The problem nobody at HQ wants to own
Every B2B distributor on BigCommerce runs into the same operational tax: tax-exempt customers can't actually buy tax-exempt. The wholesale buyer places an order, sees sales tax applied, emails accounting their resale certificate, accounting forwards to Avalara, somebody manually uploads it to CertCapture, somebody else manually flags the customer as exempt in BigCommerce, and the order sits broken in between.
Multiply by 50 new B2B accounts a month and you have a part-time job that nobody wants — and certificate expirations nobody is tracking.
What we built
A self-serve tax document portal that lives inside the customer's BigCommerce account, talks to Avalara CertCapture's v2 API, listens for CertCapture status webhooks, and tags the customer's tax_exempt_category in BigCommerce — end to end, no human in the loop.
Customer-side
- Drag-and-drop upload with real-time file-type and size validation (PDF, JPG, PNG up to 10MB)
- Multi-state certificate selector — resale, manufacturing, government, agricultural, religious
- Live status: Uploaded · Pending · Approved · Expired · Rejected
- Renewal reminders 60 / 30 / 7 days before expiration
- Document gallery with secure pre-signed download URLs
Behind the scenes
The PHP service handles the choreography: JWT-verifying the customer against BigCommerce, uploading the binary to CertCapture, attaching it to the right customer record, auto-approving via the API, then PATCHing the customer's tax class in BigCommerce so the exemption applies on their very next order.
// /api/documents/upload — simplified flow
public function upload(Request $req): Response
{
    // Bind the request to exactly one BigCommerce customer via the JWT.
    $cust = $this->jwt->verify($req->bearer());
    // Type, size and content validation before anything touches Avalara.
    $file = $this->upload->validate($req->file());
    // Upload the binary and attach it to the customer's CertCapture record.
    $docId = $this->avalara->attach($cust->avaCustomerId, $file);
    $this->avalara->autoApprove($docId);
    // Flip the BigCommerce tax class so the exemption applies on the next order.
    $this->bc->tagExempt($cust->id, 'wholesale');
    $this->audit->log('cert.uploaded', $cust, $docId);
    $this->email->notify($cust, 'approved');
    return Response::json(['status' => 'approved', 'id' => $docId]);
}
The unglamorous parts that actually mattered
HMAC-verified webhooks (the part most agencies skip)
Avalara CertCapture sends status callbacks. Naïvely accepting them means anybody on the internet who knows your URL can flip a customer to "approved." Every inbound webhook is verified against the shared secret with constant-time comparison; failed verifications are logged and silently 401'd.
Idempotent everything
Webhooks retry on network blips. If CertCapture sends the same document.approved event three times, the customer doesn't get three "exempt" tags or three email notifications. Every external event carries an event ID; we check-and-set against a Redis-backed dedup table before any side effect runs.
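How the two controls above fit together, as an added example that is not the agency's or Avalara's code: the header name, a hex HMAC-SHA256 over the raw body, the `id`/`type` event fields and the phpredis client are all assumptions to check against your own CertCapture webhook configuration.

```php
<?php
// Added example, not the agency's code. Assumed: hex HMAC-SHA256 over the raw
// body in a signature header, and "id"/"type" fields in the event JSON; check
// both against your CertCapture webhook configuration.
declare(strict_types=1);

final class CertCaptureWebhook
{
    public function __construct(
        private string $secret,         // shared secret from env, never from the repo
        private \Redis $redis,          // phpredis client backing the dedup table
        private int $dedupTtl = 86400,  // keep seen IDs longer than the retry window
    ) {}
    // Constant-time HMAC check over the exact raw body that was signed.
    public function verify(string $rawBody, ?string $signatureHeader): bool
    {
        if ($signatureHeader === null) {
            return false;
        }
        $expected = hash_hmac('sha256', $rawBody, $this->secret);
        // hash_equals() compares in constant time; == or === would leak timing.
        return hash_equals($expected, strtolower(trim($signatureHeader)));
    }
    // Check-and-set the event ID before any side effect. SET NX is atomic, so
    // two concurrent retries of the same event cannot both claim it.
    public function claimEvent(string $eventId): bool
    {
        $opts = ['nx', 'ex' => $this->dedupTtl];
        return $this->redis->set("webhook:seen:$eventId", '1', $opts) === true;
    }
    // Returns the HTTP status to answer with; $onApproved runs at most once per event.
    public function handle(string $rawBody, ?string $signatureHeader, callable $onApproved): int
    {
        if (!$this->verify($rawBody, $signatureHeader)) {
            error_log('webhook: signature mismatch');  // log it, answer a bare 401
            return 401;
        }
        $event = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
        if (!isset($event['id'], $event['type'])) {
            return 400;
        }
        if (!$this->claimEvent((string) $event['id'])) {
            return 200;  // duplicate retry: acknowledge so it stops resending, do nothing
        }
        if ($event['type'] === 'document.approved') {
            $onApproved($event);
        }
        return 200;
    }
}
```

If `$onApproved` throws, the claimed key stays set and the retry would be treated as a duplicate; delete the key in a catch block (or claim only after the side effect commits) so a genuine retry can still be processed.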
Retry with exponential backoff
BigCommerce and Avalara both occasionally 429 or 503. The integration retries with 250ms → 500ms → 1s → 2s → 4s backoff, then drops to a dead-letter queue we monitor in Slack. No silently lost certificates. No "I uploaded it last week but my order still has tax" support tickets.
Redis caching — 60–80% faster reads
The customer's document list, AvaTax exemption status, and BigCommerce customer profile all live in Redis with intelligent invalidation. The dashboard renders in ~80ms on cold storefronts, ~15ms on warm.
Auditable from day one
Every upload, approval, expiration, and admin action lands in a tamper-evident audit log with actor, timestamp, IP, user-agent, and event payload. When the client's tax auditor came knocking, we exported the whole history as CSV in 30 seconds.
Security posture
- JWT auth scoped to BigCommerce customer ID — no cross-customer access possible
- HMAC SHA-256 webhook verification with timing-safe comparison
- Rate limiting (Redis token bucket) — 30 uploads / hour / customer
- File-content sniffing (not just extension) — rejects renamed executables
- Pre-signed download URLs with 5-minute TTL
- Secrets rotated quarterly, stored in env-only, never in repo
- Penetration-tested before production launch · OWASP Top 10 reviewed
By the numbers
"It used to take three people and four days to onboard a tax-exempt wholesale customer. Now it takes the customer two minutes and zero of us."
Can we build one for your BigCommerce store?
Yes. The Avalara Tax Manager is a custom build, not a SaaS — but the architecture is portable. We can adapt it to your customer-group model, your CertCapture configuration, your state coverage, and your B2B Edition setup in 4–6 weeks.
It pairs especially well with:
- BigCommerce B2B Edition (price lists + tax exemption working together)
- NetSuite / ERP sync (exempt status reconciled both directions)
- Quote-to-order workflows (exemption applied at quote time, not order time)