Cloud software authentication and authorisation (CAA) - formerly 'AUSkey in the cloud'

This page provides links and information to assist digital service providers (DSPs) with implementing the Cloud software authentication and authorisation (CAA) solution.

Note: CAA replaces the previous CSAA acronym.


We are continuing to work with online DSPs to design and implement a solution where customers of online (cloud-enabled) software are able to securely transmit information to us, for example lodgments and prefilling.

The CAA solution:

  • enables approved DSPs to set up a dedicated Device AUSkey for the purposes of securing transmissions to us made by businesses through online software
  • allows businesses to notify the ATO of a DSP's dedicated Device AUSkey for the purposes of securing transmissions made by the business from within their online software
  • eliminates the need for businesses to obtain, upload or use an AUSkey to secure transmissions when interacting with us via online software
  • has been deployed for businesses and tax agents lodging to the ATO
  • can be leveraged for desktop software
  • is being extended for DSPs and clients to interact with other government agencies
  • co-exists with existing compliant solutions.

For further information on the CAA solution, refer to the Software Developer Information Kit v1.6 (PDF 1.1MB).


6 September 2016

The transition to CAA has now been finalised. We would like to thank all those who have supported and worked with us on the project, beginning late 2014, ensuring the move to a compliant solution. This is a great achievement.

24 June 2016

Thank you to all those who have worked with us to transition to CAA. We have received positive feedback from clients and have processed over half a million transactions with numbers increasing daily.

If you have not already done so, ensure you transition any remaining clients and remove shared client AUSkeys from the cloud to avoid these being revoked from July 2016.

If you are experiencing any issues, contact the SBR Service Desk mailbox or call 1300 488 231.

Key updates:

  • The functionality to enable online software providers to complete a notification using their own ABN in Access Manager has been deployed (Issue 138).
  • We have received a number of enquiries from service providers looking to potentially use CAA for high volume lodgments to support STP, SuperStream and whole-of-government initiatives. CAA standard and high volume intermediaries' scenarios (PDF, 208KB) have been mapped to facilitate further design with interested developers. Email your comments to

13 May 2015

Finalising CAA transition

Clients are continuing to transition to the CAA solution, with over 250,000 interactions processed across thousands of clients.

Reminder: You should be transitioning all remaining clients who have shared their AUSkey with you and removing these client AUSkeys from your servers by 30 May 2016.

Following our latest round of consultation on communicating the revised CAA transition timeline with your clients, we have now updated the Cloud software authentication and authorisation webpage.

Key updates include:

  • revised client message ‘From July 2016, if you don’t notify us and continue to lodge with a shared client AUSkey, your AUSkey may be revoked, as this is a breach of AUSkey terms and conditions.’
  • new FAQs to assist clients with their transition.

If you are experiencing issues with finalising your transition, contact the SBR Service Desk mailbox or call 1300 488 231.


The CAA issues register has been updated:

Key dates

  • 18 June 2015 - EVTE testing environment made available for testing
  • 24 July 2015 - SBR deployment to Production
  • 7 August 2015 - ebMS3 deployment to Production
  • 19 October - Updated documentation available (IPT, CMIG)
  • 31 October 2015 - Phase 2 deliverables progressively available in EVTE
  • 3 December 2015 - Phase 2 deployment to Production
  • 31 December 2015 - Cloud software products are compliant with the CAA solution
  • 31 March 2016 - Existing cloud software clients have transitioned to the solution
  • 30 May 2016 - All remaining clients transitioned to the CAA solution
  • 1 July 2016 - Identified non-compliant client AUSkeys will be revoked

Consultation (meetings, seminars, workshops)

Ongoing - The Software Developers Technical Working Group is being used as the working group.

Throughout - Potential seminars for industry following ATO release of functionality



  • 17 December - Software Developer Technical Working Group #34
  • 19 November - eCommerce Technical Working Group #33
  • 1 October - eCommerce Technical Working Group #32
  • 3 September - eCommerce Technical Working Group #31
  • 6 August - eCommerce Technical Working Group #30
  • 23 July - eCommerce Technical Working Group #29
  • 9 July - eCommerce Technical Working Group #28
  • 11 June - eCommerce Technical Working Group #27
  • 28 May - ELS2SBR eCommerce SWD TWG #26
  • 14 May - ELS2SBR eCommerce SWD TWG #25
  • 16 April - ELS2SBR eCommerce SWD TWG #24
  • 19 March - ELS2SBR eCommerce SWD TWG #23
  • 26 February - ELS2SBR eCommerce SWD TWG #22
  • 19 February - ELS2SBR eCommerce SWD TWG #22 (rescheduled to 26 February)
  • 11 February - phone hookup to discuss identity validation issue (PDF, 460KB)
  • 22 January - scheduled topic at eCommerce TWG


  • 11 December - Special eCommerce SWD Technical Working Group Meeting to discuss technical details
  • 25 November - ATO phone hookup with targeted DSPs to discuss a proposed solution to the future state and transition options (PDF, 621KB)
    • ATO offer to hold one-on-one discussions as needed. (Emails to
    • SWD requests for more detail in order to determine transition and impacts
  • September – SRAM 17/9/2014 and TPSD 18/9/2014 – included AUSkey update and noting desired future state is clients use a Whole of Government service to authorise a provider’s Device AUSkey to transmit on their behalf
    • ATO would work with agencies to develop the future state solution
    • ATO would work with agencies and digital service providers to develop a transition plan to move towards compliant models and the future state solution
  • December 2013 to April 2014 – ATO conduct 'one-on-one' sessions as requested
    • Understanding of various implementations
    • Understanding of issues with the policy
    • ATO to work with AGIMO to develop a draft policy and bring back to DSPs for co-development and co-operation on transition.


22 November – Tax Practitioner Software Developers (TPSD) meeting 22/11/2013

More information

  • Feedback and queries can be emailed to the SBR Service Desk or raised by phone on 1300 488 231

Links and documents