Hello ZATCA Team,
We are currently facing an issue related to OTP validation in the Production (FATOORA Core) environment, and the issue now appears to affect multiple APIs.
Affected API Endpoints:
Compliance CSID API
POST https://gw-fatoora.zatca.gov.sa/e-invoicing/core/compliance
Production CSID API (Onboarding / Renewal)
POST https://gw-fatoora.zatca.gov.sa/e-invoicing/core/production/csids
Issue Description:
Initially, the following error was observed only while calling the Production CSID API.
However, the same error is now occurring for the Compliance CSID API as well.
{
  "errors": [
    {
      "code": "Invalid-OTP",
      "message": "The provided OTP is invalid"
    }
  ]
}
This happens consistently, even after generating new OTPs and retrying the requests.
Validations Already Performed:
We have carefully verified the following in all attempts:
- The VAT number in the CSR matches the VAT number used to generate the OTP.
- The OTP is used within its validity period (well within 1 hour).
- OTPs are generated from the correct Production (FATOORA) portal, not Simulation.
- A new OTP is generated for each attempt (no reuse).
- Requests are sent only to Production Core endpoints.
- CSR generation, signing, and request structure remain unchanged from earlier integrations.
Key Observation:
Since the same Invalid-OTP error now occurs on both the Compliance CSID API and the Production CSID API, this seems to indicate a broader OTP validation issue in the Production environment, rather than an API-specific or CSR-related problem.
Could you please help us with the following:
- Confirm if there are any recent changes in OTP validation logic in Production.
- Check if there are any ongoing backend issues affecting OTP validation across CSID-related APIs.
- Advise if any additional parameters, headers, or preconditions are now required when submitting OTP-based requests.
As an additional update, we would like to mention that onboarding for the same client was completed successfully in the Simulation environment.
With the same VAT number and the same CSR generation and signing process, the same MI integration flow worked as expected when using the Simulation portal OTP and Simulation APIs.
The issue occurs only in the Production (FATOORA Core) environment, where both the Compliance CSID API and the Production CSID API return the Invalid-OTP error consistently.
This further suggests that the CSR structure and signing are valid and the VAT configuration is correct.
The issue may be specific to Production OTP validation or backend handling.
We would appreciate your guidance on whether there are any Production-side restrictions, changes, or known issues related to OTP validation.