Personal use of Cl@ve and prevention of unauthorized intermediation practices

The Cl@ve system is an identification, authentication and electronic signature mechanism for personal, direct and non-transferable use by the citizen.

According to the system's terms of use, the codes, keys, authentication factors, devices or any other element used to identify oneself using Cl@ve must be kept by their owner and used exclusively by the citizen himself to carry out procedures on his behalf.

In this regard, it is not permitted for third parties —natural or legal persons, public or private— to request, capture, reproduce or use the citizen's Cl@ve authentication mechanisms to access the electronic services of Public Administrations on their behalf, nor to act as intermediaries in the identification or authentication process. In particular, it constitutes misuse of the system:

• accessing electronic services on behalf of the citizen using their credentials or authentication factors, even with their consent,

• use solutions based on credential capture or reuse, proxying, authentication automation, robotics, scripting or any technical intermediation mechanism,

• reproduce or present to the citizen QR codes, notifications or authentication requests generated by interposed systems,

• or store, process or reuse one-time codes, passwords or any other element intended to authenticate the citizen.

Authentication using Cl@ve must always be done directly by the citizen, from the electronic headquarters or official public service they wish to access.
If you receive an authentication request, QR code, or confirmation request in the context of a website, application, or service from a private company or an unauthorized third party, you should not confirm it.

The Tax Agency may adopt the necessary technical and organizational measures to protect citizens, preserve the security of the system and prevent the misuse of identification and authentication mechanisms.