KRA App Management

KRA Apps store your developer.go.ke credentials and eTIMS device configurations. Each app represents a single set of credentials tied to a specific environment (sandbox or production).

Overview
Endpoints
List KRA Apps
Test KRA App Credentials
Creating KRA Apps
Environment Switching
Best Practices

Overview

Required Scope

Scope	Description
`kra:apps`	List and test KRA app configurations

Endpoint Summary

Method	Endpoint	Description
`GET`	`/api/kra/apps`	List all KRA apps
`POST`	`/api/kra/apps/{id}/test`	Test app credentials

List KRA Apps

Retrieve all KRA apps configured for your tenant.

Endpoint: GET /api/kra/apps

Required Scope: kra:apps

Request:

curl -X GET \
  https://yourtenant.salami.dgl.co.ke/api/kra/apps \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'Accept: application/json'

Response:

{
  "success": true,
  "data": [
    {
      "id": 1,
      "name": "KRA Sandbox Portal",
      "type": "portal",
      "environment": "sandbox",
      "is_active": true,
      "last_used_at": "2026-03-28T14:30:00Z",
      "created_at": "2026-03-01T10:00:00Z"
    },
    {
      "id": 2,
      "name": "Production Portal",
      "type": "portal",
      "environment": "production",
      "is_active": true,
      "last_used_at": "2026-03-29T08:15:00Z",
      "created_at": "2026-03-15T09:00:00Z"
    },
    {
      "id": 3,
      "name": "eTIMS Main Branch",
      "type": "etims",
      "environment": "production",
      "is_active": true,
      "last_used_at": "2026-03-29T11:45:00Z",
      "created_at": "2026-03-10T14:00:00Z"
    }
  ]
}

Response Fields

Field	Type	Description
`id`	integer	Unique app identifier
`name`	string	Descriptive name
`type`	string	`portal` (developer.go.ke) or `etims` (OSCU)
`environment`	string	`sandbox` or `production`
`is_active`	boolean	Whether the app is enabled
`last_used_at`	string/null	ISO 8601 timestamp of last API call
`created_at`	string	ISO 8601 creation timestamp

Note: Credentials (consumer_key, consumer_secret, cmc_key) are never returned in API responses for security.

Test KRA App Credentials

Verify that a KRA app's credentials are valid by attempting to generate an OAuth access token from KRA.

Endpoint: POST /api/kra/apps/{id}/test

Required Scope: kra:apps

Path Parameters:

Parameter	Type	Required	Description
`id`	integer	Yes	KRA App ID

Request:

curl -X POST \
  https://yourtenant.salami.dgl.co.ke/api/kra/apps/1/test \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'Accept: application/json'

Success Response (200):

{
  "success": true,
  "data": {
    "app_id": 1,
    "app_name": "KRA Sandbox Portal",
    "environment": "sandbox",
    "status": "connected",
    "token_generated": true,
    "token_expires_in": 3600,
    "tested_at": "2026-03-29T12:00:00Z"
  },
  "message": "KRA credentials are valid. Token generated successfully."
}

Failure Response (422):

{
  "success": false,
  "data": {
    "app_id": 1,
    "app_name": "KRA Sandbox Portal",
    "environment": "sandbox",
    "status": "failed",
    "token_generated": false
  },
  "message": "Failed to generate access token. Please verify your consumer key and secret.",
  "error": "kra_auth_failed"
}

Test Behavior by App Type

App Type	Test Action
`portal`	Attempts OAuth token generation via `GET /v1/token/generate` with Basic Auth
`etims`	Attempts a ping to the eTIMS API using the stored TIN/BHFID/CMC key

Creating KRA Apps

KRA Apps are created through the Salami dashboard:

Navigate to KRA > KRA Apps > Add New
Select the app type:
- Portal for developer.go.ke APIs
- eTIMS for OSCU integration
Fill in credentials:

Portal App Fields

Field	Required	Description
Name	Yes	Descriptive label (e.g., "Sandbox Portal")
Environment	Yes	`sandbox` or `production`
Consumer Key	Yes	From developer.go.ke app dashboard
Consumer Secret	Yes	From developer.go.ke app dashboard

eTIMS App Fields

Field	Required	Description
Name	Yes	Descriptive label (e.g., "Main Branch eTIMS")
Environment	Yes	`sandbox` or `production`
TIN	Yes	Taxpayer Identification Number
Branch ID (BHFID)	Yes	Branch ID from KRA (typically `00` for head office)
Device Serial No	Yes	eTIMS device serial number
CMC Key	No	Communication key (obtained after device initialization)

Environment Switching

Recommended Setup

Create two portal apps per use case:

App #1: "Sandbox Portal"    → environment: sandbox
App #2: "Production Portal" → environment: production

How Environment Affects Requests

Environment	OAuth Endpoint	API Endpoint
`sandbox`	`https://sbx.kra.go.ke/v1/token/generate`	`https://sbx.kra.go.ke/...`
`production`	`https://api.kra.go.ke/v1/token/generate`	`https://api.kra.go.ke/...`

Testing Workflow

Create sandbox KRA App with sandbox credentials
Test credential validity: POST /api/kra/apps/1/test
Run all your integration tests against the sandbox app
Create production KRA App with production credentials
Test production credential validity: POST /api/kra/apps/2/test
Switch your application to use the production app ID

Best Practices

Separate apps per environment -- Never reuse sandbox credentials in production
Test before use -- Always verify credentials with the test endpoint after setup
Name clearly -- Use descriptive names like "Production WHT Portal" or "Sandbox Checkers"
Deactivate unused apps -- Set is_active: false for retired configurations
Rotate secrets -- Periodically regenerate consumer secrets on developer.go.ke and update the app
One app per subscription -- If you have different API subscriptions on developer.go.ke, create separate apps

Status Codes

Code	Description
`200`	Success
`401`	Invalid or missing Salami API token
`403`	Token lacks `kra:apps` scope
`404`	KRA App not found
`422`	Credential test failed
`500`	Internal server error

Salami Gateway