Step-by-Step E-Invoicing Integration Framework for Saudi Arabia
Last updated: March 30, 2026
ZATCA (Zakat, Tax and Customs Authority) Phase 2 requires all taxable businesses in Saudi Arabia to integrate their systems for electronic invoicing. This comprehensive guide covers everything you need to know—from CSD certificates to API integration.
Generate CSR (Certificate Signing Request) through ZATCA Fatoora portal to link your POS system.
بدء الربط: إنشاء طلب توقيع الشهادة (CSR) من خلال بوابة فاتورة لربط نظامك.
Invoices must be generated in UBL 2.1 XML format including UUID, Hash, and QR Code.
إنشاء ملف XML: يجب إنشاء الفواتير بتنسيق UBL 2.1 بما في ذلك الـ UUID والهاش والرمز.
QR must be Base64 encoded TLV. Use our home page tool to verify your QR encoding.
معايير الرمز: يجب أن يكون الرمز مشفرًا بتنسيق Base64 TLV. استخدم أدواتنا للفحص.
All simplified tax invoices must be reported within 24 hours of generation.
الإبلاغ اللحظي: يجب الإبلاغ عن جميع الفواتير الضريبية المبسطة في غضون 24 ساعة.
Phase 2 is the mandatory integration phase where taxpayers must connect their systems directly to ZATCA's Fatoora portal via APIs. Unlike Phase 1 (which only required QR codes on invoices), Phase 2 requires real-time or near-real-time submission of invoice data. This ensures greater tax transparency and fraud prevention.
A CSD certificate is mandatory for Phase 2. It enables digital signing and cryptographic stamping of invoices. You must obtain it from ZATCA-approved providers like Geotrust or Digicert. The certificate acts as your business's digital identity when communicating with the Fatoora portal. Without it, your e-invoices will be rejected.
All invoices must be generated in the standardized UBL 2.1 XML format. This includes specific fields for seller/buyer details, line items, VAT amounts, and cryptographic stamps. The XML must be schema-validated before submission. Use our XML Validator tool to check your files.
The QR code must contain a cryptographic stamp encoded in TLV (Tag-Length-Value) format and then Base64 encoded. It includes seller name, TRN, timestamp, invoice total, VAT amount, and digital signature. The QR code must be printed on paper invoices or displayed on digital invoices.
Clearance model (B2B): Real-time validation by ZATCA before buyer receives invoice. The invoice must be submitted synchronously, and ZATCA returns a "cleared" or "rejected" status. Reporting model (B2C): Submit within 24 hours of issuance. No real-time validation. Choose based on your transaction type and customer classification.
Step 1: Register on ZATCA Fatoora portal. Step 2: Generate CSR and obtain CSD certificate. Step 3: Generate API credentials (client_id, client_secret). Step 4: Implement XML generation in UBL 2.1 format. Step 5: Implement QR code generation with TLV encoding. Step 6: Test all APIs in ZATCA Sandbox environment. Step 7: Apply for production access. Step 8: Go live with clearance or reporting model.
| Endpoint Name | URL | Method |
|---|---|---|
| Clearance (B2B) | https://api.fatoora.zatca.gov.sa/api/v1/invoice/clearance | POST |
| Reporting (B2C) | https://api.fatoora.zatca.gov.sa/api/v1/invoice/reporting | POST |
| CSR Generation | https://api.fatoora.zatca.gov.sa/api/v1/csr | POST |
| Compliance Check | https://sandbox.fatoora.zatca.gov.sa/api/v1/compliance | POST |
A: Deadlines vary by business revenue. Large taxpayers (over SAR 3 million) have earlier deadlines. Small and medium businesses have extended timelines. Check your ZATCA portal for your specific integration date.
A: Yes, unless your POS provider offers built-in ZATCA integration. API development requires technical expertise in PHP, REST APIs, XML generation, and cryptography.
A: No. Free SSL certificates (like Let's Encrypt) are NOT accepted. You must purchase a paid CSD certificate from ZATCA-approved providers like Geotrust or Digicert.
A: ZATCA may impose penalties up to SAR 50,000 and suspend your e-invoicing privileges. Your business will not be able to issue compliant e-invoices.
A: Typically 5-10 business days after submitting all required documents to an approved provider. Plan well before your integration deadline.
A: ZATCA provides a Sandbox (Simulation) environment at https://sandbox.fatoora.zatca.gov.sa. Test all API calls before going live.