Q.1 How could a taxpayer/GSP get credentials to access the APIs?
Ans. A taxpayer/GSP can obtain credentials on the https://einv-apisandbox.nic.in/ portal. They need to register themselves under the portal by using the login tab.
Q.2 Form where can a taxpayer/GSP obtain the URL or endpoints of APIs?
Ans. A taxpayer/GSP need to login to the testing portal to get the endpoints of APIs for the sandbox system.
Q.3 Company A has business units in different states with different GSTINs but registered under the same PAN. Can same API credentials be used for accessing API at different locations?
Ans. There are two category of credentials for logging-in to the e-invoice system:
I. Client ID and Client Secret: This is for the notified taxpayer and can be used for all the business units registered in different states under the same PAN.
ii. Username and password: This can only be created separately for each GSTIN.
Q.4 For whom the e-invoice APIs available for its access?
Ans. E-invoice APIs are available for:
- Registered taxpayers with a turnover more than Rs.500 crore.
- Registered GSPs under GST.
Q.5 Who can generate IRN under the e-invoice system?
Ans. E-invoicing has currently been (on 1st January 2021) notified for registered taxpayers with a turnover greater than Rs.100 crore in FY 19-20 (Except Special Economic Zones (SEZ) units, insurance, banking, any financial institutions, and passenger of transportation service and supply of movie tickets. Only these notified taxpayers will need to generate the IRN for his or her supplies/sales.
Q.6 Where can individual find the Public Key of the e-invoice system?
Ans. An Individual can get the Public Key of the e-invoice system by logging into the testing portal.
Q.7 Can a taxpayer generate e-way bills using IRN?
Ans. Yes, a taxpayer will generate e-way bills using IRN. There will be no change within the generation of e-way bill processes.
Q.8 Is a taxpayer required to generate a token for each transaction?
Ans. It is not stated to raise a new token for each transaction However; once a token will be generated then it can be used multiple times till the time it will be expired.Â
- If in case, a new request has been made, the system will throw back the prior valid token along with expiry time and for making a new request, a taxpayer can ask the already generated token from the system. If the token has expired, he can raise a latest one.
Q.9 What happens if the same request is raised multiple times?Â
Ans. It is not stated to raise the same request many times however, if a taxpayer does so, the e-invoice system may block the user’s request for one hour or so on.
Q.10 What is the intent of using ‘Force Refresh Access Token’ under Authentication API?
Ans. A taxpayer can use ‘Force Refresh Access Token’ provision to create a new token just 10 minutes before the expiry of the previous token to avoid failure of a transaction after the expiry of a token.
Q.11 Can the same token be used for the creation of e-way bills and e-invoice?
Ans. Yes, the same token can be used to generate both i.e. e-way bills and e-invoice. But, an equivalent should be done within the expiry of the token.
Q.12 Can a taxpayer print QR code on its invoice?
Ans. Yes, a taxpayer can print QR code by using the ‘Generate IRN’ API before issuing it to the party.
Q.13 How does a signed invoice be verified?
Ans. A signed invoice can be verified by the following points:
- Use ‘Generated IRN’ API to get the signed invoice back. The details of signed invoice are provided as per JWT and JWS standard, which contains the info signature and signing algorithm provisions.
- Further, public key is required to verify the signed invoice and the QR code.Â
- The public key is used for encrypting the password and app key.Â
- The key for the sandbox environment is out there for download the e-invoice sandbox API developer’s portal.*SHA256 RSA algorithm is employed for digital signatures
Q.14 Which algorithm is used for encryption/decryption of data?
Ans. The symmetric algorithm AES256 (AES/ECB/PKCS7Padding) and therefore the asymmetric algorithm (RSA/ECB/PKCS1Padding) is employed along side SEK, to encrypt the request payloads of the POST API methods and to decrypt response payloads.
Q.15 For how long is the authentication token valid?
Ans. An authentication token is valid for 6 hours on the assembly system. But, for effective testing by the developer, it’s set for one hour within the sandbox.
Q.16 How many rounds of API testing have to be made on the sandbox system to get the production access?
Ans. Each API must be tested on the sandbox environment. Each API will need to have a minimum of 50 success cases and 50 failed cases. A system generated MIS report is going to be provided under ‘API developer is testing’, application to work out what percentage cases are tested by the taxpayers. On the idea of this report, the system will decide whether a taxpayer is qualified for production access or not.
Q.18 Why am I getting ‘Invalid Auth Token’ error while generating an e-invoice through API?
Ans. Auth Token for generating e-invoice is going to be active for 6 hours since the primary successful login. Even if the Auth API is named again before six hours, an equivalent token are going to be returned and therefore the time isn’t reset. Hence, you’ve got to get a replacement Auth token when it expires after six hours.
