Cosmetica
Guide

How to Submit Cosmetic Product Listings to FDA via ESG NextGen

A step-by-step walkthrough of submitting MoCRA-compliant facility registrations and product listings through the FDA's Electronic Submissions Gateway (ESG NextGen) — from FEI to acknowledgement.

Cosmetica Editorial Team
May 18, 2026
12 min read
FDAESG NextGenMoCRASPL XMLproduct listingfacility registration

The FDA Electronic Submissions Gateway NextGen (ESG NextGen) is the modern, API-based submission system that replaces FDA's legacy ESG portal for cosmetic facility registrations and product listings under MoCRA. This guide walks through what ESG NextGen is, what you need to submit a cosmetic product listing, and how the four-step OAuth submission flow works in practice.

What is ESG NextGen?

ESG NextGen is FDA's modernized, OAuth-secured, machine-to-machine submission system. Where the legacy ESG used X.509 certificates and AS2/SMTP, NextGen uses standard HTTPS APIs with token authentication. For cosmetic submissions under MoCRA, NextGen is the only supported pathway as of 2024.

FDA also offers a web-based Cosmetics Direct portal for brands that prefer to file individual listings manually. ESG NextGen is the choice for any brand with more than a handful of SKUs because it allows programmatic submission of dozens or hundreds of listings without portal-clicking.

Prerequisites

Before you can submit anything through ESG NextGen, you need:

  • An FDA ESG NextGen account. Apply at esgnextgen.fda.gov. FDA reviews each application; approval typically takes 1-2 weeks.
  • OAuth client credentials. Once approved, FDA issues an OAuth client ID and secret you use to obtain access tokens.
  • An FEI (Facility Establishment Identifier) for every facility. Obtain via FDA's FEI portal or by contacting FURLS@fda.hhs.gov. Each physical manufacturing or processing location needs its own FEI.
  • SPL XML files for each submission. Structured Product Labeling XML is FDA's required submission format. SPL is an HL7-defined XML schema with specific tags for facility registration (SET_ID type), product listing, and content of the labeling.

The four-step submission flow

ESG NextGen submission follows a four-step pattern. Cosmetica automates all four; if you're submitting manually, you'll write or invoke API client code for each.

1. OAuth token request

POST to FDA's OAuth endpoint with your client ID and secret. FDA returns an access token (typically valid for an hour) that authenticates subsequent calls.

2. Credentials request

Use the access token to request submission credentials. FDA returns an upload URL and submission ID specific to this transaction.

3. SPL upload

POST your SPL XML file (and any attachments — typically a product label image) to the upload URL. FDA validates the XML structurally and returns an acknowledgement.

4. Submit + poll for ACKs

Confirm submission and then poll FDA's status endpoint for three acknowledgements:

  • ACK1 (Receipt) — FDA confirms receipt within minutes.
  • ACK2 (Validation) — FDA confirms structural validation of the SPL XML.
  • ACK3 (Disposition) — FDA confirms business-rule validation and assigns final acceptance or rejection. This typically arrives within hours but can take up to 24 hours during high-volume periods.

What goes into the SPL XML

Cosmetic facility registration SPL contains:

  • SET_ID — a UUID identifying the facility
  • Facility name, address, FEI, and contact person
  • Activities performed at the facility (manufacturing, processing, packing, holding)
  • An "owner/operator" reference identifying the responsible person

Cosmetic product listing SPL contains:

  • SET_ID for the product family
  • Product name, category code (e.g. 53 for skin care preparations), responsible person info
  • Listed ingredients in descending order of predominance using INCI nomenclature
  • Reference to the facility(ies) where the product is manufactured
  • Original product labeling content (warnings, directions, ingredient declaration)

Common errors and how to avoid them

From FDA's published error codes and our own implementation experience:

  • ACK2 schema validation failure: Your SPL XML doesn't match the SPL schema. Most common causes: missing required SET_ID, malformed UUID, incorrect category code. Validate against the SPL schema before upload.
  • ACK3 business rule failure: The XML is structurally valid but violates a business rule. Most common causes: FEI doesn't match a registered facility, INCI name is not in FDA's recognized list, category code doesn't match product description.
  • OAuth token expiry: Tokens expire after ~60 minutes. For batch submissions, refresh the token between batches.
  • Duplicate submissions: FDA detects duplicate SET_IDs and rejects subsequent submissions. To update an existing listing, increment the version inside the SPL — don't create a new SET_ID.

How Cosmetica automates this

Cosmetica handles the full ESG NextGen flow programmatically:

  1. You enter facility and product data in the dashboard.
  2. Cosmetica generates compliant SPL XML, including category code lookup, INCI normalization, and label content packaging.
  3. Cosmetica obtains the OAuth token, posts the submission, and polls for ACK1/ACK2/ACK3.
  4. Acknowledgements appear on the registration dashboard with the FDA-assigned IDs and any business-rule findings.
  5. If ACK3 indicates a disposition issue, Cosmetica surfaces the specific FDA error and guides you to a fix without re-doing the entire flow.

Next steps

If you're preparing your first MoCRA submission, the highest-leverage first move is getting your facility FEI. Apply at FDA's FEI portal before you start drafting SPL XML — the FEI is referenced inside every facility registration and product listing.

See Cosmetica's full MoCRA coverage → | What is SPL XML? →

Ready to automate your compliance?

See how Cosmetica replaces manual regulatory work with AI-powered automation.