How to configure a KSeF connection in KSeFGPT
Connect a company to KSeF using a token or certificate. You can upload an existing certificate or configure one by signing a downloaded request with Trusted Profile.
- Module
- Settings
- Reading time
- 4 min
- Difficulty
- Easy
- Published
- July 17, 2026
- Author
- KSeFGPT Team
- Format
- Written guide and video

Written procedure
What you will do
You will select a company in KSeFGPT settings and connect it to KSeF using one of two credential types: a token or certificate.
For a certificate, you can upload an existing private key and certificate pair or use Trusted Profile to sign a one-time request downloaded from KSeFGPT and then upload the signed XML file.
After the credential is saved, KSeFGPT will be able to perform KSeF operations in the context of that company, within the scope of the granted permissions.
Requirements
Before you start
A connection is saved separately for each company. Before you begin, make sure the correct company has already been added to KSeFGPT.
| Item | Requirement |
|---|---|
| Access | Permission to open Settings and manage KSeF authorization. |
| Company | A company added to KSeFGPT with a valid NIP tax identification number. |
| Starting point | After signing in, open Settings and then the KSeF connection tab. |
| Connection details | A KSeF token; an existing private key and certificate pair; or access to the Trusted Profile of a person authorized to sign the certificate request for the specified NIP. |
Process recording
The video shows how to generate a certificate for connecting to KSeF.
Select a company
In the KSeF connection tab, find the KSeF credentials section. KSeFGPT displays a separate card for every company added to the account.
Check the company name and NIP on the correct card. If the company is not connected yet, you will see a message saying that no credentials are available for this company, along with buttons for starting the setup.
Choose a credential type
KSeFGPT connects to KSeF using a token or certificate. If you choose a certificate, you can upload existing files or use the separate Trusted Profile button to sign and upload the one-time certificate request.
| Credential | What to prepare | How setup works |
|---|---|---|
| Token | An access token generated in the KSeF application. | Paste the token into KSeFGPT and save the credential. |
| Certificate - existing files | A .key or .pem private key, a .crt, .cer or .pem certificate, and the key password if required. | Upload the private key and certificate files. |
| Certificate - Trusted Profile flow | Access to the Trusted Profile of a person authorized to act for the company's NIP. | Download a one-time request, sign it at gov.pl, and upload the signed XML file so KSeFGPT can configure the certificate credential. |

Option 1. KSeF token
On the company card, select Add credential and then choose Token. Paste the access token previously generated in the KSeF application into the KSeF token field.
Select Add. KSeFGPT verifies the token before saving it. If the token is invalid or has been revoked, you will see a message explaining that the KSeF token is invalid or revoked.
Option 2A. KSeF certificate from files
On the company card, select Add credential and then Certificate. KSeFGPT marks this method as the default.
Add a private key in .key or .pem format and a certificate in .crt, .cer or .pem format. If the key is encrypted, also enter its password in the optional Key password field.
Select Save PEM certificate. After successful verification, the credential list will show the certificate subject and its expiration date.
Option 2B. KSeF certificate using Trusted Profile
Trusted Profile is not a separate KSeF credential in this flow. It is used to sign the one-time request needed to configure the certificate connection. On the company card, select Connect with Trusted Profile. KSeFGPT prepares a request linked to the company and its NIP.
In the Download request step, save the prepared file. Then select Open gov.pl and sign the request, sign in with the Trusted Profile, sign the document, and save the signed file on your device.
Return to KSeFGPT, go to Upload file, and select the signed XML file. Finally, select Finish and connect. KSeFGPT uses the signed request to complete the certificate-based KSeF connection.

Final state
Check the result
After you save a token or certificate, the new credential appears on the card for the correct company. For a certificate, KSeFGPT shows its subject and expiration date; for a token, it shows a masked part of the value.
After uploading the request signed with Trusted Profile, close the window and verify that the certificate credential is visible on the company card.
Diagnostics
If something does not work
Compare the message displayed in KSeFGPT with the most common reasons for a rejected connection.
| Symptom | Likely cause | What to do |
|---|---|---|
| The token was rejected | The token is invalid or has been revoked in KSeF. | Generate or copy the correct token and try again. |
| The certificate cannot be saved | The key or certificate is missing, or the encrypted key password is incorrect. | Check the .key/.crt file pair and the key password. |
| The NIP in the certificate does not match the company | The certificate belongs to another entity. | Use a certificate issued for the company being configured in KSeFGPT. |
| The certificate request expired | The request was not signed with Trusted Profile and uploaded before it expired. | Select Generate again and sign the new request. |
| The signed request was rejected | The signer is not authorized to act for the specified NIP in KSeF. | Check the signer's permissions, including the required ZAW-FA authorization. |