FSSAI NON FORM C ANNEXURE

Endpoint Overview

POST /api/v1/corporate/fssai-non-form-c-annexure

Description

The FSSAI Non Form C Annexure API enables businesses and developers to retrieve official FSSAI (Food Safety and Standards Authority of India) certificate documents in PDF format using a valid FSSAI license number. By submitting the license ID, the API fetches and returns a pre-signed, time-limited URL linking directly to the corresponding FSSAI Non Form C Annexure certificate stored securely in the cloud.

This API is especially useful for automating food business compliance verification workflows, eliminating the need for manual document retrieval from government portals. The returned certificate link provides immediate access to the official annexure document, which can be used for audits, onboarding, legal compliance, and regulatory checks.

Key Benefits

Instant Certificate Retrieval: Programmatically fetch FSSAI Non Form C Annexure documents without manual portal access.

Secure Pre-signed URLs: Each certificate link is secured with AWS Signature V4 and expires after a short window, ensuring document confidentiality.

Seamless Compliance Automation: Integrate into onboarding, vendor verification, or audit pipelines to automate FSSAI document collection.

Sandbox & Production Support: Test integrations safely in a sandbox environment before deploying to production.

Use Cases

Food & Beverage

E-Commerce & Marketplaces

BFSI & Risk Management

Automatically verify FSSAI compliance of food vendors and suppliers during onboarding

Retrieve and archive FSSAI Non Form C Annexure certificates for regulatory audit trails

Cross-check FSSAI license validity and fetch associated documentation in real time

Technical Implementation

Authentication

All API requests require authentication using a JWT Bearer Token. Follow the steps below to authenticate:

Obtain API Credentials: Register with Surepass to receive your API key.

Generate JWT Token: Use your API key to generate a valid JWT token for the desired environment.

Include in Requests: Add the token to the Authorization header using the format Bearer <YOUR_JWT_TOKEN>.

Different base URLs and tokens are used for each environment:

Environment	Base URL
Sandbox	`https://sandbox.surepass.app`
Production	`https://kyc-api.surepass.app`

Note: Ensure you use the JWT token issued for the correct environment. Sandbox tokens will not work against the Production API and vice versa.

Request Parameters

Request Headers

Header	Required	Description
`Authorization`	Yes	Bearer token in the format `Bearer <YOUR_JWT_TOKEN>`
`Content-Type`	Yes	Must be set to `application/json`

Request Body

Parameter	Type	Required	Description
`id_number`	string	Yes	The FSSAI license number for which the Non Form C Annexure certificate is to be retrieved.

Example Request

{
    "id_number": "22819012011312"
}

Process Response

Response Parameters

Parameter	Type	Description
`success`	boolean	Indicates whether the API request was successful.
`status_code`	integer	HTTP status code of the response (e.g., `200` for success).
`message`	string	Human-readable message describing the result of the request.
`message_code`	string	Machine-readable code for the response status (e.g., `success`).
`data`	object	Contains the response payload when the request is successful.
`data.client_id`	string	A unique identifier generated for this specific request.
`data.id_number`	string	The FSSAI license number submitted in the request.
`data.certificate_link`	string	A pre-signed, time-limited URL pointing to the FSSAI Non Form C Annexure PDF certificate stored in cloud storage. The URL expires after 600 seconds (10 minutes).

Example Successful Response

{
    "data": {
        "client_id": "fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD",
        "id_number": "22819012011312",
        "certificate_link": "https://aadhaar-kyc-docs.s3.amazonaws.com/fssai_form_3/105813727/fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD-2026-03-26-110019253624.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY5K3QRM5KVPBYKKE%2F20260326%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20260326T110019Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=767656da9fe885841b806e1db3f50e1e2b983ad73e0d3114fe84a4e8b2d8ce9a"
    },
    "status_code": 200,
    "success": true,
    "message": "Success",
    "message_code": "success"
}

Possible Error Responses

Unauthorized (401)

Invalid Input (400)

Server Error (500)

{
    "status_code": 401,
    "success": false,
    "message": "Authentication credentials were not provided or are invalid.",
    "message_code": "unauthorized"
}

This error occurs when the Authorization header is missing, malformed, or contains an invalid/expired JWT token. Ensure the Bearer token is valid and belongs to the correct environment (sandbox or production).

Integration Best Practices

Security Recommendations

Never expose your JWT token in client-side code, public repositories, or logs. Store it securely in environment variables or a secrets manager.

Use environment-specific tokens: Sandbox and production environments require separate JWT tokens. Do not reuse tokens across environments.

Handle certificate link expiry: The certificate_link URL expires after 600 seconds. Download or process the PDF immediately after receiving the response, and do not cache the URL for future use.

Validate the id_number format before submitting to the API to reduce unnecessary API calls and potential errors.

Use HTTPS at all times: All API communication must occur over HTTPS to protect data in transit.

User Experience Guidelines

Provide clear feedback to end users during the API call — show a loading state while the certificate is being fetched, and display a meaningful error message if retrieval fails.

Open the certificate link in a new tab or trigger a direct download to ensure users can access the PDF without navigating away from your application.

Notify users of link expiry: Since the pre-signed URL expires in 10 minutes, prompt users to download or save the document promptly after it is retrieved.

Log client_id for support and audit purposes: Store the client_id returned in each response to help trace and debug specific requests with the Surepass support team.

Gracefully handle errors: Map message_code values to user-friendly messages rather than surfacing raw API errors.

Code Samples

cURL

Python

Node.js

Compliance and Legal Considerations

The FSSAI Non Form C Annexure document is an official regulatory record issued under the Food Safety and Standards Act, 2006. Ensure that your use of this API and the retrieved documents complies with all applicable Indian laws and FSSAI regulations.

The pre-signed certificate URL is intended for single-use, time-bound access. Redistribution or republication of retrieved certificate documents without proper authorization may violate data usage terms and applicable regulations.

As a consumer of this API, your organization is responsible for maintaining the confidentiality of retrieved documents and ensuring they are used only for legitimate compliance, verification, or audit purposes.

Retain logs of API calls, including client_id values, to support audit trails and regulatory inquiries as required by your organization's data governance policies.

Provide your bearer token in the

Authorization

header when making requests to protected resources.

Example:

Authorization: Bearer ********************

curl --location --request POST 'https://kyc-api.surepass.app/api/v1/corporate/fssai-non-form-c-annexure' \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "id_number": "22819012011312" }'

{ "data": { "client_id": "fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD", "id_number": "22819012011312", "certificate_link": "https://aadhaar-kyc-docs.s3.amazonaws.com/fssai_form_3/105813727/fssai_non_form_c_annexure_unfxytjyiOGrUdgbjPZD-2026-03-26-110019253624.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAY5K3QRM5KVPBYKKE%2F20260326%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20260326T110019Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=767656da9fe885841b806e1db3f50e1e2b983ad73e0d3114fe84a4e8b2d8ce9a" }, "status_code": 200, "success": true, "message": "Success", "message_code": "success" }

Description#

Use Cases#

Technical Implementation#

Request Headers#

Request Body#

Example Request#

Response Parameters#

Example Successful Response#

Possible Error Responses#

Integration Best Practices#

Code Samples#

Request

Responses