Dear @eCloud,
Please find the responses to the raised concernes below:
First concern: after receiving what response code should I change the UUID, ICV, invoiceHash after fixing?
you should change the UUID, ICV, invoiceHash. After fixing the errors of the rejected invoice, and this error response should be “400”.
“400” means that the invoice has been validated by fatoora platform, and failed in at least one of the validation criteria i.e (KSA business rules).
Other responses such as “401” and the rest on the table, means that fatoora platform didn’t validate the invoice yet, so there is a chance of receiving “401” for a valid invoice, because “401” indicates an issue with the username & password or both. Not an invoice rejection.
So in conclusion, you should only change UUID,ICV, invoiceHash of the rejected invoices that returned “400” code in response, after fixing.
Second concern: fatoora platform’s APIs are public, does this mean that anyone can send invoices on my behalf?
The answer is no, only solutions that are onboarded (integrated) with fatoora platform can send invoices.
1- “OTP”, in order to onboard a solution to fatoora portal, taxpayers must provide a correct" OTP" that is associated with its device that they are trying to onboard. By login to fatoora portal using TIN & password.
2- authorization credentials: each solution has its own unique username & password returned by fatoora platform after validation with OTP, no one should have the access to your authorization credentials.
3- private key: each solution has it own unique associated private key, private key is used to sign simplified tax invoices, and fatoora platform will verify the signature in submission, if the signature is not valid or someone else has signed a document that doesn’t belong to them, the document will be rejected by fatoora platform.
To get more information about securing the solutions, please refer to:
20230519_ZATCA_Electronic_Invoice_Security_Features_Implementation_Standards_vF.pdf (720.4 KB)