published by Tax Resolution Hub for educational use by tax professionals. It is not legal, tax, accounting, or investment advice, and does not create an attorney-client or preparer-client relationship. IRS systems, forms, procedures, and statutes change — always verify against current IRM guidance, the client's actual transcript, and the facts of the specific engagement before acting.