PDF Security
The PDFs for 1099, W-2, or W-9/W-8, and other forms contain Personally Identifiable Information (PII) of recipients and employees. To ensure the highest level of security for this sensitive data, TaxBandits has implemented additional security measures for form PDFs.
For 1099/W-2 Forms:
- The PDF links provided in the response of RequestDraftPdfUrl and RequestPDFURLs methods are encrypted by default. You can decrypt these links before downloading the files.
For W-9/W-8 Forms:
- By default, the PDF URLs provided in the API responses of the Get or List methods are not encrypted. However, for enhanced security, especially since W-9/W-8 forms contain Personally Identifiable Information (PII), you can enable encryption in your console under Credentials → W-9/W-8 PDF Security Preferences. If encryption is enabled, you will need to decrypt the links before downloading the files.
- Additionally, if you prefer not to include PDF URLs in the response, you can disable this feature.
Decrypt the PDF URLs
To decrypt the URL, you will need the following parameters.
- AWS AccessKey
- AWS SecretKey
- Base64Key
- S3 Bucket Name
All of the above values are available in your TaxBandits console. Log in to the console site and navigate to Settings >> Credentials.
- S3 file path - This is the file path you received in the RequestPdfUrls endpoint Response.
Sample PDF Path you will get in the Response -> https://expressirsforms.s3.us-east-1.amazonaws.com/pdfs/ac5df30c-6b81-49ab-b85e-8122128d227f/6c36e3fa-5d6f-4c21-81df-2e1e0c27305c/1099/36253545/m/copy1_1up_36253545.pdf
How to Decrypt the URL?
- In Sandbox, insert the complete PDFUrl or PDFPath into the code under the S3 file path.
- In Live, insert only the PDFPath instead of the complete Url.
Sample Code:
- NodeJs
- C#
- Ruby
- Java
- Python
- PHP
- Go
Pass the parameters listed above to your code to decrypt the PDF URL for download. Here is sample code for NodeJs.
{
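const AWS = require("aws-sdk"); // AWS SDK for JavaScript client library
const fs = require("fs");
const { pipeline } = require("stream");

AWS.config.update({ region: "us-east-1" }); // region is fixed to us-east-1; do not change it

// The access key, secret key and Base64Key are secrets: substitute the
// placeholders at run time (environment variables, a secrets manager) instead
// of committing real values to source control.
const s3 = new AWS.S3({
  accessKeyId: "<<AWS AccessKey>>",
  secretAccessKey: "<<AWS SecretKey>>",
});

// Base64Key from the TaxBandits API Console, decoded to raw bytes.
// SSE-C with AES256 needs exactly 32 bytes. Buffer.from() keeps the decoded
// length, so a wrong or truncated key is reported here instead of being
// silently repeated or cut to fit a fixed-size buffer.
const ssecKey = Buffer.from("<<Base64Key>>", "base64");
if (ssecKey.length !== 32) {
  throw new Error("Base64Key must decode to exactly 32 bytes for AES256 SSE-C");
}

const params = {
  Key: "<<S3 file path>>", // file path without the main domain URL
  Bucket: "<<Bucket Name>>", // get the bucket name from the URL given in the response
  SSECustomerAlgorithm: "AES256",
  SSECustomerKey: ssecKey,
};

// The PDF holds PII, so create the local copy readable by its owner only.
const file = fs.createWriteStream("<<samplepdfname.pdf>>", { mode: 0o600 });

// pipeline() reports an error from either stream through the callback, so a
// failed request (bad key, missing object, denied access) is not left as an
// unhandled stream error.
pipeline(s3.getObject(params).createReadStream(), file, (err) => {
  if (err) {
    console.error("PDF download failed:", err.message);
    process.exitCode = 1;
  }
});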
}
{
using Amazon;
using Amazon.S3;
using Amazon.S3.Model;
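class Program
{
    /// <summary>
    /// Downloads one SSE-C encrypted PDF from the TaxBandits S3 bucket and
    /// saves the decrypted content to a local file.
    /// </summary>
    /// <param name="args">Command-line arguments (not used).</param>
    static async System.Threading.Tasks.Task Main(string[] args)
    {
        // The access key, secret key and PDF key are secrets: load them at run time
        // (environment variables, a secrets manager) instead of committing real values.
        string accessKeyId = "AWS_ACCESS_KEY"; // AWS Access Key provided by TaxBandits in Console Site
        string secretAccessKey = "AWS_SECRET_KEY"; // AWS Secret Key provided by TaxBandits in Console Site
        string s3BucketName = "AWS_S3_BUCKET_NAME"; // AWS S3 Bucket Name provided by TaxBandits in Console Site

        // Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
        // File path without main domain URL
        string s3FilePath = "file/path/provided-by/TaxBandits/encrypted.pdf";
        string ssecKeyBase64 = "PDF_KEY"; // Replace with the Base64Key provided by TaxBandits in Console site
        string localFilePath = "DecryptedPdf.pdf"; // Path to save the PDF locally. Default will be stored in bin of the project folder

        // SSE-C with AES256 needs a 32-byte key; fail here with a clear message
        // rather than on the S3 call. An invalid Base64 string throws FormatException.
        if (System.Convert.FromBase64String(ssecKeyBase64).Length != 32)
        {
            throw new System.ArgumentException("The Base64Key must decode to exactly 32 bytes for AES256 SSE-C.");
        }

        AmazonS3Config s3Config = new AmazonS3Config
        {
            RegionEndpoint = RegionEndpoint.USEast1
        };

        using (IAmazonS3 s3Client = new AmazonS3Client(accessKeyId, secretAccessKey, s3Config))
        {
            // Define parameters for the S3 getObject operation.
            // The customer-provided key is passed still Base64-encoded.
            GetObjectRequest request = new GetObjectRequest
            {
                BucketName = s3BucketName,
                Key = s3FilePath,
                ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
                ServerSideEncryptionCustomerProvidedKey = ssecKeyBase64
            };

            // Download the encrypted PDF from S3 using SSE-C and save it locally.
            // System.IO types are fully qualified because the sample has no 'using System.IO;'.
            using (GetObjectResponse response = await s3Client.GetObjectAsync(request))
            using (System.IO.Stream responseStream = response.ResponseStream)
            using (System.IO.FileStream fileStream = System.IO.File.Create(localFilePath))
            {
                await responseStream.CopyToAsync(fileStream);
            }
        }
    }
}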
}
{
require 'aws-sdk-s3'
require 'base64'
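# Set AWS configuration.
# The access key, secret key and PDF key are secrets: load them at run time
# (environment variables, a secrets manager) instead of committing real values.
Aws.config.update({
  region: 'us-east-1', # Don't change this (us-east-1)
  credentials: Aws::Credentials.new(
    'AWS_ACCESS_KEY', # AWS Access Key provided by TaxBandits in Console Site
    'AWS_SECRET_KEY'  # AWS Secret Key provided by TaxBandits in Console Site
  )
})
s3 = Aws::S3::Resource.new

# Specify the S3 bucket and object (PDF) details
bucket_name = 'AWS_S3_BUCKET_NAME' # AWS S3 Bucket Name provided by TaxBandits in Console Site
# Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
object_key = 'file/path/provided-by/TaxBandits/encrypted.pdf'

# You can get the PDF Key from the TaxBandits API Console site.
# strict_decode64 raises ArgumentError on malformed Base64; SSE-C with AES256
# additionally needs exactly 32 key bytes, so check that before calling S3.
sse_c_key = Base64.strict_decode64('PDF_KEY')
raise ArgumentError, 'PDF key must decode to exactly 32 bytes for AES256 SSE-C' unless sse_c_key.bytesize == 32

# Local file name for the decrypted PDF; replace with the file name you need.
# Defined once so the download target and the message below cannot drift apart.
local_file = 'downloaded.pdf'

# Access the S3 bucket using bucket_name, object_key and sse_c_key and write the
# decrypted file to local_file.
s3.bucket(bucket_name).object(object_key).get(
  response_target: local_file,
  sse_customer_algorithm: 'AES256',
  sse_customer_key: sse_c_key
)
puts "TaxBandits - Encrypted PDF (SSE-C) downloaded to '#{local_file}'"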
}
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.*;
import org.apache.commons.io.FileUtils;
import java.io.File;
import java.io.IOException;
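public class TbsDecryptPdfUrl {
    /**
     * Downloads one SSE-C encrypted PDF from the TaxBandits S3 bucket and saves
     * the decrypted content to a local file.
     *
     * @param args command-line arguments (not used)
     * @throws IllegalArgumentException if the Base64Key is malformed or does not
     *         decode to 32 bytes
     */
    public static void main(String[] args) {
        // The access key, secret key and Base64Key are secrets: load them at run time
        // (environment variables, a secrets manager) instead of committing real values.
        String accessKeyId = "<<AWS AccessKey>>";
        String secretAccessKey = "<<AWS SecretKey>>";
        String s3BucketName = "<<Bucket Name>>";
        String s3FilePath = "<<S3 file path>>";
        String ssecKeyBase64 = "<<Base64Key>>";
        String localFilePath = "<<samplepdfname.pdf>>";

        // Create AWS credentials
        BasicAWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);

        // Create S3 client
        AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                .withEndpointConfiguration(
                        new AwsClientBuilder.EndpointConfiguration("https://s3.amazonaws.com", "us-east-1"))
                .build();

        // Decode Base64 key. SSE-C with AES256 needs exactly 32 key bytes, so reject
        // anything else here instead of failing on the S3 call.
        byte[] ssecKeyBytes = java.util.Base64.getDecoder().decode(ssecKeyBase64);
        if (ssecKeyBytes.length != 32) {
            throw new IllegalArgumentException("Base64Key must decode to exactly 32 bytes for AES256 SSE-C");
        }

        // Create the request. GetObjectRequest carries the customer-provided key as an
        // SSECustomerKey object, which also holds the algorithm.
        GetObjectRequest getObjectRequest = new GetObjectRequest(s3BucketName, s3FilePath)
                .withSSECustomerKey(new SSECustomerKey(ssecKeyBytes).withAlgorithm("AES256"));

        // Download object and save to a local file; try-with-resources closes the
        // S3 object and its content stream on every path.
        try (S3Object s3Object = s3Client.getObject(getObjectRequest);
             S3ObjectInputStream objectInputStream = s3Object.getObjectContent()) {
            FileUtils.copyInputStreamToFile(objectInputStream, new File(localFilePath));
            System.out.println("File downloaded successfully.");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}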
import boto3
import base64, os
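def get_file_from_aws_bucket(bucket_name, access_key_id, secret_access_key, sse_c_key, e_customer_alg, file_key=False):
    """Download one SSE-C encrypted object from S3 and save it in the current directory.

    Args:
        bucket_name: Name of the S3 bucket that holds the PDF.
        access_key_id: AWS access key id used to build the S3 client.
        secret_access_key: AWS secret access key used to build the S3 client.
        sse_c_key: Customer-provided encryption key, passed to S3 as SSECustomerKey.
        e_customer_alg: SSE-C algorithm name, passed to S3 as SSECustomerAlgorithm.
        file_key: S3 object key (file path without the domain). Required, even
            though the signature keeps its historical default of False.

    Raises:
        ValueError: If file_key is missing or does not end in a file name.
    """
    # The default (False) is not a usable object key; fail before any network
    # call instead of sending it to S3.
    if not file_key:
        raise ValueError("file_key is required: pass the S3 file path of the PDF")

    # Only the last path component is used locally, so the file always lands in
    # the current directory whatever directories the object key contains.
    file_name = os.path.basename(file_key)
    if not file_name:
        raise ValueError("file_key must end with a file name, got %r" % (file_key,))

    # Initializing client
    s3 = boto3.client(
        service_name='s3',
        aws_access_key_id=access_key_id,
        aws_secret_access_key=secret_access_key,
        region_name="us-east-1"
    )

    # Define parameters for the S3 getObject operation
    response = s3.get_object(
        Bucket=bucket_name,
        Key=file_key,
        SSECustomerKey=sse_c_key,
        SSECustomerAlgorithm=e_customer_alg
    )
    read_content = response['Body'].read()

    # Save the file locally. The PDF holds PII, so a newly created file is made
    # readable by its owner only (the mode does not change an existing file).
    fd = os.open(f'./{file_name}', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'wb') as f:
        f.write(read_content)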
# Inputs for the download. Every value below is a placeholder: replace it with
# the matching value from the TaxBandits Console Site, and keep the real access
# key, secret key and PDF key out of source control.
download_args = dict(
    # AWS S3 Bucket Name provided by TaxBandits in Console Site
    bucket_name='AWS_S3_BUCKET_NAME',
    # AWS Access Key provided by TaxBandits in Console Site
    access_key_id='AWS_ACCESS_KEY',
    # AWS Secret Key provided by TaxBandits in Console Site
    secret_access_key='AWS_SECRET_KEY',
    # Replace with the Base64Key provided by TaxBandits in Console site;
    # it is decoded to raw bytes before being handed to S3.
    sse_c_key=base64.b64decode('PDF_KEY'),
    e_customer_alg='AES256',
    # File path without main domain URL.
    # Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
    file_key='file/path/provided-by/TaxBandits/encrypted.pdf',
)
get_file_from_aws_bucket(**download_args)
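<?php
require 'vendor/autoload.php'; // Make sure to include the AWS SDK for PHP autoload file

// Namespace separators restored: the class names are Aws\..., not AwsS3S3Client etc.
use Aws\Credentials\Credentials;
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;

// Replace with AWS Access Key & AWS Secret Key provided by TaxBandits in Console Site.
// These values and the PDF key are secrets: load them at run time (environment
// variables, a secrets manager) instead of committing real values.
$credentials = new Credentials('AWS_ACCESS_KEY', 'AWS_SECRET_KEY');
$region = 'us-east-1'; // US East (N. Virginia)

// Create an S3 client
$s3Client = new S3Client([
    'version' => 'latest',
    'region' => $region,
    'credentials' => $credentials,
]);

// Replace with the Base64Key provided by TaxBandits in Console site.
// Strict decoding returns false on malformed Base64, and SSE-C with AES256
// needs exactly 32 key bytes, so both cases stop here with a clear message.
$ssecKey = base64_decode('PDF_KEY', true); // Base64 key, decoded to binary
if ($ssecKey === false || strlen($ssecKey) !== 32) {
    echo "Error: the Base64Key must decode to exactly 32 bytes for AES256 SSE-C\n";
    exit(1);
}

// AWS S3 Bucket Name provided by TaxBandits in Console Site
$bucketName = 'AWS_S3_BUCKET_NAME';

// Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
// File path without main domain URL
$objectKey = 'file/path/provided-by/TaxBandits/encrypted.pdf';

// Define parameters for the S3 getObject operation
$params = [
    'Bucket' => $bucketName,
    'Key' => $objectKey,
    'SSECustomerAlgorithm' => 'AES256',
    'SSECustomerKey' => $ssecKey,
];

// Download the encrypted PDF from S3 using SSE-C and save it locally
$localFilePath = 'samplepdfname.pdf'; // Path to save the PDF locally

try {
    $result = $s3Client->getObject($params);
    file_put_contents($localFilePath, $result['Body']);
    echo "TaxBandits - Encrypted PDF (SSE-C) downloaded to '$localFilePath'\n";
} catch (S3Exception $e) {
    echo 'Error: ' . $e->getMessage() . "\n";
}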
package main
import (
"encoding/base64"
"fmt"
"io"
"os"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3"
)
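// main downloads one SSE-C encrypted PDF from the TaxBandits S3 bucket and
// writes the decrypted content to DecryptedPdf.pdf in the working directory.
func main() {
	// Set AWS credentials and region.
	// The access key, secret key and PDF key are secrets: load them at run time
	// (environment variables, a secrets manager) instead of committing real values.
	awsRegion := "us-east-1"
	awsAccessKey := "AWS_ACCESS_KEY" // AWS Access Key provided by TaxBandits in Console Site
	awsSecretKey := "AWS_SECRET_KEY" // AWS Secret Key provided by TaxBandits in Console Site

	sess, err := session.NewSession(&aws.Config{
		Region:      aws.String(awsRegion),
		Credentials: credentials.NewStaticCredentials(awsAccessKey, awsSecretKey, ""),
	})
	if err != nil {
		fmt.Println("Error creating AWS session:", err)
		return
	}

	// Create an S3 client
	s3Client := s3.New(sess)

	// Replace "PDF_KEY" with the actual Base64Key provided by TaxBandits in Console site
	ssecKey, err := base64.StdEncoding.DecodeString("PDF_KEY")
	if err != nil {
		fmt.Println("Error decoding Base64Key:", err)
		return
	}
	// SSE-C with AES256 needs exactly 32 key bytes; report a wrong key here
	// rather than as an S3 request failure.
	if len(ssecKey) != 32 {
		fmt.Println("Error decoding Base64Key: key must decode to exactly 32 bytes for AES256 SSE-C")
		return
	}
	ssecKeyString := string(ssecKey)

	// Set S3 parameters
	params := &s3.GetObjectInput{
		// Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
		// File path without main domain URL
		Key:                  aws.String("file/path/provided-by/TaxBandits/encrypted.pdf"),
		Bucket:               aws.String("AWS_S3_BUCKET_NAME"), // AWS S3 Bucket Name provided by TaxBandits in Console Site
		SSECustomerAlgorithm: aws.String("AES256"),
		SSECustomerKey:       &ssecKeyString,
	}

	// Request the object first, so a failed request does not leave an empty
	// local file behind.
	result, err := s3Client.GetObject(params)
	if err != nil {
		fmt.Println("Error getting object from S3:", err)
		return
	}
	// The response body must be closed to release the underlying connection.
	defer result.Body.Close()

	// The PDF holds PII, so a newly created file is readable by its owner only.
	file, err := os.OpenFile("DecryptedPdf.pdf", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		fmt.Println("Error creating file:", err)
		return
	}
	defer file.Close()

	// Download the encrypted PDF from S3 using SSE-C and save it locally.
	if _, err = io.Copy(file, result.Body); err != nil {
		fmt.Println("Error copying content to file:", err)
		return
	}
	// A write error can surface only at close time, so check it before
	// reporting success; the deferred Close above then becomes a no-op.
	if err = file.Close(); err != nil {
		fmt.Println("Error copying content to file:", err)
		return
	}

	fmt.Println("Decrypted PDF downloaded successfully.")
}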