KSeFGPT
Get started for free
Settings

How to configure a KSeF connection in KSeFGPT

Connect a company to KSeF using a token or certificate. You can upload an existing certificate or configure one by signing a downloaded request with Trusted Profile.

Module
Settings
Reading time
4 min
Difficulty
Easy
Published
July 17, 2026
Author
KSeFGPT Team
Format
Written guide and video
KSeFGPT interface view
KSeFGPT KSeF connection settings with certificate and token credential options

Written procedure

What you will do

You will select a company in KSeFGPT settings and connect it to KSeF using one of two credential types: a token or certificate.

For a certificate, you can upload an existing private key and certificate pair or use Trusted Profile to sign a one-time request downloaded from KSeFGPT and then upload the signed XML file.

After the credential is saved, KSeFGPT will be able to perform KSeF operations in the context of that company, within the scope of the granted permissions.

Requirements

Before you start

A connection is saved separately for each company. Before you begin, make sure the correct company has already been added to KSeFGPT.

ItemRequirement
AccessPermission to open Settings and manage KSeF authorization.
CompanyA company added to KSeFGPT with a valid NIP tax identification number.
Starting pointAfter signing in, open Settings and then the KSeF connection tab.
Connection detailsA KSeF token; an existing private key and certificate pair; or access to the Trusted Profile of a person authorized to sign the certificate request for the specified NIP.

Process recording

The video shows how to generate a certificate for connecting to KSeF.

2:42
How to generate KSeF certificates and connect an application in the test environment
01Step

Select a company

In the KSeF connection tab, find the KSeF credentials section. KSeFGPT displays a separate card for every company added to the account.

Check the company name and NIP on the correct card. If the company is not connected yet, you will see a message saying that no credentials are available for this company, along with buttons for starting the setup.

02Step

Choose a credential type

KSeFGPT connects to KSeF using a token or certificate. If you choose a certificate, you can upload existing files or use the separate Trusted Profile button to sign and upload the one-time certificate request.

CredentialWhat to prepareHow setup works
TokenAn access token generated in the KSeF application.Paste the token into KSeFGPT and save the credential.
Certificate - existing filesA .key or .pem private key, a .crt, .cer or .pem certificate, and the key password if required.Upload the private key and certificate files.
Certificate - Trusted Profile flowAccess to the Trusted Profile of a person authorized to act for the company's NIP.Download a one-time request, sign it at gov.pl, and upload the signed XML file so KSeFGPT can configure the certificate credential.
Step 2
KSeFGPT KSeF connection settings with certificate and token credential options

Option 1. KSeF token

On the company card, select Add credential and then choose Token. Paste the access token previously generated in the KSeF application into the KSeF token field.

Select Add. KSeFGPT verifies the token before saving it. If the token is invalid or has been revoked, you will see a message explaining that the KSeF token is invalid or revoked.

Option 2A. KSeF certificate from files

On the company card, select Add credential and then Certificate. KSeFGPT marks this method as the default.

Add a private key in .key or .pem format and a certificate in .crt, .cer or .pem format. If the key is encrypted, also enter its password in the optional Key password field.

Select Save PEM certificate. After successful verification, the credential list will show the certificate subject and its expiration date.

Option 2B. KSeF certificate using Trusted Profile

Trusted Profile is not a separate KSeF credential in this flow. It is used to sign the one-time request needed to configure the certificate connection. On the company card, select Connect with Trusted Profile. KSeFGPT prepares a request linked to the company and its NIP.

In the Download request step, save the prepared file. Then select Open gov.pl and sign the request, sign in with the Trusted Profile, sign the document, and save the signed file on your device.

Return to KSeFGPT, go to Upload file, and select the signed XML file. Finally, select Finish and connect. KSeFGPT uses the signed request to complete the certificate-based KSeF connection.

Option 2B. KSeF certificate using Trusted Profile
KSeFGPT dialog for downloading a one-time request to be signed with Trusted Profile

Final state

Check the result

After you save a token or certificate, the new credential appears on the card for the correct company. For a certificate, KSeFGPT shows its subject and expiration date; for a token, it shows a masked part of the value.

After uploading the request signed with Trusted Profile, close the window and verify that the certificate credential is visible on the company card.

Diagnostics

If something does not work

Compare the message displayed in KSeFGPT with the most common reasons for a rejected connection.

SymptomLikely causeWhat to do
The token was rejectedThe token is invalid or has been revoked in KSeF.Generate or copy the correct token and try again.
The certificate cannot be savedThe key or certificate is missing, or the encrypted key password is incorrect.Check the .key/.crt file pair and the key password.
The NIP in the certificate does not match the companyThe certificate belongs to another entity.Use a certificate issued for the company being configured in KSeFGPT.
The certificate request expiredThe request was not signed with Trusted Profile and uploaded before it expired.Select Generate again and sign the new request.
The signed request was rejectedThe signer is not authorized to act for the specified NIP in KSeF.Check the signer's permissions, including the required ZAW-FA authorization.