Some ASPSPs require a separate TPP registration/authentication in addition to a QWAC/QSEAL certificate. This applies only to TPPs with their own supervisory license. finAPI customers using the finAPI PSD2 License can use the finAPI TPP registration.

For ASPSPs that require registration, the first step is TPP registration in an ASPSP portal. We can provide a list of TPP registration requirements to finAPI customers upon request to support@finapi.io.

After the TPP registration, the respective TPP credentials have to be stored in finAPI Access to allow usage of these credentials to connect to ASPSPs. Here is a list of the required TPP credentials per bank that must be stored in finAPI Access:

Group name

Description

AirBank XS2A CZ

Required fields: client_id, client_secret

TPP receives all the above mentioned parameters in the response on the call to https://api.airbank.cz/oauth2/register endpoint.

TPP must provide QWAC when calling this endpoint.

Payload example:

{
"client_name": "finAPI Live",
"redirect_uris" : [
"http://httpbin.org/get", "https://finapi.io/webForm/redirect"
],
"scopes" : [
"PISP",
"AISP"
]
}

CSOB XS2A CZ

Required fields: client_id, client_secret, APIKey

TPP receives the APIKey after completing its registration on developer portal. Please, see https://developers.csob.cz/how-to/dev-register.

TPP receives client_id and client_secret in the response on the call to https://api.csob.cz/api/csob/oauth2/v1/register endpoint.

TPP must provide QWAC and APIKey when calling this endpoint.

Request example:

curl -X POST \
  https://api.csob.cz/api/csob/oauth2/v1/register \
  -H 'APIKEY: l7xxca45406f0e934f7eb5df07d150a38e7b' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d '{
    "application_type": "web",
    "client_name": "TPP Name",
    "client_name#en-US": "TPP Name",
    "contact": "contact@domain.com",
    "logo": "... Base64 encoded image ...",
    "redirect_uris": [
        "https://tpp.domain.com/auth-redirect"
    ],
    "scopes": [
        "AISP",
        "PISP"
    ]
}'
CODE

CSOB XS2A SK

Required fields: client_id, client_secret

TPP receives all the above mentioned parameters in the response on the call to https://api.csob.sk/enroll/enroll endpoint.

TPP must provide QWAC when calling this endpoint.

Payload example:

{
"redirect_uris": [
"http://httpbin.org/get", "https://finapi.io/webForm/redirect"
],
"client_name": "TPP Name",
"client_type": "Confidential",
"contacts": ["youremail1@test.eu","youremail2@test.eu"],
"scopes": ["AISP", "PISP"],
"licensenumber": "<serialNumber from your QWAC>"
}

Erstebank XS2A CZ

Required fields: client_id, client_secret, APIKey

TPP receives the above mentioned parameters after completing its registration on developer portal - https://developers.erstegroup.com/register

Commerzbank XS2A DE

Required fields: organizationIdentifier from QWAC.

TPP can extract organizationIdentifier from the public part of its QWAC.

Comdirect XS2A DE

Required fields: organizationIdentifier from QWAC.

TPP can extract organizationIdentifier from the public part of its QWAC.

Santander XS2A DE

Required fields: organizationIdentifier from QWAC.

TPP can extract organizationIdentifier from the public part of its QWAC.

TPP-Registration:
After having your application and certificates in place you simply need to call once the dedicated API endpoint.

curl -X POST
--url https://api-cc.santander.de/scb-openapis/client/v1/tpp_registrations/mutual_tls
-H 'Accept: application/json'
-H 'Content-Type: application/json'
--key '$PATH_TO_KEY_PEM'
--cert '$PATH_TO_CERT_PEM:$PASSWORD_OF_CERT'
-d '{"registeredRedirectUris": [“https://tpp-redirect.com/cb”]}'
NONE

DKB XS2A DE

Starting from 24.03.2021 TPP registration via developer portal is no longer needed or possible. TPP credentials are no longer required. Instead, DKB implements automatic registration of the TPP after the first call to the API using QWAC. As described in the document

if it is the very first call from a TPP, then this call must be against any Berlin Group API endpoint before calling the Pre-Step Authorization API

This call can be made via this example cURL

curl -X GET \
 https://api.dkb.de/psd2/v1/accounts
CODE

The response should look like

{
    "tppMessages": [
        {
            "category": "ERROR",
            "code": "TOKEN_UNKNOWN",
            "path": "/v1/accounts",
            "text": "Login required for API usage. Please use the scaRedirect uri to login."
        }
    ],
    "_links": {
        "scaRedirect": "https://api.dkb.de/pre-auth/psd2-auth/v1/auth/token"
    }
}
CODE

TPP must provide QWAC when calling this endpoint. The call itself will result in an error, but the automatic registration of TPP should be triggered. According to DKB, the TPPs who were registered prior to these changes do not need to execute this call

HCOB XS2A DE

Required fields:

  • Consumer Key as clientId (from Production Keys tab in Application settings

  • Consumer Secret as client Secret (same as above)

  • Access Token (same as above)

TPP receives the above mentioned parameters after completing its registration on developer portal - https://tpp.hcob-bank.com/store/site/pages/sign-up.jag

Hauck and Aufhauser XS2A DE

Required fields:

  • Consumer Key as clientId (from Production Keys tab in Application settings

  • Consumer Secret as client Secret (same as above)

  • Access Token (same as above)

TPP receives the above mentioned parameters after completing its registration on developer portal - https://tpp.hauck-aufhaeuser.com/store/site/pages/sign-up.jag

ING XS2A

Required fields: serialNumber from the QSEAL certificate.

TPP can extract serialNumber from the public part of its QSEAL.

value: “SN=$extracted_serialNumber”

example:

{  
   "tppAuthenticationGroupId": <Id of TPP Authentication group called 'ING XS2A'>, 
   "label": "ING XS2A", 
   "tppClientId": "SN=00123456", 
   "tppClientSecret": null, 
   "tppApiKey": null
}
JSON

Erstebank/Sparkasse XS2A AT

Required fields: client_id, client_secret, tppId, applicationId

TPP receives all the above mentioned parameters in the response on the call to https://webapi.developers.erstegroup.com/api/v1/initiation/bank.eba endpoint.

TPP must provide QWAC when calling this endpoint.

Payload example:

{
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name": "My Example Client",
"response_types": [
"code"
],
"extension_parameters": {
"apis": [
{
"name": "bank.eba.v1/psd2-accounts-api",
"scopes": [
{
"name": "aisp",
"grant": "required"
}
]
},
{
"name": "bank.eba.v1/psd2-consent-api",
"scopes": [
{
"name": "aisp",
"grant": "required"
}
]
}
],
"traits": [],
"applicationType": "web",
"email": "youremail@test.eu",
"web": "www.tpp.com",
"refreshTokenTimeoutSeconds": 3153600000,
"accessTokenTimeoutSeconds": 3600
}
}

Raiffeisen XS2A AT

Required fields: clientId

TPP receives clientId after uploading its QWAC to https://psd2.raiffeisen.at/api/psd2-xs2a/first-contact

QWAC is checked on the transport layer during the SSL Handshake.

See request and response details at https://api-dashboard.raiffeisen.at/web/#!/psd2-oauth-flow

Hypo XS2A AT

Required fields: clientId

TPP receives clientId after uploading its QWAC to https://psd2.hypo.at/api/psd2-xs2a/first-contact

QWAC is checked on the transport layer during the SSL Handshake.

See request and response details at https://api-dashboard.hypo.at/web/#!/psd2-oauth-flow

Amex XS2A

Required fields: client_id, client_secret.

TPP receives the above mentioned parameters after completing its registration on developer portal - https://developer.americanexpress.com/open-banking

Erstebank XS2A SK

Required fields: client_id, client_secret, APIKey

TPP receives the above mentioned parameters after completing its registration on developer portal - https://developers.erstegroup.com/register

Bank Verlag XS2A DE

No TPP credentials are needed to access Bank Verlag XS2A API

Barclaycard XS2A DE

Required fields: client_id, client_secret.

TPP receives the above mentioned parameters after completing its registration on developer portal - https://developer.barclays.com/register

PayPal XS2A (DRAFT)

Required fields: client_id, client_secret.

TPP receives the above mentioned parameters after completing the registration on the TPP Landing Page;

https://www.paypal.com/partnerexp/tppLanding

If TPP Certificate is expiring, send the new certificates via email to the Paypal support team (email contact can be provided on-request)

TPP receives the above mentioned parameters after completing its registration on developer portal -

https://www.paypal.com/de/signin

See also https://developer.paypal.com/docs/api/overview/

Tatra XS2A SK

TPP receives clientId and clientSecret after completing its registration on developer portal - https://developer.tatrabanka.sk/

Raiffeisen XS2A Sandbox AT

Required fields: clientId, clientSecret

TPP receives clientId and clientSecret after completing its registration on developer portal - https://api-dashboard.raiffeisen.at/web/#!/register. Credentials are displayed in the TPP application profile.

Sparda XS2A DE

Required fields: organizationIdentifier from QWAC.

TPP can extract organizationIdentifier from the public part of its QWAC.

VR XS2A DE

Required fields: serialNumber from the QSEAL certificate.

TPP can extract serialNumber from the public part of its QSEAL.

value: “SN=$extracted_serialNumber”

Bunq XS2A

Required fields:

  • clientId as clientId

  • clientSecret as clientSecret

  • installationToken:apiKey as apiKey

TPP receives the above mentioned parameters after completing the registration process descripbed at - https://doc.bunq.com/ (section PSD2 service provider).

Solarisbank (Penta)

Required fields: organizationIdentifier from QWAC.

TPP can extract organizationIdentifier from the public part of its QWAC.

Revolut XS2A

Required fields:

  • Client ID as Client ID

  • From the mandator's certificate attribute “org_jwks_endpoint“, the root domain must be set as TPP Name. Ex: For a org_jwks_endpoint defined as "https://jwks.test.com/jwks.json", the root domain will be "jwks.test.com"

  • Key ID from the TPP's certificate as Api Key

The Key ID can be found as kid in the JWKs file created during the registration process required by Revolut. It is described here: https://developer.revolut.com/docs/build-banking-apps/#identification-and-authentication-dynamic-client-registration

N26 XS2A

Required fields: organizationIdentifier from QWAC.

TPP can extract organizationIdentifier from the public part of its QWAC.

Qonto XS2A

Required fields: client_id and client_secret
TPP receives these parameters when they complete registration as decribed in Qonto documentation - https://api-doc.qonto.com/2.0/welcome/register-your-application

Komerční banka XS2A (SK)

Required fields:

  • tppClientId

  • tppClientSecret

TPPs receives these parameters when they complete registration via the developer portal Komerční banka (SK) https://api.koba.sk/portal

Fidor Bank XS2A

Required fields: client_id as organizationIdentifier from QWAC.

TPP is required to onboard via GET /hello as described here http://docs.fidorsolutions.cloud/#tag/TPP-Onboarding. The call must be made using QWAC.