@Ankit.K.Tiwari @Aturkistani @saalotaibi
Issue Summary
We are facing an outbound HTTPS connectivity issue while connecting to ZATCA Fatoora APIs from our application server.
Our systems are hosted on a shared hosting environment, where multiple software applications are integrated with ZATCA. Currently, all ZATCA API calls from this server are failing, while other HTTPS connections work normally.
Our hosting provider has confirmed that port 443 is open, there are no firewall restrictions, and trace/MTR tests reach the destination network successfully. Based on their findings, they suspect the connection may be blocked from the ZATCA side (IP-level blocking).
NETWORK_DIAGNOSTICS Result
Host : gw-fatoora.zatca.gov.sa
PHP Version : 7.4.33
OpenSSL Version : OpenSSL 1.1.1w (11 Sep 2023)
DNS IPv4 :
- masked for security purposes
- masked for security purposes
DNS IPv6 : Not available
Supported TLS :
- TLSv1.0 : Enabled
- TLSv1.1 : Enabled
- TLSv1.2 : Enabled
- TLSv1.3 : Enabled
Socket Test : FAILED
Socket Error : Connection timed out
Clarification Required from ZATCA
We kindly request confirmation on the following:
- Does ZATCA apply IP-level blocking for API access, particularly in shared hosting environments where multiple applications use the same public IP address?
- In a shared hosting environment, if one of the PCSIDs associated with the same public IP sends incorrect data or an invalid XML payload, can this lead to IP-level restrictions that affect all other PCSIDs or applications using that shared IP, even if they are functioning correctly?
- All applications on this shared hosting server were working correctly with ZATCA APIs until January 2025 (and earlier).
- Can newly introduced ZATCA security policies, rate limits, or automated controls cause a sudden block, even when no changes were made on the application side?
- If an IP-level block is applied, is it temporary or permanent, and is there a way for affected customers to identify the exact reason or trigger for such a block?
What is the recommended corrective action in such cases:
- Is there an official IP whitelisting or unblock procedure?
- Does ZATCA recommend or require using a VPS or dedicated server with a dedicated IP for stable API access?
- Are there any required adjustments to request rate, payload structure, or TLS configuration to avoid future blocks?
- If ZATCA confirms that no IP-level blocking is applied from your side, could you please advise how customers should communicate this to their hosting provider?
Specifically, is there any official confirmation, reference, or diagnostic guideline that can help hosting providers further troubleshoot connectivity issues on their infrastructure?
Request for Guidance
Please advise the correct and recommended way to resolve this issue and prevent future blocks.
We can share trace/MTR results and server IP details if required for verification.
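An added example, not part of the original post and not ZATCA or hosting-provider tooling: a staged Python probe that reports whether a connection to the host in the diagnostics above fails at DNS, at the TCP connect, or in the TLS handshake. The `classify` and `probe` helpers and the verdict labels are assumptions made for illustration.

```python
import socket
import ssl

HOST, PORT = "gw-fatoora.zatca.gov.sa", 443  # host taken from the diagnostics above

# Hypothetical verdict labels (not ZATCA or PHP terminology).
VERDICTS = {
    "dns_failed": "name did not resolve; fix the resolver before anything else",
    "tcp_timeout": "no SYN-ACK came back: packets are dropped somewhere between "
                   "server egress and destination; TLS never started",
    "tcp_refused": "an RST came back: something answers, port closed or rejected",
    "tcp_error": "local or routing error before the TCP handshake completed",
    "tls_timeout": "TCP connected but the TLS handshake stalled",
    "tls_failed": "TCP connected; protocol, cipher or certificate check failed",
}

def classify(stage, exc):
    """Map the stage reached and the exception raised to a verdict label."""
    if stage == "dns":
        return "dns_failed"
    timed_out = isinstance(exc, (socket.timeout, TimeoutError))
    if stage == "tcp":
        if timed_out:
            return "tcp_timeout"
        return "tcp_refused" if isinstance(exc, ConnectionRefusedError) else "tcp_error"
    return "tls_timeout" if timed_out else "tls_failed"

def probe(host=HOST, port=PORT, timeout=10.0):
    """Try every resolved IPv4 address; return (address, verdict) pairs."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, classify("dns", exc))]
    results = []
    for addr in sorted({info[4][0] for info in infos}):
        stage = "tcp"  # stage is advanced only after the TCP connect succeeds
        try:
            with socket.create_connection((addr, port), timeout=timeout) as raw:
                stage = "tls"
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results.append((addr, "ok " + tls.version()))
        except OSError as exc:  # covers timeouts, refusals and ssl.SSLError
            results.append((addr, classify(stage, exc)))
    return results

if __name__ == "__main__":
    for addr, verdict in probe():
        print(addr, verdict, VERDICTS.get(verdict, ""))
```

A `tcp_timeout` on every address, matching the Socket Test result above, means the TLS versions listed never come into play; the probe alone cannot tell which side is dropping the packets.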