What it changes concretely

Starting May 17, 2026, every client invoice PDF generated by SynkriaOps embeds a QR code at the bottom of the document. The QR encodes a signed JWT containing:

  • The issuing tenant identifier
  • The document number and date
  • The chained SHA-256 hash of the document (already computed internally for NF203/SYSCOHADA art. 24 compliance)
  • A key identifier (kid) enabling graceful rotation over 10 years

Scanning the QR from any smartphone opens the page app.synkriaops.com/v/{token} which returns Authentic document or Altered document along with metadata displayed in plain text.

Why it matters

Article 24 of the revised SYSCOHADA mandates 10-year retention of accounting documents with integrity guarantee. The chained hash already present in SynkriaOps covers this requirement on the internal database side.

The QR adds an external dimension: a third party receiving a paper or PDF invoice can verify its validity without accessing your accounting, just by scanning the code. This is useful in two contexts:

  1. Tax inspection — an inspector can verify live that an invoice presented to them has not been modified after issuance.
  2. Firm audit — a statutory auditor can audit the integrity of a batch of invoices before closing without requesting a full FEC export.

Key rotation

The verification JWT is signed by a symmetric key referenced by a kid (key id). The backend supports multiple kid simultaneously to enable rotation every 18-24 months without invalidating previously-issued QRs.

Historical key retention is mandatory for the entire SYSCOHADA retention period, i.e., 10 years from the last closing using the key.

For existing users

No action required. All invoices issued from May 17, 2026 automatically embed the QR. Earlier invoices are not retroactively updated — their integrity remains verifiable on the database side via the historical chained hash.

Technical implementation details: PR #270, merged 2026-05-17. The mechanism is documented in apps/api/src/modules/pieces-comptables/services/qr-verification-token.service.ts.