Legal-technical analysis · Technical Manual v1.0

The PUI Technical Manual v1.0 (DOF 23 January 2026)

Published in the Diario Oficial de la Federación on 23 January 2026, the Technical Manual v1.0 is the instrument that defines how a lodging must technically connect to the Single Identity Platform: REST/JSON endpoints, JWT token authentication, AES-256-GCM encryption, SHA3-256 hashing, TLS transport and cybersecurity annexes. We analyse what it establishes and what it requires for interconnection, in language useful to both lawyers and systems leads.

The Manual’s role in the regulatory chain

The Technical Manual v1.0, published in the Diario Oficial de la Federación on 23 January 2026, occupies the last regulatory step before operation: it translates the legal interconnection duty —set by Article 12 Bis of the LGMDFP and framed by the November 2025 Guidelines— into concrete technical specifications. It is the document a systems lead needs to build the connection to the PUI, and the one a lawyer must know to size the real compliance burden.

Its legal relevance is twofold. On one hand, it defines the technical standard whose compliance the authority may require. On the other, it makes clear that interconnection to the PUI is not a trivial procedure: it requires software development, credential management and security controls beyond the operational reach of most lodgings. That finding is central to any cost-risk analysis of compliance.

The Manual is labelled v1.0, which anticipates its evolving nature: the technical specifications may be updated in later versions. For a compliance programme, this means interconnection is not a project completed once, but a capability that must be kept current as the standard evolves.

The technical specifications it defines

The Manual establishes the interconnection architecture. These are its essential components, described for a mixed legal and technical audience.

REST/JSON endpoints

Interconnection is carried out through REST-type web services that exchange data in JSON format. The lodging exposes or consumes defined service points.

JWT authentication

Access is authenticated with JWTs (JSON Web Tokens), signed tokens that prove the identity of the system querying or responding.

AES-256-GCM encryption

Sensitive data is encrypted with AES-256-GCM, a robust symmetric encryption algorithm that protects the confidentiality and integrity of the information.

SHA3-256 hashing

The SHA3-256 hash function is used to verify data integrity, so that any alteration is detectable.

TLS transport

All communication travels over TLS, the protocol that encrypts the transport channel and prevents interception in transit.

Cybersecurity annexes

The Manual includes annexes with security requirements, including software audit reports (static, dynamic and dependency analysis).
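How the JWT and SHA3-256 components above can work together on the receiving endpoint, as an added example that is not taken from the Manual or from any official code. The HS256 shared-secret signature, the claim names (`iss`, `exp`, `body_sha3_256`) and the idea of binding the body digest into the token are assumptions made for illustration; the Manual's own algorithm and claim set govern a real integration.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def body_digest(body: bytes) -> str:
    # SHA3-256 over the exact bytes sent on the wire, not a re-serialised copy.
    return hashlib.sha3_256(body).hexdigest()

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(secret: bytes, body: bytes, now: int, ttl: int = 60) -> str:
    # Caller side. HS256 and the "body_sha3_256" claim are assumptions.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "constructed-caller", "exp": now + ttl,
              "body_sha3_256": body_digest(body)}
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + b64url(sign(secret, signing_input))

def verify_request(secret: bytes, token: str, body: bytes, now: int = None):
    """Endpoint side: return (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
        # Pin the algorithm: never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False, "unexpected alg"
        if not hmac.compare_digest(signature, sign(secret, f"{h64}.{c64}")):
            return False, "bad signature"
        claims = json.loads(b64url_decode(c64))  # parsed only once authenticated
    except ValueError:
        return False, "malformed token"
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return False, "malformed claims"
    if claims["exp"] <= now:
        return False, "expired"
    claimed = str(claims.get("body_sha3_256", "")).encode()
    if not hmac.compare_digest(claimed, body_digest(body).encode()):
        return False, "body digest mismatch"
    return True, "ok"

# Constructed sample values, not real credentials or PUI data.
SECRET = b"constructed-demo-secret"
BODY = json.dumps({"query": "constructed-example"}).encode()
```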

What it requires in practice to interconnect

Beyond the algorithms, the Manual defines a set of prerequisites a lodging must satisfy to connect formally. Interconnection requires, in general terms: holding the SAT’s e.firma of the representative or holder as an identification mechanism; having a profile on the official portal and an institutional mailbox; accessing through LlaveMX (the government’s digital identity); and registering the URL of the REST query endpoint, protected with JWT and TLS, accompanied by the security reports the Manual requires.

Those security reports deserve special attention. The standard contemplates three types of audit: SAST (static analysis of the code), DAST (dynamic analysis of the running application) and SCA (analysis of third-party dependencies or components). Preparing these reports is not an administrative task: it requires specialised software-security knowledge and specific tools, which normally exceed a hotel’s internal capabilities.

The analytical conclusion is clear: the Technical Manual turns interconnection into a software-engineering project with institutional-grade security requirements. For an establishment without a development team, executing it internally implies months of work, hiring technical talent and ongoing maintenance as the standard evolves. It is precisely the gap a specialised connector is designed to cover.

The interconnection prerequisites the framework defines

The technical path the Manual presupposes to connect a lodging to the PUI.

  1. SAT e.firma: The electronic signature of the representative or holder, as a recognised identification mechanism for access.
  2. Profile and institutional mailbox: Registration of the profile on the official portal and enabling of the institutional mailbox for communications.
  3. Access with LlaveMX: Use of the government’s digital identity (LlaveMX) to authenticate on the portal.
  4. Endpoint URL with JWT and TLS: Registration of the query service URL, protected with JWT tokens and TLS transport.
  5. SAST/DAST/SCA security reports: Delivery of the software audits the cybersecurity standard requires to authorise the connection.

What the Manual reveals about the compliance burden

Four conclusions to size the real effort.

It is a software project

Building endpoints, managing tokens and applying encryption is engineering, not an over-the-counter administrative procedure.

It demands institutional security

AES-256-GCM encryption, SHA3-256 hashing and TLS, plus SAST, DAST and SCA audits: enterprise-grade standards.

It requires maintenance

Being v1.0, the specifications will evolve; the integration must be sustained and updated over time.

It exceeds the typical hotel

Most lodgings lack the development and security team to execute it internally.

Official sources

Technical Manual v1.0 of the Single Identity Platform, published in the Diario Oficial de la Federación on 23 January 2026. It defines the interconnection specifications (REST/JSON endpoints, JWT authentication, AES-256-GCM encryption, SHA3-256 hashing, TLS transport) and the cybersecurity annexes, including the software audit reports.

Superior framework: General Law on the Forced Disappearance of Persons (LGMDFP), Article 12 Bis. Prior secondary instrument: Guidelines published in the Diario Oficial de la Federación on 27 November 2025. Pending instrument: Operating Manual of the National Personal Identification Service (SNIP), not published as of June 2026.

Responsible bodies: Ministry of the Interior (SEGOB), National Population Registry (RENAPO) and National Search Commission (CNB), with technical support from the Digital Transformation and Telecommunications Agency (ATDT). The e.firma used in the procedure corresponds to the Tax Administration Service (SAT).

Frequently asked questions about the Technical Manual v1.0

What does the Technical Manual v1.0 define?
It defines how a lodging must technically connect to the PUI: REST/JSON endpoints, JWT token authentication, AES-256-GCM encryption, SHA3-256 hashing, TLS transport and cybersecurity annexes. It was published in the DOF on 23 January 2026.
What is needed to interconnect under the Manual?
In general terms: the SAT’s e.firma of the representative or holder, a profile on the official portal and an institutional mailbox, access through LlaveMX, and registration of the query endpoint URL protected with JWT and TLS, accompanied by software security reports.
What are SAST, DAST and SCA and why does it require them?
They are types of software-security audit: static analysis of the code (SAST), dynamic analysis of the running application (DAST) and analysis of third-party dependencies or components (SCA). The standard requires them to ensure the endpoint connecting to the PUI meets cybersecurity criteria.
Why do encryption and hashing matter legally?
Because identity data is personal data that must be protected. AES-256-GCM encrypts for confidentiality, SHA3-256 verifies integrity and TLS protects the channel. Meeting these standards is part of treating the data with the security the regulation requires.
Can a hotel execute this internally?
It is legally possible, but the Manual turns interconnection into a software-engineering project with institutional-grade security. For an establishment without a development team it implies months of work, technical talent and ongoing maintenance as the standard evolves.
Does v1.0 mean it will change?
The v1.0 label anticipates an evolving nature: the technical specifications may be updated in later versions. That is why interconnection is not a project completed once, but a capability that must be kept current.
