KSeF certificates and tokens in SAP

How to safely manage KSeF certificates and tokens in SAP?

Integration with the National e-Invoicing System (KSeF) requires not only a technical connection to the Ministry of Finance interfaces but also responsible management of access to these services. At the core of this issue are two key elements: qualified certificates and KSeF access tokens. Their correct usage, monitoring, and renewal are the foundation of secure and continuous operation with electronic invoices in SAP.

In this article, we present how authorization in KSeF works, what mechanisms for managing certificates and tokens in SAP exist, and what implementation practices HAERGI uses to ensure continuity and security of integration.

Types of authorization in KSeF – overview of mechanisms

The National e-Invoicing System supports two main modes of authorization:

  • Qualified or non-qualified certificate (PEM) – used directly to sign requests,
  • Access token – generated in the KSeF application and used by IT systems (e.g., SAP) to communicate with the API.

In implementation practice, the use of a token is preferred due to:

  • no need to sign each operation,
  • the ability to create a non-personalized token,
  • easier rotation and revocation of access,
  • simpler background process automation.

Additionally, two certificates provided by KSeF are also needed for the connection: a certificate for encrypting the HTTPS-level connection and a certificate for encrypting the XML data itself.

Certificate management in SAP – STRUST transaction

In the HAERGI solution, certificates used in communication with KSeF are registered in SAP using the standard STRUST transaction. The IT department can:

  • import a new certificate (PEM, CER, CRT format),
  • assign it to a specific communication partner,
  • set the trust chain,
  • monitor expiration dates.

SAP automatically warns of the upcoming certificate expiration – this is crucial to ensure the continuity of invoice sending and receiving processes.

Generating access tokens in the KSeF application

Access tokens are generated in the Ministry of Finance’s Taxpayer Application. Within a single NIP, multiple tokens can be created:

  • for different systems (e.g., SAP, BI, external integrators),
  • with different permission levels (e.g., only for download, only for sending),
  • with aliases assigned to facilitate identification.

The token is saved as a character string and can be:

  • stored in the SAP system configuration (e.g., configuration table),
  • periodically renewed by the administrator,
  • revoked at any time in the KSeF panel.

Secure storage of access data in SAP

HAERGI has implemented a solution that allows for:

  • storing tokens in encrypted form,
  • access control to KSeF login data in SAP,
  • a mechanism to test the connection to KSeF using the saved token.

Monitoring, alerts, and rotation of certificates/tokens

In the system implemented by HAERGI, the administrator can:

  • monitor the status of communication with KSeF (errors 401, 403, timeouts),
  • manually test KSeF channel availability in interactive mode,
  • initiate the token rotation process (old – new, without interruption in operation).

Most common errors and the consequences of ignoring them

Lack of proper authorization leads to:

  • rejection of sent invoices,
  • inability to download incoming invoices,
  • inability to update statuses and retrieve KSeF numbers.

Typical errors:

  • expired certificate (validity date has passed),
  • token assigned to a different NIP / user,
  • missing permissions granted in the KSeF application,
  • incorrect path in STRUST.
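The monitoring of 401, 403 and timeout errors described above, together with the typical errors just listed, can be turned into a simple triage rule. The following is an added example, not HAERGI's or SAP's code: the log format, the token aliases and the timeout threshold are assumptions, and the hints attached to 401 and 403 follow generic HTTP semantics rather than KSeF documentation.

```python
from collections import defaultdict

# Constructed sample log: "<ISO time> <token alias> <outcome>"; not real KSeF or SAP output.
SAMPLE_LOG = """\
2025-01-10T08:00:00 SAP_SEND 200
2025-01-10T08:05:00 SAP_SEND TIMEOUT
2025-01-10T08:10:00 SAP_SEND 200
2025-01-10T08:15:00 SAP_FETCH 403
2025-01-10T08:20:00 BI_READ TIMEOUT
2025-01-10T08:25:00 BI_READ TIMEOUT
2025-01-10T08:30:00 BI_READ TIMEOUT
2025-01-10T08:35:00 SAP_SEND 401
"""

# Triage hints follow generic HTTP semantics (assumption), tied to the page's typical errors.
HINTS = {
    "401": "credentials rejected: check token revocation/renewal and certificate expiry",
    "403": "access denied: check permissions in the KSeF application and the token's NIP",
}
TIMEOUT_THRESHOLD = 3  # assumed: alert only on this many consecutive timeouts


def triage(log_text, timeout_threshold=TIMEOUT_THRESHOLD):
    """Return a list of (time, alias, kind, hint) alerts for one log."""
    alerts = []
    streak = defaultdict(int)  # consecutive timeouts per token alias
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        when, alias, outcome = parts
        if outcome == "TIMEOUT":
            streak[alias] += 1
            # Fire once when the streak reaches the threshold, not on every retry.
            if streak[alias] == timeout_threshold:
                alerts.append((when, alias, "TIMEOUT", "channel unavailable: run connection test"))
            continue
        streak[alias] = 0  # any HTTP response ends the timeout streak
        if outcome in HINTS:
            # Auth failures do not heal on retry, so alert on the first one.
            alerts.append((when, alias, outcome, HINTS[outcome]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

Grouping by token alias keeps a single transient timeout on one channel from masking, or being confused with, an authorization failure on another.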

Implementation best practices

  • Linking the token with an alias and documentation: easier management and rotation.
  • Emergency procedure: an action plan in case of connection errors.
  • Error notifications: automatic email alerts about connection issues.
  • SAP administrator training: especially in STRUST and logging of authorization and communication errors.

Proper management of certificates and tokens in the SAP system is a necessary condition for maintaining communication with KSeF. HAERGI’s solution provides full control over the authorization process – from certificate registration to token expiration monitoring.

This makes it possible not only to meet legal obligations but also to minimize operational and tax risks.

Implementing procedures and automation in the KSeF access area – up-to-date tokens, verified certificates, continuous alerts – is now the foundation of any responsible ERP integration with the National e-Invoicing System.
