PCSID Renewal (Simulation) — Error “You are not authorized to use this API endpoint” when requesting new PCSID

Hello everyone,

We’re facing an issue during the PCSID renewal process in the simulation environment.
All renewal steps complete successfully until the final POST request to production/csids, where we receive an authorization error.

Below are the detailed steps followed and the issue encountered.

Steps Executed

1. PATCH request to /production/csids

   • Sent the CSR in the request body.

   • Used Authorization header as the combination of the existing PCSID and PSECRET (from the previous onboarding).

   • The request returned:

     • a BinarySecurityToken (used as the new CSID for compliance checks), and

     • a new secret, which was then used to generate new authorization for further API calls.

2. Used CSID and Private Key from the first onboarding

   • Using the CSID from step 1 and the original private key (generated during the first onboarding),
     we signed XMLs and generated hash values as part of the standard signing process.

3. Submitted signed XMLs for Compliance Check

   • All compliance checks were successful using the new authorization obtained from the renewal response.

4. Attempted POST request to /production/csids

   • Used the new authorization and the request ID returned from step 1.

   • At this stage, we receive the following error response:

   Error: “You are not authorized to use this API endpoint”

Summary of the Issue

• Renewal via PATCH works fine and returns valid CSID + secret.

• Compliance checks succeed with the new authorization.

• But while performing the final POST to /production/csids (with the new authorization and request ID),
  the API responds with “You are not authorized to use this API endpoint.”

Request for Guidance

Could anyone please confirm:

• If there are any recent changes in authorization scope for the production/csids endpoint in simulation?

• Whether the POST call after renewal should still use the old PCSID authorization, instead of the new one?

• Or if the simulation environment now restricts renewal-related POST requests after successful compliance checks?

Any clarification or guidance from others who faced similar behavior would be appreciated.

“compliance_request_id”: “1762171454537”

Thanks in advance

Dears
@idaoud @Ankit.K.Tiwari,
i appreciate it if you could look into this issue.

Dear @azeem.chisty

Thanks for reaching out,

Please find below the requested clarifications:

1. “If there are any recent changes in authorization scope for the production/csids endpoint in simulation?” No, any change that might be major, ZATCA will ensure to make an announcement here on the forum.
2. “Whether the POST call after renewal should still use the old PCSID authorization, instead of the new one?” Correct. In addition to using the same “requestID” from the PATCH call as the body.
3. “Or if the simulation environment now restricts renewal-related POST requests after successful compliance checks?” For both simulation and production environments, you should complete all the compliance checks based on your configuration file (InvoiceType).

Can I kindly ask you to check the renewal process again and confirm whether the issue still persists?
knowing that the renewal process works as expected in both simulation and production?

Thanks,
Ibrahem Daoud.

Dear @idaoud ,

Thanks for the reply,

I tried multiple times and facing the same issue. I have already sent the full payload by mail to sp_support@zatca.gov.sa with the same subject as this thread. Kindly look into it and feedback.

meanwhile please share any document that exists for renewal process.

Dear @azeem.chisty

Thank you for the clarification. Could you please share the email address from which you sent it?

Thanks,
Ibrahem Daoud.

Dear @idaoud ,

The email is sent from ‘azeemuddin.chisty@hotmail.com’

Hi @idaoud ,

We have faced the exact same issue when we try to onboard our clients to simulation portal. I have sent an email with the subject " ZATCA Simulation Onboarding Issues" but I have not heard back from the techinical regarding this. My email is “adithyaraviraja@mastersindia.co”

Hello @idaoud ,

Kindly feedback, if you verified the payload that i sent by mail.