Mexico's SAT (Servicio de Administración Tributaria) exposes authenticated SOAP services for fiscal data including issued and received CFDI invoices, compliance opinion (32-D), fiscal status certificate, tax regimes, and the 69-B blacklist of taxpayers with non-existent operations. CRiskCo abstracts these SOAP services into a modern REST/JSON API.

Which authorization method does CRiskCo use?

CRiskCo's SAT onboarding runs exclusively on CIEC (the taxpayer's SAT password). SAT also offers e.firma (.cer/.key) as an authorization mechanism, but CRiskCo does not currently require or accept e.firma files. CIEC is sufficient for the services we offer: CFDI extraction, RFC validation, compliance opinion, fiscal certificate, FinScore, and continuous monitoring.

What are CIEC and e.firma?

CIEC (the SAT password, formerly 'CIECF') is an 8-character alphanumeric password the taxpayer creates in the SAT portal. e.firma (formerly FIEL) is a digital certificate consisting of a .cer file (public), a .key file (private), and a key password; it is valid for 4 years. Both authorize access to fiscal data, but e.firma additionally enables electronic signing of documents. For data-read integrations, CIEC is the industry standard.

How long does SAT onboarding take with CRiskCo?

After submitting the CIEC to the OnboardingSatIntegration endpoint, initial processing takes 30 seconds to 5 minutes. Full historical CFDI download can take 1 to 4 hours depending on volume. Status is polled via GET /get-applicants?onboardingStatus=true until status returns 'Available'.

Does the CIEC expire?

The CIEC itself doesn't expire by time, but it stops working if the taxpayer changes it in the SAT portal or if SAT invalidates it for security reasons. CRiskCo detects invalid credentials automatically and sends a webhook so the client can request the new password from the taxpayer.

What data can I get from SAT via API?

The main ones: issued and received CFDI (income, expenses, payroll, payments, transfers), compliance opinion (32-D positive/negative), fiscal status certificate, active tax regimes, fiscal obligations, fiscal address, 69-B list (EFOS/EDOS), and RFC validation.

Is it legal to access SAT data through a third party?

Yes, as long as there is explicit taxpayer consent and compliance with Mexico's Federal Law on Protection of Personal Data Held by Private Parties. CRiskCo operates as a data processor under service agreements and maintains SOC 2 certification.

What is the Compliance Opinion (32-D)?

An SAT-issued document indicating whether a taxpayer is current with their fiscal obligations. The API exposes the result as PayingTax with value 'POSITIVO' (compliant) or 'NEGATIVO' (non-compliant), accompanied by the list of pending obligations when applicable. It's required for public-sector contracts and many credit operations.

How do I validate an RFC against SAT?

Via the ValidateRFC endpoint (single, GET with rfc, name, postal query params) or ValidateRFCBulk (up to 5,000 RFCs in one call). SAT confirms whether the RFC exists, is active, and matches the legal name. It's the foundation of any KYS/KYB flow in Mexico.

Is there a sandbox or free trial?

Yes. Registering at app.criskco.com issues test credentials (test-mode apiId/apiKey) that return sandbox data at no cost. There is no separate endpoint: the same base URL responds with real or sandbox data depending on the key used.

What happens if SAT is down?

SAT has maintenance windows and intermittent incidents. CRiskCo implements exponential retries, caches the last valid responses, and publishes real-time service status at /sat-service-status-mexico.

What's the difference between API integration and scraping the SAT portal?

Scraping the SAT portal violates terms of service, is fragile against UI changes, and gets blocked easily. CRiskCo uses SAT's official SOAP services with valid taxpayer authorization (CIEC), which is the legally recognized and operationally stable method.

Are there API rate limits?

Yes. Rate limits depend on the plan and are tailored to the use case. When exceeded, the API responds with HTTP 429 and includes a Retry-After header. For Enterprise volumes, contact the sales team.

How do I receive change notifications?

Register your URL with POST /Subscriptions sending { CallbackUrl }. CRiskCo first issues a GET validation request to that URL — your server must respond HTTP 200 within 2 seconds. After that you'll receive POST events in one of two modes: FileType='JSON' (full payload inline in the APIResponse field) or FileType='JSON_LINK' (signed download URLs in DownloadUrlList). Every event includes SubscriptionId, ReferrerId, WebhookUrl, ApiServiceName, applicantId, and refApplicantId. List subscriptions with GET /Subscriptions and delete them with POST /Subscriptions?id={SubscriptionId}.

SAT API Integration in Mexico

Connect SAT fiscal data to your product via CIEC: key endpoints, JSON responses, continuous monitoring, and a technical FAQ — all in one hub.

Developer resources

Five resources, five purposes. Pick the one that matches where you are in your integration.

You are here

SAT Integration Hub

Start here: what the SAT API exposes, how CRiskCo abstracts SOAP/CIEC, and technical FAQ.

API Integration Guide

End-to-end walkthrough: authentication, integration models (Approve / White-label / Webhook), and the full endpoint catalog.

Go to page

Code Samples

Copy-paste snippets in Python, Node.js, and cURL for every common flow.

Go to page

Tutorials

Step-by-step beginner guides: first request, authentication, and monitoring.

Go to page

API Docs

Complete technical reference: every endpoint, parameter, response schema, and error code.

Open docs

What the SAT API exposes

Mexico's SAT (Servicio de Administración Tributaria) provides authenticated SOAP services to access taxpayer fiscal data. These include issued and received CFDIs, the 32-D compliance opinion, fiscal status certificate, tax regimes and obligations, the 69-B list (EFOS/EDOS), and RFC validation. Direct integration requires credential handling, XML/SOAP parsing, session token management, and handling SAT maintenance windows.

CRiskCo abstracts all that complexity behind a modern REST/JSON API with apiId/apiKey authentication, webhooks, automatic retries, and continuous monitoring. It's the standard way used by banks, SOFOMs, fintechs, and accounting firms in Mexico to connect SAT data to their systems.

SAT authorization methods: CIEC and e.firma

SAT allows two ways to authorize access to fiscal data. Here we explain both and which one CRiskCo uses today.

CRiskCo runs SAT onboarding with CIEC

We currently accept only the taxpayer's CIEC password. We do not require or store e.firma .cer/.key files. CIEC is sufficient for all services we offer: CFDI extraction, RFC validation, 32-D compliance opinion, fiscal certificate, FinScore, and continuous monitoring.

Attribute	CIEC	e.firma
What it is	8-character SAT password	Digital certificate (.cer + .key + password)
Validity	Indefinite (until the taxpayer changes it)	4 years, renewable
Can sign documents	No	Yes (advanced electronic signature)
Read fiscal data	Yes (CFDI, RFC, regimes, 32-D opinion, certificate)	Yes (same data)
Supported by CRiskCo today	Yes	No

Onboarding flow (CIEC)

1Collect RFC, CIEC password, email, and terms acceptance from the taxpayer.
2Call POST /OnboardingSatIntegration with the payload {IsAgreeTerms, DateAgreeTerms, VersionAgreeTerms, Email, User, Password, RefApplicantId}.
3Poll GET /get-applicants?taxId=RFC&onboardingStatus=true every 5–10 seconds until status='Available'.
4Call data endpoints: /applicantinfo, /GetCompanyTaxStatus, /GetCompanyFiscalDetails, /GetHistoricalFinscore.
5Register a webhook with POST /Subscriptions to receive automatic updates.

Runnable snippets at Code Samples.

Key endpoints with JSON responses

Base URL: https://service.criskco.com/apiservice.svc. Required headers on every call: apiId, apiKey, Content-Type: application/json.

OnboardingSatIntegration

Applicant onboarding with their CIEC password.

Request

POST /apiservice.svc/OnboardingSatIntegration
Headers: apiId, apiKey, Content-Type: application/json

{
  "IsAgreeTerms": true,
  "DateAgreeTerms": "2026-04-16",
  "VersionAgreeTerms": "1",
  "Email": "contact@empresa.com",
  "User": "GAPXXXXXXXXX",
  "Password": "CIEC_PASSWORD",
  "RefApplicantId": "loan-app-00482"
}

Response

{
  "success": true,
  "applicantId": "1000143693",
  "RefApplicantId": "loan-app-00482",
  "message": "Applicant onboarding initiated"
}

GET /get-applicants

List applicants and their onboarding status (poll after OnboardingSatIntegration).

Request

GET /apiservice.svc/get-applicants?taxId=GAPXXXXXXXXX&onboardingStatus=true

Query params: refApplicantId · taxId · onboardingStatus · fullResponse

Response

{
  "responseDetails": "Data retrieved successfully",
  "success": true,
  "ApiApplicantData": {
    "applicantId": "1000143693",
    "taxId": "GAPXXXXXXXXX",
    "onboardingStatus": "Available"
  }
}
// Use fullResponse=true for the complete dataset (financials, blackLists).
// See full schema at api-docs.criskco.com.

GET /ValidateRFC

Validates a single RFC against SAT (existence, status, and name match).

Request

GET /apiservice.svc/ValidateRFC?rfc=GAPXXXXXXXXX&name=GAP&postal=06600

Response

{
  "Success": true,
  "message": "RFC valid and active",
  "rfc": "GAPXXXXXXXXX"
}

POST /ValidateRFCBulk

Bulk validation: up to 5,000 RFCs in one call (plain text, one RFC per line).

Request

POST /apiservice.svc/ValidateRFCBulk
Headers: apiId, apiKey
Content-Type: multipart/form-data

file=@rfcs.txt   // one RFC per line, or RFC|Name|Postal pipe-separated

Response

// Returns plain-text results, one line per RFC.
// See API Docs for the exact format and runnable snippets in Code Samples.

GET /GetCompanyTaxStatus

Compliance Opinion (32-D). Returns PayingTax (POSITIVO/NEGATIVO) and pending obligations.

Request

GET /apiservice.svc/GetCompanyTaxStatus?taxId=GAPXXXXXXXXX

Response

{
  "CompanyTaxStatus": [
    {
      "taxId": "GAPXXXXXXXXX",
      "PayingTax": "NEGATIVO",
      "RetrievedAt": "2026-04-15T08:30:00Z",
      "CompanyObligationsList": [
        { "Obligation": "ISR Mensual", "Month": 2, "Year": 2026 },
        { "Obligation": "IVA Mensual", "Month": 2, "Year": 2026 }
      ]
    }
  ]
}

GET /GetCompanyFiscalDetails

Fiscal Status Certificate: legal name, regimes, obligations, and fiscal address.

Request

GET /apiservice.svc/GetCompanyFiscalDetails?taxId=GAPXXXXXXXXX

Response

// Shape varies. See full reference at api-docs.criskco.com.
// Includes: legalName, regimes[], obligations[], fiscalAddress, registrationDate.

GET /GetHistoricalFinscore

Monthly history of the FinScore (CRiskCo's proprietary credit model).

Request

GET /apiservice.svc/GetHistoricalFinscore?taxId=GAPXXXXXXXXX

Response

// Returns a HistoricalFinscores array with monthly entries
// (Year, Month, FinScore). See full schema at api-docs.criskco.com.

POST /Subscriptions

Request

POST /apiservice.svc/Subscriptions
Headers: apiId, apiKey, Content-Type: application/json
{ "CallbackUrl": "https://yourdomain.com/webhooks/criskco" }

// CRiskCo issues a GET to CallbackUrl for validation —
// your server must reply HTTP 200 within 2 seconds.

Response

{
  "success": true,
  "responseDetails": "Subscription 1 created successfully",
  "ApiSubscriptionData": [
    {
      "Active": true,
      "CallbackUrl": "https://yourdomain.com/webhooks/criskco",
      "ReferrerId": "your_referrer_id",
      "SubscriptionId": 1
    }
  ]
}

Full endpoint catalog in the API Integration Guide and detailed reference at api-docs.criskco.com.

Frequently asked questions

Technical answers to the most common questions about integrating with the SAT API.

Ready to integrate the SAT API

Get free sandbox credentials and start testing in minutes. No credit card required.

Explore More

navAPIGuide navCodeSamples API Tutorials SAT Status Compliance for Accounting Firms

SAT API Integration in Mexico

Developer resources

SAT Integration Hub

API Integration Guide

Code Samples

Tutorials

API Docs

What the SAT API exposes

SAT authorization methods: CIEC and e.firma

CRiskCo runs SAT onboarding with CIEC

Onboarding flow (CIEC)

Key endpoints with JSON responses

OnboardingSatIntegration

GET /get-applicants

GET /ValidateRFC

POST /ValidateRFCBulk

GET /GetCompanyTaxStatus

GET /GetCompanyFiscalDetails

GET /GetHistoricalFinscore

POST /Subscriptions

Frequently asked questions

What is the SAT API?

Which authorization method does CRiskCo use?

What are CIEC and e.firma?

How long does SAT onboarding take with CRiskCo?

Does the CIEC expire?

What data can I get from SAT via API?

Is it legal to access SAT data through a third party?

What is the Compliance Opinion (32-D)?

How do I validate an RFC against SAT?

Is there a sandbox or free trial?

What happens if SAT is down?

What's the difference between API integration and scraping the SAT portal?

Are there API rate limits?

How do I receive change notifications?

Ready to integrate the SAT API

Explore More