Generating an Authorization Token in Romania’s ANA...

mahesh_varma · ‎10-26-2023

Note: The steps and processes described here are accurate as of the time of writing, but it's essential to stay updated with any changes on the ANAF portal that may affect this procedure.

In this blog post, I will guide you through the process of generating an authorization token from Postman and ANAF's portal. This authorization token is essential for establishing a connection between SAP Document and Reporting Compliance, cloud edition and ANAF. This will allow you to submit and monitor electronic invoices from eDocument cockpit.

ANAF, which stands for Agenția Națională de Administrare Fiscală (National Agency for Fiscal Administration), enables you to electronically send and receive electronic invoices through their e-Invoicing platform.

Prerequisites:

You should be a registered user on the ANAF portal with a qualified digital certificate, holding one of the SPV PJ rights (legal representative, designated representative, or authorized representative). You can register in the SPV by visiting this link: https://www.anaf.ro/InregPersFizicePublic/#tabs-2.
After completing the registration process on the ANAF portal, you will receive a Client ID and Client Secret, which are required for the subsequent steps.

Now, let's go over the management URLs used for generating the authorization token:

Authorization Endpoint: https://logincert.anaf.ro/anaf-oauth2/v1/authorize
Token Issuance Endpoint: https://logincert.anaf.ro/anaf-oauth2/v1/token

Once you are registered on the ANAF portal, follow these steps to generate an authorization token:

Open Postman application and create a GET operation for the Authorization Endpoint.
Under the Authorization tab, complete the required fields as shown below:

Grant Type	Authorization Code
Callback URL	https://oauth.pstmn.io/v1/callback
Auth URL	https://logincert.anaf.ro/anaf-oauth2/v1/authorize
Access Token URL	https://logincert.anaf.ro/anaf-oauth2/v1/token
Client ID	<Enter the Client ID received during the registration process>
Client Secret	<Enter the Client Secret received during the registration process>
Client Authentication	Send as Basic Auth Header

- Check the 'Authorize using Browser' checkbox.

3. Click the 'Get New Access Token' button.

4. Since you've checked 'Authorize using Browser' in step 2, your browser will automatically open, and you will be prompted to select your certificate for authentication.
Note: Make sure you disable the pop-up blocker in the browser.

5. After a successful authentication, provide your ANAF portal username and password as prompted by the browser and click the 'OK' button.

6. A new token will be generated, and you will see a success message in the browser.

7. You will be automatically redirected back to Postman with a popup displaying the newly generated authorization token. Click the 'Use Token' button.

8. The new token will automatically populate the token field.

To configure the generated token with in the Business Technology Platform(BTP) portal, follow the documentation provided below:

If your business system is SAP S/4HANA Cloud, refer to Managing Communication Settings | SAP Help Portal.

If your business system is SAP S/4HANA, refer to Managing Communication Settings | SAP Help Portal
If your business system is SAP ERP, refer to Managing Communication Settings | SAP Help Portal

I hope you find this information useful. You can leave a comment on this blog or follow us for more information about SAP Document and Reporting Compliance here in SAP Community.

olivia_vorstheim · ‎10-27-2023

Very useful, thanks for sharing!

Vignesh_Sridhar · ‎10-27-2023

Hi Mahesh,

As of now, there is no automated procedure in DRC cloud edition to renew the access token using refresh token upon expiry.

Is there any plans to integrate this feature in DRC? Considering DRC, cloud edition comes with SAP Integration suite which already have this capability to renew the OAUTH access token based on access token automatically?

Thanks,

Vignesh Sridhar.

mahesh_varma · ‎10-28-2023

Hi Vignesh,

As of now, we haven't committed to any specific timelines for integrating the auto-renewal of access tokens in DRC. However, it is a topic under discussion for our future development plans. We will keep our customers informed through our communication channels once we have a concrete plan in place.

Best regards,
Mahesh Varma

GCET · ‎10-31-2023

Fantastic kmvarma_440 ! Super Essencial document. May I suggest to include this blog into following MAIN SAP note ?

3262931 - eDocument Romania: Overview Note

I believe if in any country comes with this Blog/guidance facilitate life to everyone!

BR

Gaspar

piotr_prannik · ‎10-31-2023

Hi Mahesh,

Thanks for sharing such a document.

In anaf.ro official documentation it is easy to be lost.

Yet, I have an issue at step 4 of your instruction. After pressing "Get New Access Token" button we do not see the popup window for selection of the certificates (yet the pop-up blocked is disabled in the browser),

Later, in Console in Postman I see: 'Error: access_denied'

So, it seems like there is no even attempt to seek for a certificate.

Tried to do it from the user who is a registered user on the ANAF portal with a qualified digital certificate, holding one of the SPV PJ rights (legal representative, designated representative, or authorized representative). Tried to do it from my PC (I am not the authorized user at anaf.ro).

The result is the same.

Could you please provide some advice here?

mahesh_varma · ‎11-01-2023

Hi Piotr,

I assume you've already checked the 'Authorize using Browser' checkbox in Postman, which should allow you to generate a token using your browser. However, if you're still unable to select certificates, I recommend that you raise an incident with SAP, specifying the component as 'CA-GTF-CSC-EDO-RO'. This will route the issue to our team, and we can then investigate your specific problem and provide you with the necessary assistance.

mahesh_varma · ‎11-01-2023

Hi Olivia,

Thank you for your feedback. I am glad you found it useful.

piotr_prannik · ‎11-03-2023

Hello Mahesh, thanks for your reply.

Yet, the issue seems to be solved.

In our case, user had the digital certificate stored physically (kind of flash-USB).

It seems initially system just did not see the certificate.

The second time we initially checked if the certificate is visible in the certificate list in browser, and it worked properly.

Nevertheless, thank you for your help!

mahesh_varma · ‎11-06-2023

Hi Gaspar,

Thank you for your positive feedback. Appreciate your input and am glad to hear that the content has been helpful to you.

However, I wanted to clarify that we don't add blogs to SAP Notes, as it's not the appropriate channel for such content. The blog has been added to the Romania workzone, which is accessible to customers, to make it more widely available and useful.

Best Regards

Mahesh Varma

GCET · ‎11-06-2023

Hello Mahesh, Then end-goal of my suggestion is to have all necessary's in 1 place becauase now you have the SAP Overview note, this fantastic Blog, Help Portal and Workzone (non mentioned in the MAIN SAP know so how to know this info is there) with Key info.

I give you the feedback from Customer side.

BR

Gaspar

Solaz · ‎11-28-2023

Hi Mahesh,

thank you for sharing. We are issuing a problem with the following step:

After completing the registration process on the ANAF portal, you will receive a Client ID and Client Secret, which are required for the subsequent steps.

Our contact in Romania can't find on the ANAF website where the client ID and secret should be generated.

Could you help me?

Francesca

GCET · ‎11-28-2023

Hello Francesca, That person should received an email or SMS with the information I understand. I suggest to double check if contact information where updated at ANAF Portal 1st.

Gaspar

Solaz · ‎11-28-2023

Hi Gaspar,

thank you for your response. We are a private company already registered on the ANAF portal, not an individual.

Best regards,

Francesca

GCET · ‎11-28-2023

I got that. we faced the situation you are mentioned. For sure someone register their ID and have to received the information you are looking for.

That why I suggest to check who is authorization at ANAF in your company. That person should received it.

BR

Gaspar

giulia-felappi · ‎12-07-2023

Hi mahesh_varma

we received clientID and client secret from ANAF. Please note that there's no documentation on what to put in the "Callback URL" field in ANAF oauth request, so it might have put the wrong one.
I used the url from DRC service instance (as suggested here https://answers.sap.com/questions/13997379/sap-btp-document-compliance-for-romania-what-callb.html)

When I try to generate the token with Postman i receive error "invalid_credentials"

{

"error": "invalid_request",

"error_description": "Redirect-URI (https://oauth.pstmn.io/v1/callback) does not match with client app configuration."

}

The users authenticate with his certificate saved in flash-USB, its certificate is visible in the available certificates in the browser.

Can you please help?

Thank you

Regards

former_member306877 · ‎12-08-2023

Hi, do you know if the connection between SAP and Romanian authorities can only be done through BTP or there are other solutions?

Thank's.

mahesh_varma · ‎12-09-2023

Hi Marin,

The connection between SAP and the Romanian Tax Authorities only happens through BTP by subscribing to the Document and Reporting Compliance, cloud edition service

kevin_qiu · ‎12-12-2023

Hi, Mahesh,

Thank you for the detailed and helpful document.

Can you please provide the corresponding URLs for the test environment?

Kevin

mahesh_varma · ‎12-13-2023

Hi Felappi,

Thanks for reaching out. I see you're having trouble generating a token using Postman. To assist you better, could you please raise an incident with SAP for the CA-GTF-CSC-EDO-RO component? This will help us address your case specifically. We're here to support you through this.

mahesh_varma · ‎12-13-2023

Hi Kevin,

I'm glad the document was helpful!

Regarding connecting to ANAF's test environment, the token generated from the process I outlined above can be used across all environments. There's no need for different token.

giulia-felappi · ‎12-13-2023

Hi Mahesh,

I have this doubt too: if i use the same token for DRC test and DRC prod, and then I send a test invoice from ERP Quality, how can I ensure that this invoice is handled by ANAF in test?

From this section of the help guide it seems that I need to pay attention on the credentials:

Thank you & Regards

Giulia

mahesh_varma · ‎12-13-2023

Hi Felappi,

When you subscribe to the Document and Reporting Compliance, cloud edition through your Business Technology Platform portal, you'll have the option to select a plan. If you want access to the test environment, choose the 'test' plan. For the production environment, select the 'standard' plan. It's important to note that although the same token will be used for authorization in both environments, the credentials provided after service binding will differ for each. These credentials will be utilized in both Soamanager (for OP) and communication arrangement (for the cloud), ensuring that you correctly trigger the eDocuments to the intended environment.

kevin_qiu · ‎12-13-2023

Thank you, Mahesh, very clear now about test vs prod. Appreciate that!!

mahesh_varma · ‎12-19-2023

Hi Felappi,

The call back URL that has to be used on both ANAF portal and on postman is https://oauth.pstmn.io/v1/callback.

Regards

Mahesh Varma

former_member848907 · ‎12-28-2023

Hello giulia.felappi,

Can you help us, what is the Client ID & Secret key?

Client Id is the registration number?

Secret key is the certificate number?

Regards

Ankush Sharma

former_member848907 · ‎12-28-2023

Hello mahesh_varma,

Can you help us, what is the Client ID & Secret key?

Client Id is the registration number?

Secret key is the certificate number of person who had registered the Company on ANAF Portal?

Regards

Ankush Sharma

mahesh_varma · ‎12-29-2023

Hello Ankush,

As outlined in the pre-requisite section, upon completion of the registration process on the ANAF portal at https://www.anaf.ro/InregPersFizicePublic/#tabs-2, you will be provided with your client ID and secret. These credentials are what you'll utilize in Postman for token generation.

Regards

Mahesh Varma

barsalex · ‎01-08-2024

Hello mahesh_varma,

In our case the access to SPV PJ is owned by a third party (accounting company) that has several of their clients linked to one SPV PJ account. I understand that this token should be a unique generated code for every client CIF code (VAT number). Could you maybe provide several print screens with this scenario as well?
In other words, how do you generate the token when you have several CIF codes linked to the same SPV PJ account?

Thanks,

Alex

barsalex · ‎02-02-2024

Hi Mahesh Varma,

Did you get any chance to check this?

Thanks,

Alex

ramiz_sipai · ‎02-07-2024

Hello Mahesh,

While implementing this Romania eInvoicing, we are stuck with client id and secret.

We are not sure how to get it while registering with ANAF portal.

Does this clientid/secret comes by email or pop-us on the screen ?

How can we get this again if we missed that client id/secret during registration time ?

Thank you.

Ramiz.

mahesh_varma · ‎02-07-2024

Hi @barsalex,

Since your query is mostly related to ANAF portal registration process, it is better to clarify the same from Tax Authority itself, since we are not sure how your scenario can be handled at ANAF.

Regards

Mahesh Varma

mahesh_varma · ‎02-07-2024

Hi @ramiz_sipai

You can get both client ID and secret by logging into your ANAF portal.

Best Regards

Mahesh Varma

ramiz_sipai · ‎02-08-2024

Thank you Maehsh for the reply.

We got one document for getting client id and secret. But that document does not say whether that clientid/secret is of TEST system or Produciton system.!

So do you know how to identify that ?

How SAP DRC will undertand if it is connecting to TEST Romania or PROD Romaina ?

Kindly help further.

Thank you.
Ramiz.

mahesh_varma · ‎02-08-2024

Hello @ramiz_sipai ,

Kindly check my comment in which I outlined how the system will differentiate between test and production environments.

Additionally, I'd like to mention that only one token is necessary for both the test and production environments. Therefore, a single set of client ID and secret would be adequate to generate the token.

Best Regards,

Mahesh Varma

DanielaZ · ‎02-20-2024

Hi, we have a registered digital signature in ANAF. We access ANAF with it. However, we don't know how to get this Client ID and password. Can you get help on that? I see a lot of people have the same problem....Thanks.

cnova · ‎02-27-2024

@DanielaZ if you have an ANAF account with digital certificate, you have to use it to create another user for registering application and the last user will give the possibility to get Client Id and Client Secret.

Check ANAF OAuth procedure for registering application.

Oauth procedura inregistrare aplicatii portal ANAF

giulia-felappi · ‎03-15-2024

Hi @mahesh_varma

the authorization token has a validity of only 90 days. It's very inconvenient to have to ask the accounting people (who have the ANAF certificate for authentication) to use Postman and get a new token every 3 months.

Are there any updates on automatic renewal? I think the topic is quite urgent, since it's a missing block of the whole integration.

Thank you

GCET · ‎03-15-2024

Totally agree with @giulia-felappi ! I fully support this message

mahesh_varma · ‎03-15-2024

Hi @giulia-felappi & @GCET

Thank you for reaching out and expressing your concerns regarding the validity period of the authorization token. At present, our system unfortunately does not support automatic renewal of tokens.

We understand the inconvenience this may cause, and please rest assured that we are actively discussing on this feature. Once token auto-renewal becomes part of our development roadmap, we'll make sure to communicate this update through our official channels, keeping all our valued customers informed.

GCET · ‎03-15-2024

Thanks for you answer Mahesh. Is this technically possible like have a Colombia program EDOC_CO_QUERY_RANGES to retrieve technical Key? If yes, Do you think can we put a date in the Roadmap to be deliverable?

Thanks a lot!

BR

Gaspar

HanhTran · ‎03-21-2024

Hello @mahesh_varma,

while trying to put the JWT token on our BTP, we got this error:

Is it a known issue?

Could you please support!

Thank you very much

mahesh_varma · ‎03-21-2024

Hi @HanhTran

Yes, it's a known issue. Support for JWT tokens in the app is not available yet. It will be available in early April. In the meantime, you can use the regular token as demonstrated in the blog.

Thanks and Regards

Mahesh Varma

Nairpic · ‎03-24-2024

Hi Mahesh,

Thank you so much for the valuable information! It s very helpful.

I have a question - are the process steps for generating the JWT tokens different than what you demonstrated above?
I am not clear on the difference and what exactly determines the decision which type of token we need to request - JWT or regular.

Thank you!

mahesh_varma · ‎03-24-2024

Hi @Nairpic

Thank you for reaching out. I'm glad to hear that you found the blog helpful.

The steps for generating JWT tokens differ slightly from the ones demonstrated above. Currently, you can utilize the opaque token generated from the provided steps, as JWT tokens are not yet supported in the BTP portal. However, it is expected to be available in the early first week of April. After this update, you can replace the existing token with a JWT token. You can find the steps for generating JWT tokens on the 23rd page of the PDF linked below:
OAuth Procedure for Registering Applications on the ANAF Portal

Thank you.

Mahesh Varma

Nairpic · ‎03-25-2024

Hello @mahesh_varma , thank you for your answer.

One doubt we have - as a prerequisite, besides registering to the ANAF portal with a qualified digital certificate in SPV, shall we also register as "application developer" as per below screenshot? or this step is not required for the SAP-ANAF integration (our case) but only for the applications developers?

Thank you so much,

ramiz_sipai · ‎03-26-2024

@giulia-felappi @mahesh_varma

Yes Agree, it is not easy for accounting/business team to generate token every time.

But we technical team can do the same by using "refresh-token" and we can generate token whenever required without accounting/business team to do it.

curl --location 'https://logincert.anaf.ro/anaf-oauth2/v1/token' \

--header 'Content-Type: application/x-www-form-urlencoded' \

--header 'Authorization: Basic ****' \

--data-urlencode 'grant_type=refresh_token' \

--data-urlencode 'refresh_token=***'

Note :

If we get new token using refresh token, the both previous access token & Refresh token gets invalid.
After getting token from Refresh token, Update Access token in DRC and keep refresh token with you for next time.

Thank you.

Ramiz.

GCET · ‎03-26-2024

Then this can be apply into a SAP tcode like EDOC_CO_QUERY_RANGES or the tcodes for Saudi Arabia. @violeta_cristache @mahesh_varma Can you please put into the queue of Roadmap Romania Solution please?

Thanks a lot!
BR

Gaspar

maschaefer_stab · ‎03-27-2024

@ramiz_sipai

Hello,

we are currently in process of implementing eInvoice for Romania and I also have concerns about needing to get the token every 90 days.

You write, that the technical team can get the token each time, but is this actually possible?

If I see the token retrieval process, then the finance team needs to login with their certificate, which the technical team does not have (and maybe also should not have).

Kind regards,

Matthias

giulia-felappi · ‎03-27-2024

Hi @maschaefer_stab

I confirm that the renewal of the token does not involve the certificate authentication and can be performed with Postman by anyone, I've tested it myself! The procedure is documented in the ANAF pdf documentation. This simplifies a bit the process, but still, would be nice to have it automated.

Thank you
Regards

maschaefer_stab · ‎03-27-2024

@giulia-felappi

Thanks for the quick response! It indeed simplifies the process a little bit.

Hoping for a solution by SAP sooner rather than later..

Generating an Authorization Token in Romania’s ANAF Portal Using Postman

Get Your SAP HANA Idea Incubator Badge Today!

SCN Mission - SAP HANA Quiz Challenge is now retired

Share your #HANAStory and Win