ZATCA Phase 2 IntegrationE-Invoicing API Saudi ArabiaFatoora Portal Developer GuideUBL 2.1 XML ZATCACSID Cryptographic StampB2B Clearance APISaudi Tax Tech 2026ERP API MiddlewareCustom Software KSA

ZATCA Phase 2 E-Invoicing: Technical API Integration Guide for Developers in 2026

By Devbricks Team·
ZATCA Phase 2 E-Invoicing: Technical API Integration Guide for Developers in 2026

The digitalization of the Saudi Arabian economy under Vision 2030 has reached a critical inflection point. For enterprises, retailers, and B2B service providers operating in the Kingdom, the grace periods are over. The Zakat, Tax and Customs Authority (ZATCA) is rigorously enforcing Phase 2 of the E-Invoicing (Fatoora) mandate across successive waves of taxpayers in 2026.

Failing to comply with ZATCA Phase 2 is no longer just an administrative headache; it results in immediate, severe financial penalties, the suspension of government services, and the inability to legally conduct B2B transactions.

However, achieving compliance in Phase 2 is an immensely complex engineering challenge. Unlike Phase 1, which merely required generating a compliant invoice with a basic QR code on a local machine, Phase 2 demands real-time, bidirectional API communication between your company’s internal billing software and ZATCA’s central servers.

For Chief Technology Officers (CTOs) and lead developers, the mandate requires architecting a highly secure, fault-tolerant integration layer capable of generating cryptographic hashes, structuring data into strict UBL 2.1 XML formats, and handling API clearance in milliseconds.

This is the definitive, authoritative 2026 technical guide to ZATCA Phase 2 API integration. Whether you are upgrading a legacy SAP/Oracle ERP or building a custom enterprise web application from scratch, this roadmap will navigate you through the technical labyrinth of the Fatoora portal.

Chapter 1: The Paradigm Shift – Phase 1 vs. Phase 2

To understand the architectural requirements, developers must first understand the fundamental shift in ZATCA’s technical strategy.

Phase 1 (The Generation Phase): Implemented in late 2021, Phase 1 was essentially an offline mandate. It required businesses to stop using manual, handwritten invoices. Electronic Point of Sale (POS) systems and ERPs had to generate a digital invoice containing specific fields (VAT number, timestamp, total amount) and render a Base64 encoded QR code on the printed or PDF receipt. The data stayed on the company's local servers. There was no internet connection required to ZATCA.

Phase 2 (The Integration Phase): Phase 2 transforms the Saudi tax landscape into a live, monitored ecosystem. It requires electronic invoice generation systems to be directly linked to ZATCA via APIs.

  • Your system can no longer just generate a PDF and send it to the client.

  • Your system must generate the invoice data, structure it, digitally sign it, and send it to ZATCA's servers via the internet.

  • For certain transactions, you cannot even share the invoice with your buyer until ZATCA’s servers have received the API call, validated it, and responded with an official "Clearance" stamp.

This transition requires robust API integration services to bridge the gap between internal sales data and external government compliance portals.

Chapter 2: B2B vs. B2C – The Two API Workflows

ZATCA dictates two entirely different API workflows depending on the type of transaction. Your software architecture must intelligently route invoices through the correct API endpoint based on the buyer's profile.

1. Standard Tax Invoices (B2B and B2G – Clearance Flow) If your company is selling to another business (B2B) or to the government (B2G), you use a "Standard Invoice." This requires the Clearance Flow.

  • The Rule: A standard invoice is not legally valid until ZATCA clears it. You cannot send the invoice to your client until the API call is successful.

  • The Technical Flow: 1. Your ERP generates the invoice data. 2. Your system packages it into XML and sends a POST request to the ZATCA Clearance API endpoint. 3. ZATCA’s servers validate the XML schema, the hash, and the cryptographic stamp. 4. ZATCA responds with a success payload containing their official cryptographic stamp and a cleared QR code. 5. Your system integrates this cleared QR code into the final PDF/Digital invoice and then sends it to the buyer.

  • Latency Engineering: Because the buyer is waiting for the invoice to complete the transaction, your middleware must be engineered for extreme speed, handling the API round-trip in milliseconds.

2. Simplified Tax Invoices (B2C – Reporting Flow) If your company is a retailer selling to an individual consumer (B2C), you use a "Simplified Invoice." This requires the Reporting Flow.

  • The Rule: You do not need to wait for ZATCA to clear the invoice before handing the receipt to the customer. You must generate the invoice, hand it to the customer with your own generated QR code, and then report that invoice to ZATCA within 24 hours.

  • The Technical Flow:

    1. The POS system generates the invoice and your internal Cryptographic Stamp.

    2. The receipt is printed/emailed to the customer instantly.

    3. Your backend system queues the XML payload and sends it asynchronously via a POST request to the ZATCA Reporting API endpoint within the 24-hour window.

Chapter 3: The Data Payload – Mastering UBL 2.1 XML

ZATCA’s APIs do not accept standard JSON payloads for invoice data. They require a highly specific, globally recognized XML standard: Universal Business Language (UBL) 2.1.

For web developers accustomed to RESTful APIs and lightweight JSON, working with strictly validated UBL XML is one of the highest barriers to entry in Phase 2.

The Anatomy of a ZATCA XML Invoice: Your system must map your internal database fields to exactly match the ZATCA UBL schema. A single missing tag or incorrect data type will result in an immediate API rejection (a 400 Bad Request HTTP status).

Key required components include:

  • Invoice Type Code: Specifically coded to denote if it is a Standard Invoice (0100000), a Simplified Invoice (0200000), a Credit Note, or a Debit Note.

  • UUID (Universally Unique Identifier): A randomly generated 128-bit number (RFC 4122 standard) that uniquely identifies the document.

  • Invoice Hash: A Base64 encoded SHA-256 hash of the XML document before the cryptographic stamp is applied. This ensures that if even one cent is altered on the invoice after generation, the hash will break, and ZATCA will flag it as tampered data.

  • Previous Invoice Hash (PIH): To create an immutable, blockchain-like audit trail, every new invoice XML must contain the SHA-256 hash of the previously generated invoice. This creates an unbroken chain of invoices. If you delete an invoice from your database, the chain breaks, and your API calls will fail.

Developing a robust XML builder and parser is critical. When companies outsource their custom software development in Saudi Arabia, evaluating the agency's proficiency in complex data serialization is a mandatory vetting step.

Chapter 4: Cryptography and Security – CSID and CSR

Phase 2 is fundamentally an exercise in cybersecurity and cryptographic trust. ZATCA needs mathematical proof that the invoice came from your specific, registered POS or ERP system and that the data has not been altered.

To achieve this, developers must master the Cryptographic Stamp Identifier (CSID) lifecycle.

Step 1: Generating the Private Key and CSR Your application must generate an ECDSA (Elliptic Curve Digital Signature Algorithm) private key using the secp256k1 curve. This private key must be stored with maximum security (often utilizing a Hardware Security Module or secure cloud key management) and must never be transmitted over the internet. Using this private key, your system generates a Certificate Signing Request (CSR). This CSR contains your company's Tax Identification Number (TIN), device serial number, and organization name.

Step 2: Obtaining the Compliance CSID (CCSID) In the onboarding phase, your system sends an API request to ZATCA containing the CSR and a One-Time Password (OTP) generated from the Fatoora portal. ZATCA validates this and returns a Compliance CSID. This is a temporary certificate used strictly for API testing.

Step 3: Obtaining the Production CSID (PCSID) Once your system successfully passes the API simulation tests (proving it can format XML and handle hashes correctly), you request the final Production CSID.

Step 4: Digital Signing When generating a B2C Simplified Invoice, your system uses the private key associated with your Production CSID to digitally sign the XML invoice. This digital signature is what ZATCA validates during the Reporting Flow API call.

If your cryptography is flawed, your integrations will fail. This overlap of tax compliance and cybersecurity emphasizes why understanding PDPL and data security is vital when selecting a development team.

Chapter 5: Building the API Middleware Architecture

The most common mistake Saudi enterprises make is attempting to write ZATCA XML generators directly into their legacy ERP systems (like an ancient version of Oracle, SAP, or Microsoft Dynamics). Legacy languages (like older Java or C#) are cumbersome, and altering the core ERP code introduces massive risks of crashing the entire financial system.

The industry best practice in 2026 is to build a Custom API Middleware Layer.

How the Middleware Operates:

  1. Extraction: Your legacy ERP functions normally. When a sale is made, the ERP fires a simple, lightweight JSON payload or database webhook to the Custom Middleware.

  2. Transformation: The Middleware—ideally built on a high-performance framework like Node.js within the MERN stack—receives the JSON. It instantly transforms the data into the strict UBL 2.1 XML format.

  3. Cryptography: The Middleware calculates the SHA-256 hashes, manages the Previous Invoice Hash (PIH) chain in its own fast database (like MongoDB), and applies the digital signature using the securely stored private keys.

  4. Transmission: The Middleware handles the actual HTTP API call to the ZATCA servers.

  5. Handling Responses: If ZATCA returns a 200 OK (Clearance), the Middleware parses the response, extracts the official ZATCA QR code and cryptographic stamp, packages it back into a simple JSON, and sends it back to the ERP to generate the final PDF.

Why Middleware is Superior:

  • Decoupling: If ZATCA updates their API endpoints or XML schema requirements (which happens frequently), you only update the agile Middleware codebase. You never have to touch or risk breaking your fragile legacy ERP.

  • Queue Management: If ZATCA's API experiences downtime, or your company's internet drops, the Middleware acts as a buffer. It queues the B2C reporting invoices and automatically retries the API calls when the connection is restored, ensuring you never miss the 24-hour reporting window.

Chapter 6: Navigating the Fatoora Developer Portal and Sandbox

ZATCA provides a robust developer ecosystem, but navigating it requires a structured approach. You cannot simply build the code and push it to production.

1. The Developer Portal (Sandbox) ZATCA offers a Sandbox environment. Here, developers can test their API calls using dummy TIN numbers and mock data. This environment is highly forgiving and is used to verify that your basic HTTP requests, headers (like Accept-Version and Accept-Language), and Base64 encodings are structurally correct.

2. The Simulation Environment This is the proving ground. You must connect your system using your actual company TIN. In this environment, ZATCA simulates the live production servers. Your system must successfully complete a rigorous series of automated tests:

  • Generate a Standard Invoice.

  • Generate a Simplified Invoice.

  • Generate Credit and Debit notes linked to original invoices.

  • Successfully manage the PIH (Previous Invoice Hash) chain across multiple calls.

Only when your software passes 100% of the Simulation API tests will ZATCA issue the final Production CSID allowing you to go live.

Chapter 7: The "Buy vs. Build" Dilemma for ZATCA Integration

Many global ERP providers offer "ZATCA integration add-ons." However, local enterprises often find these plugins to be prohibitively expensive, charging massive recurring fees based on "invoice volume" (API call volume). Furthermore, these generic plugins often struggle with localized Saudi business workflows or custom invoice fields unique to your specific industry.

This brings us to the crucial SaaS vs. Custom Software debate.

By partnering with a top-tier software house to build custom ZATCA middleware, Saudi enterprises gain total digital independence.

  • Zero Volume Penalties: You own the middleware. Whether you generate 100 invoices a day or 100,000, your software costs do not increase.

  • Absolute Customization: The middleware can be tailored to pull data from multiple fragmented systems (e.g., combining data from your inventory software and your accounting software) before generating the final ZATCA XML.

  • Speed to Deployment: Rather than waiting months for a global ERP vendor to patch their software for a new ZATCA update, your dedicated local development team can adjust the custom middleware routing in a matter of hours.

When evaluating your IT budget, reviewing a transparent website development cost breakdown reveals that a one-time investment in custom middleware yields a drastically higher ROI over a three-year timeline than renting third-party API connectors.

Conclusion: Integration is the Backbone of Vision 2030

ZATCA Phase 2 E-Invoicing is not merely a tax collection mechanism; it is the foundational layer of Saudi Arabia's digitized, data-driven economy.

Attempting to bypass the technical complexities with manual workarounds or cheap, non-compliant software will inevitably lead to API failures, halted business operations, and severe government penalties. By investing in robust, custom-engineered API middleware, your enterprise not only achieves seamless tax compliance but also modernizes its entire internal data architecture, preparing your business to scale aggressively in the Vision 2030 era.

Are you struggling to connect your legacy ERP to the ZATCA Phase 2 APIs? Explore our case studies to see how our engineering teams have successfully architected compliant, high-speed middleware for major Saudi enterprises.

📣 CTA 📩 Want to build scalable, legally compliant IT solutions for your Saudi business?

📞 WhatsApp: +92 334 1780699 , +966 54 1682383

🌐 devbrickstech.com — Free consultation

🔗 Connect with us: LinkedIn | Facebook

← Back to BlogApril 22, 2026