API reference

Reports

REST endpoints for fiscal reports — X (running totals), Z (end-of-day), JE (ANAF Electronic Journal XML) and MF (Fiscal Memory archive) — with request/response schemas, curl examples and per-endpoint error codes.

Reports

The Reports API stores and retrieves the four kinds of fiscal reports that an AMEF integration produces: X reports (daily running totals, non-destructive), Z reports (end-of-day, resets counters), JE reports (Electronic Journal — the ANAF-mandated XML), and MF reports (Fiscal Memory archive). All routes live under /api/v1/reports.

Every endpoint in this group requires the reports scope and accepts either an API key (x-api-key / Authorization: Bearer …) or a Portal JWT. See Authentication › Choose scopes for the full scope catalogue.

The error envelope, rate limits and pagination conventions are documented once on API overview; only the per-endpoint error codes are listed in full on this page.

The list endpoints (GET /reports/x, /z, /je, /mf) use a limit-only window (newest first by timestamp / reportDate / archiveDate) — they do not use the cursor pagination pattern from Receipts. Use the date-range filters (from, to) to page through history.

X reports

X reports are non-destructive snapshots of the running totals on a device. They do not reset counters and can be issued any number of times during a fiscal day.

GET /api/v1/reports/x

Lists X reports for the organization, newest-first by timestamp.

Auth scope: reports

Query parameters

Parameter	Type	Default	Notes
`deviceId`	string	—	Filter by device.
`from`	string	—	ISO 8601 timestamp; reports with `timestamp >= from`.
`to`	string	—	ISO 8601 timestamp; reports with `timestamp <= to`.
`limit`	integer	`50`	`1`–`100`.

Response (`200 OK`)

{
  "reports": [
    {
      "id": "xrep_abc123",
      "deviceId": "dev_pos_01",
      "totals": { "sales": 1240.5, "refunds": 0, "net": 1240.5 },
      "vatBreakdown": [{ "rate": 9, "base": 1138.07, "amount": 102.43 }],
      "receiptCount": 42,
      "timestamp": "2026-04-09T14:00:00.000Z",
      "orgId": "acme_corp",
      "createdAt": "2026-04-09T14:00:01.123Z"
    }
  ]
}

Example

curl "https://api.e-bon.ro/api/v1/reports/x?deviceId=dev_pos_01&limit=20" \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

VALIDATION_ERROR (400) — bad query (e.g. limit > 100).
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

GET /api/v1/reports/x/{reportId}

Returns a single X report by ID.

Auth scope: reports

Response (`200 OK`)

{
  "report": {
    "id": "xrep_abc123",
    "deviceId": "dev_pos_01",
    "totals": { "sales": 1240.5, "refunds": 0, "net": 1240.5 },
    "vatBreakdown": [{ "rate": 9, "base": 1138.07, "amount": 102.43 }],
    "receiptCount": 42,
    "timestamp": "2026-04-09T14:00:00.000Z",
    "orgId": "acme_corp",
    "createdAt": "2026-04-09T14:00:01.123Z"
  }
}

Example

curl https://api.e-bon.ro/api/v1/reports/x/xrep_abc123 \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

NOT_FOUND (404) — no X report with that ID in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

POST /api/v1/reports/x

Stores a new X report for a device.

Auth scope: reports

Request body

Field	Type	Required	Notes
`deviceId`	string	yes	Must be a device that exists in your organization.
`totals`	object	yes	`{ sales, refunds, net }` — all numbers.
`vatBreakdown`	array	yes	At least one entry. Each `{ rate, base, amount }`. `rate` ∈ `0`, `9`, `11`, `21`.
`receiptCount`	integer	yes	Number of receipts covered by the report (≥ 0).
`timestamp`	string	yes	ISO 8601 timestamp when the report was produced on the AMEF.

Response (`201 Created`)

Echoes the created report (same shape as GET /reports/x/{reportId}).

Example

curl -X POST https://api.e-bon.ro/api/v1/reports/x \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "dev_pos_01",
    "totals": { "sales": 1240.5, "refunds": 0, "net": 1240.5 },
    "vatBreakdown": [{ "rate": 9, "base": 1138.07, "amount": 102.43 }],
    "receiptCount": 42,
    "timestamp": "2026-04-09T14:00:00.000Z"
  }'

Error codes

VALIDATION_ERROR (400) — request body failed validation (missing or malformed fields).
NOT_FOUND (404) — deviceId does not exist in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

Z reports

Z reports close the fiscal day on the AMEF and reset the running counters. Posting a Z report to e-bon also fires a fire-and-forget email notification to every address listed in your organization's notificationSettings.zReportEmails.

GET /api/v1/reports/z

Lists Z reports for the organization, newest-first by timestamp.

Auth scope: reports

Query parameters

Parameter	Type	Default	Notes
`deviceId`	string	—	Filter by device.
`from`	string	—	ISO 8601 timestamp; reports with `timestamp >= from`.
`to`	string	—	ISO 8601 timestamp; reports with `timestamp <= to`.
`limit`	integer	`50`	`1`–`100`.

Response (`200 OK`)

{
  "reports": [
    {
      "id": "zrep_xyz789",
      "deviceId": "dev_pos_01",
      "totals": { "sales": 5840.25, "refunds": 12.5, "net": 5827.75 },
      "vatBreakdown": [{ "rate": 9, "base": 5347.48, "amount": 480.27 }],
      "receiptCount": 187,
      "timestamp": "2026-04-09T22:00:00.000Z",
      "resetCounter": 134,
      "periodStart": "2026-04-09T05:00:00.000Z",
      "periodEnd": "2026-04-09T22:00:00.000Z",
      "orgId": "acme_corp",
      "createdAt": "2026-04-09T22:00:01.456Z"
    }
  ]
}

Example

curl "https://api.e-bon.ro/api/v1/reports/z?deviceId=dev_pos_01" \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

VALIDATION_ERROR (400) — bad query.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

GET /api/v1/reports/z/{reportId}

Returns a single Z report by ID.

Auth scope: reports

Example

curl https://api.e-bon.ro/api/v1/reports/z/zrep_xyz789 \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

NOT_FOUND (404) — no Z report with that ID in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

POST /api/v1/reports/z

Stores a new Z report for a device. Triggers a Z-report email notification (fire-and-forget) to recipients configured on the organization.

Auth scope: reports

Request body

Field	Type	Required	Notes
`deviceId`	string	yes	Must be a device that exists in your organization.
`totals`	object	yes	`{ sales, refunds, net }` — all numbers.
`vatBreakdown`	array	yes	At least one entry. Each `{ rate, base, amount }`. `rate` ∈ `0`, `9`, `11`, `21`.
`receiptCount`	integer	yes	Number of receipts covered by the report (≥ 0).
`timestamp`	string	yes	ISO 8601 timestamp when the Z report was produced on the AMEF.
`resetCounter`	integer	yes	Z-counter value reported by the AMEF (≥ 0).
`periodStart`	string	yes	ISO 8601 timestamp — start of the closed fiscal period.
`periodEnd`	string	yes	ISO 8601 timestamp — end of the closed fiscal period.

Example

curl -X POST https://api.e-bon.ro/api/v1/reports/z \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "dev_pos_01",
    "totals": { "sales": 5840.25, "refunds": 12.5, "net": 5827.75 },
    "vatBreakdown": [{ "rate": 9, "base": 5347.48, "amount": 480.27 }],
    "receiptCount": 187,
    "timestamp": "2026-04-09T22:00:00.000Z",
    "resetCounter": 134,
    "periodStart": "2026-04-09T05:00:00.000Z",
    "periodEnd": "2026-04-09T22:00:00.000Z"
  }'

Error codes

VALIDATION_ERROR (400) — request body failed validation (missing or malformed fields).
NOT_FOUND (404) — deviceId does not exist in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

Email notification failures are logged on the server but do not fail the response. The 201 is returned as soon as the report is persisted.

JE reports — Electronic Journal

JE (Jurnal Electronic) reports are the ANAF-mandated XML export of the fiscal journal. e-bon stores submitted XML alongside its anafStatus, and can also generate a fresh ANAF-compliant XML on demand from the journal entries it holds.

GET /api/v1/reports/je/{deviceId}/xml

Generates an ANAF-compliant Electronic Journal XML from journal entries stored for the given device and date range. The response body is the XML file itself, served as an attachment.

Auth scope: reports
Response content type: application/xml
Filename: JE_{fiscalSeries}_{periodStart}_{periodEnd}.xml

Query parameters

Parameter	Type	Required	Notes
`periodStart`	string	yes	ISO 8601 timestamp.
`periodEnd`	string	yes	ISO 8601 timestamp.

Response (`200 OK`)

Raw XML body, e.g. saved with -o:

curl "https://api.e-bon.ro/api/v1/reports/je/dev_pos_01/xml?periodStart=2026-04-01T00:00:00Z&periodEnd=2026-04-30T23:59:59Z" \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" \
  -o JE_dev_pos_01_2026-04.xml

Error codes

VALIDATION_ERROR (400) — periodStart or periodEnd missing or not a valid ISO datetime.
NOT_FOUND (404) — deviceId does not exist in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

GET /api/v1/reports/je

Lists stored JE reports, newest-first by reportDate.

Auth scope: reports

Query parameters

Parameter	Type	Default	Notes
`deviceId`	string	—	Filter by device.
`anafStatus`	string	—	One of `pending`, `accepted`, `rejected`, `error`.
`from`	string	—	ISO 8601 timestamp; reports with `reportDate >= from`.
`to`	string	—	ISO 8601 timestamp; reports with `reportDate <= to`.
`limit`	integer	`50`	`1`–`100`.

Response (`200 OK`)

{
  "reports": [
    {
      "id": "jerep_2026_04",
      "deviceId": "dev_pos_01",
      "xmlContent": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>...",
      "reportDate": "2026-04-30T23:59:59.000Z",
      "submittedToAnaf": true,
      "anafStatus": "accepted",
      "p7bSignature": "MIIH...==",
      "orgId": "acme_corp",
      "createdAt": "2026-05-01T08:00:00.000Z"
    }
  ]
}

Example

curl "https://api.e-bon.ro/api/v1/reports/je?anafStatus=accepted&limit=20" \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

VALIDATION_ERROR (400) — bad query.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

GET /api/v1/reports/je/{reportId}

Returns a single stored JE report by ID, including its XML payload and ANAF status.

Auth scope: reports

Example

curl https://api.e-bon.ro/api/v1/reports/je/jerep_2026_04 \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

NOT_FOUND (404) — no JE report with that ID in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

POST /api/v1/reports/je

Stores a JE report (XML payload plus ANAF metadata).

Auth scope: reports

Request body

Field	Type	Required	Notes
`deviceId`	string	yes	Must be a device that exists in your organization.
`xmlContent`	string	yes	ANAF-formatted XML content.
`p7bSignature`	string	no	PKCS#7 digital signature (base64), if available.
`reportDate`	string	yes	ISO 8601 timestamp the report covers.
`submittedToAnaf`	boolean	yes	`true` if the XML has already been submitted to ANAF.
`anafStatus`	string	no	One of `pending`, `accepted`, `rejected`, `error`.

Example

curl -X POST https://api.e-bon.ro/api/v1/reports/je \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "dev_pos_01",
    "xmlContent": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>...",
    "reportDate": "2026-04-30T23:59:59.000Z",
    "submittedToAnaf": true,
    "anafStatus": "pending"
  }'

Error codes

VALIDATION_ERROR (400) — request body failed validation (missing or malformed fields).
NOT_FOUND (404) — deviceId does not exist in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

MF reports — Fiscal Memory

MF (Memorie Fiscală) reports are the long-term archive of Z-report closings for a device. The generate endpoint builds a FiscalMemoryDocument on demand from the Z reports e-bon already holds; the list/get/post endpoints manage stored MF dump records and their retention metadata.

GET /api/v1/reports/mf/{deviceId}/generate

Generates a Fiscal Memory document on demand by aggregating Z reports for the given device and date range. Returns structured JSON with all Z-report closings and a running grand total.

Auth scope: reports

Query parameters

Parameter	Type	Required	Notes
`periodStart`	string	yes	ISO 8601 timestamp.
`periodEnd`	string	yes	ISO 8601 timestamp.

Response (`200 OK`)

{
  "document": {
    "deviceId": "dev_pos_01",
    "orgId": "acme_corp",
    "periodStart": "2026-01-01T00:00:00.000Z",
    "periodEnd": "2026-03-31T23:59:59.000Z",
    "entries": [],
    "grandTotal": { "sales": 0, "refunds": 0, "net": 0 },
    "generatedAt": "2026-04-09T08:10:00.000Z"
  }
}

Example

curl "https://api.e-bon.ro/api/v1/reports/mf/dev_pos_01/generate?periodStart=2026-01-01T00:00:00Z&periodEnd=2026-03-31T23:59:59Z" \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

VALIDATION_ERROR (400) — periodStart / periodEnd missing or not valid ISO datetimes.
NOT_FOUND (404) — device or organization could not be resolved by the generator.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

GET /api/v1/reports/mf

Lists stored MF archive reports, newest-first by archiveDate.

Auth scope: reports

Query parameters

Parameter	Type	Default	Notes
`deviceId`	string	—	Filter by device.
`from`	string	—	ISO 8601 timestamp; reports with `archiveDate >= from`.
`to`	string	—	ISO 8601 timestamp; reports with `archiveDate <= to`.
`limit`	integer	`50`	`1`–`100`.

Response (`200 OK`)

{
  "reports": [
    {
      "id": "mfrep_q1_2026",
      "deviceId": "dev_pos_01",
      "content": "...fiscal memory dump...",
      "archiveDate": "2026-04-01T00:00:00.000Z",
      "expiresAt": "2036-04-01T00:00:00.000Z",
      "orgId": "acme_corp",
      "createdAt": "2026-04-01T01:00:00.000Z"
    }
  ]
}

Example

curl "https://api.e-bon.ro/api/v1/reports/mf?deviceId=dev_pos_01" \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

VALIDATION_ERROR (400) — bad query.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

GET /api/v1/reports/mf/{reportId}

Returns a single stored MF report by ID.

Auth scope: reports

Example

curl https://api.e-bon.ro/api/v1/reports/mf/mfrep_q1_2026 \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Error codes

NOT_FOUND (404) — no MF report with that ID in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.

POST /api/v1/reports/mf

Stores a Fiscal Memory archive record together with its retention expiry.

Auth scope: reports

Request body

Field	Type	Required	Notes
`deviceId`	string	yes	Must be a device that exists in your organization.
`content`	string	yes	Fiscal memory dump content.
`archiveDate`	string	yes	ISO 8601 timestamp — the date the archive covers.
`expiresAt`	string	yes	ISO 8601 timestamp — retention expiry (when the archive is automatically deleted).

Example

curl -X POST https://api.e-bon.ro/api/v1/reports/mf \
  -H "x-api-key: ebon_live_acme_corp_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6" \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "dev_pos_01",
    "content": "...fiscal memory dump...",
    "archiveDate": "2026-04-01T00:00:00.000Z",
    "expiresAt": "2036-04-01T00:00:00.000Z"
  }'

Error codes

VALIDATION_ERROR (400) — request body failed validation (missing or malformed fields).
NOT_FOUND (404) — deviceId does not exist in your organization.
UNAUTHORIZED / FORBIDDEN — see Authentication › Handle auth errors.