Using myGovID, RAM and machine credentials (M2M)

Together, myGovID and Relationship Authorisation Manager (RAM) provide a flexible, easy and secure way to access Online services for DSPs and using machine credentials, you can interact with government online services through Standard Business Reporting (SBR)-enabled software.

How you set up these authentication and authorisation services depends on your circumstances and the type of DSP you are. For example, a Cloud service provider, Sending service provider (SSP), Gateway provider, Desktop product developer or an On-premise enterprise software provider.

On this page:

Using myGovID

myGovID allows you to prove who you are and access Online services for DSPs and other government online services.

To access Online services for DSPs, you need a myGovID with a ‘Standard’ identity strength. This means you need to verify two Australian identity documents.

Download the myGovID app from the App Store or Google Play and set it up by adding your identity documents to achieve a ‘Standard’ identity strength.

Visit the myGovID website for more information, including participating government online services.

Note: myGovID cannot be used for SBR services. You will need a machine credential to transact with the ATO through your software.

Unable to achieve a Standard identity strength

If you’re an employee who is unable to achieve a ‘Standard’ identity strength, some government online services such as the ATO’s Business Portal accept a ‘Basic’ identity strength (additional eligibility requirements may apply).

If you’re a principal authority and unable to achieve a Standard identity strength, check whether another principal authority is able to, so they can link the business in RAM.

If no principal authority is able to achieve a Standard identity strength, you won't be able to use myGovID at this time. You can use alternative lodgment options, such as cloud-based Standard Business Reporting (SBR)-enabled software or a registered tax agent. We are continuing to expand the identity documents you can use to establish your identity, so you may be able to use myGovID in future.

Using Relationship Authorisation Manager (RAM)

RAM is an authorisation service that allows you to link your myGovID to and act on behalf of a business or entity online. You need myGovID to access RAM.

To get started with RAM, first the principal authority needs to set up their myGovID and link to their Australian business number (ABN) in RAM. Once linked, they can set up authorisations for employees and others to act on behalf of the business who will accept the authorisation in RAM.

For SBR-enabled software you can use RAM to:

  • authorise a Machine credential administrator (MCA)
  • create machine credentials to interact with government online services through your software
  • notify government agencies about the software you’ll be using to interact with them through My Cloud Software Services (only the Office of the Student Identifiers Registrar, Department of Employment, Skills, Small and Family Business).

Visit Relationship Authorisation Manager for more information on how to get started and if you need to link your business as a Principal authority.

Using machine credentials (M2M solution)

Machine credentials allow DSPs, businesses and registered tax and BAS agents to interact with ATO online services through their SBR-enabled software. Machine credentials are installed from RAM and used in your SBR enabled software.

You’ll need to create a machine credential if you:

  • are a digital service provider who offers cloud-based SBR-enabled software. You’ll need to install it on your server to enable software authentication by third-party users.
  • use desktop or locally hosted software.

Note: myGovID is used to log in to RAM and Online services for DSPs – not for SBR enabled software. Machine credentials are installed from RAM and used in your SBR enabled software to report to government online services – not used log in to online services.

Who can create a machine credential

You can create a machine credential if you are a:

  • principal authority
  • machine credential administrator (MCA) as assigned by a principal authority or authorisation administrator.

Once the machine credential is created, the principal authority or MCA will be responsible for the use of it in the business.

Before you create a machine credential

Before creating a machine credential, you need to download and install the browser extension software compatible with your device’s operating system:

Installing the browser extension is only required when creating a machine credential and not required when using the credential in your software.

You may need to consult with your IT department in relation to any restrictions they have regarding installing software on your network.

Installing a machine credential guide

This guide provides step-by-step instructions on how to create a new machine credential for an entity in Relationship Authorisation Manager (RAM):

Step 1 - Using Chrome or Firefox, go to authorisationmanager.gov.au and select the myGovID login button.

Step 2 - Log in using your myGovID by entering the email address that you used to create your myGovID.

A code will appear. Open myGovID on your smart device, log in and enter the 4 digit code into the pop-up within the app. Tap Accept.

Step 3 - Click View or manage authorisations, machine credentials and cloud software notifications. You will be directed to a view of all the entities you can act for.

Step 4 - Select the entity you would like to create a machine credential for.

Step 5 - The entity homepage will be displayed with a list of all the authorisations for the entity. Click the Manage Credentials tab in the toolbar.

Step 6 - The Manage credentials page is displayed. If you’ve already installed the required browser extension, go to the next step. If you have not yet installed the required browser extension, a message advising that browser extension software is required will appear.

Step 7 - Select Create machine credential

Step 8 - Enter the following information:

  • Keystore path – This will be pre-filled but can be changed if required. This is where the machine credential will be created and stored.
  • Keystore password – Choose a password. It should include at least 10 characters with no space, an upper case letter, a lower case letter, a number and a punctuation character. You’ll provide this password within your software either when setting up or authenticating. You are not required to use your myGovID password for the ‘Keystore password’
  • Verify your keystore password. 
  • Credential name – Enter a name for the machine credential. You should create a name which will help you to easily identify the machine credential.
  • Identify the Machine Credential Custodian – This will be pre-filled with your name and cannot be changed.

Tick the box to confirm you understand and accept the machine credential details. Click Download.

Step 9 – Click finish and your credential has been installed.

Step 10 – From the Manage credentials page you can create, view, revoke and claim unassigned machine credentials for the entity.

See also: How to install a machine credential guide on the RAM website.

Note:  Testing your machine credential solution may involve specific requirements for different agencies. You can review the agency requirements by referring to, Machine to Machine (M2M) authentication solution.

Support tools and resources

We have a range of guidance material and resources available, including instructional videos, to support you and your users to access and use  myGovID, RAM and the M2M solution:

Stay informed

To get the latest information on using our new services, subscribe to our Digital service providers newsletter.

Contact us

For more information or to request assistance contact DPO@ato.gov.au or use Online services for DSPs.

Additional information for Cloud service providers

As a Cloud service provider (CSP) you need to create a machine credential in RAM and update the authentication service endpoint as documented in ATO SBR Physical End Points (DOCX, 310KB).

Once a machine credential has been created, downloaded and installed, and your software has been updated to connect to the new authentication service endpoints, you will need to 'prime' your credential for use with SBR.

The first time you send a message to SBR your machine credential appears in Access Manager. While a machine credential is created with Full authorisations by default, you still need to login to Access Manager. Select the machine credential for use in hosted SBR services you provide. When this has been completed you are ready to transact with SBR.

As the MAS-ST service is compatible with Device AUSkey you can update the endpoint before installing the new machine credential. You should not install the new credential without updating the endpoint.

What your users need to know

Information and advice you give to your users will vary depending on their technical knowledge.

  • You need to set up your myGovID and link your business in RAM to access government online services such as Access Manager and Online services for agents.
  • With your myGovID and RAM, you can continue to use your software to send transactions to the ATO without change.
  • You have no requirement to install a machine credential.

Additional information for Sending service provider (SSP) or Gateway providers

If you are a SSP or Gateway provider your processes are closely related to a Cloud service provider (CSP) for installing machine credentials.

If your implementation does not fit the model described under CSP, contact us for assistance via Online services for DSPs.

What your users need to know

Information and advice you give to your users will vary depending on their technical knowledge.

  • You need to set up your myGovID and link your business in RAM to access government online services such as Access Manager and Online services for agents.
  • With your myGovID and RAM, you can continue to use your software to send transactions to the ATO without change.
  • You have no requirement to install a machine credential.

Additional information for Desktop software providers

Desktop software providers need to distribute an updated version of their software with an updated authentication endpoint to support  machine credentials.

Desktop software users may need to use RAM to create and install a machine credential on their device.

Not all desktop software users need a machine credential. If your users transact with the government through a Gateway, a Sending service provider or other third party integration service, they will sign transactions on your behalf.

If your users hold business appointments within Access Manager to report on behalf of other businesses, these permissions are not automatically applied to a new machine credential. Once they have used the credential for the first time, they will need to log in to Access Manager and assign the appropriate permissions to the credential. This will be necessary whenever a new machine credential is installed.

What your users need to know

Information and advice you give to your users will vary depending on their technical knowledge. If you regularly transact with the ATO using a Sending service provider (SSP), messages for your users may include:

  • You need to set up your myGovID and link your business in RAM to access government online services such as Access Manager and Online services for agents.
  • With your myGovID and RAM, you can continue to use your software to send transactions to the ATO without change.
  • You need to replace any AUSkeys with a machine credential to transact through our software
  • You need to add your existing business appointments to your new machine credential – check your details in Access Manager are correct after you send your first transaction.
  • Not all desktop software users need a machine credential – if you transact with the government through a Gateway, a Sending service provider or other third party integration service, they will sign transactions on your behalf.

Additional information for On-premise enterprise software providers

When you move to a  machine credential, it must be done in conjunction with your users.

While the credential’s authentication service endpoint is defined in your software, your users also need a machine credential. Not all enterprise software users need a machine credential. If your users transact with the government through a Gateway, a Sending service provider or other third party integration service, they will sign transactions on your behalf.

Large businesses or entities using On-premise software

Large entities may operate within private cloud-hosted software services, where the enterprise software provider host all or part of their software in the cloud. Where that tenancy remains under the control of the customer this software is still considered to be ‘on-premise’.

As a machine credential custodian you can only upload your credential to a cloud tenancy that remains in the exclusive use and control of your company.

Reference to cloud services in these instructions is a reference to software providers that operate cloud-hosted multi-tenanted business software. Cloud service providers are endorsed under the ATO’s DSP Operational Framework, and use their device credential to sign transactions on behalf of their clients.

Control in this example refers to administrative or management access to the information contained within the tenancy and does not preclude third party infrastructure and environment management.

What your users need to know

The information and advice you give to your users will vary depending on their technical knowledge.

If your users hold business appointments within Access Manager to report on behalf of other businesses, these permissions are not automatically applied to a new machine credential. Once they have used the credential for the first time, they will need to log in to Access Manager and assign the appropriate permissions to the credential. This will be necessary whenever a new machine credential is installed.