API Terms and Developer Agreement

Effective Date: February 18, 2026

1. API Access and Authentication

1.1 API Keys

You must keep API keys secure. Store them in environment variables, never in client-side code. Rotate immediately if compromised. Use separate keys for sandbox and production environments.

1.2 Authentication

All API requests must include a Bearer token in the Authorization header.

2. Sandbox and Production Environments

2.1 Sandbox

The sandbox environment is for testing and development. It is free to use. Data submitted in sandbox is not sent to real government or business systems. Sandbox data may be reset periodically.

2.2 Production

The production environment connects to live systems. Data submitted has legal consequences. ZATCA invoices submitted via production are official tax documents under Saudi law.

3. Rate Limits and Usage

3.1 Rate Limits

Each plan has per-month request limits. When exceeded, the API returns HTTP 429. Implement exponential backoff in your retry logic.

3.2 Fair Use

Do not use the API in ways that degrade service for other users. Abusive usage may result in suspension.

3.3 Usage Monitoring

Monitor your usage via the dashboard or the usage API endpoint.

4. Connector-Specific Terms

4.1 ZATCA Connector

  • Invoices submitted via the production API are official tax documents under Saudi law
  • You are responsible for the accuracy of all invoice data
  • Jibrid generates UBL 2.1 XML, cryptographic signatures, and QR codes on your behalf
  • You must maintain a valid ZATCA compliance certificate (Jibrid manages this via the onboarding process)
  • The invoice counter (ICV) is managed by Jibrid to ensure sequential integrity

4.2 Additional Connectors

Each connector may have specific terms documented in the API documentation.

5. Data Handling

5.1 Request/Response Data

Processed solely for the purpose of the requested operation, in accordance with the Data Processing Agreement.

5.2 Logging

Request metadata and bodies are retained for 90 days. Metadata only is retained for 24 months.

5.3 Caching

Read-only responses may be cached with documented TTL values.

6. SDKs and Client Libraries

Official SDKs are provided under open-source licenses. Their use is optional.

7. Webhooks

HTTPS endpoints are required. Jibrid will timeout after 10 seconds. Failed deliveries are retried with exponential backoff for up to 72 hours. You must validate webhook signatures.

8. API Changes and Versioning

8.1 Versioning

The API uses URL-based versioning (/v1/). Changes within a major version are backward compatible.

8.2 Deprecation

Deprecated endpoints receive 6 months notice. Migration paths are documented.

8.3 Changelog

All changes are published at docs.jibrid.com/changelog.

9. Service Level

9.1 Uptime Target

99.5% monthly uptime (target, not guarantee). Business plan customers can negotiate a formal SLA.

9.2 Status Page

Real-time status at status.jibrid.com.

9.3 Scheduled Maintenance

48 hours advance notice for planned maintenance.

10. Restrictions

You may not replicate Jibrid’s core functionality, scrape the API, or misrepresent your relationship with Jibrid.

Terms of Service|Privacy Policy|Questions? Contact legal@jibrid.com