KSeF permissions and API token: access governance for finance teams

An API token without internal control may be a bigger risk than the KSeF implementation itself.

11.05.2026 · 7 min read · KSeF / ERP / Internal controls

01 KSeF access must separate employee permissions, technical API tokens, ERP integrations and governance ownership.
02 A shared or unmanaged token can bypass normal invoice approval and create cybersecurity and tax-risk exposure.
03 Finance should own the control framework, even if IT owns the integration technology.
Executive summary for finance governance:
KSeF access governance is not only an IT configuration task. It is a finance control environment covering who can issue, receive, view, authorise and technically transmit invoices. API tokens should have a named owner, limited scope, rotation rules and an audit trail.

Four access layers that must be separated

Layer                 | Purpose                              | Risk
Employee permissions  | Named user access for invoice work   | Former employees or excessive rights
API token             | Technical system access              | Uncontrolled invoice transmission
ERP integration       | Automated data exchange              | Incorrect mapping or missing validation
Governance            | Review, approval and monitoring      | No ownership of exceptions

Who should own the API token?

The token should have a business owner in finance and a technical custodian in IT. Finance decides the process risk, approval logic and exception handling. IT stores and protects the secret, manages integration security, rotates the token on schedule and logs technical events. Both names should be recorded in the access register, so that an unowned token is a finding rather than an unanswered question.

Segregation of duties

No single role should be able to create suppliers, change bank accounts, issue invoices, approve exceptions and manage the integration token without review. KSeF does not remove segregation of duties. It makes weak segregation more visible.
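The token rules in the executive summary (named owner, limited scope, rotation) and the segregation-of-duties rule above are both checks that can be run mechanically over an access register. The following is an added example, not code from the original article or from KSeF itself: it runs a segregation-of-duties check over a constructed role matrix and a governance check over a constructed token register. The duty names, scope labels, register fields, user names and the 90-day rotation limit are all assumptions made for illustration; KSeF's own permission model and API are not represented here.

```python
"""Added example: segregation-of-duties and token-register checks.

All duty names, scope labels, register fields and sample users below are
assumptions for illustration. They are not KSeF's own permission model.
"""
from datetime import date
from itertools import combinations

# Pairs of duties no single person should hold together without independent review
# (the combinations named in the article, expressed as unordered pairs).
CONFLICTING_DUTIES = {
    frozenset({"create_supplier", "change_bank_account"}),
    frozenset({"create_supplier", "issue_invoice"}),
    frozenset({"change_bank_account", "issue_invoice"}),
    frozenset({"issue_invoice", "approve_exception"}),
    frozenset({"approve_exception", "manage_token"}),
}

# Constructed sample access matrix: role -> duties granted, user -> roles held.
ROLE_DUTIES = {
    "ap_clerk": {"issue_invoice"},
    "master_data": {"create_supplier", "change_bank_account"},
    "finance_manager": {"approve_exception"},
    "integration_admin": {"manage_token"},
    "auditor": {"view_invoice"},
}
USER_ROLES = {
    "anna": {"ap_clerk"},
    "bartek": {"master_data", "ap_clerk"},               # creates suppliers and issues invoices
    "celina": {"finance_manager", "integration_admin"},  # approves exceptions and manages the token
    "dawid": {"auditor"},
}

# Constructed sample token register. A token should name a business owner in finance,
# a technical custodian in IT, a narrow scope, one consuming system and a rotation date.
TOKEN_REGISTER = [
    {"id": "tok-erp-prod", "owner": "finance.manager", "custodian": "it.integration",
     "scope": {"send"}, "systems": {"ERP"}, "last_rotated": date(2026, 3, 1)},
    {"id": "tok-legacy", "owner": None, "custodian": "it.integration",
     "scope": {"send", "receive", "query", "manage"}, "systems": {"ERP", "OCR", "BI"},
     "last_rotated": date(2025, 6, 15)},
]


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted through every role the user holds."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a conflicting pair.

    Conflicts are evaluated on effective duties, so a user who is clean within each
    role but conflicted across two roles is still reported.
    """
    findings = {}
    for user in user_roles:
        duties = sorted(effective_duties(user, user_roles, role_duties))
        pairs = [pair for pair in combinations(duties, 2) if frozenset(pair) in conflicts]
        if pairs:
            findings[user] = pairs
    return findings


def token_findings(register=TOKEN_REGISTER, today=date(2026, 5, 11), max_age_days=90):
    """Return {token_id: [finding, ...]} for tokens failing the governance checks.

    The review date and the 90-day rotation limit are assumed values; set them to
    the organisation's own policy. A clean token produces no entry.
    """
    findings = {}
    for tok in register:
        issues = []
        if not tok.get("owner"):
            issues.append("no_business_owner")
        if not tok.get("custodian"):
            issues.append("no_technical_custodian")
        if len(tok["systems"]) > 1:
            issues.append("shared_by_multiple_systems")
        if "manage" in tok["scope"]:  # assumed label for a scope that can alter permissions
            issues.append("scope_includes_permission_management")
        if (today - tok["last_rotated"]).days > max_age_days:
            issues.append("rotation_overdue")
        if issues:
            findings[tok["id"]] = issues
    return findings


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        print(f"SoD conflict: {user}: {pairs}")
    for token_id, issues in token_findings().items():
        print(f"Token finding: {token_id}: {issues}")
```

Run as a script it lists two users with cross-role conflicts and one token that fails four of the five checks; the ERP production token, with a single owner, a single system, a narrow scope and a recent rotation, produces no finding. Replacing the constructed dictionaries with an export of the real role matrix and token register turns this into the quarterly review the FAQ below recommends.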

Emergency access

Emergency access should be temporary, approved, logged and reviewed after use. The review should identify which invoices were affected, whether manual intervention was necessary and whether the same access remains open.

Audit trail and monitoring

A useful audit trail shows who granted access, when it was used, which invoices were processed, which errors occurred and who closed the exception. This supports internal control, statutory audit and tax-risk management.

Frequently asked questions

Can one API token be used by several systems?
Technically it may be possible, but from a control perspective it is usually weak. When one token serves several systems, every transmission looks the same in the log, so an error or misuse cannot be attributed to the system that caused it, and revoking the token after an incident stops all of them at once. Separate tokens, or clearly identified technical accounts, one per integration and each with its own named owner, preserve accountability.
Should finance or IT own KSeF permissions?
Finance should own business permissions and invoice controls. IT should own security, integration and technical monitoring. Both responsibilities should be documented.
How often should access be reviewed?
At least quarterly during implementation and after go-live, and always after role changes, outsourcing changes or incidents.

Is your KSeF token controlled?

JMFC can review KSeF access matrices, token ownership and invoice authorisation controls from a finance-governance perspective.
