Renew CSID - 401 Unauthorized error

Onboarding, renewal and revocation
1

Dear ZATCA Team,

We are facing 401 Unauthorized error while performing EGS Renewal in Production CSID (PATCH) API. We request you to guide us on the sequence of steps for Renewal.
Below are the steps with sequence of APIs that we are follwing based on guidelines provided for Production in below link.

https://zatca.gov.sa/en/E-Invoicing/Introduction/Guidelines/Documents/DEVELOPER-PORTAL-MANUAL.pdf (Page Number 42 → Step 6)

Step 1 : Call compliance CSID API
1.1 : URL : https://gw-fatoora.zatca.gov.sa/e-invoicing/core/compliance
1.2 : Http Method : POST
1.3 : Headers :
accept-version: V2
OTP: 111111

 1.4 : Request Body : CSR
			
 1.5 : Response : Success - Received Compliance CSID and Secret

Step 2 : Call Compliance Invoices API 6 times (3 times for B2B & 3 times for B2C as we require both B2B/B2C)
2.1 : URL : https://gw-fatoora.zatca.gov.sa/e-invoicing/core/compliance/invoices
2.2 : Http Method : POST
2.3 : Headers :
accept-version: V2
authorization: “Basic {Base64 of Compliance CSID & Secret combined received from Step 1.5}”
accept-language: “EN”
clearance-status: “1”

 2.4 : Request Body : Document Hash, XML & UUID
		  
 2.5 : Response : Success - Received Success for all 6 compliance API calls.

Step 3 : Call Production CSID API
3.1 : URL : https://gw-fatoora.zatca.gov.sa/e-invoicing/core/production/csids
3.2 : Http Method : PATCH
3.3 : Headers :
accept-version: V2
OTP: 111111
authorization: “Basic {Base64 of Compliance CSID & Secret combined received from Step 1.5}”

 3.4 : Request Body : CSR

 3.5 : Response : ERROR - Received 401 Unauthorized

We request you to guide us on the sequence of steps for Renewal.

2

Dear @dev.cksatc ,

Please find your mistakes below while trying to call the production CSID API:

1- method should be post
2- There is no OTP header required in the PCSID step, just in the CCSID
3- the body of the PCSID request is not the CSR, it’s the compliance request id which is being returned in the CCSID API response
4- OTP should be obtained from fatoora portal in the first step (CCSID) and not 111111
5- VAT number in the CSR config file, should be the same VAT number that you used to obtain an OTP from fatoora portal

Note: the PCSID is valid for 5 years, so consider renewing it after this time period

To fix the issue, please generate a new CSR with the same VAT of your fatoora portal credentials, and start the process over again after correcting the mistakes above, ensuring that the authorization section is well structured (username & passsword), the username will be BinarySecturityToken & Password is the secret.

Make sure that you insert them as is, with no spaces or any additional characters.