KSeF & e-invoices

KSeF Tokens Disappear in 2027. Why We Built Biurko on Certificates From Day One

December 31, 2026 is the last day KSeF tokens will work. From January 1, 2027, KSeF certificates become the only way to authenticate with KSeF — Poland's mandatory national e-invoicing system. That's not industry gossip; it's the official position of the Polish Ministry of Finance, announced well before KSeF 2.0 went live. And yet a surprising number of invoicing tools on the Polish market still run their KSeF integration on tokens. Does it work? Sure. Until December. When we designed Biurko, we made the opposite call: no token support at all, certificates only, from the first line of integration code. Here's the reasoning — and what it means for you if you issue invoices in Poland or run a business with a Polish entity.

IT· 7 min read 125 views
KSeF Tokens Disappear in 2027. Why We Built Biurko on Certificates From Day One

Token vs. certificate: not the same thing in new packaging

If you're new to the Polish system: every business invoicing in Poland must submit structured invoices through KSeF (Krajowy System e-Faktur), the government's central e-invoicing platform. The rollout is staged — large taxpayers from February 1, 2026, everyone else from April 1, 2026, and the smallest businesses from January 1, 2027. Your software talks to KSeF via API, and that connection has to be authenticated.

Two mechanisms exist today, and they're architecturally very different.

A token is an access key that carries the taxpayer's permissions inside it, declared at the moment of generation. It never expires on its own, and once generated, whoever holds it can act in KSeF within the permissions baked into it.

A KSeF certificate is purely an identity credential — conceptually closer to a qualified electronic signature. Permissions aren't embedded; the system checks them at every login based on the tax identifier (NIP or PESEL) recorded in the certificate. Change an employee's permissions and the certificate stays valid — KSeF simply applies the new scope.

The timeline:

Date What happens November 1, 2025 Certificate applications open February 1, 2026 KSeF 2.0 launches — certificates and tokens run in parallel December 31, 2026 Last day tokens work January 1, 2027 Certificates become the only authentication method

Since February 2026, you apply for a certificate via the KSeF 2.0 API or the official Taxpayer Application, after authenticating with a Polish trusted profile (Profil Zaufany), a qualified electronic signature, or — for companies — a qualified electronic seal.

Why we didn't build token support "just for now"

Honestly? It was tempting. Token integration is technically trivial — attach a key to your requests and you're in. Certificates demand far more: an XAdES-BES signature flow for API authentication, private key management, expiry tracking. The Ministry's technical documentation makes it clear this is a different order of complexity.

But we ran the opportunity cost. Building token support meant weeks of engineering on a mechanism with a published death date. Then a forced migration of every customer — in Q4 2026, exactly when accounting offices hit peak season and KSeF faces its heaviest load since the mandate began. The worst possible moment to ask users to "generate a new credential and reconfigure your integration from scratch."

There was a second, bigger argument: without a type 2 certificate, there are no offline modes. And offline modes aren't an exotic edge case — they're the core business-continuity safeguard in the whole system.

The type 2 certificate: something tokens never could do

The Ministry of Finance issues two certificate types, generated separately:

  • Type 1 (authentication) — logging into KSeF, in both interactive and batch sessions. The functional successor to today's token.

  • Type 2 (offline) — required to stamp an invoice with a code confirming the issuer's identity in the special modes: offline24, offline during system unavailability, and emergency mode.

Type 2 is genuinely new capability. When KSeF has scheduled downtime, or your internet drops on invoicing day, an invoice issued offline with QR verification codes generated from a type 2 certificate is fully valid — you just submit it to the system within the statutory deadline. A token never enabled this and never will.

Biurko has supported both types since our first integration release: type 1 handles login, type 2 signs offline invoices, and verification links plus QR codes are generated automatically under the hood. The user sees one message: "KSeF unavailable — invoice issued in offline24 mode, we'll submit it automatically once the system is back."

Mini-case: an outage at 4:40 PM on a Friday

One of our early pilot customers — a sole proprietor in IT services, the classic last-minute invoicer — hit a KSeF interface outage right before a weekend. With a token-based tool, he'd have stared at a connection error. In Biurko, the invoice went out in offline24 mode with verification codes, the client received a PDF with QR codes instantly, and the document flowed into KSeF automatically once availability was restored. Zero action required.

What this decision cost us (the honest part)

So this doesn't read like "our decision was brilliant and painless":

Onboarding got harder. With a token, users pasted a string. With a certificate, they first authenticate with KSeF (Profil Zaufany, qualified signature, or qualified seal for companies), file an application, and download the credential. We built a step-by-step wizard inside Biurko, but let's be real — it's more clicks than pasting a token.

Certificates expire. Maximum validity is 2 years from issuance or a chosen start date. An expired certificate halts the integration. We had to build expiry monitoring and advance notifications — for accounting offices managing dozens of tax IDs, that's a dedicated module, not a side feature.

The learning curve was real. XAdES-BES, key management, NIP/PESEL permission contexts — our first weeks of development were slower than the token route would have been.

Even so, six months before the token shutdown, we're migrating exactly nobody. Our customers face no change whatsoever on January 1, 2027. That was the entire bet.

What to do in 2026 — pre-shutdown checklist

  1. Find out what your integration runs on. If your invoicing software connects to KSeF with a token, your deadline is December 31, 2026.

  2. Ask your vendor for a concrete migration plan. Specifically: do they support certificate type 1 and type 2, and since when.

  3. Obtain your certificate early. Apply through the KSeF 2.0 Taxpayer Application after authenticating with Profil Zaufany or a qualified signature. Don't wait for December.

  4. Running a company (not a sole proprietorship)? Get a qualified electronic seal. A certificate issued on the company's NIP requires seal-based authentication, and procurement takes time.

  5. Plan certificate governance. Separate certificates for the owner, the accounting team, and each sales system mean revoking one doesn't paralyze the rest.

  6. Track the expiry date. Certificates last at most 2 years — set a renewal reminder or use a tool that watches it for you.

Bottom line

KSeF tokens were a bridge solution, and on December 31, 2026 the bridge closes. Certificates aren't just a new login method — they're the only path to offline invoicing modes and a cleaner access-management model.

With Biurko there's no migration to plan, because our KSeF integration has run on certificates — type 1 and type 2, with automatic expiry monitoring — since day one. Start a free 14-day trial at biurko.io and enter 2027 with zero technical debt.

FAQ

When do KSeF tokens stop working?

KSeF tokens work until December 31, 2026. From January 1, 2027, KSeF certificates are the only authentication method for Poland's e-invoicing system. During the transition (from February 1, 2026) both run in parallel, but tokens don't support offline invoicing modes.

What is a KSeF certificate?

A KSeF certificate is an electronic identity credential used to authenticate with Poland's national e-invoicing system, similar in concept to a qualified signature. Unlike tokens, it carries no embedded permissions — KSeF checks the holder's current permissions at each login based on their NIP or PESEL identifier.

What's the difference between type 1 and type 2 certificates?

Type 1 certificates authenticate you in KSeF for interactive and batch API sessions. Type 2 certificates are required to stamp invoices issued in offline modes (offline24, system unavailability, emergency mode) with identity-verification codes. They're issued separately — one certificate can't cover both uses.

How do foreign-owned companies in Poland get a KSeF certificate?

The company applies via the KSeF 2.0 API or Taxpayer Application after authenticating with a qualified electronic seal issued on the company's Polish NIP. The certificate is valid for up to 2 years, and the company can issue multiple certificates for different teams or systems.

What happens if I'm still on a token in 2027?

From January 1, 2027, token-based authentication simply stops working — your invoicing software loses its KSeF connection. Since penalties for KSeF non-compliance also apply from that date, migrate to certificates well within 2026 rather than at the deadline.

Tags

#KSeF
Share
Back to blog

Previous article

Most Common KSeF Invoice Submission Errors and How to Fix Them

Next article

KSeF Login via Profil Zaufany: A Step-by-Step Guide Without the Jargon

Stay in the Loop

Get notified when we publish new articles. No spam, unsubscribe anytime.

We respect your privacy. Unsubscribe at any time.

Cookies

We use cookies to keep the service running and — with your consent — to improve it. You can accept all, reject the optional ones, or customize your choices. Cookie Policy