ZATCA Phase 2 E-Invoicing Integration Guide for Saudi Businesses (2026): API, XML, QR Codes & Compliance
Back to Blog
Tax Compliance May 25, 2026 10 min read

ZATCA Phase 2 E-Invoicing Integration Guide for Saudi Businesses (2026): API, XML, QR Codes & Compliance

Vocxa Engineering

If your business operates in Saudi Arabia, ZATCA (Zakat, Tax and Customs Authority) e-invoicing compliance is no longer optional — it's the law. Phase 2 (the Integration Phase) requires businesses to integrate their invoicing systems directly with ZATCA's Fatoora platform, generating cryptographically signed electronic invoices in a specific format.

This guide explains exactly what ZATCA Phase 2 e-invoicing integration involves — the technical requirements, the XML format, cryptographic stamping, QR codes, and the difference between clearance and reporting — so you can integrate your POS or ERP with confidence.

ZATCA Phase 1 vs Phase 2: What Changed

Phase 1 (Generation Phase, since December 2021) simply required businesses to generate and store electronic invoices with a QR code — no direct integration with ZATCA. Phase 2 (Integration Phase, rolling out in waves since January 2023) is far stricter: invoices must be transmitted to ZATCA's Fatoora platform for validation in real time or near-real time.

  • Phase 1: Generate compliant e-invoices with QR codes, stored electronically. No API integration.
  • Phase 2: Integrate directly with ZATCA Fatoora — cryptographic stamping, UUID, hash chaining, and XML in UBL 2.1 format.
  • Businesses are onboarded in waves based on annual revenue thresholds announced by ZATCA.

Two Invoice Types: Standard vs Simplified

ZATCA distinguishes between two invoice types, and they follow different workflows — this is the single most important concept to get right:

  1. 1Standard Tax Invoice (B2B/B2G): Must be CLEARED by ZATCA before being shared with the buyer. This is the 'clearance' model — ZATCA validates and returns a cleared, stamped invoice.
  2. 2Simplified Tax Invoice (B2C): Issued to the customer immediately, then REPORTED to ZATCA within 24 hours. This is the 'reporting' model — common for retail and restaurants.

Why this matters

A restaurant or retail POS almost always issues Simplified invoices (B2C), so it uses the reporting flow — the customer gets their receipt instantly and the invoice is reported afterward. An ERP issuing B2B invoices uses the clearance flow. Mixing these up is the most common compliance failure.

The Technical Building Blocks

A compliant ZATCA Phase 2 e-invoice is more than a PDF. Each invoice must include:

  • UBL 2.1 XML — the invoice structured in Universal Business Language format with all mandatory fields.
  • Cryptographic stamp (CSID) — a digital signature using a certificate issued by ZATCA during onboarding.
  • Invoice hash & previous invoice hash (PIH) — invoices are chained, each referencing the previous one's hash.
  • UUID — a unique identifier for every invoice.
  • Cryptographic QR code — a Base64-encoded TLV (Tag-Length-Value) structure containing seller name, VAT number, timestamp, total, VAT amount, and the cryptographic stamp.
text
ZATCA QR Code — TLV structure (Base64 encoded):
Tag 1: Seller name
Tag 2: VAT registration number
Tag 3: Timestamp (ISO 8601)
Tag 4: Invoice total (with VAT)
Tag 5: VAT amount
Tag 6: Hash of XML invoice
Tag 7: ECDSA signature
Tag 8: Public key
Tag 9: Signature of the public key (for standard invoices)

The Onboarding & Integration Flow

Before you can send a single invoice, your system must onboard with ZATCA to obtain a cryptographic certificate. The flow looks like this:

  1. 1Generate a CSR (Certificate Signing Request) with your business details and a generated key pair.
  2. 2Call the Compliance CSID API with an OTP from the ZATCA Fatoora portal to get a compliance certificate.
  3. 3Pass the compliance checks by submitting sample standard and simplified invoices (and credit/debit notes).
  4. 4Call the Production CSID API to receive your production certificate.
  5. 5Begin clearing (standard) or reporting (simplified) live invoices.
bash
# Simplified view of the ZATCA Phase 2 API endpoints
POST /compliance              # Get compliance CSID (using OTP)
POST /compliance/invoices     # Submit sample invoices for validation
POST /production/csids        # Get production CSID
POST /invoices/clearance/single   # Clear a Standard (B2B) invoice
POST /invoices/reporting/single   # Report a Simplified (B2C) invoice

Why Middleware Is the Smart Approach

Most businesses don't want to rebuild their POS or ERP to handle XML signing, certificate management, hash chaining, and ZATCA's evolving API. Instead, a ZATCA integration middleware sits between your existing systems and Fatoora, handling all the compliance complexity.

  • Your POS/ERP sends a simple invoice payload to the middleware via a clean API.
  • The middleware generates compliant UBL 2.1 XML, applies the cryptographic stamp, builds the QR code, and chains the hash.
  • It calls the correct ZATCA endpoint (clearance or reporting) and handles retries, errors, and certificate renewal.
  • It returns the cleared/reported invoice plus a compliance dashboard for monitoring and multi-branch oversight.

Multi-branch & multi-system

A single middleware can serve multiple branches and multiple source systems (POS, ERP, e-commerce) at once — centralizing compliance, monitoring, and reporting across the whole business.

Who Needs ZATCA Phase 2 Integration

  • Restaurants & cafes — high volume of simplified (B2C) invoices via POS.
  • Retail & supermarkets — point-of-sale reporting at scale.
  • Pharmacies & clinics — mixed B2C and B2B invoicing.
  • Wholesalers & distributors — standard (B2B) invoices requiring clearance.
  • Any VAT-registered business in the ZATCA onboarding waves.

Conclusion: Get Compliant Without the Headache

ZATCA Phase 2 e-invoicing integration is technically demanding — UBL 2.1 XML, cryptographic stamping, QR codes, hash chaining, and a strict clearance vs reporting distinction. But with the right middleware, your existing POS or ERP can become fully compliant without a rebuild, and you gain a real-time compliance dashboard across every branch.

At Vocxa, we build custom ZATCA Phase 2 e-invoicing integration platforms that connect your POS and ERP to Fatoora — automated XML, QR generation, cryptographic stamping, clearance, reporting, and multi-branch compliance monitoring.

ZATCAE-InvoicingSaudi ArabiaComplianceFatoora

Frequently Asked Questions

What is ZATCA Phase 2 e-invoicing?

ZATCA Phase 2 (the Integration Phase) requires Saudi businesses to integrate their invoicing systems directly with ZATCA's Fatoora platform, generating cryptographically signed UBL 2.1 XML invoices with QR codes that are either cleared (B2B) or reported (B2C) to ZATCA.

What is the difference between clearance and reporting in ZATCA?

Standard tax invoices (B2B/B2G) must be cleared by ZATCA before being shared with the buyer. Simplified tax invoices (B2C) are issued to the customer immediately and then reported to ZATCA within 24 hours. Restaurants and retail typically use reporting; wholesalers and B2B sellers use clearance.

Can I integrate my existing POS or ERP with ZATCA?

Yes. The most efficient approach is a ZATCA integration middleware that sits between your POS or ERP and the Fatoora platform, handling XML generation, cryptographic stamping, QR codes, hash chaining, and the clearance/reporting API calls — without rebuilding your existing systems.

What does a ZATCA-compliant QR code contain?

A ZATCA QR code is a Base64-encoded TLV structure containing the seller name, VAT registration number, invoice timestamp, invoice total with VAT, the VAT amount, the invoice hash, and the cryptographic signature.

Build It With Vocxa

We build custom integration platforms, AI apps, and software for startups and SMEs. Let's turn this into reality for your business.

Book a Free ConsultationView Case Studies