Sandbox live & free

KRA eTIMS compliance in 10 lines of code.

TaxID manages your VSCU JAR, cmcKey lifecycle, offline queuing, and Z-reports. Your team makes one API call. We handle everything KRA requires.

VSCU Spec v2.0 compliant · AES-256-GCM at rest · KDPA 2019 §4.7

from kra_etims_sdk import TaxIDClient

client = TaxIDClient(
    client_id="txs_sb_••••••••",
    client_secret="sk_sb_••••••••••••"
)

receipt = client.sign_sale(
    supplier_pin="A000123456B",
    amount=5800.00,
    tax_band="B",          # 16% standard VAT
    tax_amount=800.00,
    buyer_pin="P051234567X",
    buyer_name="Acacia Enterprises Ltd",
    item_description="MacBook Pro M3"
)

print(receipt.cu_invoice_number)
# KRACU0100000001/152 NS

curl -X POST https://api.taxid.co.ke/v2/etims/sale \
  -H "X-API-Key: txs_sb_••••••••" \
  -H "Content-Type: application/json" \
  -d '{
    "supplierPin":     "A000123456B",
    "amount":          5800.00,
    "taxBand":         "B",
    "taxAmount":       800.00,
    "buyerPin":        "P051234567X",
    "buyerName":       "Acacia Enterprises Ltd",
    "itemDescription": "MacBook Pro M3"
  }'

Response 200 OK · SIGNED
{
  "status":           "SIGNED",
  "purchaseId":      152,
  "cuInvoiceNumber": "KRACU0100000001/152 NS",
  "sdcId":           "KRACU0100000001",
  "receiptSignature":"A1B2C3D4E5F6...",
  "kraQrPayload":    "11032026#143022#KRACU...",
  "vscuTimestamp":   "20260311143022"
}

KRA eTIMS is law, not a recommendation. Effective 1 January 2026, every VAT-registered business in Kenya must transmit invoices in real-time via eTIMS. Non-compliant invoices are ineligible for expense deduction under Section 16(1)(c) of the Income Tax Act — and iTax is actively cross-referencing 2025 expense claims against PIN numbers on transmitted invoices.

The alternative

Here's what direct eTIMS integration actually requires.

Before your first signed receipt, you own all of this. Every item is a production incident waiting to happen.

01

Obtain a VSCU JAR from KRA

The JAR is not publicly downloadable. It requires formal device registration and KRA approval. Approval timelines are not published and not guaranteed.

Ops

02

Deploy it as a persistent stateful sidecar

One JAR instance per branch — no horizontal scaling. Kubernetes StatefulSet with a dedicated PVC. One misconfigured volume mount overwrites your device state and resets your KRA activation.

Ops

03

Manage the cmcKey lifecycle

The cryptographic machine code key must be AES-256-GCM encrypted at rest. It cannot appear in logs, stack traces, environment variable dumps, or Kubernetes secret output. Key rotation must be hot, zero-downtime, and auditable.

Legal

04

Enforce the 24-hour offline hard ceiling

Per VSCU Spec v2.0 §2.2 Policy 4: after 24 hours without KRA connectivity, the VSCU JAR stops issuing receipt numbers. No workaround exists. You must monitor connectivity continuously and auto-generate KRA Downtime Notification Letters at the 15-minute mark.

Hard limit

05

Run daily X/Z reports at exactly 23:59 EAT

Z-reports reset the VSCU day counter — irreversible per KRA TIS v2.0 §21.6.1. Your retry logic must be bounded to 3 attempts maximum to prevent a duplicate day-reset if the original command was processed but the HTTP response was lost.

Legal

06

Monitor receipt sequence integrity continuously

Gaps in the rcptNo sequence trigger KRA audit flags. Duplicates on the same sdcId are a compliance violation. You need gap detection, duplicate detection, and a physical UNIQUE(sdc_id, rcpt_sequence_number) DB constraint.

Legal

07

Build durable offline queuing from scratch

Three-phase outbox protocol to prevent double-signing. SHA-256 payload validation before every replay. Exponential backoff with jitter. Survives pod restarts. Replay in chronological order. Back-fill all signed receipt fields into the original purchase record.

Hard

08

Maintain strict per-tenant isolation at the DB layer

Row-level security on every table. Distinct AES-256-GCM keys per branch. Branch 001 must never be able to read the Electronic Journal or cmcKey of Branch 002. KDPA 2019 §4.7 compliance is a legal obligation, not optional hardening.

Legal
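
An added example of the three-phase outbox from item 07, not TaxID's code. The state names (QUEUED, SIGNING, SIGNED, CORRUPT), the table layout and the sign callback are assumptions, and SQLite stands in for the PostgreSQL queue.

```python
import hashlib
import json
import sqlite3

def open_outbox() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # SQLite stands in for the PostgreSQL queue
    db.execute("""CREATE TABLE outbox (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        created_at TEXT NOT NULL,              -- ISO-8601, sorts chronologically
        payload TEXT NOT NULL,
        sha256 TEXT NOT NULL,
        state TEXT NOT NULL DEFAULT 'QUEUED',  -- QUEUED/SIGNING/SIGNED/CORRUPT
        receipt TEXT)""")
    return db

def digest(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def enqueue(db, created_at: str, payload: dict) -> None:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    with db:  # phase 1: the intent is durable before any signer call
        db.execute("INSERT INTO outbox (created_at, payload, sha256) VALUES (?, ?, ?)",
                   (created_at, body, digest(body)))

def replay(db, sign) -> list:
    """Replay QUEUED rows oldest first; return the ids signed in this run."""
    signed = []
    rows = db.execute("SELECT id, payload, sha256 FROM outbox "
                      "WHERE state = 'QUEUED' ORDER BY created_at, id").fetchall()
    for row_id, body, expected in rows:
        if digest(body) != expected:  # payload changed since it was queued
            with db:
                db.execute("UPDATE outbox SET state = 'CORRUPT' WHERE id = ?", (row_id,))
            continue
        with db:  # phase 2: claim the row and commit before calling the signer
            cur = db.execute("UPDATE outbox SET state = 'SIGNING' "
                             "WHERE id = ? AND state = 'QUEUED'", (row_id,))
        if cur.rowcount != 1:
            continue  # another worker already claimed it
        # A crash or lost response here leaves the row in SIGNING. It is never
        # replayed automatically, so the signer cannot be called twice for it.
        receipt = sign(json.loads(body))
        with db:  # phase 3: back-fill the signed receipt
            db.execute("UPDATE outbox SET state = 'SIGNED', receipt = ? WHERE id = ?",
                       (receipt, row_id))
        signed.append(row_id)
    return signed
```

Rows left in SIGNING need a separate reconciliation step against the signer's own journal before anyone decides whether to re-sign them.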

Or call our API.

We've built and operate all of the above. It took us months.

Integration

Three steps. One afternoon.

Most teams are signing receipts in their sandbox environment within a few hours of receiving credentials.

Step 01

Get credentials

Fill in the form below. We provision your sandbox environment and send you a client_id and client_secret pointed at KRA's sandbox — the same VSCU device, isolated from production.

APP_ENVIRONMENT=SANDBOX

Step 02

Integrate

Install the Python SDK or call the REST API directly. One function call per transaction — sign a sale, issue a credit note, adjust stock. The offline queue and Z-reports require zero code on your end.

pip install kra-etims-sdk

Step 03

Go live

When you're ready, swap your sandbox credentials for production credentials. We handle KRA VSP certification, VSCU deployment, and cmcKey provisioning on our side. Your integration code doesn't change.

Swap credentials. Ship.

Your ERP / POS (REST + API key) → HTTPS → TaxID API (:8080 · Spring Boot) → localhost:8088 → VSCU JAR (KRA-issued · stateful) → encrypted → KRA eTIMS (GavaConnect API)

What's included

Production-grade compliance infrastructure, fully managed.

Every feature below is live and battle-tested against KRA's sandbox environment.

Offline-first resilience

PostgreSQL-backed queue survives pod restarts. Three-phase outbox ensures the VSCU is never called twice for the same transaction — no duplicate receipt numbers. Replay in chronological order on KRA restore.

SHA-256 payload validation · exponential backoff

Automated Z-reports

Daily Z-reports auto-submit at 23:59 EAT. Bounded to 3 retry attempts — the VSCU day-reset is irreversible per KRA TIS v2.0 §21.6.1. After 3 failures, a CRITICAL alert fires and automatic retrying permanently stops.

ZReportScheduler · DailyZReportRetryWorker

Strict tenant isolation

Row-level security enforced at the PostgreSQL layer. Distinct AES-256-GCM keys per branch. Branch 001 cannot read Branch 002's Electronic Journal or cmcKey — guaranteed at the database constraint level, not just application logic.

pgcrypto · per-branch key material · KDPA §4.7

Supplier onboarding gateway

Send unregistered suppliers a confirmation request via SMS or WhatsApp. On YES reply, TaxID generates a Category 5 reverse invoice on their behalf. For suppliers below KShs 5M turnover who can't issue eTIMS receipts independently.

Africa's Talking · WhatsApp Cloud API

Receipt integrity monitoring

Monotonic sequence counter on every rcptNo. Continuous gap and duplicate detection. Physical database constraint on (sdc_id, rcpt_sequence_number). You know before KRA does.

KRA_AUDIT_RISK error class · DB UNIQUE constraint

cmcKey lifecycle management

AES-256-GCM encrypted at rest. Zero-downtime hot rotation without a pod restart. Version-tracked per device — every rotation increments an audit column. The raw key never appears in logs, stack traces, or API responses.

CmcKeyRotationService · version-tracked per device
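
For the receipt integrity monitoring described above, an added example (not TaxID's code) of the UNIQUE(sdc_id, rcpt_sequence_number) constraint rejecting a duplicate, plus a per-device gap scan. SQLite stands in for PostgreSQL; the table layout and function names are assumptions.

```python
import sqlite3

def open_journal() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # SQLite stands in for PostgreSQL
    db.execute("""CREATE TABLE receipts (
        sdc_id TEXT NOT NULL,
        rcpt_sequence_number INTEGER NOT NULL CHECK (rcpt_sequence_number > 0),
        cu_invoice_number TEXT NOT NULL,
        UNIQUE (sdc_id, rcpt_sequence_number))""")
    return db

def record_receipt(db, sdc_id: str, seq: int, cu_invoice_number: str) -> bool:
    """Store a signed receipt; False means the database rejected a duplicate."""
    try:
        with db:
            db.execute("INSERT INTO receipts VALUES (?, ?, ?)",
                       (sdc_id, seq, cu_invoice_number))
        return True
    except sqlite3.IntegrityError:
        return False  # same (sdc_id, rcpt_sequence_number) already stored

def find_gaps(db) -> dict:
    """Return {sdc_id: [(first_missing, last_missing), ...]} for each device.

    Each device is scanned from its lowest stored number, so numbers missing
    before the first stored receipt are not reported.
    """
    gaps, expected = {}, {}
    query = ("SELECT sdc_id, rcpt_sequence_number FROM receipts "
             "ORDER BY sdc_id, rcpt_sequence_number")
    for sdc_id, seq in db.execute(query):
        want = expected.get(sdc_id, seq)
        if seq > want:  # one or more numbers were skipped on this device
            gaps.setdefault(sdc_id, []).append((want, seq - 1))
        expected[sdc_id] = seq + 1
    return gaps
```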
Early access

Sandbox is free. Production pricing is being finalized.

We're onboarding early partners now. Waitlist members get sandbox access immediately, input on pricing before it's published, and guaranteed early access to production.

Questions

The things developers actually ask.

We are currently pursuing KRA VSP (VSCU Service Provider) certification. The sandbox environment runs against KRA's own test infrastructure. Production credentials will be issued after certification completes. We will notify everyone on the waitlist when production access opens — we are not going to quietly slip that past you.

The offline queue is PostgreSQL-backed and survives pod restarts. When KRA connectivity drops, the VSCU JAR continues signing locally — this is a KRA-enforced capability, not something we built. You get an alert at 15 minutes of disconnection, and a critical alert at 20 hours. At 24 hours, the VSCU hard-stops per KRA VSCU Spec v2.0 §2.2 Policy 4 — this is a KRA limit, not ours. When connectivity restores, queued transactions replay automatically in chronological order. KRA Downtime Notification Letters are generated automatically at 15 minutes.

Each merchant branch maps to an isolated tenant with its own API key, AES-256-GCM encryption key, Electronic Journal, and VSCU device. Row-level security at the PostgreSQL layer enforces isolation — one tenant cannot query another's data. This is KDPA 2019 §4.7 compliant. If you're building an ISV platform serving multiple merchants, reach out for the multi-branch management API and volume pricing. That's the ISV/Enterprise tier.

Band B = 16% standard VAT. Not Band A. This mapping is routinely inverted. Per KRA VSCU/OSCU Specification v2.0 §4.1: A = Exempt (0%), B = Standard VAT (16%), C = Zero-Rated (0%), D = Non-VAT (0%), E = Special Rate (8%, petroleum). We maintain a full eTIMS error code and tax band reference covering all 30 KRA resultCd values, including production-only codes absent from the official KRA spec document.

VSCU (Virtual Sales Control Unit) is a KRA-issued JAR file deployed on your infrastructure. It signs receipts locally and can operate offline for up to 24 hours — critical for POS systems with unreliable connectivity. OSCU is KRA's cloud-hosted signing service — no JAR to deploy, but no offline capability. TaxID uses VSCU for resilience. OSCU support is planned for a future phase.

The core API is REST — any language that can make an HTTPS request works. We have a first-class Python SDK (kra-etims-sdk) built for high-throughput workloads. If your stack is Odoo, ERPNext, Sage, or a custom Java/PHP backend, the REST API integrates cleanly. Node.js and PHP SDKs are planned. Reach out if you need help scoping an integration for a specific ERP.

Early access

Get sandbox credentials.

Sandbox is live and free. We provision credentials manually during early access — usually within one business day.

Production access opens after KRA VSP certification. Everyone on this list gets notified first, ahead of any public launch.

Developers already waiting from POS, ERP, accounting SaaS, and SACCO platforms across Kenya.

No spam. No sales call unless you ask for one.
One email when your credentials are ready.
