KSeF Token vs Certificate – Key Differences and What to Choose
With the introduction of the mandatory National e-Invoice System (KSeF) in Poland, businesses and accounting offices must decide how their systems will authenticate and communicate with the platform provided by the Ministry of Finance.
One of the most common questions is: Should you use a KSeF token or a KSeF certificate?
Although both solutions allow systems to connect with KSeF, their role, security level, and long-term usage are different. Below we explain the most important differences and which solution is recommended in practice.
What is a KSeF token?
A KSeF token is a generated string of characters that allows software (for example an accounting or invoicing system) to connect with KSeF.
The token is created inside the KSeF system. Once generated, the token can be inserted into external software to allow communication with the KSeF API.
The token performs two functions simultaneously:
- authentication – confirming the identity of the user
- authorization – because specific permissions are assigned when the token is created
In practice, a token acts like an API key allowing software to send and receive invoices in KSeF on behalf of a company.
Key characteristics of a token
- generated directly inside the KSeF portal
- contains specific permissions assigned to the user
- easy to implement in accounting or invoicing software
- commonly used today for integrations
However, tokens are considered a temporary solution. They are valid only until 31.12.2026; after that date, all tokens will expire.
What is a KSeF certificate?
A KSeF certificate is a digital certificate used to confirm the identity of a system or user communicating with KSeF.
Unlike tokens, certificates:
- do not contain permissions
- serve only as a secure authentication mechanism
Permissions in this model are managed separately within the KSeF system.
Certificates use cryptographic technology and therefore provide a higher level of security compared to tokens.
Certificates are issued for a period of 2 years.
Key characteristics of a certificate
- used for authentication of systems communicating with KSeF
- based on cryptographic security mechanisms
- permissions are managed separately
- valid for a defined period (typically up to 2 years)
- designed for automated integrations with accounting software
Because of these features, certificates are considered the target authentication method for KSeF.
Token vs Certificate – Key Differences
| Feature | KSeF Token | KSeF Certificate |
|---|---|---|
| Purpose | Authentication + authorization | Authentication only |
| Permissions | Included in the token | Managed separately |
| Form | Text string (API key) | Digital certificate |
| Security level | Standard | Higher |
| Validity | Temporary solution. Only till 31.12.2026 | Long-term solution |
| Future usage | Until the transition period ends | Target standard |
The fundamental difference is that tokens combine authentication and permissions, while certificates are used only to verify identity, with permissions managed independently in the system.
Why certificates will replace tokens
The Ministry of Finance introduced certificates to improve:
- security of the KSeF ecosystem
- scalability of integrations
- flexibility in permission management
During the transition period, both tokens and certificates can be used in parallel.
However, starting January 1, 2027, authentication in KSeF will rely only on certificates, and tokens will no longer be supported.
For this reason, software providers and businesses are already encouraged to implement certificate-based integrations.
When should you use a token or a certificate?
In practice:
Tokens may be useful when
- performing a quick or temporary integration
- testing systems in KSeF
- setting up basic connections with accounting software
Certificates are recommended when
- building a long-term integration with KSeF
- using automated invoicing systems
- ensuring higher security standards
- preparing systems for the future KSeF environment
Practical recommendation for IT professionals and digital businesses
For many IT contractors and software professionals working in Poland, invoicing is done through modern tools such as Saldeo, Fakturownia, or other integrated accounting platforms.
In such cases, using a KSeF certificate is the recommended approach.
The reason is simple:
Tokens are expected to expire during the transition period, and from January 1, 2027, they will no longer be supported.
By configuring a certificate already today, users avoid the need to update their integrations later.
In other words:
Uploading and configuring a certificate now solves the integration problem not only for today but also for the period after December 31, 2026.
For companies relying on automated invoicing systems, this means fewer future configuration changes and a smoother transition to the fully mandatory KSeF environment.