
KSeF Token Management: How to Set Up and Rotate Authentication Tokens

KSeF uses cryptographic tokens for API authentication. This guide explains how to generate, store, rotate, and manage KSeF tokens — the most common source of authentication errors in the first months of mandatory e-invoicing.

By EU E-Invoicing Hub | Published: 20 May 2026

One of the most common causes of KSeF failures in the first months of mandatory e-invoicing was not a format error or a missing field — it was token management. Authentication tokens expired, weren't shared with the right team members, or weren't set up correctly for multi-entity businesses.

This guide explains everything you need to know about KSeF authentication tokens: what they are, how to set them up, how to share them, and how to avoid the most common problems.


What Is a KSeF Authentication Token?

The KSeF (Krajowy System e-Faktur) system requires every API call — submitting an invoice, checking a status, retrieving a received invoice — to be authenticated. Authentication proves to the Ministry of Finance's system that you are who you say you are.

KSeF uses a token-based authentication system. A token is a long cryptographic string (typically a JWT or session token) that:

  • Is tied to your company's NIP (Numer Identyfikacji Podatkowej — Polish tax ID)
  • Has a defined expiry period (default: 30 days)
  • Authorises specific operations (submit invoices, read invoices, manage settings)
  • Can be delegated to accounting software or intermediaries

The token system means you can grant your accounting software access to KSeF without sharing your login credentials — the software gets a token with limited scope.


Types of KSeF Authentication

KSeF supports several authentication methods:

Method                            | Best for                         | How it works
----------------------------------+----------------------------------+---------------------------------------------------------------
Token (API)                       | Software integration, ERP        | Generate a token in KSeF, enter it in your software
Qualified electronic signature    | Manual access, legal entities    | Sign the authentication request with your qualified certificate
Trusted profile (Profil Zaufany)  | Small businesses, manual access  | Log in via the Polish government ePUAP/Profil Zaufany
Biometric / mobile app            | Individual users                 | Via the KSeF mobile app (limited scope)

For businesses with accounting software (Comarch, INSERT nexo, enova365, Sage Symfonia, wFirma, iFirma), token authentication is the standard method. The software generates and manages the API calls; you provide the token.


How to Generate a KSeF Token

Step 1: Access the KSeF portal

Go to ksef.mf.gov.pl and log in using:

  • Qualified electronic signature (kwalifikowany podpis elektroniczny)
  • Trusted Profile (Profil Zaufany) via ePUAP

Your login must be for a person authorised to represent your company (typically a management board member listed in the KRS register, or an authorised representative).

Step 2: Navigate to token management

In the KSeF portal, find the Zarządzanie tokenami (Token Management) section.

Step 3: Create a new token

Click "Generuj token" (Generate token) and configure:

Setting          | What to choose
-----------------+------------------------------------------------------------
Token name       | A descriptive name, e.g., "Comarch ERP Production 2026"
Scope            | Select the permissions this token needs (see below)
Validity period  | Default is 30 days; you can extend up to 365 days
Binding to NIP   | Automatically tied to your company NIP

Token scope options:

  • invoicing — Submit and manage outbound invoices
  • read — Read received invoices
  • management — Manage settings (required for some administrative tasks)

For most accounting software integrations, you need both invoicing and read permissions.

Step 4: Copy and store the token securely

The token is displayed only once when generated. Copy it immediately and store it securely. If you close the page without copying, you'll need to generate a new token.

Store the token in:

  • Your accounting software's KSeF integration settings
  • A secure password manager (1Password, Bitwarden) — not a spreadsheet
  • Your IT team's secure configuration vault

Never store tokens in plain text files, email, or shared documents.

Step 5: Enter the token in your accounting software

Every major Polish accounting platform (Comarch, INSERT nexo, enova365, Sage Symfonia, wFirma, iFirma) has a KSeF integration settings page. Enter:

  • Your company NIP
  • The token you generated
  • The KSeF environment (production or test)

Test with one invoice before switching to full production use.


Token Expiry: The Most Common Problem

Default token validity: 30 days.

When a token expires, every KSeF API call fails with an authentication error. The impact:

  • Invoice submissions fail silently (or with an error your software may not surface clearly)
  • Invoice status checks fail
  • Incoming invoice downloads fail

Why businesses miss this

Thirty days pass quickly. If you set up your KSeF integration in February and don't manage the calendar, the token expires in March. Your accounting team may not immediately recognise "authentication error" as "token expired" — they might escalate it as a software bug or a KSeF outage.

How to manage token expiry

Option 1: Set a calendar reminder

Add a calendar event two weeks before the token expires. Give yourself time to generate a new token and update all systems before the expiry date.

Assign a specific person as the "KSeF token owner" — the person responsible for rotation. Document this in your internal process guide.

Option 2: Generate a longer-validity token

When generating the token, set validity to 365 days instead of the default 30. This reduces rotation frequency significantly. Check that your accounting software can handle long-validity tokens — most can.

Option 3: Use automated token rotation (enterprise)

For businesses with multiple entities or high-volume KSeF usage, automated token rotation via the KSeF API is possible. The API allows generating a new token programmatically before the current one expires. This requires development effort but eliminates manual rotation entirely.


Multiple Entities and Multiple Tokens

If your business has multiple Polish VAT registrations (e.g., a holding company with Polish subsidiaries), each NIP requires its own authentication. You cannot use one token for multiple NIPs.

Best practice for multi-entity businesses:

  • Generate a separate named token for each entity and software environment
  • Use a clear naming convention: [EntityName]-[Software]-[Environment]-[Year]
  • Example: ABC-Poland-Comarch-PROD-2026
  • Maintain a token inventory spreadsheet (metadata only, never the token value itself): Entity, Token name, Expiry date, Responsible person
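The calendar-reminder and inventory practices above (Options 1 and 2 and the multi-entity checklist) are simple to automate once the inventory is kept as data rather than in someone's head. The script below is an added example, not code from the article or from any KSeF vendor: it models a token inventory record (entity, NIP, token name, expiry, owner, and deliberately no token value), builds names in the article's [EntityName]-[Software]-[Environment]-[Year] convention, reports which tokens are expired or fall inside the two-week rotation window, and flags the one-token-per-NIP rule being broken. The sample inventory, NIPs, names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Rotation lead time recommended in the article: remind two weeks before expiry.
ROTATION_LEAD_DAYS = 14


@dataclass(frozen=True)
class TokenRecord:
    """One row of the token inventory. The token value itself is NOT stored here;
    it lives only in the accounting software or a secrets vault."""
    entity: str
    nip: str
    token_name: str
    environment: str  # "PROD" or "TEST"
    expires: date
    owner: str        # the named "KSeF token owner"


def make_token_name(entity: str, software: str, environment: str, year: int) -> str:
    """Build a token name in the article's convention [EntityName]-[Software]-[Environment]-[Year]."""
    for part in (entity, software, environment):
        if not part.strip():
            raise ValueError("token name components must not be empty")
    return f"{entity}-{software}-{environment.upper()}-{year}"


def rotation_status(record: TokenRecord, today: date, lead_days: int = ROTATION_LEAD_DAYS) -> str:
    """Classify a token as 'expired', 'due' (inside the rotation window) or 'ok'."""
    if record.expires < today:
        return "expired"
    if record.expires <= today + timedelta(days=lead_days):
        return "due"
    return "ok"


def rotation_report(inventory: List[TokenRecord], today: date,
                    lead_days: int = ROTATION_LEAD_DAYS) -> Dict[str, str]:
    """Map every token name to its rotation status for the given date."""
    return {r.token_name: rotation_status(r, today, lead_days) for r in inventory}


def shared_token_violations(inventory: List[TokenRecord]) -> Dict[str, Set[str]]:
    """One token per NIP: return token names that appear under more than one NIP."""
    nips_by_name: Dict[str, Set[str]] = {}
    for r in inventory:
        nips_by_name.setdefault(r.token_name, set()).add(r.nip)
    return {name: nips for name, nips in nips_by_name.items() if len(nips) > 1}


# Constructed sample inventory (fictional entities, NIPs, owners and dates).
SAMPLE_INVENTORY = [
    TokenRecord("ABC Poland", "1234563218", make_token_name("ABC-Poland", "Comarch", "prod", 2026),
                "PROD", date(2026, 5, 28), "J. Kowalski"),
    TokenRecord("ABC Poland", "1234563218", make_token_name("ABC-Poland", "Comarch", "test", 2026),
                "TEST", date(2026, 5, 10), "J. Kowalski"),
    TokenRecord("XYZ Poland", "9876543210", make_token_name("XYZ-Poland", "enova365", "prod", 2026),
                "PROD", date(2027, 3, 1), "A. Nowak"),
    # Mistake to be caught: a second entity reusing the first entity's token.
    TokenRecord("XYZ Poland", "9876543210", "ABC-Poland-Comarch-PROD-2026",
                "PROD", date(2026, 5, 28), "A. Nowak"),
]


if __name__ == "__main__":
    today = date(2026, 5, 20)
    for name, status in rotation_report(SAMPLE_INVENTORY, today).items():
        print(f"{status:8} {name}")
    for name, nips in shared_token_violations(SAMPLE_INVENTORY).items():
        print(f"SHARED   {name} is used by NIPs {sorted(nips)}")
```

Run it from a scheduled job and route the "due" and "expired" lines to the token owner; the report is the calendar reminder, but driven by the inventory instead of by memory.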

Delegating Access: Self-Invoicing and Accountant Access

KSeF supports delegation — granting another party (an accounting firm, an intermediary) the ability to submit invoices on your behalf.

Delegating to an accounting firm

Your accounting firm needs a specific delegation credential tied to their own NIP. This is different from giving them your token. In KSeF, navigate to Pełnomocnictwa (Authorisations) and grant your accounting firm's NIP the appropriate KSeF roles.

This allows your accountant to access KSeF under their own credentials while being authorised to act for your NIP. No token sharing required.

Self-invoicing (wystawianie faktur przez nabywcę)

If your customer issues invoices on your behalf (self-invoicing under Article 106d of the Polish VAT Act), they need a specific KSeF delegation from you. This delegation is also managed in the KSeF portal under Pełnomocnictwa.


KSeF Token Security: What Not to Do

🚫 Don't share tokens via email. If an email is intercepted or forwarded, your token is compromised.

🚫 Don't use the same token in test and production. The test KSeF environment (ksef-test.mf.gov.pl) uses separate tokens from production. Never use a production token in testing — it can cause unintended invoice submissions.

🚫 Don't hardcode tokens in source code. If you're building a custom KSeF integration, store tokens in environment variables or a secrets manager (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault), never in source code repositories.

🚫 Don't delay when a token is compromised. If you suspect a token has been exposed, revoke it immediately in the KSeF portal and generate a new one. The revocation is effective immediately.


Troubleshooting: "Authentication Error" in KSeF

If you receive an authentication error from the KSeF API:

  1. Check token expiry first — Log in to the KSeF portal and verify the token is still valid
  2. Verify the NIP matches — The NIP in your software settings must match the NIP the token was generated for
  3. Check the environment — Are you using the correct endpoint? Production: ksef.mf.gov.pl/api, Test: ksef-test.mf.gov.pl/api
  4. Check for token revocation — The token may have been manually revoked by another team member
  5. Check your IP whitelist — If your token was configured with IP restrictions, your current IP may be blocked

If none of these resolve it, generate a new token and update your software. This is almost always the fastest solution.
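The security advice above (tokens in environment variables or a secrets manager, never in source code) and the troubleshooting checklist (expiry, NIP mismatch, wrong environment) can both be enforced before the first API call is made. The module below is an added example, not the article's or any vendor's code: it reads the token and settings from environment variables, refuses to start without a token, derives the endpoint from the environment name using the two endpoints the article names, validates the NIP checksum (10 digits, weights 6-5-7-2-3-4-5-6-7, sum mod 11 equal to the last digit), and returns a list of preflight problems a support engineer would otherwise discover one by one. The variable names KSEF_ENV, KSEF_TOKEN, KSEF_NIP, KSEF_TOKEN_EXPIRES and KSEF_ENDPOINT are this example's own assumptions, not KSeF or vendor settings; the sample NIP and token are constructed.

```python
import os
from dataclasses import dataclass
from datetime import date
from typing import List, Mapping, Optional

# Endpoints as named in the article's troubleshooting step 3.
KSEF_ENDPOINTS = {
    "production": "ksef.mf.gov.pl/api",
    "test": "ksef-test.mf.gov.pl/api",
}

# Polish NIP checksum weights for the first nine digits.
NIP_WEIGHTS = (6, 5, 7, 2, 3, 4, 5, 6, 7)


def normalise_nip(nip: str) -> str:
    """Strip the separators commonly typed into settings pages (123-456-32-18)."""
    return nip.replace("-", "").replace(" ", "")


def nip_is_valid(nip: str) -> bool:
    """Checksum test for a 10-digit NIP; a remainder of 10 is never a valid check digit."""
    digits = normalise_nip(nip)
    if len(digits) != 10 or not digits.isdigit():
        return False
    remainder = sum(int(d) * w for d, w in zip(digits[:9], NIP_WEIGHTS)) % 11
    return remainder != 10 and remainder == int(digits[9])


def mask_token(token: str) -> str:
    """Keep only a short prefix so logs can identify which token was used without leaking it."""
    return token[:4] + "****" if len(token) > 4 else "****"


@dataclass(frozen=True)
class KsefSettings:
    environment: str
    endpoint: str
    nip: str
    token: str
    token_expires: Optional[date]


def load_settings(environ: Optional[Mapping[str, str]] = None) -> KsefSettings:
    """Load settings from environment variables (names are this example's assumption).
    There is deliberately no default for the token: a missing value is an error,
    never a fallback to something written in source code."""
    env = os.environ if environ is None else environ
    environment = env.get("KSEF_ENV", "").strip().lower()
    if environment not in KSEF_ENDPOINTS:
        raise ValueError(f"KSEF_ENV must be one of {sorted(KSEF_ENDPOINTS)}")
    token = env.get("KSEF_TOKEN", "").strip()
    if not token:
        raise ValueError("KSEF_TOKEN is not set; load it from your secrets manager")
    expires_raw = env.get("KSEF_TOKEN_EXPIRES", "").strip()
    expires = date.fromisoformat(expires_raw) if expires_raw else None
    # Optional override, so a mis-configured endpoint can be detected in preflight.
    endpoint = env.get("KSEF_ENDPOINT", "").strip() or KSEF_ENDPOINTS[environment]
    return KsefSettings(environment, endpoint, normalise_nip(env.get("KSEF_NIP", "")), token, expires)


def preflight_problems(settings: KsefSettings, expected_nip: str, today: date) -> List[str]:
    """Run the article's troubleshooting steps 1-3 before any API call is attempted."""
    problems: List[str] = []
    if settings.token_expires is not None and settings.token_expires < today:
        problems.append(f"token {mask_token(settings.token)} expired on {settings.token_expires}; "
                        "generate a new one in the KSeF portal")
    if not nip_is_valid(settings.nip):
        problems.append(f"NIP {settings.nip!r} fails the checksum; check the settings page")
    elif settings.nip != normalise_nip(expected_nip):
        problems.append("NIP in settings does not match the NIP the token was generated for")
    if settings.endpoint != KSEF_ENDPOINTS[settings.environment]:
        problems.append(f"endpoint {settings.endpoint} does not belong to the "
                        f"{settings.environment} environment")
    return problems


# Constructed sample configuration: an expired test token for a fictional NIP.
SAMPLE_ENV = {
    "KSEF_ENV": "test",
    "KSEF_TOKEN": "constructed-sample-token-value",
    "KSEF_NIP": "123-456-32-18",
    "KSEF_TOKEN_EXPIRES": "2026-05-10",
}

if __name__ == "__main__":
    settings = load_settings(SAMPLE_ENV)
    for problem in preflight_problems(settings, "1234563218", date(2026, 5, 20)):
        print("PREFLIGHT:", problem)
```

Call load_settings() with no argument in production so it reads the real process environment, and run preflight_problems() at startup; an empty list means the three cheapest causes of "authentication error" are already ruled out.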


Summary: Token Management Checklist

  • Assign a named "KSeF token owner" in your organisation
  • Generate tokens with a clear naming convention
  • Set tokens to 365-day validity where possible
  • Set calendar reminders two weeks before each token expiry
  • Store tokens in a secure vault, never in plain text
  • Maintain a token inventory with entity, expiry, and responsible person
  • Test new tokens before deactivating old ones
  • Never use production tokens in the KSeF test environment
  • For multi-entity businesses: one token per NIP, not shared