Qoyod
Pricing

Knowledge Base

Onboarding with the Fatoora Platform: A Step-by-Step Guide

Before your business can issue its first digitally signed invoice, it must pass through a single gateway: setting up its account and linking it to the Fatoora platform run bythe Zakat, Tax and Customs Authority (ZATCA). This journey, known as Onboarding, is the step that moves a business from Phase One (Generation) to Phase Two (Integration) of the e-invoicing.

Many business owners confuse “registering in the system,” “technical integration,” and “device onboarding.” In reality these are sequential stages, each with its own requirement and outcome. This guide breaks the onboarding journey down step by step: from preparing your data, through requesting a One-Time Password (OTP) and generating a Certificate Signing Request (CSR), to receiving the Compliance certificate and then the Production certificate that signs every live invoice.

Here we focus on the onboarding sequence and its requirements on the business side. As for the deep technical side of the APIs and how data is exchanged with the Authority in real time, we have devoted a separate guide you can refer to: Integration with the Zakat, Tax and Customs Authority.

What is Onboarding?

Onboarding is the process of registering the business’s “issuing unit” with the Fatoora platform, so it becomes able to issue digitally signed and approved invoices. The unit here may be a point-of-sale device, a branch, or a software environment inside the accounting system. Each unit needs its own cryptographic identity.

The purpose of this process is for the Authority to confirm two things: that the system the business uses is technically compliant with Phase Two requirements, and that every invoice the business issues is signed with a cryptographic stamp that proves its origin and prevents tampering. In other words, onboarding is the “formal introduction” between your accounting system and the Fatoora platform.

The importance of this step stems from the nature of Phase Two itself. In Phase One (Generation) it was enough for a business to issue its invoices through an electronic system and keep them on file. There was no direct integration with the Authority. In Phase Two (Integration), however, the Authority is not satisfied with merely issuing an electronic invoice; it requires your system to be able to communicate with it directly, and every invoice to carry a cryptographic signature issued from a certificate it has approved. Onboarding is the bridge that turns your system from an “invoice issuer” into an “entity connected to the Authority.”

This transformation does not happen automatically just because you update the system. The business must request its cryptographic certificates and prove to the Authority that its invoices meet the required structure. This is exactly where the onboarding journey lies: a sequence of steps that ends with you obtaining an approved cryptographic identity with which you sign your invoices.

It is important to distinguish between three concepts that are frequently confused:

  • VAT registration: a separate prior step done through the Authority’s portal, which grants the business its tax number. It has no direct relation to e-invoicing onboarding.
  • Onboarding: registering the issuing unit with the Fatoora platform and obtaining the cryptographic certificates.
  • Ongoing technical integration: the daily exchange of invoices with the Authority through the APIs after onboarding is complete.

When a business owner says “I want to register for e-invoicing,” they usually mean the onboarding journey as a whole: from creating the issuing-unit account, through verification, to activating signed invoices. That is why in this guide we treat “registration” and “onboarding” as one continuous journey, because from the business owner’s perspective they are a single step whose goal is to make their invoices approved by the Authority.

Three stops: tax registration, onboarding, and technical integration
The difference between tax registration, onboarding, and technical integration.
1

VAT registration

2

Onboarding with the Fatoora platform

3

Ongoing technical integration with the Authority

Onboarding is the bridge between tax registration and daily technical operation.

Prerequisites before starting onboarding

Before you open the Fatoora platform and begin the integration steps, make sure these elements are ready. Missing any one of them halts the process midway.

1. A valid tax registration

Your business must be registered for VAT and have a valid tax number. Registration is mandatory once annual taxable revenue exceeds SAR 375,000, and optional once it exceeds SAR 187,500. This tax number is what the Fatoora platform recognizes when onboarding begins.

2. Access to the Fatoora portal

You need an active account on the Fatoora platform, with permission to log in using the business’s credentials. The person performing the onboarding must be authorized, because the OTP step is tied to the business’s official account with the Authority.

3. Correct business data

Prepare the business data in its official formats: the legal name, the tax number, the commercial register, and the national address. Any error in the formatting of these identifiers leads to onboarding being rejected or to warnings appearing later when issuing invoices.

4. An accounting system compliant with Phase Two

This is the essential requirement. The system you use must be able to generate the Certificate Signing Request (CSR), produce invoices in XML format compliant with the UBL 2.1 standard, and add the QR Code and the cryptographic stamp. Accounting software such as Qoyod handles these technical requirements on your behalf, so you don’t need to write any code.

Onboarding requirements before integration
Four conditions that must be met before starting onboarding with the Fatoora platform.
Before you start onboarding

A valid VAT registration

Permission to log in to the Fatoora portal

Correct and up-to-date business data

An accounting system compliant with Phase Two

Meeting all four requirements makes onboarding smooth and uninterrupted.

Who is responsible for each step? The business vs. the system vs. the Authority

One source of anxiety about onboarding is the ambiguity around “who does what.” In reality, the responsibilities are clearly divided among three parties, and understanding this division removes most of the confusion.

The business (you): responsible for entering correct data, holding a valid tax registration, and requesting the OTP from the Fatoora portal as the authorized owner. The decisions and the data are your responsibility.

The accounting system: handles the technical side on your behalf: generating the signing request, producing invoices in the correct format, adding the cryptographic stamp and the QR code, and managing the certificates. You do not write code or handle cryptographic keys manually.

The Authority (Fatoora platform): issues the certificates, checks your system’s compliance in the test environment, and clears standard invoices or receives reports of simplified invoices. The Authority is the approving and certifying body.

In short: you decide and enter the data, the system translates it technically, and the Authority approves. The more mature your system is, the more your role shrinks to simply entering clean data.

How long does onboarding take? And how to prepare in advance

Onboarding time varies depending on the readiness of your data and system. If your business data is accurate and your system is compliant, the journey may be completed within hours. But if the data is inconsistent or the identifiers are in the wrong format, it may stretch into days because of correction and retry cycles.

To shorten the time, before you start prepare a list of your official data in a single document: the legal name exactly as held by the Authority, the tax number, the commercial register, the national address, and the number of issuing units you plan to onboard. Review that this data matches between your accounting system and the Authority’s records before you begin, because most delays arise from a simple discrepancy in how a name or address is written.

If you manage several branches, plan the order in which you onboard them: start with one branch as a model, complete its journey fully, then repeat the process for the remaining branches once you are familiar with the steps. This gradual approach reduces errors and gives you confidence before scaling.

The onboarding journey step by step

Once the requirements are ready, the actual onboarding journey begins. The journey passes through five sequential stops, each producing an output used in the next stop.

Step 1: Generate the Certificate Signing Request (CSR)

The Certificate Signing Request is a file containing the issuing unit’s data and its public key. The accounting system generates this request automatically based on the business data you entered. The request contains the tax number, the business name, the commercial register, and the unit identifier. This file is what you upload to the Fatoora platform to request that it issue your certificate.

Technically, the system generates a pair of keys: a private key that stays inside your system and never leaves it, and a public key sent within the signing request. The Authority signs the public key so you obtain an approved certificate, while the private key remains the one that actually signs your invoices. This separation between the two keys is the foundation of the system’s security: even the Authority does not hold your private key.

The most common mistake at this stage is entering data in an incorrect format. If the commercial register format (10 digits) or the tax number (starts with the digit 3 and consists of 15 digits) is entered wrong, it produces a rejected signing request. This is why some systems provide instant validation of the identifier format before generating the request.

Step 2: Request the OTP from the Fatoora portal

The One-Time Password is what links the certificate request to your business’s official account with the Authority. You log in to the Fatoora portal, request the OTP for the issuing unit, and receive a temporary code valid for a short period.

This code proves that you are the authorized owner of the business, and that the certificate request is made with your knowledge and consent. You enter this code into your accounting system alongside the signing request, and the system sends both requests together to the Fatoora platform. Watch the code’s time validity: if it expires before you complete the submission, you must request a new one.

Step 3: Receive the Compliance certificate (Compliance CSID)

When the signing request and the OTP are accepted, the Fatoora platform issues the Compliance certificate (Compliance CSID). This certificate is not for actual production, but for testing your system’s compliance with the Authority’s requirements in a test environment (Sandbox). For full details on it, see our dedicated guide: The Compliance CSID and technical compliance certificate.

Using the Compliance certificate, your system calls the Authority’s Compliance APIs. The purpose is for the Authority to confirm that your system generates invoices according to the correct specifications before allowing it to operate for real.

Step 4: Pass the compliance checks (Sandbox)

At this stage your system sends sample invoices to the test environment: a standard tax invoice, a simplified tax invoice, a credit note, and a debit note. The Authority verifies that each sample carries the correct structure: valid XML format, a complete QR code, a valid cryptographic stamp, and a connected hash chain.

The purpose of these checks is to prove that your system applies the technical specification to the letter before it touches real data. The hash chain, for example, links each invoice to the one before it through a digital fingerprint, so an invoice cannot be deleted from the chain or its order tampered with without being detected. And the QR code carries the invoice’s essential data encoded, so any party can verify it later. Passing these samples means your system has mastered all these rules.

These checks are run on the document types you will actually issue. If you issue credit and debit notes, their samples must pass too, because they are subject to the same clearance or reporting rules that apply to the original invoice they relate to.

If all samples pass the check, your system is registered as “compliant” and moves to the final step. But if a sample fails, an error message appears explaining the reason for rejection (such as a missing field or a wrong identifier format), so you correct it and retry.

Step 5: Receive the Production certificate (Production CSID)

After passing the checks, you request the Production certificate (Production CSID) from the Fatoora platform. This is the certificate that signs every real invoice the business issues from that moment onward. Its full details are in our guide: The PCSID production certificate in e-invoicing.

Once the Production certificate is activated, your business officially moves into live operation mode. Every standard tax invoice (B2B) will be sent to the Authority for Clearance before it is delivered to the buyer, and every simplified invoice (B2C) will be reported within 24 hours. To understand the full structure of the cryptographic stamp identifier in both its types, see: The CSID and the cryptographic stamp identifier.

The onboarding journey step by step
Five steps from generating the request to the Production certificate.
The onboarding journey
1

Generate the CSR signing request inside the system

2

Request the OTP from the Fatoora platform

3

Issue the Compliance certificate (CCSID)

4

Pass the compliance checks in the Sandbox

5

Issue the Production certificate (PCSID) and start operating

Completing the five steps moves your business from onboarding to actual issuance.

The difference between the Compliance certificate and the Production certificate

Confusing the two certificates is one of the most common mistakes, so let us clarify the difference briefly.

Compliance certificate Temporary, and its function is testing. You use it in the test environment to make sure your system produces correct invoices. You do not sign any real invoice with it, and your customers never see it.

Production certificate Permanent (within its validity period), and its function is actual signing. Every live invoice that leaves your system carries a stamp signed with this certificate. It is the official cryptographic identity of your issuing unit.

The simple rule: the Compliance certificate proves that your system “knows how” to issue a correct invoice, and the Production certificate grants it “permission” to actually issue one.

The certificate lifecycle and when to renew it

The Production certificate is not permanent forever; it has a defined validity period that ends after a while. As its expiry approaches, it must be renewed by repeating part of the onboarding journey: generating a new signing request, requesting an OTP, and receiving an updated certificate. Neglecting renewal means your system loses its ability to sign invoices, which freezes the issuance of tax invoices until you resolve the matter.

This is an additional reason to choose an accounting system that manages the certificate lifecycle on your behalf. A good system tracks the certificate’s expiry date and alerts you well in advance, or handles the renewal automatically, so you are not caught out by an invoice that won’t issue on a busy working day.

Renewal also happens when essential business data changes, such as changing the legal name or restructuring branches. In these cases the issuing unit may need a new certificate reflecting the updated data, because the old certificate carries the previous data stamped inside it.

How many issuing units does your business need?

Each issuing unit needs its own certificate. The unit may be:

  • a point-of-sale device in a particular branch.
  • a full branch that issues standard tax invoices.
  • a software environment inside the accounting system that issues invoices on behalf of several points.

A small business with one branch and one accounting system may make do with a single issuing unit. A commercial chain with ten branches and twenty points of sale, however, may need multiple units, each with its own onboarding journey and separate certificate. Planning the number of units early saves you from repeating the process ad hoc later.

Common onboarding mistakes and how to avoid them

We have observed recurring patterns that halt or delay onboarding. Avoiding them shortens the journey from days to hours.

Wrong identifier formatting

The most common reason for onboarding rejection. The tax number starts with the digit 3 and consists of 15 digits, the commercial register is 10 digits, the national ID number starts with the digit 1, and the residence (Iqama) number starts with the digit 2. Any identifier in the wrong format produces a rejected signing request. A system that validates the identifier format at the moment of entry catches the error before it reaches the Authority.

OTP expiry

The OTP is valid for a short period. If you delay between requesting the code and submitting the signing request, the code expires and the request is rejected. The fix: prepare the signing request first, then request the code and submit immediately.

Confusing the test environment with production

Attempting to issue a real invoice with the Compliance certificate (designated for testing) always fails. Verify that you have completed the fifth step and received the Production certificate before running live invoices.

Mismatched business data

If the business name or address in the accounting system differs from what is registered with the Authority, warnings appear. Unify the data across all sources before starting onboarding.

How Qoyod helps you with onboarding and integration with the Fatoora platform

Qoyod is a cloud accounting software ready for Phase Two of e-invoicing, and it handles the technical side of the onboarding journey for you:

  • Automatic generation of the signing request: Qoyod builds the Certificate Signing Request (CSR) from your business data without any programming intervention from you.
  • Instant validation of identifier formats: Qoyod validates the format of the commercial register, tax number, ID, and residence number at the moment of entry in the company settings, customer files, and invoices, catching one of the most common causes of warnings before submission to the Authority.
  • Managing certificates on your behalf: Qoyod manages the cryptographic stamp identifier automatically, from the Compliance certificate for testing to the Production certificate for live signing.
  • Issuing fully compliant invoices: Qoyod produces invoices in XML format according to the UBL 2.1 standard, with the QR code, the cryptographic stamp, and the hash chain, and it handles clearance for standard invoices and reporting for simplified ones.
  • An embedded PDF/A-3 file: Qoyod merges the tax XML file inside a single PDF file for the invoice, instead of two separate files, in line with the display requirement in Phase Two.

This frees your business to focus on entering its correct data, while Qoyod translates it into invoices approved by the Authority.

What comes after onboarding is complete?

After activating the Production certificate, your business enters the daily operation phase. Here the role of ongoing technical integration begins: exchanging every invoice with the Authority in real time. Standard invoices go through clearance before being delivered to the buyer, and simplified ones are reported within 24 hours.

The requirements of this phase (the APIs, the clearance-versus-reporting mechanism, handling the Authority’s messages) are explained in detail in a separate guide. To go deeper into the technical side of the daily exchange, see: Integration with the Zakat, Tax and Customs Authority. And to understand the full security architecture of the e-invoicing system, view the Qoyod’s Phase Two compliance andFatoora platform integration in Qoyod.

Start today

Prepare your business for Phase Two with no technical complexity

Qoyod handles generating the signing request, managing certificates, and issuing invoices compliant with the Fatoora platform. You enter the data, and Qoyod connects you to the Authority.

Try Qoyod free for 14 days

Frequently asked questions

Is onboarding the same as VAT registration?

No. VAT registration is a separate prior step done through the Authority’s portal that grants you the tax number. Onboarding is registering the issuing unit with the Fatoora platform after you have a valid tax number.

What is the difference between the Compliance certificate and the Production certificate?

The Compliance certificate is temporary, for testing in the test environment, and does not sign real invoices. The Production certificate is permanent and is the one that signs every live invoice your business issues after passing the checks.

Do I need technical knowledge to complete onboarding?

No, if you use a compliant accounting system. The system generates the signing request and handles the certificates automatically. Your role is limited to entering the correct business data and requesting the OTP from the Fatoora portal.

How many issuing units does my business need?

It depends on the number of your branches, points of sale, and how you issue invoices. A small business with one branch may make do with a single unit, while multi-branch chains need separate units for each issuing point.

What happens if the signing request is rejected?

Rejection is usually due to a wrong identifier format or data that does not match the Authority’s records. Correct the data and regenerate the request. Instant validation of the identifier format before submission greatly reduces this likelihood.

When did I become obligated for Phase Two?

This is determined by the integration wave your business falls into based on its annual revenue, and the Authority notifies you of your wave’s date at least six months in advance. As of 30 June 2026, all businesses registered for VAT have come within the scope of Phase Two.

Can I issue invoices during the onboarding period?

You continue issuing your invoices using your established method until onboarding is complete and the Production certificate is activated. After activation, all your invoices switch to the digitally signed mode with clearance or reporting depending on the invoice type. There is no gap in which you stop issuing, because the transition happens the moment the certificate is activated.

What if I have several branches with varying revenues?

The scope of obligation is calculated at the business level (the tax number), not at the level of a single branch. When your business enters the integration wave, you onboard all its issuing units. So plan to onboard all your branches and points of sale within the same time frame, with a separate certificate for each unit.

Guides

Continue your learning journey

Explore the rest of Qoyod’s guides, or start applying what you’ve learned.

Live webinars hosted by the Qoyod team to help you use the software easily and answer your questions.

Discover Qoyod’s latest updates, ongoing improvements, and new features in one place.

Our team is ready to help you and provide instant support for any issue you face, around the clock.