Hello everyone,
I am facing some confusion while working with ZATCA e-Invoicing Sandbox APIs, specifically related to authentication, and I would appreciate your guidance.
Step 1: I generated the CSR.csr and private-key.key files (holding the CSR and private key).
Step 2: Using the generated CSR, I called the CSID generation API
https://gw-fatoora.zatca.gov.sa/e-invoicing/developer-portal/compliance
by passing the CSR and OTP 123345 (as mentioned in the Sandbox API demo). This call was successful and I received the binarySecurityToken and secret.
Step 3: I copied the generated private key (generated with the CSR) into the ec-secp256k1-priv-key.pem file inside the Certificates folder. I also Base64-decoded the binarySecurityToken from the CSID response and pasted the decoded value into the cert.pem file.
Step 4: I signed the invoice XML successfully (in this step a new XML file was generated with the certificate and QR details inside it).
Step 5: I then generated the required request JSON body.
Step 6: I called the compliance invoice validation API
https://gw-fatoora.zatca.gov.sa/e-invoicing/developer-portal/compliance/invoices
using Basic Authentication with binarySecurityToken as the username and secret as the password. This request was successful and the invoice XML was validated.
Step 7: I then tried to clear the invoice by calling
https://gw-fatoora.zatca.gov.sa/e-invoicing/developer-portal/invoices/clearance/single
using the same username and password (binarySecurityToken and secret) and the same request body. This request failed with HTTP 401 Unauthorized, and no response body was returned.
My confusion is that the same credentials work for compliance invoice validation but fail for invoice clearance. I would like to understand why this happens. Is invoice clearance using a different authentication mechanism, is a different endpoint expected, or is there an additional enablement step required after compliance?
Any guidance or clarification would be very helpful.
Thank you.
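As an added example (not part of the original post, and not ZATCA's own SDK code), the Python below assembles the pieces the steps above describe: the Basic Authorization value built from the raw binarySecurityToken and secret, the cert.pem produced by decoding the token, the JSON body with invoiceHash / uuid / invoice, and the headers for the compliance and clearance calls. The sample token, secret and invoice are constructed; the header names Accept-Version, Accept-Language and Clearance-Status are taken from my reading of the ZATCA API documentation and the invoiceHash computation is deliberately simplified, so treat those as assumptions to verify against the sandbox docs. Nothing is sent unless the commented-out calls at the bottom are enabled with real sandbox credentials.

```python
import base64
import hashlib
import json
import urllib.error
import urllib.request
import uuid

# Constructed sample credentials (not real ZATCA values). The sandbox returns a
# binarySecurityToken whose Base64 decoding is the certificate body in Base64,
# i.e. the PEM text without the BEGIN/END lines.
SAMPLE_CERT_BODY = "MIIB" + "A" * 124
SAMPLE_TOKEN = base64.b64encode(SAMPLE_CERT_BODY.encode()).decode()
SAMPLE_SECRET = "sample-secret"
# Constructed stand-in for the signed invoice XML from Step 4.
SAMPLE_SIGNED_XML = b'<?xml version="1.0"?><Invoice><ID>SME00010</ID></Invoice>'

COMPLIANCE_URL = "https://gw-fatoora.zatca.gov.sa/e-invoicing/developer-portal/compliance/invoices"
CLEARANCE_URL = "https://gw-fatoora.zatca.gov.sa/e-invoicing/developer-portal/invoices/clearance/single"


def basic_auth_header(token: str, secret: str) -> str:
    """Authorization value: Basic base64(binarySecurityToken:secret).
    The username is the token exactly as returned by the CSID call, not its decoded form."""
    raw = f"{token}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_to_pem(token: str) -> str:
    """Decode the binarySecurityToken and wrap it as a PEM certificate (the cert.pem of Step 3).
    The decoded value must itself be valid Base64 (the DER certificate); this check catches a
    token that was decoded twice or pasted with stray characters."""
    body = base64.b64decode(token).decode("ascii")
    base64.b64decode(body, validate=True)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_invoice_request(signed_xml: bytes, invoice_uuid: str = "") -> dict:
    """Request body used for both the compliance check and clearance (Steps 5 to 7).
    Assumption: invoiceHash here is SHA-256 of the raw bytes. The real hash is taken over the
    canonicalised invoice with the signature-related elements removed, as the signer computes it."""
    return {
        "invoiceHash": base64.b64encode(hashlib.sha256(signed_xml).digest()).decode(),
        "uuid": invoice_uuid or str(uuid.uuid4()),
        "invoice": base64.b64encode(signed_xml).decode(),
    }


def request_headers(token: str, secret: str, clearance: bool) -> dict:
    """Headers for the compliance check and for single-invoice clearance.
    Assumption: Accept-Version V2 and Clearance-Status 1 follow the ZATCA API docs as I read them."""
    headers = {
        "Authorization": basic_auth_header(token, secret),
        "Accept-Version": "V2",
        "Accept-Language": "en",
        "Content-Type": "application/json",
    }
    if clearance:
        headers["Clearance-Status"] = "1"
    return headers


def post_invoice(url: str, token: str, secret: str, body: dict, clearance: bool):
    """POST the body and return (HTTP status, response text); on an error status such as 401
    the response body, if the gateway sent one, is returned instead of raising."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=request_headers(token, secret, clearance), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


if __name__ == "__main__":
    print(token_to_pem(SAMPLE_TOKEN))
    print(request_headers(SAMPLE_TOKEN, SAMPLE_SECRET, clearance=True))
    print(json.dumps(build_invoice_request(SAMPLE_SIGNED_XML), indent=2))
    # With real sandbox credentials, these reproduce Step 6 and Step 7:
    # body = build_invoice_request(open("signed-invoice.xml", "rb").read())
    # print(post_invoice(COMPLIANCE_URL, token, secret, body, clearance=False))
    # print(post_invoice(CLEARANCE_URL, token, secret, body, clearance=True))
```

Comparing the two header dictionaries side by side is a quick way to confirm that the only difference between the Step 6 and Step 7 requests is the URL and the Clearance-Status header, so that an authentication failure on one and not the other is not caused by a typo in the credential encoding.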