Connecting KSeF
You link your account to KSeF once. It's the one "scary" step — we walk you through it.
Token vs XAdES
Two authentication methods:
| Method | What you provide | When |
|---|---|---|
| Token | a KSeF token (machine-to-machine) | the default, simplest |
| XAdES | certificate + private key (PEM) | qualified signature |
You generate a token in the KSeF taxpayer app. We store it encrypted. XAdES requires both PEM blocks — without them we won't persist the connection.
TEST first
The TEST environment is preselected. Accidental PROD is the nightmare, so the environment choice comes first and is deliberate. On TEST you file to the KSeF sandbox — no legal effect, perfect for verifying your setup.
Test connection
The "Test connection" button tries to authenticate against the chosen environment using your method (token or XAdES). It returns only success or failure — it never breaks the form. Use it before you save.
Switching to PROD
Once test invoices work, switch the environment to PROD. The switch requires an explicit confirmation — these are irreversible legal effects. After PROD and your first successful production invoice you are fully ready. For the full promotion path and the readiness checklist, see Going live.
Token expired? Reconnect
When KSeF rejects with a stale-key code (21470), generate a fresh token and paste it again in the connection settings. The secret fields are write-only (blank in the form) — leaving one blank will not overwrite the stored secret. See Rejections & troubleshooting.