FirmaSAT Validation REST API


The FirmaSAT Validation REST API provides a REST (REpresentational State Transfer) interface to the FirmaSAT On-line Validator.

Summary

The FirmaSAT Validation REST API has only one endpoint and accepts just one method (POST). All communication is in JSON. The API does one thing: it validates a SAT CFDi[note] XML document. The response contains all the information provided at the On-line Validator but in JSON form. There is YAML documentation in OpenAPI format below.

The API validates 3 things:

  1. That the XML data is well-formed and is valid in accordance with the SAT specifications.
  2. That the signature (Sello node) is valid against the X.509 certificate in the Certificado node.
  3. That the TimbreFiscalDigital (TFD) element, if present, is valid using the public key in the PAC's certificate that counter-signed it. You must provide this certificate in your request if you wish to validate the TFD.

[note] As well as CFDi, it can also validate Retenciones and Contabilidad and Controles Volumetricos documents. See Supported Document Types.

Endpoint URL and Method

The endpoint URL is
https://di-mgt.com.au/cryptosys/api/fsa_validation
Only the POST method is accepted. There are no URL parameters or query parameters. The only header should be "Content-Type: application/json".

Note that this API is provided on our di-mgt.com.au site (because our cryptosys.net site is on an AWS S3 static platform).

API token

You need an API token to use this service. Get a free api-token here. For the moment, users are limited to 200 requests per calendar month and rate-limiting is enforced. We'll review this limit once we get an idea of demand. If you intend to do bulk requests, please contact us and we'll work something out.

Request Body

The JSON request format is
{
  "api-token": "<your API token>",
  "xmldata": "<input XML data>",
  "pac-cert": "<optional certificate data for PAC>"
}
Encode the input XML data in JSON-compatible form, and encode the pac-cert as a base64 string (with or without the "-----BEGIN CERTIFICATE" PEM-style encapsulation). See the Python and Javascript code examples below.

Response Format

{
  "status": "success|partialsuccess|error",
  "validation-result": { "<results in JSON form>" },
  "timestamp": "2026-05-27T03:58:57+00:00",
  "reference": "181106cc9b"
}
The validation-result object contains all the information provided at the FirmaSAT On-line Validator but in JSON form. See the Example below.

Status results

"status":"success" means that all three validations succeeded:

"xml-valid": true,
"signature-valid": true,
"tfd-valid": true

"status":"error" means that nothing succeeded:

{"status":"error","message":"bad-json"}

"status":"partialsuccess" means that the input was valid but at least one of the three validations failed. Check the *-valid fields and the corresponding error messages. For example:

"tfd-valid": false,
"tfd-error": "no certificate was provided.",
"xml-valid": false,
"xml-error": "XML structure is NOT valid.",

Example

Python code

Here is a suggested REST validation client in Python for the FirmaSAT validation service:
validation_rest.py
Note that a large part of this code is spent dealing with the (optional) PAC certificate and the different ways it may be passed to the program (binary certificate file, PEM textual file, base64 string). The key parts of the code are:
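import json
import requests

url = "https://di-mgt.com.au/cryptosys/api/fsa_validation"
api_token = "YOUR_API_TOKEN_HERE"  # Replace with your own api-token
xmlfile = "cfdi.xml"  # Placeholder: path to the XML document to validate
# Read the XML document as text; requests JSON-encodes it in the payload
with open(xmlfile, encoding="utf-8") as f:
    xml_content = f.read()
cert_content = ""  # or base64 representation of PAC's certificate
payload = {"api-token": api_token, "xmldata": xml_content, "pac-cert": cert_content}
# POST the JSON body; json= sets the "Content-Type: application/json" header
response = requests.post(url, json=payload, timeout=30)
data = json.loads(response.text)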
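
The following is an added example, not part of validation_rest.py or of the original page. It shows one way to normalise the PAC certificate into the base64 form the "pac-cert" field expects and to evaluate a response so that only a result with all three checks passing is accepted. The function names are hypothetical, and it assumes that the *-valid and *-error fields sit inside "validation-result" and that every check follows the "<name>-error" naming shown for xml and tfd.

```python
import base64

# Assumption: the *-valid / *-error fields listed under "Status results"
# sit inside the "validation-result" object of the response.
CHECKS = ("xml", "signature", "tfd")


def pac_cert_to_base64(raw: bytes) -> str:
    """Normalise a PAC certificate (DER, PEM or bare base64) for "pac-cert"."""
    if not raw:
        return ""  # no certificate: the service cannot validate the TFD
    if raw[:1] == b"\x30":  # binary DER starts with an ASN.1 SEQUENCE tag
        return base64.b64encode(raw).decode("ascii")
    lines = [ln.strip() for ln in raw.decode("ascii").splitlines()]
    b64 = "".join(ln for ln in lines if not ln.startswith("-----"))
    der = base64.b64decode(b64, validate=True)  # ValueError on non-base64 text
    if der[:1] != b"\x30":
        raise ValueError("pac-cert does not decode to a DER structure")
    return b64


def build_payload(api_token: str, xml_text: str, pac_cert: bytes = b"") -> dict:
    """Request body in the format shown under "Request Body"."""
    return {"api-token": api_token, "xmldata": xml_text,
            "pac-cert": pac_cert_to_base64(pac_cert)}


def failed_checks(response: dict) -> dict:
    """Map each check that did not pass to its message; {} means accept."""
    status = response.get("status")
    if status == "error":
        return {"request": response.get("message", "no message returned")}
    result = response.get("validation-result") or {}
    failures = {}
    for name in CHECKS:
        # Fail closed: a missing or non-boolean field counts as a failure.
        if result.get(f"{name}-valid") is not True:
            failures[name] = result.get(f"{name}-error", "no error message returned")
    if status != "success" and not failures:
        failures["status"] = f"unexpected status {status!r}"
    return failures


if __name__ == "__main__":
    # Constructed sample response (not real service output).
    sample = {"status": "partialsuccess", "validation-result": {
        "xml-valid": True, "signature-valid": True,
        "tfd-valid": False, "tfd-error": "no certificate was provided."}}
    print(failed_checks(sample))
```

Pass the parsed JSON response to failed_checks() and accept the document only when it returns an empty dict; a "partialsuccess" caused by an omitted pac-cert is reported as a tfd failure.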

Javascript code

And a similar REST validation client in Javascript:
validation_rest.js

YAML documentation

Here is OpenAPI YAML documentation.

Disclaimer

Provided for information purposes only. No warranties. Use at your own risk. See the full Disclaimer here.

Contact us

To contact us or comment on this page, please send us a message.

This page first published 17 June 2026. Last updated 17 June 2026