Skip to content

Authentication

Authentication turns a root Client into an authenticated client. Use the root client to choose the KSeF environment, then choose exactly one authentication method for the context you are operating as.

These names are used by examples in this documentation and by ksef2-cli profiles:

VariablePurpose
KSEF2_ENVtest, demo, or production for SDK examples.
KSEF2_NIPTaxpayer/context NIP used during authentication.
KSEF2_TOKENKSeF token for token authentication.
KSEF2_PROFILECLI profile name selected by ksef2-cli and SDK profile auth.
KSEF2_CONFIGOptional path to the CLI profile config file.
KSEF2_KEY_PASSWORDOptional encrypted PEM private-key password.
KSEF2_P12_PASSWORDOptional PKCS#12/PFX archive password.
Terminal window
export KSEF2_ENV=test
export KSEF2_NIP=5261040828
export KSEF2_TOKEN=replace-with-a-real-ksef-token

The SDK reads KSEF2_PROFILE and KSEF2_CONFIG when you use client.authentication.with_profile(). For direct token or certificate auth, keep the boundary explicit in your application:

import os
from ksef2 import Client, Environment
environment_name = os.environ.get("KSEF2_ENV", "test").upper()
client = Client(Environment[environment_name])

Use a KSeF token when your application already has a valid token for the context. Token auth works in TEST, DEMO, and PRODUCTION.

import os
auth = client.authentication.with_token(
ksef_token=os.environ["KSEF2_TOKEN"],
nip=os.environ["KSEF2_NIP"],
context_type="nip",
)

ksef2-cli already has local profile support. A profile stores non-secret defaults such as environment, NIP, auth method, certificate paths, and the name of the environment variable that contains a secret.

Terminal window
ksef2 profile create test-company \
--env test \
--nip 5261040828 \
--test-cert
ksef2 profile create prod-token \
--env production \
--nip "$KSEF2_NIP" \
--token-env KSEF2_TOKEN

Select a profile for CLI commands:

Terminal window
export KSEF2_PROFILE=prod-token
ksef2 profile current

Use the same profile file from SDK code:

from ksef2 import Client, Environment
from ksef2.profiles import Profile, ProfileStore, TokenProfileAuth
store = ProfileStore.default()
store.save(
"prod-token",
Profile(
environment=Environment.PRODUCTION,
nip="5261040828",
auth=TokenProfileAuth(token_env="KSEF2_TOKEN"),
),
activate=True,
overwrite=True,
)
client = Client(Environment.PRODUCTION)
auth = client.authentication.with_profile()
# Or select a named profile explicitly.
auth = client.authentication.with_profile("prod-token")

The root client environment must match the selected profile environment. Pass config_path="..." when the profile file is not at the default ~/.config/ksef2-cli/config.toml location.

  1. Put secrets into environment variables.

    Use KSEF2_TOKEN, KSEF2_KEY_PASSWORD, or KSEF2_P12_PASSWORD.

  2. Keep non-secret defaults in one place.

    Use application config for fully custom setups, or ksef2-cli profiles when the same environment is also operated from the command line.

  3. Create the root client for the selected environment.

    Use Client(Environment.TEST), Client(Environment.DEMO), or Client(Environment.PRODUCTION).

  4. Authenticate once, then pass the authenticated client into workflows.

    The authenticated client owns access tokens and exposes workflow branches.

Catch SDK-classified failures with KSeFException. Catch httpx.HTTPError separately for transport failures before KSeF returns a response.

import httpx
from ksef2 import KSeFException
try:
auth = client.authentication.with_test_certificate(nip="5261040828")
except KSeFException as exc:
print(exc)
except httpx.HTTPError as exc:
print(f"Transport failed: {exc}")