PUIhoteles
ESEN Get started
PUI compliance
Connection to the PUI LawIdentity captureGuest registry
How it works
Query modelConnected to R2Security & encryption
For your hotel
No technical teamLlaveMX & e.firmaCompliance dashboard
By lodging type
HotelsHostelsMotelsAirbnb & short rentals
By situation
Hotels in Mexico CitySole proprietorSmall lodging
Compare
PUIhoteles vs ConectaPUIPUIhoteles vs PUIMexicovs Build it yourself
Learn
What is the PUI LawThe fine for not complyingBlogHelp center
Company
AboutContact
Pricing Get started
Guide · PUI interconnection

PUI interconnection requirements, explained

To interconnect with the Single Identity Platform, a lodging establishment must meet a concrete technical checklist. Here we break it down for non-technical readers: e.firma, a portal profile with an institutional inbox, LlaveMX access, and a query URL with JWT authentication, TLS encryption and security reports. Honestly: full interconnection is enabled once the government publishes the pending manual.

Get startedCreate your demo

What "interconnecting" with the PUI means

Registering your guests’ identity is one thing; interconnecting is another. Interconnecting means your establishment is plugged into the federal platform so it can respond, securely and automatically, when authorities ask whether a reported person checked in at your lodging.

The model is a query model: the authority asks about a specific person (by CURP or name) and your system responds from your registry whether there is a match or not. It is not mass monitoring of your guests. For that exchange to be secure, the government requires a series of technical requirements to be met before going to production.

Important and honest: the duty to register identity is already in force, but full interconnection is enabled once the SNIP Operations Manual is published, which as of this guide is still pending. When it is published, a window of 45 business days to request access begins. This checklist tells you what you will need ready for that window.

The interconnection checklist, step by step

What an establishment needs to interconnect, in order and in plain language.

  1. 1. A valid SAT e.firmaThe SAT’s advanced electronic signature that identifies you with legal validity. Company: the legal representative’s. Individual: the holder’s. It is the first identity requirement.
  2. 2. A profile on the official portal + institutional inboxYou register your establishment’s profile on the government portal and activate an institutional notifications inbox, where official notices about your interconnection will arrive.
  3. 3. Access with LlaveMXYou log in to the portal with your LlaveMX, the government’s free single digital identity. It is the access key with which you manage the whole process from the portal.
  4. 4. A query URL (REST endpoint)You register a web address (a REST endpoint) where your system will receive the authority’s queries. It is the "door" through which questions arrive and through which your hotel responds.
  5. 5. Endpoint security: JWT and TLSThat URL must be protected with JWT token authentication (to verify who is asking) and TLS encryption in transit (so no one can read the information along the way).
  6. 6. Security reports before productionBefore going to production, software security reports are required: SAST, DAST and SCA. These are analyses that confirm your system has no known vulnerabilities before connecting to sensitive data.

The technical terms, in plain English

If the acronyms make your head spin, here’s the translation for owners and managers.

JWT (authentication)

A signed "token" that accompanies each query to prove the asker has permission. It keeps just anyone from touching your endpoint.

TLS (encryption in transit)

The same padlock as secure web pages: it encrypts the information while it travels, so no one can intercept or read it.

SAST

Analysis of the source code looking for security flaws. It reviews the software "from the inside" before exposing it.

DAST

Tests on the running application, simulating attacks, to detect vulnerabilities "live."

SCA

Analysis of the libraries and dependencies your software uses, to detect components with known vulnerabilities.

REST endpoint

The web address (URL) where your system receives and answers queries automatically. It is the piece that connects your registry to the platform.

Why this checklist is not for improvising

Read straight through, the checklist makes one thing clear: interconnection is not filling out a form. It demands serious technical infrastructure, built and maintained to security standards: an available endpoint, protected with JWT and TLS, and backed by SAST, DAST and SCA reports before touching people’s sensitive data.

For a small or mid-sized lodging, building and sustaining that on its own is unrealistic: it involves development, recurring security testing and continuous operation of the endpoint. That is why the usual approach is to rely on a system that already meets these requirements and interconnects you, rather than building and certifying everything from scratch.

Let’s also be honest about the timing: even with the prerequisites ready, the formal access request opens once the government publishes the pending manual, with a 45-business-day window. Reaching that window with the checklist solved is the difference between connecting on time and racing the clock.

Frequently asked questions about interconnection

Is interconnecting the same as capturing identity?
No. Capturing identity is recording and storing the guest’s data, and it is already mandatory. Interconnecting is plugging your system into the platform to answer queries, with its own technical requirements.
Can I interconnect today?
Full interconnection is enabled once the SNIP Operations Manual is published, which is still pending. What you can do today is get the prerequisites ready: a valid e.firma and a created LlaveMX.
What exactly is the query URL?
It is a REST endpoint, a web address you register where your system receives the authority’s queries and responds from your registry. It must be protected with JWT and TLS.
Do I need security testing like SAST, DAST and SCA?
Yes, software security reports are required before going to production. These are analyses that verify your system exposes no known vulnerabilities before connecting to sensitive data.
Can a small hotel build all this alone?
It’s unrealistic. It requires development, recurring security testing and continuous operation of the endpoint. The usual approach is to rely on a system that already meets these requirements and interconnects you.
Does PUIhoteles cover these technical requirements?
Yes. PUIhoteles registers your query URL with the required security and connects you, and guides you with the e.firma and LlaveMX, all connected to R2 OS in real time. Setup is $4,350 MXN and $930 MXN per month (plus VAT), with no lock-in.

Put PUIhoteles to work for you

Get started