Encryption Certificates
KSeF publishes public certificates used to encrypt session keys and export
material. High-level invoice and batch helpers load these certificates
automatically. Use client.encryption directly when you need to inspect,
cache, or pre-load certificate material.
Fetch certificates
Section titled “Fetch certificates”certificates = client.encryption.get_certificates()
for certificate in certificates: print(certificate.public_key_id, certificate.usage)Filter by usage when you only need one certificate family:
certificates = client.encryption.get_certificates( usage=["symmetric_key_encryption"],)How the SDK uses them
Section titled “How the SDK uses them”Authenticated invoice sessions and exports call the encryption certificate branch before encrypting payload keys:
with auth.online_session(form_code=FormSchema.FA3) as session: ...
zip_parts = auth.invoices.export_and_download(filters=filters)Recommended flow
Section titled “Recommended flow”-
Let high-level invoice workflows load certificates lazily by default.
-
Optionally pre-load public certificates during application startup.
-
Alert if no certificate supports the usage required by your workflow.
-
Retry later rather than hard-coding certificate data in your application.