How to Verify a GST Number via API: Stop Vendor Fraud Before It Starts

Here's a scenario that plays out every week at Indian B2B companies:

A new vendor submits an invoice with a GSTIN. Your accounts team processes it, claims Input Tax Credit (ITC). Six months later, the GST department sends a notice - that GSTIN was cancelled before the invoice date. Now you owe the ITC back, plus interest and penalties.

Or worse: the GSTIN was completely fake. It passed a basic format check (15 characters, starts with a state code, looks legit) but doesn't exist in the GSTN database. Someone submitted a fabricated invoice, got paid, and disappeared.

These aren't edge cases. GST fraud through fake or cancelled GSTINs costs Indian businesses thousands of crores annually. The fix is straightforward: use a GST verification API to check every GSTIN against the government database before you process anything.

This guide covers how to automate GST verification in your vendor onboarding, invoice processing, or marketplace seller approval flow.

What GST verification checks

When you verify a GSTIN against the GSTN (Goods and Services Tax Network) database, here's what comes back:

The two fields that catch the most fraud: Registration Status and Filing Status.

The three types of GSTIN fraud

1. Completely fake GSTINs

Someone generates a 15-character string that follows the GSTIN format:

• First 2 digits: valid state code (27 for Maharashtra, 29 for Karnataka, etc.)
• Next 10 characters: valid PAN format
• 13th character: entity number
• 14th character: Z (default)
• 15th character: checksum

A basic regex validation passes. Even the checksum can be calculated correctly. But the GSTIN doesn't exist in the GSTN database.

How API verification catches it: The GSTN lookup returns "not found" - the number was never issued.

2. Cancelled or suspended GSTINs

This is the more common fraud. A vendor had a legitimate GSTIN that was later cancelled - either voluntarily (they closed the business) or by the GST department (for non-filing, tax evasion, or fraudulent registration). They continue using the old GSTIN on invoices.

Any ITC claimed on invoices from a cancelled GSTIN is invalid and will be reversed during GST audit.

How API verification catches it: The registration_status field returns "Cancelled" or "Suspended" with the cancellation date. You can compare this against the invoice date - if the GSTIN was cancelled before the invoice was issued, the invoice is invalid.

3. Shell company GSTINs

The GSTIN is real and active, but the business exists only on paper. It was created specifically to generate fake invoices for ITC fraud. These are harder to catch, but there are signals:

• Very recent registration date (less than 6 months old)
• No return filings despite being active
• Registered address doesn't match the business type (a ₹50 crore turnover company registered in a residential apartment)

How API verification helps: The registration_date and filing_status fields flag new registrations with no filing history. Combined with the business type and address, you can build a risk score.

Integrating GST verification

The API call

cURL:

curl -X POST 
https://api.theverifico.com/api/v1/verify/gst 
 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: multipart/form-data" \
  -F "document=@gst_certificate.jpg"

You can also send just the GSTIN as text if you already have it:

curl -X POST
https://api.theverifico.com/api/v1/verify/gst
 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"gstin": "27AABCU9603R1ZM"}'

Python:

import requests

response = requests.post(
    "https://api.theverifico.com/api/v1/verify/gst",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    files={"document": open("gst_certificate.jpg", "rb")}
)

result = response.json()

if result["success"]:
    data = result["data"]
    print(f"GSTIN: {data['gstin']}")
    print(f"Business: {data['business_name']}")
    print(f"Trade Name: {data['trade_name']}")
    print(f"Status: {data['registration_status']}")
    print(f"Type: {data['business_type']}")
    print(f"Registered: {data['registration_date']}")
    print(f"Last Filing: {data['filing_status']}")
else:
    print(f"Error: {result['message']}")

Node.js:

const FormData = require('form-data');
const fs = require('fs');
const axios = require('axios');

const form = new FormData();
form.append('document', fs.createReadStream('gst_certificate.jpg'));

const response = await axios.post(
  'https://api.theverifico.com/api/v1/verify/gst',
  form,
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY',
      ...form.getHeaders()
    }
  }
);

const { data } = response.data;
console.log(`GSTIN: ${data.gstin}`);
console.log(`Business: ${data.business_name}`);
console.log(`Status: ${data.registration_status}`);

Response time: under 500ms.

Building automated fraud checks

Here's a practical verification flow you can implement in your vendor onboarding or invoice processing system:

def verify_vendor_gst(gstin_or_image):
    """
    Returns a risk assessment for a vendor's GSTIN.
    """
    # Step 1: Verify against GSTN
    result = call_verifico_api(gstin_or_image)

    if not result["success"]:
        return {"risk": "high", "reason": "GSTIN not found in GSTN database"}

    data = result["data"]

    # Step 2: Check registration status
    if data["registration_status"] == "Cancelled":
        return {"risk": "high", "reason": f"GSTIN cancelled on {data['cancellation_date']}"}

    if data["registration_status"] == "Suspended":
        return {"risk": "high", "reason": "GSTIN suspended by GST department"}

    # Step 3: Check filing compliance
    if data["filing_status"] == "Not Filed":
        return {"risk": "medium", "reason": "No recent GST returns filed"}

    # Step 4: Check registration age
    from datetime import datetime, timedelta
    reg_date = datetime.strptime(data["registration_date"], "%Y-%m-%d")
    if reg_date > datetime.now() - timedelta(days=180):
        return {"risk": "medium", "reason": "Recently registered (less than 6 months)"}

    # Step 5: Cross-check business name
    if not name_matches(data["business_name"], expected_vendor_name):
        return {"risk": "medium", "reason": "Business name doesn't match vendor records"}

    return {"risk": "low", "reason": "All checks passed"}

This isn't foolproof - sophisticated fraud requires deeper investigation - but it catches the vast majority of GSTIN-related issues automatically.

Where to add GST verification in your workflow

Vendor onboarding

The most impactful place. When a new vendor registers on your platform or submits their first invoice, verify their GSTIN before they enter your system. This prevents bad data from ever getting into your accounts.

What to check: Registration status, business name match, filing compliance, registration age.

Invoice processing

For ongoing vendor relationships, re-verify the GSTIN periodically or with every invoice. A vendor's GST registration can be cancelled between invoices.

What to check: Registration status (still active?), filing status (still filing returns?).

Marketplace seller approval

E-commerce marketplaces and B2B platforms should verify GSTIN as part of their seller approval process. This is required for B2B marketplaces under GST law - you're liable for enabling transactions with unregistered or non-compliant sellers.

What to check: Everything - registration status, business type, address, trade name, filing compliance.

Procurement and supply chain

Large enterprises processing hundreds of vendor invoices monthly should automate GSTIN verification in their ERP or procurement system. A scheduled batch verification can catch vendors whose registrations were cancelled since the last check.

The ITC problem: why this matters financially

When you claim ITC on purchases from a vendor with a cancelled, suspended, or fake GSTIN, here's what happens:

1. GST department notice: You receive a demand notice to reverse the ITC claimed.
2. Interest: 18% per annum on the reversed ITC amount, from the date of claim to the date of reversal.
3. Penalty: Up to 100% of the tax amount in case of fraud or willful misstatement.
4. Audit escalation: Multiple ITC reversals trigger a detailed GST audit of your entire business.

For a company processing ₹1 crore in monthly purchases, even 2-3% of invoices from non-compliant vendors means ₹2-3 lakh in at-risk ITC every month. Over a year, that's ₹24-36 lakh in potential liability - not counting interest and penalties.

GST verification costs ₹2 per lookup. The math is obvious.

Understanding the GSTIN format

A quick primer on the 15-character GSTIN structure for developers building validation:

27 AABCU9603R 1 Z M
│ │ │ │ │
│ │ │ │ └─ Check digit
│ │ │ └─── Default ('Z')
│ │ └───── Entity number (1-9, A-Z)
│ └──────────────── PAN of the business
└─────────────────── State code (01-37)

State codes follow the Census of India numbering: 01 = Jammu & Kashmir, 27 = Maharashtra, 29 = Karnataka, 33 = Tamil Nadu, etc.

The entity number (13th character) indicates the number of registrations a business has within a state. A business with branches in different locations within the same state can have multiple GSTINs, differentiated by this digit.

You can do basic format validation client-side before hitting the API:

function isValidGSTINFormat(gstin) {
  const pattern = /^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z]{1}[1-9A-Z]{1}Z[0-9A-Z]{1}$/;
  return pattern.test(gstin);
}

But format validation alone catches almost nothing. The real value is in the GSTN database lookup.

Pricing

If you already have the GSTIN as text (from a form, database, or invoice), you only pay the verification fee - no OCR charge. If you're uploading GST certificate images, both OCR extraction and verification are included.

Getting started

1. Sign up at theverifico.com - 10 free verification credits
2. Get your API key from the dashboard
3. Test with a known GSTIN - try your own company's GSTIN first to see the full response
4. Build your verification flow using the code samples and fraud check patterns above
5. Go to production - same key, same endpoint, just start processing

Most companies start by using the GST verification API for new vendors, then expand to periodic re-verification of existing ones. The first integration takes about 30 minutes.

Frequently asked questions

Is GSTN data always up-to-date? Yes. The API queries the GSTN database in real-time. If a registration was cancelled yesterday, today's verification reflects that. Data is not cached or delayed.

Can I verify multiple GSTINs in bulk? Yes. You can make concurrent API calls for batch verification. For very large batches (10,000+), contact us for a bulk verification endpoint with optimized throughput.

What if the GSTN portal is down? GSTN has occasional maintenance windows (usually late night). During downtime, the API returns a specific error code so you can queue the verification for retry. We also maintain a brief cache for recently verified GSTINs to reduce dependency on GSTN uptime.

Do I need the vendor's consent to verify their GSTIN? GSTIN data on the GSTN portal is publicly searchable - anyone can look up a GSTIN on the GST portal. The API simply automates this public lookup. No consent is required.

What's the difference between OCR and direct verification? OCR: You upload a GST certificate image, we extract the GSTIN and other details, then verify against GSTN. Direct verification: You send us the GSTIN as text, we verify against GSTN. Direct is faster and cheaper (no OCR fee). Use OCR when you need to extract data from physical documents.

Related guides

• PAN Card Verification API: A Developer's Integration Guide
• How to Get FASTag Details Using Just a Vehicle Number
• API Documentation