Credentials

To issue Portuguese fiscal documents on a taxpayer’s behalf, SIGN PT must communicate with the Autoridade Tributária e Aduaneira (AT) — for example, to register document series, obtain ATCUD validation codes, and submit invoicing or transport data in real time.

This communication uses dedicated AT Web Service credentials that the taxpayer creates on the Portal das Finanças and shares with fiskaly. These credentials authenticate SIGN PT to the AT — they are separate from any SIGN PT API keys.

For security and traceability, AT communication must never use the taxpayer’s main Portal das Finanças account. Instead, the taxpayer creates a dedicated subuser (Portuguese: utilizador autorizado) under their NIF, granted only the specific Web Service permissions SIGN PT needs.

Required permissions

The subuser must be granted one or more of the following permissions, depending on which SIGN PT features you intend to use:

Permission	Purpose	Required?
WSE — Comunicação e Gestão de Séries por Webservice	Register and manage document series; obtain ATCUD validation codes	Always required
WFA — Webservice de Comunicação de Dados de Faturas	Submit invoices to the AT in real time	Required for real-time invoice reporting
WDT — Webservice de Comunicação de Documentos de Transporte	Submit transport documents to the AT in real time	Required for real-time transport document reporting

💡Tip

If you only intend to report via monthly SAF-T (PT) export, you still need WSE — series registration and ATCUD validation always go through the AT Web Service, even when invoicing data itself is reported by SAF-T file.

Creating the subuser on the Portal das Finanças

Before you start, make sure you have:

Main account credentials for the Portal das Finanças (NIF and password, Cartão de Cidadão, or Chave Móvel Digital). You must authenticate as the main account holder, not as an existing subuser.
A secure place to store the subuser password, since you will share it with fiskaly afterwards.

Go to https://www.portaldasfinancas.gov.pt and click Iniciar Sessão. Sign in using any of the available authentication methods.

2. Open the user management page

Use the search box and search for Gestão de Utilizadores, then click Aceder on the matching result.

Alternatively, navigate via Todos os Serviços → Autenticação de Contribuintes → Gestão de Utilizadores, or use the direct link: https://www.acesso.gov.pt/gestaoDeUtilizadores/consulta?partID=PFAP.

3. Create a new user

Click Criar Novo Utilizador and fill in:

Nome — a label for the subuser (purely identifying, no fiscal relevance). Use something descriptive, e.g. fiskaly or SIGN PT.
Senha / Confirmar Senha — choose a strong password. It must be different from the main Portal das Finanças password. Save it; you will share it with fiskaly later.
Email — an address for AT notifications related to this subuser.

4. Assign the required permissions

In the Perfis Atribuíveis (assignable profiles) list, tick the permissions from the table above (WSE, plus WFA and/or WDT as needed).

💡Tip

The list is paginated. Type W in the Filtrar field to quickly locate the W-prefixed profiles.

5. Submit

Click Submeter. The Portal will create the subuser and display a summary page.

6. Note the subuser identifier

The subuser is identified using the format NIF/number — your NIF, followed by a slash, followed by a sequential number assigned by the Portal. For example: 501234567/5.

This identifier, together with the password set in step 3, is what SIGN PT will use to authenticate against the AT.

Updating an existing subuser

If a subuser already exists (for example, one created previously to communicate transport documents or submit SAF-T), there is no need to create a new one. Instead:

Open Gestão de Utilizadores.
Locate the existing subuser and click Alterar Dados.
Add the missing permissions (typically WSE, plus WFA and/or WDT if applicable).
Click Alterar Utilizador to save.

⚠️Caution

Older subusers created before 2020 (e.g. for legacy SAF-T submission) may have no W-permissions at all. In that case, add WSE at minimum, plus WFA and/or WDT as needed.

The credentials created for the subuser are then configured in SIGN PT via the createTaxpayer / updateTaxpayer endpoints, in the credentials section of the Portuguese fiscalisation block. They are stored per Taxpayer (Company or Individual).

📘Note

The subuser password should be treated as a secret and must not be hard-coded in your application. It must be provided via a secure configuration interface and stored encrypted. If the password is changed in the Portal das Finanças, it must also be updated in SIGN PT.

Keeping credentials valid

SIGN PT uses the AT Web Service credentials to register series and, where applicable, transmit invoicing or transport data in real time. If credentials expire, are locked, or are entered incorrectly, SIGN PT can no longer communicate with the AT on behalf of that taxpayer. As a result:

new document series may fail to register;
real-time submission of invoices may stop working; and
transaction data may no longer reach the AT as expected.

To avoid service disruption, the end user (the taxpayer) needs an interface in your application where they can configure and periodically update their AT Web Service credentials. We strongly recommend implementing:

Periodic health checks — for example, a lightweight scheduled call that verifies the credentials are still accepted by the AT.
Proactive alerts — email notifications or dashboard warnings when credentials are about to expire or have started failing.
Clear error handling — surface authentication errors to the merchant in plain language so they know to update their credentials.

Was this page helpful?