Encryption Certificates

KSeF publishes public certificates used to encrypt session keys and export material. High-level invoice and batch helpers load these certificates automatically. Use client.encryption directly when you need to inspect, cache, or pre-load certificate material.

# List every published public certificate with its key ID and usage.
certificates = client.encryption.get_certificates()
for certificate in certificates:
    print(certificate.public_key_id, certificate.usage)

Filter by usage when you only need one certificate family:

certificates = client.encryption.get_certificates(
    usage=["symmetric_key_encryption"],
)

Authenticated invoice sessions and exports call the encryption certificate branch before encrypting payload keys:

with auth.online_session(form_code=FormSchema.FA3) as session:
    ...

zip_parts = auth.invoices.export_and_download(filters=filters)

  1. Let high-level invoice workflows load certificates lazily by default.

  2. Optionally pre-load public certificates during application startup.

  3. Alert if no certificate supports the usage required by your workflow.

  4. Retry later rather than hard-coding certificate data in your application.
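
Steps 2 to 4 combined into one startup routine, as an added example that is not part of the SDK or its documentation. `preload_certificates`, `usages_of` and their parameters are hypothetical, `FlakyEncryption` is a constructed stand-in for `client.encryption`, and `certificate.usage` is assumed to be a string or a list of strings.

```python
import logging
import time
from types import SimpleNamespace

log = logging.getLogger("ksef.startup")

def usages_of(cert):
    # Assumption: certificate.usage is one string or a list of strings.
    return {cert.usage} if isinstance(cert.usage, str) else set(cert.usage)

def preload_certificates(encryption, required, attempts=4, base_delay=1.0, sleep=time.sleep):
    """Hypothetical startup helper: fetch certificates, retry until every required usage is covered."""
    missing = set(required)
    for attempt in range(1, attempts + 1):
        try:
            certs = encryption.get_certificates(usage=sorted(required))
        except Exception as exc:  # fetch failed: retry later, never fall back to baked-in keys
            log.warning("certificate fetch failed (attempt %d): %s", attempt, exc)
            certs = []
        missing = set(required) - set().union(*(usages_of(c) for c in certs))
        if not missing:
            return certs
        log.error("no certificate for usage %s (attempt %d/%d)", sorted(missing), attempt, attempts)
        if attempt < attempts:
            sleep(base_delay * 2 ** (attempt - 1))  # exponential backoff between attempts
    raise RuntimeError(f"no certificate supports usage: {sorted(missing)}")

class FlakyEncryption:
    """Constructed stand-in for client.encryption: first call fails, later calls return one certificate."""
    def __init__(self):
        self.calls = 0

    def get_certificates(self, usage=None):
        self.calls += 1
        if self.calls == 1:
            raise ConnectionError("constructed outage")
        certs = [SimpleNamespace(public_key_id="constructed-key-1",
                                 usage=["symmetric_key_encryption"])]
        return [c for c in certs if usage is None or set(usage) & usages_of(c)]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    loaded = preload_certificates(FlakyEncryption(), ["symmetric_key_encryption"], base_delay=0.1)
    print([c.public_key_id for c in loaded])
```

Route the `log.error` line to whatever alerting channel the application already uses, and let the final `RuntimeError` fail the startup or health check rather than continuing without a usable certificate.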