Ensure that the structure of the request includes the following:
Authorization (basic auth):
* Username: The username should be the "BinarySecurityToken" issued earlier from the previous step
* Password: The password should be the "secret" issued earlier from the previous step
Headers:
* Accept-Version: Accept version header should has the value of "V2"
Body:
* "compliance_request_id": which is the “requestID” that has been issued earlier from the previous step.
After completing this request ensuring the above, you will receive the PCSID in terms of BinarySecurityToken & Secret, which will be used in the authorization of the clearance & reporting APIs and the onboarded EGS will appear.
Thanks for your response. We are in final stage of deployment of our zatca integrated solution.
We successfully onboarded with our company’s fatoora account and tested clearance API after receiving Prod CSID in simulation env
We are “Inventory/billing” solution provider. As a solution provider, below is our understanding
our software needs to facilitate the generation of separate Production CSID for each client based on the CSR generated with the taxpayer’s details.
For each new Client who uses our software for trading business, We have to make sure that whole workflow of Compliance CSID generation, compliance submissions, till Prod CSID generation should be done via our solution interface and the client just needs to enter OTP during this onboarding process (which they generate via their own fatoora login)
We have to keep the csrcertificate and private key for each client to later do invoice signing of their respective invoices
we have to keep each clients binarySecurityToken & secret so as to do the clearance of their respective invoices
Please read the below comments, otherwise your understanding is correct.
1- PCSID should be maintained as per each onboarded device, so one client may has multiple PCSIDs
2- the certificate which is used to sign the e-invoices (x.509 certificate) is the decoded (base64) BinarySecurityToken
3- Private key should be stored securely even if the client doesn’t require to sign the e-invoices i.e.(if the client only needs to send B2B invoices), because the private key is linked to the certificate, and if the private key has been lost/leaked for any reason, a new certificate should be obtained for that specific client.