E-Invoice System
Q.1 Who can generate the IRN from the e-invoice system?
Presently, IRN can be generated only by the tax payers who have been notified. That is, tax payers whose turnover is more than Rs. 500 Crores.
Q.2 How many rounds of testing of APIs have to be made on the sandbox system to get the production access?
All APIs have to be tested on the sandbox environment. Each API with at least 50 success cases and 50 failed cases with different errors to be tested.
Q.3 Which is the algorithm used for encryption and decryption of data?
The asymmetric algorithm (RSA/ECB/PKCS/Padding) and symmetric algorithm AES256 (AES/ECB/PKCS/Padding) along with SEK is used to encrypt the request payloads of the POST API methods and to decrypt response payloads. It may be noted that SEK is generated and passed by the e-invoice system while sending the authentication token.
Q.4 Whether e-invoice generated is also required to be signed again by the taxpayer?
- Signing of invoice is required by the rules notified by the Government of India. A placeholder for digital signature has been added in the e-invoice schema and hence if a signed e-invoice is sent to IRP, the same will be accepted.
- The e-invoice will be digitally signed by the IRP after it has been validated. The signed e-invoice along with QR code will be shared with creator of document as well as the recipient.
- Once it is registered, it will not be required to be signed by anyone else.
Q.5 Can the seller place their LOGO in the e-invoice template?
- There will NOT be a place holder provided in the e-invoice schema for the company logo.
- This is for the software company to provide in the billing/accounting software so that it can be printed on his invoice using his printer. However, the Logo will not be sent to IRP. In other words, it will not be part of JSON file to be uploaded on the IRP.
Q.6 Is there any change in the e-way bill generation after introduction of e-invoice system?
As of now, there is no change in the generation of e-way bill process. It will exist along with the e-invoice system. There will be additional facility in future to generate the e-way bill based on the IRN.
Q.7 Can I generate e-way bill using IRN?
Yes, there will be one more API, released shortly, to generate the e-way bill based on IRN and Part-B details.
Q.8 At present the e-Invoice API is for those GSTIN where turnover is > 500 crore. What about small traders? Please let us know if you planning to have an offline tool for preparing e-Invoice? Or developing the URL where we can enter the data for generation of e-Invoice.
As of now, the criteria for e-Invoice is turnover greater than 500 crore. There will be government notifications on the change in eligibility criteria. Yes, there will be offline tool and web portal.
Q.9 Should we whitelist our IPs to access Sandbox APIs?
There is no need for whitelisting the IPs to test on the Sandbox.
Q.10 How do the customers and GSPs test the APIs?
Testing can be done using GSPs virtual GSTINs for different states.
REGISTRATION
Q.1 E-invoice system is showing my old email id or mobile number. How should I get it changed?
E-invoice system is using the email id and mobile number, registered by the taxpayer on the GST Common Portal, for communication purpose. If it is old, get is updated with latest on the common portal and communicate to us at so that we can cross-verify and update on the sandbox for accessing the credentials. If you are a GSP, then get it updated with GSTN and request them to communicate to us so that it can be updated.
Q.2 My one business unit has GSTIN in each state based on same PAN. Can I use same API credentials to access to the API system?
There are two types of API credentials – Client Id and Client Secret, and Username and Password. Client Id and Client Secret is provided to the notified tax payer and the tax payer can use it for all the business units registered in different states, based on the same PAN. Whereas the Username and Password is created for each GSTIN. That is, one business, registered in different states, need to create separate username and password for each registered unit/GSTIN.
Q.3 What if email id and mobile number is not matching?
Make sure you use the email id and mobile number entered by you in the GST portal.
Q.4 For Sandbox testing of E-Invoicing at the time of registration it is giving message that: “Sorry Your GSTIN is not Shortlisted for E-Invoice API.”
Presently it is activated only for GSTINs with turnover more than 500 crore. In case you come under this category, contact GSTN.
LOGIN
Q.1 How and where can I get the credentials to access the APIs?
GSP and tax payer can get the API credentials using the online registration option under ‘Login’ system on this portal.
Q.2 Where can I get the URL or end points of APIs?
On logging into the testing portal, one can get the end points of APIs for sandbox system.
Q.3 Where can I get the Public Key of e-invoice system?
On logging into the testing portal, one can get the public key of the e-invoice system for sandbox system.
Q.4 Do I need to generate the token for each transaction or request?
It is not advisable to request for new token before firing each transaction. Once the token is generated it can be re-used any number of times till it get expired. Even if new request for token is made, the system returns the already generated valid token with an expiry time. The best practice is, once the token is generated, store in the tax payer system along with SEK and expiry time. Next, whenever the transaction request is made, token can be referred from the system and used. If it has expired, then request for new token and store and use it.
Q.5 What happens if the same request or same transaction is fired multiple times?
It is not advisable to send the same request or same transaction continuously or multiple times. However, based on the response of the transaction, the tax payer system to act upon rather than firing again. If it happens so, then the e-invoice system will block that user’s requests for one hour and so.
Q.6 What is the purpose of the parameter “ForceRefreshAccessToken” in authentication API?
ForceRefreshAccessToken parameter of Authentication API can be used by the tax payer system to generate the new token, just 10 minutes before the expiry of the token. Basically, the tax payer system can use it to avoid failure of the transaction fired after expiry of the token.
Q.7 What is the validity of the authentication token?
Authentication token generated by the e-invoice system is valid for 6 hours on the production system. However, for effective testing by the developer, it has been set for 1 hour in the sandbox.
Q.8 Who has to generate the Appkey?
Appkey is generated by the API consuming application. It is a 32 byte AES key.
Q.9 As you have mentioned in the FAQs that “Both e-way bill and e-invoice co-exist and the authentication token generated on one system can be used with other system within the expiry time”. Does that mean the GSP/ASP use the e-Way Bill username and password of the taxpayers (generated in e-Way Bill system while registering our GSP) in the e-Invoice portal to generate the authtoken?
In case the tax payer is using the API through GSP, the GSP will provide the ClientId and ClientSecret to the tax payer. GSP will not have the taxpayer’s user id and password. On the production environment (when made available), if the taxpayer has generated the token using a set of credentials (client Id, GSTIN, user Id, password) using one system, then same token can be used for calling other system API. In Sandbox, the credentials are different for each service.
Q.10 We are getting error while decrypting SEK. We are doing it using App key.
JAVA Error is: java.security.InvalidKeyException: Invalid AES key length: 44 bytes. Please help.
App key should be byte array (byte[ ]) of 32 bytes length e-invoice API.
Q.11 How to decrypt the SEK received?
Same App Key that was sent in auth request only needs to be used to decrypt the SEK that has come as the response to the API call using Symmetric AES algorithm.
Q.12 Where to get the public key for encrypting the password and App key?
Please log in to https://einv-apisandbox.nic.in/einvapiclient/ using your generated credentials. To the right side, you will get an option to download the public keys.
GENERATION OF IRN
Q.1 Whether the IRN is to be captured in the Supplier’s ERP?
- The IRN (hash) will be generated by IRP (register) using GSTIN of supplier or document creator, financial year and the unique serial number of the document/ invoice along with the document type.
- The serial number of invoice must be unique for a GSTIN for a Fin Year and the same has to be captured by Supplier’s ERP.
- Supplier has to keep the IRN against each of its invoice, once received by the seller from the IRP. It will be advisable to keep the same in the ERP as invoice without IRN will not be a legal document.
Q.2 There are certain fields today which are optional and some mandatory. How are these to be used?
- The mandatory fields are those that MUST be there for an invoice to be valid under e-Invoice Standard.
- The optional ones are those that may be needed for the specific business needs of the seller/business. These have been incorporated in the schema based on current business practices in India.
- The registration of an e-invoice will only be possible once it has ALL the mandatory fields uploaded into the Invoice Registration Portal (IRP).
- An optional field not having any value can be reported with null or can be omitted from the payload.
Q.3 I am trying to generate IRN from einv-apisandbox.nic.in. However I am getting error code 5001 every time with following detail:
{“Status”:0,”ErrorDetails”:[{“ErrorCode”:”5001″,”ErrorMessage”:”Application Error, Please Contact the help desk Padding is invalid and cannot be removed.”}],”Data”:null}
Please check whether the encryption is happening correctly using the decrypted SEK. You may use the facility in the developer test portal where you can encrypt the same payload using the decrypted SEK and compare the encrypted output from your function with same payload and SEK.Make sure you have decrypted the SEK received using the App key using symmetric algorithm before using the same as key for encryption.
Q.4 We are able to consume the e-invoice API. However we are stuck in decrypting the Generate IRN Response.
Please help.
The details are provided in the API documentation along with sample code in C# and Java at https://einv-apisandbox.nic.in/ The response is encrypted using the SEK using symmetric algorithm, so please decrypt using the SEK.
Q.5 e-Invoice/ Generate IRN API allows for maximum of 1000 line items per document whereas Generate e-Way Bill API allows maximum of 250 line items per document. Can you please confirm whether Generate e-way bill API will be changed now to sync allowing of line item count in e-way Bill APIs?
e-Invoice will have 1000 line items, and when the e-way bill generated from it, e-way bill have high value 250 items with total invoice value. This is followed in current e-way bill system also.
Q.6 Could you please let us know if taxpayer system could generate the IRN on their own using the SHA256 algorithm logic (or) we need to mandatorily get the information from IRP.
Just generation of IRN is not the goal of the e-Invoice system. Registering the invoice with the IRP is the actual requirement (Given the logic of generation of IRN, anybody can generate it, but unless it is registered, it has no authenticity). As the IRP anyway has to generate the IRN (atleast to check whether tax payer generated IRN is correct), there is no need to generate IRN by tax payer.
SIGNED QR
Q.1 Should there be a space provided for the QR Code in the e-invoice?
- The QR code will be provided to the seller once he uploads the invoice into the Invoice Registration system and the same is registered there.
- Seller must print the QR code on the printed Invoice.
Q.2 We successfully generated e-Invoice and got SignedInvoice, SignedQRcode raw data. Going further please help us to decode and verify the signature.
The data is signed using JSON Web Signature, details can be obtained from the web. The signed token has 3 parts, header, data and signature, these three are separated by (dot). After splitting the 3 parts, you can decode the first 2 parts of content with base64 decode.
Q.3 Will there be any mechanism/platform provided to taxpayers to view/validate Signed QR Code’s data in plain text and confirm whether it is an authentic IRP registered IRN or not ?
There will be provision to validate the QR code off line, as well as there will be facility to upload the signed QR code to the portal and get it verified. Details will be shared later.
Q.4 Do we need a public JWK set to verify this JWT? If yes how can we access the public JWK set?
To verify the signed Invoice and the QR code, the public key of the certificate which is used to sign is required. This public key is same as that has been used for encrypting the password and App key. The key for sandbox environment is available for download in the e-Invoice sandbox API developer’s portal.
Q.5 Please suggest whether QR Code of signed data needs to be printed or QR Code of decoded data must be printed for B2B(Business-to-Business) E-Invoice PDF to be issued/ maintained/ shared by suppliers having turnover of more than 500 crore with their buyers?
Signed QR Code data, passed as the response of IRN generation, has to be printed along with the signature on the invoice. You can see these QR code on the web version of e-invoice system that is, going to be released shortly.
MISCELLANEOUS
Q.1 There is no version number in API end points, is this final or in future you are going to introduce versions?
As of now, in the trial, there is no version number. In future, version number would be part of the end point for subsequent versions.
Q.2 Taxpayers or the GSPs will be allowed to access the production environment by whitelisting maximum upto 4 Indian static IP addresses.
For production, if we don’t have a static IP address, is there any alternative to access to the GST network? Is it a mandatory requisite?
For production, access is allowed only through the white listed IP addresses of India.
