Authentication
Ta treść nie jest jeszcze dostępna w Twoim języku.
Authenticated commands create an SDK client for one operation, authenticate it with the selected method, run the command, and close the client. Authentication settings usually come from the active profile. Direct global options are also supported and must appear before the command group.
Profiles for local work
Section titled “Profiles for local work”Create one profile per KSeF subject/context:
uv run ksef2 profile create demo-client \ --env test \ --nip 6880313213 \ --cert /path/accountant-auth-cert.pem \ --key /path/accountant-auth-key.pemAfter that, authenticated commands can omit the repeated global auth options:
uv run ksef2 invoices metadata --role buyer --date-from 2026-01-01T00:00:00ZUse --profile NAME for one command or KSEF2_PROFILE for the current shell.
Choose one method
Section titled “Choose one method”Provide exactly one authentication method, either in the selected profile or in direct global options:
| Method | Options | Environment variables |
|---|---|---|
| KSeF token | --token, --ksef-token | KSEF2_TOKEN |
| TEST certificate | --test-cert | KSEF2_TEST_CERT |
| PEM XAdES credentials | --cert, --key, optional --key-password | KSEF2_CERT, KSEF2_KEY, KSEF2_KEY_PASSWORD |
| PKCS#12/PFX XAdES archive | --p12, optional --p12-password | KSEF2_P12, KSEF2_P12_PASSWORD |
All authenticated methods also need a taxpayer or context NIP:
--nip 5261040828or:
export KSEF2_NIP=5261040828Token authentication
Section titled “Token authentication”uv run ksef2 --nip "$KSEF2_NIP" --token "$KSEF2_TOKEN" \ invoices metadata --role seller --date-from 2026-01-01T00:00:00ZUse --context-type or KSEF2_CONTEXT_TYPE when token authentication needs a
context other than the default nip.
TEST certificate authentication
Section titled “TEST certificate authentication”uv run ksef2 --env test --nip 5261040828 --test-cert auth login --jsonThis method is for TEST environment workflows only.
PEM XAdES credentials
Section titled “PEM XAdES credentials”uv run ksef2 --nip "$KSEF2_NIP" \ --cert cert.pem \ --key private-key.pem \ invoices metadata --role seller --date-from 2026-01-01T00:00:00ZFor encrypted private keys, pass --key-password or set
KSEF2_KEY_PASSWORD.
PKCS#12/PFX credentials
Section titled “PKCS#12/PFX credentials”uv run ksef2 --nip "$KSEF2_NIP" \ --p12 signing-credentials.p12 \ --p12-password "$KSEF2_P12_PASSWORD" \ auth login --jsonRefresh an access token
Section titled “Refresh an access token”uv run ksef2 auth refresh --refresh-token "$KSEF2_REFRESH_TOKEN" --jsonauth refresh does not require the other global authentication method options.
Polling options
Section titled “Polling options”Authentication commands use polling while KSeF processes authentication:
uv run ksef2 --nip "$KSEF2_NIP" --token "$KSEF2_TOKEN" \ --auth-poll-interval 2 \ --auth-max-poll-attempts 90 \ auth loginPrecedence
Section titled “Precedence”When a setting is available in multiple places, the CLI resolves it in this order:
- CLI option
- Environment variable
- Selected profile
- Built-in default
Use --no-config to ignore profiles for one invocation.