> ## Documentation Index
> Fetch the complete documentation index at: https://invoiceapi.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Validate a CFDI

> Validate a CFDI 4.0 XML: structure, arithmetic, the digital seal (sello), and — when already stamped — live SAT status. Send either JSON `{ "xml_base64": "..." }` or a raw CFDI XML body with Content-Type application/xml.



## OpenAPI

````yaml /api-reference/openapi.json post /v1/validations
openapi: 3.1.0
info:
  title: Invoice API
  description: >-
    Mexican CFDI 4.0 invoicing API. Versioned via the Invoice-Version header;
    current: 2026-07-15. See GET /v1/versions.
  version: 0.1.0
servers:
  - url: https://api.newinvoice.dev
    description: Production
  - url: http://localhost:3000
    description: Local development
security:
  - bearerAuth: []
tags:
  - name: api_keys
    description: Platform API-key lifecycle (create, list, revoke)
  - name: accounts
    description: 'Connect: platform-owned connected accounts (multi-tenant)'
  - name: fiscal_profiles
    description: Emitter RFC + CSD/FIEL registration
  - name: invoices
    description: Create, stamp, cancel CFDI 4.0 invoices
  - name: validations
    description: Validate arbitrary CFDI XML
  - name: downloads
    description: SAT descarga masiva jobs
  - name: webhook_endpoints
    description: HMAC-signed event delivery
  - name: events
    description: Event log
  - name: balance
    description: Remaining stamp credits
  - name: usage
    description: Metered usage records (stamps consumed)
  - name: catalogs
    description: SAT reference catalogs (uso CFDI, payment forms/methods, tax regimes, …)
  - name: docs
    description: Served documentation (error catalog + guides)
paths:
  /v1/validations:
    post:
      tags:
        - validations
      summary: Validate a CFDI
      description: >-
        Validate a CFDI 4.0 XML: structure, arithmetic, the digital seal
        (sello), and — when already stamped — live SAT status. Send either JSON
        `{ "xml_base64": "..." }` or a raw CFDI XML body with Content-Type
        application/xml.
      parameters:
        - $ref: '#/components/parameters/InvoiceVersion'
        - $ref: '#/components/parameters/InvoiceAccount'
        - $ref: '#/components/parameters/IdempotencyKey'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              anyOf:
                - type: object
                  properties:
                    xml_base64:
                      type: string
                      minLength: 1
                      description: >-
                        Base64 of the CFDI XML to validate (Content-Type
                        application/json).
                  required:
                    - xml_base64
                - type: string
                  minLength: 1
                  description: Raw CFDI XML (Content-Type application/xml or text/xml).
            example:
              xml_base64: PGNmZGk6Q29tcHJvYmFudGUgLi4uLz4=
      responses:
        '200':
          description: Default Response
          content:
            application/json:
              schema:
                type: object
                properties:
                  object:
                    type: string
                    description: Always "validation".
                    enum:
                      - validation
                  id:
                    type: string
                    description: Validation record id.
                  valid:
                    type: boolean
                    description: True when the CFDI passed all structural/SAT checks.
                  errors:
                    type: array
                    items:
                      type: object
                      properties:
                        code:
                          type: string
                          description: >-
                            Stable machine code for this validation failure,
                            e.g. "cfdi.invalid_rfc".
                        path:
                          type: string
                          description: Dotted path into the CFDI where the problem is.
                        message:
                          type: string
                          description: Human-readable description of the failure.
                        remediation:
                          type: string
                          description: Actionable fix for a human or agent.
                      required:
                        - code
                        - path
                        - message
                        - remediation
                      additionalProperties: false
                    description: The validation failures found (empty when valid).
                  summary:
                    type: object
                    properties:
                      uuid:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: CFDI folio fiscal (UUID), or null if unstamped/absent.
                      version:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: CFDI version, e.g. "4.0", or null.
                      tipo_de_comprobante:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: CFDI TipoDeComprobante (I/E/P/N/T), or null.
                      emisor:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: Issuer (Emisor) RFC, or null.
                      receptor:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: Customer (Receptor) RFC, or null.
                      moneda:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: Currency (Moneda) code, or null.
                      sub_total:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: SubTotal as a decimal string, or null.
                      total:
                        anyOf:
                          - type: string
                          - type: 'null'
                        description: Total as a decimal string, or null.
                      stamped:
                        type: boolean
                        description: >-
                          True when the CFDI carries a TimbreFiscalDigital
                          (already stamped).
                      sat:
                        anyOf:
                          - type: object
                            properties:
                              estado:
                                type: string
                                description: >-
                                  SAT `estado` verbatim, e.g. "Vigente" or
                                  "Cancelado".
                              es_cancelable:
                                type: string
                                description: >-
                                  SAT `esCancelable` verbatim, e.g. "Cancelable
                                  sin aceptación".
                              cancel_status:
                                type: string
                                enum:
                                  - none
                                  - pending
                                  - cancelled
                                  - rejected
                                  - unknown
                                description: >-
                                  Normalized cancellation lifecycle derived from
                                  SAT estatusCfdi.
                            required:
                              - estado
                              - es_cancelable
                              - cancel_status
                            additionalProperties: false
                          - type: 'null'
                        description: >-
                          SAT status enrichment, present only when stamped and
                          the PAC returned it.
                    required:
                      - uuid
                      - version
                      - tipo_de_comprobante
                      - emisor
                      - receptor
                      - moneda
                      - sub_total
                      - total
                      - stamped
                      - sat
                    additionalProperties: false
                    description: Parsed summary of the CFDI plus SAT status.
                  livemode:
                    type: boolean
                    description: True if validated with a live-mode key.
                  created_at:
                    type: string
                    description: Creation timestamp, ISO-8601 UTC.
                required:
                  - object
                  - id
                  - valid
                  - errors
                  - summary
                  - livemode
                  - created_at
                additionalProperties: false
              example:
                object: validation
                id: obj_2P9K3sample
                valid: true
                errors:
                  - code: string
                    path: string
                    message: string
                    remediation: string
                summary:
                  uuid: 5FB2822E-396D-4725-8521-CDC4BDD20CCF
                  version: string
                  tipo_de_comprobante: string
                  emisor: string
                  receptor: string
                  moneda: MXN
                  sub_total: string
                  total: '116.00'
                  stamped: true
                  sat:
                    estado: string
                    es_cancelable: string
                    cancel_status: none
                livemode: false
                created_at: '2026-07-10T18:25:43Z'
          headers:
            Request-Id:
              $ref: '#/components/headers/RequestId'
            Invoice-Version:
              $ref: '#/components/headers/InvoiceVersionResponse'
            traceparent:
              $ref: '#/components/headers/Traceparent'
            RateLimit-Limit:
              $ref: '#/components/headers/RateLimitLimit'
            RateLimit-Remaining:
              $ref: '#/components/headers/RateLimitRemaining'
            RateLimit-Reset:
              $ref: '#/components/headers/RateLimitReset'
        '401':
          description: Missing or invalid API key.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Problem'
              example:
                type: https://errors.invoiceapi.mx/auth_unauthorized
                title: Authentication required
                status: 401
                code: auth.unauthorized
                detail: Missing or invalid API key.
                remediation: >-
                  Send `Authorization: Bearer sk_test_...` (or sk_live_...) with
                  a valid API key.
                doc_url: /docs/errors#auth-unauthorized
                request_id: req_2P9K3sample
          headers:
            Request-Id:
              $ref: '#/components/headers/RequestId'
            Invoice-Version:
              $ref: '#/components/headers/InvoiceVersionResponse'
            traceparent:
              $ref: '#/components/headers/Traceparent'
        '409':
          description: Conflict (e.g. idempotency/state).
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Problem'
              example:
                type: https://errors.invoiceapi.mx/idempotency_key_reuse
                title: Idempotency-Key reused with a different request body
                status: 409
                code: idempotency.key_reuse
                detail: This Idempotency-Key was already used for a different payload.
                remediation: >-
                  Reuse an Idempotency-Key only for byte-identical retries; use
                  a fresh key otherwise.
                doc_url: /docs/errors#idempotency-key_reuse
                request_id: req_2P9K3sample
          headers:
            Request-Id:
              $ref: '#/components/headers/RequestId'
            Invoice-Version:
              $ref: '#/components/headers/InvoiceVersionResponse'
            traceparent:
              $ref: '#/components/headers/Traceparent'
        '422':
          description: Request validation failed.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Problem'
              example:
                type: https://errors.invoiceapi.mx/request_validation_failed
                title: Request validation failed
                status: 422
                code: request.validation_failed
                detail: One or more fields did not satisfy the schema.
                remediation: Fix the fields listed in `errors` and resubmit.
                doc_url: /docs/errors#request-validation_failed
                request_id: req_2P9K3sample
          headers:
            Request-Id:
              $ref: '#/components/headers/RequestId'
            Invoice-Version:
              $ref: '#/components/headers/InvoiceVersionResponse'
            traceparent:
              $ref: '#/components/headers/Traceparent'
        '429':
          description: Rate limit exceeded — back off per the Retry-After header.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Problem'
              example:
                type: https://errors.invoiceapi.mx/rate_limit_exceeded
                title: Rate limit exceeded
                status: 429
                code: rate_limit.exceeded
                detail: >-
                  Too many requests for this key + request class (reads and
                  writes are limited separately).
                remediation: >-
                  Back off and retry after the number of seconds in the
                  Retry-After header; batch work or lower your request rate.
                doc_url: /docs/errors#rate_limit-exceeded
                request_id: req_2P9K3sample
          headers:
            Request-Id:
              $ref: '#/components/headers/RequestId'
            Invoice-Version:
              $ref: '#/components/headers/InvoiceVersionResponse'
            traceparent:
              $ref: '#/components/headers/Traceparent'
            RateLimit-Limit:
              $ref: '#/components/headers/RateLimitLimit'
            RateLimit-Remaining:
              $ref: '#/components/headers/RateLimitRemaining'
            RateLimit-Reset:
              $ref: '#/components/headers/RateLimitReset'
            Retry-After:
              $ref: '#/components/headers/RetryAfter'
        '500':
          description: Internal server error.
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Problem'
              example:
                type: https://errors.invoiceapi.mx/internal_error
                title: Internal server error
                status: 500
                code: internal.error
                detail: An unexpected error occurred.
                remediation: >-
                  Retry later; contact support with the request_id if it
                  persists.
                doc_url: /docs/errors#internal-error
                request_id: req_2P9K3sample
          headers:
            Request-Id:
              $ref: '#/components/headers/RequestId'
            Invoice-Version:
              $ref: '#/components/headers/InvoiceVersionResponse'
            traceparent:
              $ref: '#/components/headers/Traceparent'
components:
  parameters:
    InvoiceVersion:
      name: Invoice-Version
      in: header
      required: false
      description: >-
        Pin a dated API release (Stripe-style). Omit to use the current version.
        An unknown value returns 400 `request.invalid_version`. Echoed back on
        every response.
      schema:
        type: string
        example: '2026-07-10'
    InvoiceAccount:
      name: Invoice-Account
      in: header
      required: false
      description: >-
        Connect: act on behalf of one of your connected accounts (its
        `acct_…`/`org_…` id). Omit to act as your own organization. Not honored
        on /v1/api_keys.
      schema:
        type: string
        example: org_2P9connectedacct
    IdempotencyKey:
      name: Idempotency-Key
      in: header
      required: false
      description: >-
        Safely retry any POST. The first response is stored for 24h and replayed
        byte-for-byte for identical retries (the replay adds an
        `idempotent-replayed: true` header). Reusing the key with a different
        body is 409 `idempotency.key_reuse`; an in-flight duplicate is 409
        `idempotency.key_processing`. This makes retrying a 502/429 safe — no
        duplicate stamp.
      schema:
        type: string
        example: a1b2c3d4-e5f6-4789-8abc-1234567890ab
  headers:
    RequestId:
      description: >-
        Unique id for this request. Also the `request_id` in every error body —
        log it and quote it to support; idempotency keys off it too.
      schema:
        type: string
        example: req_2P9K3sample
    InvoiceVersionResponse:
      description: >-
        The dated API version resolved for this request (request header → key
        pin → current). Echoed on every response.
      schema:
        type: string
        example: '2026-07-15'
    Traceparent:
      description: >-
        W3C Trace Context. When you send a valid `traceparent`, the response
        continues the trace (same trace-id, a fresh span-id, sampled flag).
      schema:
        type: string
        example: 00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01
    RateLimitLimit:
      description: >-
        IETF draft rate-limit: the ceiling of the token bucket consulted for
        this request class (reads and writes have independent buckets).
      schema:
        type: integer
        example: 100
    RateLimitRemaining:
      description: 'IETF draft rate-limit: tokens left in the bucket after this request.'
      schema:
        type: integer
        example: 99
    RateLimitReset:
      description: 'IETF draft rate-limit: seconds until the bucket refills to its ceiling.'
      schema:
        type: integer
        example: 1
    RetryAfter:
      description: >-
        Seconds to wait before retrying (RFC 9110). Present on 429 and on
        retryable upstream failures.
      schema:
        type: integer
        example: 1
  schemas:
    Problem:
      type: object
      description: RFC 9457 problem+json error with agent-first extensions.
      properties:
        type:
          type: string
          format: uri
        title:
          type: string
        status:
          type: integer
        code:
          type: string
          description: Stable dotted machine code to switch on.
        detail:
          type: string
        remediation:
          type: string
          description: Actionable next step for a human or agent.
        request_id:
          type: string
        pac:
          type: object
          properties:
            provider:
              type: string
            codigo:
              type: string
            mensaje:
              type: string
        errors:
          type: array
          items:
            type: object
            properties:
              field:
                type: string
              message:
                type: string
      required:
        - type
        - title
        - status
        - code
        - request_id
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: 'API key: `Authorization: Bearer sk_test_...` or `sk_live_...`.'

````