Invoice Security

The service's invoices and credit notes use a public URL by default, meaning that there is no login required by the merchant or end-user in order to access the invoice. To make it secure, the invoice URL uses a globally unique identifier which has a 28 character suffix (for example YbHYAAESdFi-sHyIN5ONemYo1aBI). This effectively means the URL cannot be guessed as the space of possible URLs is extremely large.

There are other settings that can provide additional levels of security when enabled. These include a 16-character random suffix in addition to the globally unique identifier, and also the option to store invoices in a private directory. If you choose to enable these settings, only invoices created going forward will be affected. Historical invoices and credit notes will still be publicly available, if applicable. To enable these features within your dashboard, access the invoicing rules section by navigating to Settings > Invoicing rules > decide when invoices are generated and sent by email.

Click the hyperlink and you should see the following settings:

  • Add a random suffix in TEST/LIVE mode: With this setting enabled, a sixteen character random suffix will be added to the invoice URL
  • Block public access to invoice HTML/PDF images in TEST/LIVE mode: With this setting enabled, the invoice URL will be available in the Taxamo Merchant Portal but your private token will be required in order to access the invoice or credit note. This may be suitable if you wish to provide access to the invoice through your website. Only invoices sent after you enable the setting are blocked.