Who has KSeF access and who doesn't
By default, full owner-level permissions belong to the sole proprietor (JDG, a one-person business) or the person authorised to represent a company. That person authenticates first, and the entire chain of access starts from them.
Everyone else starts at zero. An employee gains nothing automatically by being hired. An accountant at an external office cannot see your invoices until you point the permission module at them or at their firm. This is deliberate: the system separates responsibility and lets you control precisely who does what.
KSeF permission types
Under § 3 of the Regulation of the Minister of Finance and Economy of 12 December 2025 on the use of KSeF, permissions fall into three core categories:
Managing permissions (granting, changing, and revoking other users' access). This is the administrative role.
Issuing invoices, including in offline24 mode and emergency mode.
Accessing invoices (viewing and downloading both sales and purchase invoices).
On top of these sit special permissions: self-invoicing (where the buyer issues the invoice) and issuing VAT RR invoices for flat-rate farmers.
The key point is that scopes can be split. One person can have view-only access, another the right to issue, and a third the right to manage permissions. You do not have to grant the full package to everyone. The official Ministry of Finance page on permissions and authorisation covers the categories in detail.
Employee or accounting office: direct and indirect permissions
You have two models to choose from, depending on who actually handles your invoices.
Direct permissions go to a specific individual. You identify them by their PESEL (personal ID number) or NIP (tax ID) plus their name. This works well when invoicing is handled by your own employee or by a single, steady accountant.
Indirect permissions go to an entire entity, such as an accounting office, identified by its NIP. The office then distributes access to its own staff, with no need to register each person separately. This is convenient when several people handle your invoices or when the office's staff changes.
One important limit: delegation only works one level down. The office can pass permissions to its employees, but those employees cannot pass them further. And the scope the office grants an accountant can never be broader than what you granted the office.
Example. Anna runs a one-person service business and outsources all bookkeeping to an external office. Instead of naming each of the office's employees one by one, she grants permissions to the whole office (by its NIP) for issuing and viewing invoices. From then on, whichever employee the office assigns handles her invoices in KSeF.
How to grant permissions step by step
The simplest route is the KSeF Taxpayer App (Aplikacja Podatnika), the Ministry of Finance's free tool. You can also grant permissions through commercial software integrated with KSeF over the API, if the vendor supports it.
Granting permissions to an individual (e.g. your accountant):
Go to ap.ksef.mf.gov.pl and enter your company's NIP.
Authenticate with Profil Zaufany (Poland's Trusted Profile), a qualified electronic signature, or a KSeF certificate.
Open the Permissions tab and choose Grant permissions.
Select individual and enter their PESEL or NIP plus their name.
Tick the scope: access to invoices, issuing invoices, or managing permissions.
Confirm. The person can now act in the context of your NIP.
Granting permissions to an accounting office (an entity):
Log in as above.
Under Grant permissions, choose entity and enter the office's NIP and full name.
Set the scope: issuing and/or viewing invoices.
If the office should distribute access to its own staff, add the office head as an administrator (the Add administrator action).
A note on technical authentication. For an office or accounting software to act on your NIP in the background, it needs credentials. The recommended, stable method is a KSeF certificate, which once installed lets the software connect without logging in again. A token is an alternative, but its validity rules are subject to ongoing changes at the Ministry of Finance, so treat it with caution.
ZAW-FA: when you need the paper form
Not every entity can authenticate electronically. A company without a qualified electronic seal cannot log into the permission module on its own. In that case, it files the paper ZAW-FA form (a notification of granting or revoking KSeF permissions) with the head of its competent tax office. On the form, it designates the individual who will be the first to access KSeF on the entity's behalf.
One important change: with ZAW-FA version 3, filed from 1 February 2026, the invoice-issuing permission is granted automatically. Having to self-activate permissions in the system applied only to older version-2 notifications filed before that date.
For most businesses that hold a Profil Zaufany or qualified signature, the electronic route is faster and simpler, so ZAW-FA is mainly left for entities that cannot authenticate.
What to keep in mind so nothing breaks
A few things that are easy to miss and can cause real trouble:
Responsibility stays with you. Even an office with full access does not decide the content of an invoice or whether a transaction took place. The taxpayer answers for the tax consequences.
Invoices in KSeF cannot be cancelled. A faulty document is fixed only with a correcting invoice. This applies to the office too.
You don't see the office's employees. When you grant permissions to a whole office, you only see that you authorised that entity, not the specific people who work there.
Revoke access when the engagement ends. Permissions do not expire on their own. When you part ways with an office or employee, revoke them immediately.
Checklist: before you grant permissions
Decide whether you're granting to a person (employee, single accountant) or an entity (accounting office).
Choose the scope: view only, issuing, or full management.
Gather the data: the person's PESEL or NIP, or the office's NIP and name.
Check how you'll authenticate: Profil Zaufany, qualified signature, or KSeF certificate.
If the office should distribute access to its team, add its head as an administrator.
Put the rules for revoking permissions after the engagement into your contract with the office.
Summary
Granting KSeF permissions isn't a formality. It's the condition for anyone other than you to legally issue and receive your invoices. Decide the model (person or entity), pick the scope, and work through it in the Taxpayer App or, if you must, through ZAW-FA.
Once the KSeF-side permissions are in place, Biurko takes over the rest. You connect to the system with a certificate, work across multiple companies in one panel, and the internal roles (owner, admin, accountant, observer) mirror exactly the scopes you set in KSeF. Start a free account at biurko.io and get access sorted once, properly.
FAQ
Does an employee get KSeF access automatically after being hired? No. An employee has no KSeF permissions until the business owner or an administrator grants them. You can give them view-only access, issuing only, or both, depending on their tasks.
Should I grant permissions to the whole accounting office or to a specific accountant? It depends on your setup. Granting to the office (by NIP) is convenient when several people handle you or staff changes, because the office distributes access itself. Naming a specific person makes sense with one steady accountant.
When do I file ZAW-FA instead of granting permissions electronically? You file the paper ZAW-FA form with the tax office head when an entity cannot authenticate electronically, for example a company without a qualified electronic seal. It designates the first person authorised for KSeF.
Can an accounting office pass my permissions further? Only one level down, to its own employees, and only within the scope you granted. For the office to do this, you must add its head as an administrator. The office's employee cannot pass permissions on to anyone else.
Does granting permissions to an office shift invoice responsibility to them? No. Even with full access, the office is not responsible for invoice content or whether a transaction was real. Tax responsibility stays with the taxpayer. It's worth separating technical permissions from substantive responsibility in your contract.
