Guides
  1. GSP Credentials

Set up IRN credentials

Required to generate IRNs against a GSTIN. One credential per GSTIN.

Prerequisites

  • An An OAuth client provisioned via the Developer hub (single gstn-india scope).
  • A user account on einvoice1.gst.gov.in for the target GSTIN. Create one from the IRP portal under API Registration → Create API User. The username and password you set there are what you upload below.

Upload (or rotate)

POST /v1/gsp-credentials/irn HTTP/1.1
Host: api.in.onefinops.com
Authorization: Bearer ...
{
  "sellerGstin": "29ABCDE1234F1Z5",
  "userName": "29ABCDEAPI001",
  "password": "<plaintext>",
  "notes": "Created 2026-05-04, rotates every 90 days"
}

password is required on create. On update, you can omit password to keep the existing one (handy for changing the notes field without rotating).

Response:

{
  "id": "irn_01HRXY...",
  "organizationId": "...",
  "sellerGstin": "29ABCDE1234F1Z5",
  "userName": "29ABCDEAPI001",
  "hasPassword": true,
  "lastVerifiedAt": null,
  "lastVerifiedStatus": null,
  "addedAt": "2026-05-04T11:00:00Z"
}

hasPassword: true confirms the password was stored. We do not echo the plaintext back.

This endpoint is rate-limited to 10 requests/minute per OAuth client — credential management is not a hot path.

Verify metadata

GET /v1/gsp-credentials/irn/{sellerGstin}

Returns the same record without the password. Use this to check lastVerifiedAt / lastVerifiedStatus and confirm a credential exists.

Testing without persisting

Probe a candidate set of credentials against the IRP without saving them:

POST /v1/gsp-credentials/irn/test-connection HTTP/1.1
Host: api.in.onefinops.com
Authorization: Bearer ...
{
  "sellerGstin": "29ABCDE1234F1Z5",
  "userName": "29ABCDEAPI001",
  "password": "<plaintext>"
}
{
  "ok": true,
  "latencyMs": 412,
  "vendorErrorCode": null,
  "vendorMessage": null
}

A failed probe returns ok: false along with the verbatim vendor error so you can diagnose. Use this before upsert during onboarding or rotation.

Remove

DELETE /v1/gsp-credentials/irn/{sellerGstin}

Soft-deletes the record. Returns 204 No Content on success, 404 not_found if no credential exists for that GSTIN. After deletion you cannot generate IRNs for the GSTIN until a new credential is uploaded.

Audit trail

Every upsert / delete / use is logged on the gsp-india side with timestamps and the OAuth client that performed the action. We make this audit available via the Developer hub (under Audit log) and on request to support.

Updated about 5 hours ago