Customer Portal (Share Links)
Tenants can generate a public link for any delivered AR invoice so the buyer can view and download it without logging into InvoStaq.
How it works
- You generate a share link for an invoice and get back a raw token that is shown only once
- Share the URL with your buyer (email, WhatsApp, etc.)
- The buyer opens the link in any browser — no login required
- They see the invoice details and can download the branded PDF
- You can revoke the link at any time — it stops working immediately
Token model: InvoStaq generates a 32-byte cryptographically random token. The raw token is shown once. Only a SHA-256 hash is stored — if you lose the URL, you must regenerate.
Generate a share link
curl -X POST https://api.invostaq.com/api/invoices/{invoiceId}/share \
-H "Authorization: Bearer {token}"
{
"shareToken": "xK3mN8qR...",
"shareUrl": "https://api.invostaq.com/api/invoices/view/xK3mN8qR...",
"alreadyShared": false,
"shareTokenCreatedAt": "2026-05-07T10:30:00Z"
}
Store the shareUrl. The raw token is not stored and cannot be recovered later.
If a link already exists and you call this endpoint again without ?regenerate=true:
{
"shareToken": null,
"shareUrl": null,
"alreadyShared": true,
"shareTokenCreatedAt": "2026-05-07T10:30:00Z"
}
The shareUrl is null — the raw token was not stored. Revoke and regenerate to get a fresh link.
Regenerate
curl -X POST "https://api.invostaq.com/api/invoices/{invoiceId}/share?regenerate=true" \
-H "Authorization: Bearer {token}"
The old URL stops working immediately. A new token is generated and returned.
Buyer view (public)
The share URL opens a clean, branded page showing:
- Your company name (vendor)
- Invoice number and amount due
- Issue date and due date
- Delivery status (Peppol network)
- "Download PDF Invoice" button
No InvoStaq account is required. The page works in any browser.
Public API
# View invoice summary
GET https://api.invostaq.com/api/invoices/view/{shareToken}
# Download branded PDF
GET https://api.invostaq.com/api/invoices/view/{shareToken}/pdf
Both endpoints are intentionally unauthenticated. Invalid and revoked tokens return 404 — the response is identical whether the token never existed or was revoked (no information leakage).
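The token model and public lookup described above, sketched as an added example (this is not InvoStaq's own code). The class and method names, the in-memory dictionaries, the base64url token encoding and the `alreadyShared: false` value on regenerate are assumptions.

```python
import hashlib
import secrets


class ShareLinkStore:
    """In-memory stand-in for a share-link table (hypothetical names)."""

    def __init__(self):
        self._hash_by_invoice = {}  # invoice id -> hex SHA-256 of the raw token
        self._invoice_by_hash = {}  # hex SHA-256 -> invoice id

    @staticmethod
    def _digest(raw_token):
        return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

    def share(self, invoice_id, regenerate=False):
        if invoice_id in self._hash_by_invoice and not regenerate:
            # Only the hash exists server-side, so the raw token cannot be returned again.
            return {"shareToken": None, "alreadyShared": True}
        self.revoke(invoice_id)  # one link per invoice: the old hash is dropped first
        raw = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG (encoding assumed)
        digest = self._digest(raw)
        self._hash_by_invoice[invoice_id] = digest
        self._invoice_by_hash[digest] = invoice_id
        return {"shareToken": raw, "alreadyShared": False}

    def revoke(self, invoice_id):
        digest = self._hash_by_invoice.pop(invoice_id, None)
        if digest is not None:
            del self._invoice_by_hash[digest]

    def resolve(self, raw_token):
        """Public lookup: hash the presented token and look the hash up.

        Unknown and revoked tokens take the same path and get the same result.
        """
        invoice_id = self._invoice_by_hash.get(self._digest(raw_token))
        return (200, invoice_id) if invoice_id is not None else (404, None)


if __name__ == "__main__":
    store = ShareLinkStore()
    link = store.share("inv-1")  # constructed invoice id
    print(store.resolve(link["shareToken"]))  # valid link
    store.revoke("inv-1")
    print(store.resolve(link["shareToken"]), store.resolve("never-issued"))
```

Because the store holds only digests, a read-only leak of the table does not yield working share URLs.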
Revoke a share link
curl -X DELETE https://api.invostaq.com/api/invoices/{invoiceId}/share \
-H "Authorization: Bearer {token}"
Returns 204 No Content. The link stops working immediately.
From the dashboard
In Sent Invoices, delivered AR invoice rows show a Share button:
- Click Share → link is generated and copied to clipboard
- The button changes to Shared ✓ with a small revoke (×) button beside it
- Click × → confirmation → link revoked, button reverts to Share
Restrictions
- Only AR (sent) invoices can be shared — AP bills are internal and not customer-facing
- Share links have no expiry — they remain valid until explicitly revoked
- One link per invoice — regenerating replaces the existing link
Authentication
Generating and revoking links requires a Bearer JWT. The buyer view URLs (/invoices/view/...) are intentionally public — no auth required. See Authentication.