KRA Portal API Overview

The KRA Portal module integrates with Kenya Revenue Authority's developer.go.ke API gateway, providing programmatic access to 22 KRA services through a unified Salami Gateway interface. Validate PINs, check tax compliance, generate payment references, file returns, and more -- all via simple REST calls.

What It Covers
Architecture
Authentication Flow
KRA App Model
Environments
API Categories
Base URL
Required Scopes
Rate Limiting
Error Handling

What It Covers

Salami wraps 22 developer.go.ke APIs across six categories:

Category	APIs	Description
Checkers	13	PIN validation, TCC checks, tax obligations, invoices, customs, exemptions, excise licenses
Payments	3	PRN generation for IT, Rental, and VAT withholding taxes
Compliance	1	Tax Compliance Certificate (TCC) applications
Registration	1	Individual KRA PIN registration
Returns	2	TOT (Turnover Tax) and NIL return filing
Customs	1	Customs declaration status checking
App Management	1	Credential testing and app listing

Architecture

Your Application
       |
       v
  Salami Gateway API   (Bearer token auth)
       |
       v
  KRA App Credentials  (per-app consumer key/secret)
       |
       v
  developer.go.ke      (OAuth2 client_credentials)
       |
       v
   KRA Backend Systems

Each request flows through three layers:

Your app authenticates to Salami with a Bearer token (Sanctum)
Salami looks up the KRA App's stored credentials
Salami obtains an OAuth token from KRA and proxies the request

Authentication Flow

KRA's developer.go.ke uses OAuth 2.0 Client Credentials grant:

Register an application on developer.go.ke
Subscribe to the APIs you need (checkers, payments, etc.)
Obtain your Consumer Key and Consumer Secret
Store these in a KRA App within Salami

Token generation (handled automatically by Salami):

POST https://sbx.kra.go.ke/v1/token/generate?grant_type=client_credentials
Authorization: Basic base64(consumer_key:consumer_secret)

Response:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Salami caches the token and refreshes it automatically with a 60-second safety buffer before expiry.

KRA App Model

Each KRA integration is configured through a KRA App record. A single tenant can have multiple KRA Apps (e.g., one sandbox app for testing, one production app for live use).

App Types

Type	Description	Required Credentials
`portal`	developer.go.ke APIs (checkers, payments, returns, etc.)	`consumer_key`, `consumer_secret`
`etims`	eTIMS OSCU integration	`tin`, `bhf_id`, `dvc_srl_no`, `cmc_key`

KRA App Fields

Field	Type	Description
`id`	integer	Auto-increment primary key
`name`	string	Descriptive name (e.g., "Production Portal")
`type`	string	`portal` or `etims`
`environment`	string	`sandbox` or `production`
`consumer_key`	string	OAuth consumer key from developer.go.ke
`consumer_secret`	string	OAuth consumer secret from developer.go.ke
`tin`	string	Taxpayer Identification Number (eTIMS only)
`bhf_id`	string	Branch ID (eTIMS only)
`dvc_srl_no`	string	Device serial number (eTIMS only)
`cmc_key`	string	CMC key (eTIMS only)
`is_active`	boolean	Whether the app is currently active
`settings`	JSON	Additional configuration (optional)
`last_used_at`	timestamp	Last API call timestamp

Environments

Environment	Base URL	Purpose
Sandbox	`https://sbx.kra.go.ke`	Testing and development
Production	`https://api.kra.go.ke`	Live KRA operations

Switching Environments

Each KRA App has its own environment setting. To test:

Create a KRA App with environment: sandbox and sandbox credentials from developer.go.ke
Run all your tests against it
Create a separate KRA App with environment: production and production credentials
Point your production API calls to the production app ID

Important: Sandbox and production credentials are different. You cannot use sandbox credentials with the production endpoint or vice versa.

API Categories

Checkers (13 endpoints)

Read-only validation and lookup services. No side effects on KRA systems.

Payments (3 endpoints)

Generate Payment Reference Numbers (PRNs) for withholding tax remittance.

Compliance (1 endpoint)

Tax Compliance Certificate management.

TCC Application

Registration (1 endpoint)

New taxpayer registration.

Individual PIN Registration

Returns (2 endpoints)

Tax return filing.

Customs (1 endpoint)

Customs and border operations.

Declaration Status

Base URL

All KRA Portal API requests go through your Salami tenant:

https://yourtenant.salami.dgl.co.ke/api/kra/

Required Scopes

Scope	Description	Endpoints
`kra:apps`	List and test KRA app configurations	App management
`kra:checkers`	PIN validation, TCC checks, invoice lookup, customs, exemptions	All 13 checker endpoints
`kra:payments`	Generate PRNs for withholding taxes	IT, Rental, VAT withholding
`kra:compliance`	Apply for Tax Compliance Certificates	TCC application
`kra:registration`	Register new KRA PINs	PIN registration
`kra:returns`	File TOT and NIL tax returns	TOT filing, NIL returns

Scope Groups

Group	Included Scopes
`kra_full`	All 6 KRA scopes
`kra_read_only`	`kra:apps`, `kra:checkers`

Rate Limiting

Salami rate limit: 200 requests per minute per token
KRA rate limits: Vary by API; typically 60 requests per minute per consumer key
Salami caches OAuth tokens to minimize token generation calls

Error Handling

Salami-Level Errors

{
  "success": false,
  "message": "Your API token does not have the required permissions to access this endpoint.",
  "error": "insufficient_scope",
  "required_route": "api.kra.checkers.pin",
  "your_scopes": ["kra:apps"]
}

KRA-Level Errors

{
  "success": false,
  "message": "KRA API error: Invalid PIN format",
  "error": "kra_error",
  "kra_response": {
    "errorCode": "400",
    "errorMessage": "Invalid PIN format"
  }
}

Common Error Scenarios

Status	Error	Resolution
`401`	Invalid or expired Salami token	Regenerate your API token
`403`	Missing required scope	Add the necessary scope to your token
`422`	Validation error (missing fields)	Check required fields in the request body
`502`	KRA server unreachable	Retry later; KRA may be under maintenance
`503`	KRA token generation failed	Verify consumer key/secret are correct

Next Steps

KRA App Management -- Create and test your KRA Apps
KRA Checkers -- PIN validation and lookup APIs
KRA Payments -- PRN generation for withholding taxes
KRA Compliance -- TCC applications
KRA Returns -- TOT and NIL return filing
KRA Registration -- Individual PIN registration
KRA Customs -- Customs declaration checking

Back to: Getting Started | eTIMS API | Account Tokens

Salami Gateway