Under the U.S. Drug Supply Chain Security Act (DSCSA), Authorized Trading Partners (ATPs) in the pharmaceutical supply chain are required to exchange product compliance information, including drug verification and tracing data. These exchanges of information often take place between “indirect” trading partners with no prior business relationship and varying levels of sophistication, as well as between trading partners and state and federal authorities. The full set of DSCSA requirements come into effect for all health systems with the end of the phased exemption for large dispensers on November 27, 2025.
XATP by LedgerDomain is a secure identity and messaging platform that drives DSCSA compliance. We’ve partnered with ConsortiEX to make Authorized Trading Partner validation easier for health system pharmacies.
Getting Access to XATP #
To get started, ConsortiEX will provide you with an Order Form to fill out. Generally, you’ll need to identify an internal DSCSA lead to get started on the platform. See the FAQs below for more details.
Getting Your Credential #
Once your XATP Workspace has been set up, you can apply for your XATP Credential. Once the credential is issued, a standard integration allows VRS and tracing solution providers to access your wallet for signing and checking operations – so that when you get a verifiable presentation, you can trust that it came from an actual Authorized Trading Partner (ATP) or Authority.
We partner with Legisym as our credential issuer. They check identity documentation and monitor state and federal licenses, so that the credentials they issue can be trusted.
Start Your Application #
- From the “My Credentials” tab in the dashboard, click the Apply for Credential button.
- Select the preferred corporate entity for the credential. This may be the parent company or a subsidiary. In general, if the company name and address listed in the documentation are the same, it is easier to validate identity.
Identity Credential #
The first thing you’ll need is an Identity Credential, which proves your corporate identity.
- To get your Identity Credential, you will need to enter:
- Organization Name
- Organization Address
- Contact Name
- Contact Email
- Contact Phone
- Company Type (i.e. dispenser)
- DUNS Number (NOTE: The address must match the address provided on the application and other documents submitted.)
- Next, you have the option of proving your identity with a DEA CSOS certificate, or with supporting documentation. We strongly recommend using the DEA CSOS certificate, as it is the “fast track” to completing the application. More information about how OCI Credential Issuers verify identity and DSCSA status may be found on the OCI website.
- Option #1: DEA Certificate (RECOMMENDED). You will need to submit the following information:
- DEA number
- DEA Signing Certificate (a file)
- DEA Signing Certificate password
- Option #2: Supporting Documentation.If you don’t have a DEA CSOS certificate, or don’t wish to use it, you will need to submit the following documentation:
- Articles of Incorporation (PDF format)
- NOTE: The address must match the address provided on the application and other documents submitted (otherwise additional proof will be needed)
- IRS Employer Identification Number (EIN) Assignment Letter (PDF format):
- NOTE: The address must match the address provided on the application and other documents submitted (otherwise additional proof will be needed)
- Notarized Credential Request Letter
- This a basic letter attesting that the documents being submitted for the identity proofing are true and accurate.
- A Notarized Credential Request Letter template to be formatted on company letterhead is available from the form.
- Once notarized, submit a scanned copy along with driver’s license or state-issued ID.
- Articles of Incorporation (PDF format)
- Option #1: DEA Certificate (RECOMMENDED). You will need to submit the following information:
- Once the Identity application is submitted, Legisym will review your submission and follow up with any questions. You will receive an email when your Identity credential is issued.
DSCSA Credential #
Once you get your Identity credential, you can obtain your Authorized Trading Partner (ATP) Credential. Applying for the ATP credential is very simple; just enter the company name and state license number. You will receive an email once the ATP application is approved and the ATP Credential is issued.
Frequently Asked Questions #
Health Systems #
- Who should be the lead on getting our DSCSA credential?
Getting a DSCSA credential is quick and easy with a DEA CSOS certificate. For every deployment we recommend at least two users on your organization’s XATP account: (1) the person most responsible for DSCSA implementation and workflows (often a principal phamacy buyer), and (2) a DEA CSOS certificate holder. If your health system has multiple people who fill these roles across multiple facilities, that’s OK – only one facility needs to participate in the credentialing process to cover your entire health system.
- Does each site need to be credentialed?
DSCSA is an ownership law, so you only need one credential to cover your entire organization. This can be achieved with a single DEA certificate and state license.
- Does it matter which pharmacy license I use?
No, you can point to any licensed pharmacy location as evidence to support your credential. A general rule of thumb is to pick a location where the address is unlikely to change in the near future.
- What happens if the address does change?
Legisym, our credential issuer partner, tracks the DEA certificates and state licenses to ensure that credentials remain current. If the address changes, that means your DEA number and state license number will change. You’ll get an email from Legisym indicating that you have 30 days to upload another CSOS certificate.
- What kind of credential do I get if I fill multiple roles?
You will only need one credential to cover your entire organization, and can choose any supply chain role you fill as your “primary” ATP type for the credential.
- How many named users do we need?
During the credential implementation period, you should only need to add two users: the DSCSA lead at your organization and the CSOS certificate holder.
DEA Certificates #
- Why should I use a CSOS certificate to get a credential?
The DEA CSOS (Controlled Substance Ordering System) digital certificate is issued by the agency to an individual person at a physical site in order to allow that site to transmit controlled substance orders without supporting paper forms. The process to enrol and receive a CSOS certificate owner is enough that it meets the identity assurance requirements for DSCSA credentialing by itself.
- Does it matter which DEA certificate I use?
No, as long as the DEA certificate is tied to a licensed pharmacy location. A general rule of thumb is to pick a location where the address is unlikely to change in the near future.
- Does the DEA allow me to use my CSOS certificate to get a credential?
The DEA reassures registrants that the use of the DEA Signing Certificate is perfectly acceptable for this purpose; it was foreseen and specifically allowed for by the DEA in their policy manual CSOS Certificate Policy, Version 4.1, January 2015, section 1.4.1 Appropriate Certificate Uses.
- Can I use my DEA certificate as its own credential?
While the DEA (Controlled Substance Ordering System) CSOS certificate can be used as evidence for issuing a credential, it cannot be used as an interoperable DSCSA credential by itself. There is no interoperable mechanism for exercising the DEA certificate over networks such as the VRS. In addition, because DEA certificates are issued to allow for controlled substance ordering, few manufacturers have them.
