PEPPOL API
Overview
Section titled “Overview”The PEPPOL API Layer provides REST endpoints for sending and receiving PEPPOL invoices programmatically. It requires the Growth plan or higher and is configured through API key generation and webhook setup.
The system enables communication between your ERP, the PEPPOL API layer, and the PEPPOL network, supporting XML input/output, webhooks, 7 endpoints, authentication, and metering capabilities.
Enabling API Access
Section titled “Enabling API Access”- Ensure your plan supports API access (Growth or Enterprise)
- Generate API keys in Settings → API Access → Generate Keys
- Keys are scoped to a user and inherit that user’s Legal Entity permissions
Authentication
Section titled “Authentication”All API requests use token authentication with the format:
Authorization: token {api_key}:{api_secret}Available Endpoints
Section titled “Available Endpoints”| Endpoint | Method | Description | Metered |
|---|---|---|---|
send_invoice | POST | Send UBL/CII XML via PEPPOL | Yes |
validate_xml | POST | Validate against PEPPOL rules | Yes |
lookup_participant | GET | Verify a PEPPOL participant | Yes |
check_status | GET | Check delivery status / MLR | No |
get_received_invoices | GET | List inbound invoices | No |
get_received_invoice | GET | Get single invoice + raw XML | No |
configure_webhook | POST | Subscribe to PEPPOL events | No |
Webhook Setup
Section titled “Webhook Setup”Register webhooks to receive real-time notifications for PEPPOL events:
- invoice_received: Fires when a new inbound PEPPOL invoice is processed
- mlr_received: Fires when a Message Level Response arrives for a sent invoice
Configure via the configure_webhook endpoint or in Settings → Webhooks.
Security
Section titled “Security”- Webhook URLs must use HTTPS
- Private IP ranges are blocked (SSRF protection)
- HMAC-SHA256 signing is supported for payload verification
- Authentication options: Bearer token, API key header, Basic auth
Rate Limits
Section titled “Rate Limits”| Limit | Value |
|---|---|
| Requests per minute | 100 per API key |
| Burst rate | 20 requests/second |
| Quota exceeded | HTTP 429 with retry_after header |