Where authentication fits
When an integrated system sends invoices to eTIMS, KRA needs to know the request comes from a registered, authorised business and control unit. Authentication is that identity check: the system presents credentials, and KRA accepts or rejects the connection.
The credentials are tied to your onboarding, your business and your control unit. Because the precise scheme, fields and endpoints are defined and updated by KRA, the only reliable source is the official eTIMS API documentation or a certified integrator who builds to it.
How to approach eTIMS authentication as a developer
1. Onboard the business and control unit first
Authentication credentials come from a completed eTIMS onboarding. Make sure the business and its control unit are registered before you build.
2. Get the official API documentation
Work from KRA's official eTIMS API documentation for the current authentication scheme, fields and endpoints. Do not rely on second-hand or outdated descriptions.
3. Implement against the sandbox
Build and authenticate against the eTIMS sandbox environment first, so you can test without touching live records.
4. Handle credential storage securely
Store credentials securely and follow good practice for secrets, since they authorise transmitting invoices on the business's behalf.
5. Validate then go live
Once authentication and a full invoice flow work in the sandbox, move to live and monitor the first transmissions closely.
Mistakes to avoid
Building from unofficial specs
Authentication details change and are owned by KRA. Building from a blog or an old copy leads to failures. Use the official documentation.
Skipping the sandbox
Testing authentication against live is risky. Validate in the sandbox first.
Mishandling credentials
Credentials authorise invoice transmission. Store them securely and never expose them in client code or logs.
Ignoring onboarding
Without completed onboarding there are no valid credentials. Register the business and control unit first.
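One way to apply the sandbox-first and credential-handling advice above, as an added example that is not KRA's or Veira's code: the loader defaults to the sandbox, keeps a separate credential set per target, fails closed when one is missing, and a logging filter scrubs the values before any record is written. The environment variable names (`ETIMS_TARGET`, `SANDBOX_ETIMS_CLIENT_ID` and so on) are hypothetical and are not eTIMS field names; take the real fields from the official documentation.

```python
import logging
import os

# Hypothetical names chosen for this example; they are not KRA field names.
_REQUIRED = ("ETIMS_CLIENT_ID", "ETIMS_CLIENT_SECRET")


def load_etims_config(env=os.environ):
    """Use the sandbox unless live is requested explicitly, and fail closed
    if the credentials for the chosen target are missing."""
    target = env.get("ETIMS_TARGET", "sandbox").lower()
    if target not in ("sandbox", "live"):
        raise ValueError(f"unknown ETIMS_TARGET: {target!r}")
    # One credential set per target, so sandbox secrets never reach live.
    prefix = target.upper() + "_"
    creds = {}
    for name in _REQUIRED:
        value = env.get(prefix + name, "")
        if not value:
            raise RuntimeError(f"missing {prefix + name}; refusing to start")
        creds[name] = value
    return {"target": target, "credentials": creds}


class RedactSecrets(logging.Filter):
    """Replace known credential values with a marker before a record is emitted."""

    def __init__(self, secrets):
        super().__init__()
        # Skip very short values so unrelated text is not mangled.
        self._secrets = [s for s in secrets if len(s) >= 6]

    def filter(self, record):
        message = record.getMessage()  # apply format args first, then scrub
        for secret in self._secrets:
            message = message.replace(secret, "[REDACTED]")
        record.msg, record.args = message, None
        return True


def install_redaction(handler, config):
    """Attach the filter to a handler so every logger writing to it is covered."""
    handler.addFilter(RedactSecrets(config["credentials"].values()))
    return handler
```

The filter scrubs the formatted message only; exception tracebacks rendered by the handler's formatter are not covered, so avoid putting credentials in exception text.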
A worked example
A developer building a POS integration started by trying to authenticate from a forum example and kept getting rejected.
Switching to KRA's official eTIMS API documentation, completing the onboarding to obtain valid credentials, and testing against the sandbox got authentication working cleanly. Only then did they connect the live invoice flow.
Authentication is straightforward when built from the official spec against the sandbox, and frustrating when built from second-hand descriptions.
Trading without eTIMS-compliant tax invoices risks KRA penalties, blocked VAT input claims for your customers, and receipts a business buyer cannot expense.
Veira signs every sale to KRA eTIMS automatically, so each receipt is compliant the moment it prints, with no separate device to reconcile.
How Veira helps
If you would rather not build and maintain an eTIMS integration yourself, Veira provides compliant invoicing out of the box, with the authentication, signing and transmission handled for you.
That lets a business be compliant without a developer maintaining an API connection. See how Veira works or book a demo.