GSP credentials overview
NIC's IRP and EWB portals don't authenticate you against your GSTIN directly. Each portal issues a portal user credential (username + password) bound to a GSTIN, and NIC expects every API call to be signed with that credential.
OneFinOps stores those credentials for you and signs to NIC on your behalf. You don't call NIC's portals directly — you upload the username and password once through the Developer hub in the OneFinOps web app, and from then on every /v1/einvoices/* and /v1/ewaybills/* call you make is automatically authenticated against the right NIC credential keyed by the gstin header.
Where credentials live. Credential management runs through the OneFinOps app (Developer hub → GSP credentials). It is intentionally not exposed on the public API — credentials never need to be set programmatically from your integration.
How it fits together
You ──upload(username, password)──► OneFinOps app (Developer hub) ──encrypted storage
You ──POST /v1/einvoices/generate──► OneFinOps ──signs to NIC IRP using stored credential──► NICYou create the API user on NIC's portal once (a one-time NIC-side setup). After that, all credential operations happen in the OneFinOps app.
Two portals, two credentials
For every GSTIN you want to file under, two credentials are managed independently:
| Credential | Issued by | Used for |
|---|---|---|
| IRP credential | NIC IRP portal (einvoice1.gst.gov.in → API user) | E-Invoice (IRN) generation and management |
| EWB credential | NIC EWB portal (ewaybillgst.gov.in → API user) | E-Way Bill generation and management |
The IRP and EWB portals have separate enrolments and separate username/password pairs. To do both flows for one GSTIN, upload both credentials.
Transporters without a GSTIN can register a TRANSIN on the EWB portal and treat it as the gstin value when uploading.
How the password is handled
- Sent from the browser over TLS to OneFinOps.
- Stored encrypted at rest with AES-256 keys held in OneFinOps' key-management vault.
- Never written to disk in plaintext, never logged.
- Never exposed back through the public API — credential management is dashboard-only.
Rotation
NIC's API passwords expire on a fixed cadence (90 days by default). When rotation is due, replace the password from Developer hub → GSP credentials → [your GSTIN] → Rotate. The record is replaced in place; no historical passwords are retained.
Test-rotate against a non-production GSTIN first so a typo doesn't lock you out of live filing.
Where to next
- Upload IRN portal credentials — IRP portal flow.
- Upload EWB portal credentials — EWB portal flow.
- Generate an IRN — first place the credential is used.