MTD Mandation Timeline
Note: MTD rollout dates have changed multiple times β always verify current mandation dates on HMRC's website (gov.uk/make-tax-digital). This guide reflects the MTD programme as of June 2025.
| MTD Phase | Who It Applies To | Mandation Date | HMRC API |
|---|---|---|---|
| MTD for VAT (Phase 1) | VAT-registered businesses, taxable turnover >Β£85K | April 2019 | MTD VAT API v1 |
| MTD for VAT (Phase 2) | All VAT-registered businesses (any turnover) | April 2022 | MTD VAT API v1 |
| MTD for ITSA (Phase 1) | Self-employed income or property income >Β£50K | April 2026 | MTD ITSA API (in pilot) |
| MTD for ITSA (Phase 2) | Self-employed income or property income >Β£30K | April 2027 | MTD ITSA API |
| MTD for Corporation Tax | UK companies | Not yet confirmed | In development |
MTD for VAT β API Integration
| MTD VAT API Endpoint | Method | Description |
|---|---|---|
| /organisations/vat/{vrn}/obligations | GET | Retrieve VAT obligations (open/fulfilled periods) |
| /organisations/vat/{vrn}/returns | POST | Submit VAT return (9 box values) |
| /organisations/vat/{vrn}/returns/{periodKey} | GET | Retrieve submitted return |
| /organisations/vat/{vrn}/liabilities | GET | Retrieve VAT liabilities |
| /organisations/vat/{vrn}/payments | GET | Retrieve VAT payments |
MTD HMRC OAuth 2.0 Flow
Authorisation endpoint: https://api.service.hmrc.gov.uk/oauth/authorize
Token endpoint: https://api.service.hmrc.gov.uk/oauth/token
Required scope for MTD VAT: write:vat (submit) + read:vat (retrieve)
HMRC access tokens expire after 4 hours β refresh tokens last 18 months
HMRC requires HTTPS redirect URIs β no HTTP in production
Fraud Prevention Headers: HMRC requires 7 device and session headers on every MTD API call (Gov-Client-Device-ID, Gov-Client-User-IDs, Gov-Vendor-Version, etc.)
HMRC uses a standard OAuth 2.0 Authorization Code flow with HMRC-specific requirements:
HMRC Fraud Prevention Headers
| Header | Description | Example Value |
|---|---|---|
| Gov-Client-Device-ID | Unique device identifier (UUID, persisted) | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Gov-Client-User-IDs | OS username (for desktop software) | os=ALICE123 |
| Gov-Client-User-Agent | Device/OS information | Windows/10.0 (Build 19045) |
| Gov-Client-Timezone | Timezone of client device | UTC+01:00 |
| Gov-Vendor-Version | Your software name and version | MyAccounting=1.2.3 |
| Gov-Client-Connection-Method | How the call originates | WEB_APP_VIA_SERVER |
| Gov-Client-Window-Size | Browser window dimensions (web apps) | 1920x1080 |
UK GDPR for MTD Integrations
VAT return data: retain for 6 years (VAT record-keeping obligation) β UK GDPR storage limitation must not delete earlier than 6 years.
HMRC OAuth tokens: store securely (AWS Secrets Manager or equivalent) β never in database plain text.
Refresh token exposure: a stolen refresh token gives HMRC API access for 18 months β treat as highly sensitive credential.
Access to VAT return data: restrict to the authorised business user β no sharing between tenants in multi-tenant accounting software.
MTD integrations process financial personal data β tax returns contain turnover, VAT amounts, and business details that may identify individuals. UK GDPR basis: contract performance (software processing tax data on behalf of the user). Key obligations: