Additional TPP registration and authentication

AT

Erstebank/Sparkasse XS2A AT

Required fields: tppClientId and tppClientSecret

TPP receives these parameters in the response on the call to https://webapi.developers.erstegroup.com/api/v1/initiation/bank.eba endpoint. TPP must provide a valid QWAC when calling this endpoint.

Payload example:

{
  "redirect_uris": [
    "https://client.example.org/callback",
    "https://client.example.org/callback2"
  ],
  "client_name": "My Example Client",
  "response_types": [
    "code"
  ],
  "extension_parameters": {
    "apis": [
      {
        "name": "bank.eba.v1/psd2-accounts-api",
        "scopes": [
          {
            "name": "aisp",
            "grant": "required"
          }
        ]
      },
      {
        "name": "bank.eba.v1/psd2-consent-api",
        "scopes": [
          {
            "name": "aisp",
            "grant": "required"
          }
        ]
      }
    ],
    "traits": [],
    "applicationType": "web",
    "email": "youremail@test.eu",
    "web": "www.tpp.com",
    "refreshTokenTimeoutSeconds": 3153600000,
    "accessTokenTimeoutSeconds": 3600
  }
}

AT

Hypo XS2A AT

Required fields: tppClientId

TPP receives it after uploading a valid QWAC to https://psd2.hypo.at/api/psd2-xs2a/first-contact

QWAC is checked on the transport layer during the SSL Handshake.

See request and response details at https://api-dashboard.hypo.at/web/#!/psd2-oauth-flow

AT

Posojilnica Bank XS2A

Required fields: tppClientId

TPP receives it after uploading a valid QWAC to https://psd2.poso.at/api/psd2-xs2a/first-contact/. QWAC is checked on the transport layer during the SSL Handshake.

See request and response details at https://api-dashboard.poso.at/web/#!/psd2-oauth-flow

AT

Raiffeisen XS2A AT

Required fields: tppClientId

TPP receives it after uploading a valid QWAC to https://psd2.raiffeisen.at/api/psd2-xs2a/first-contact

QWAC is checked on the transport layer during the SSL Handshake.

See request and response details at https://api-dashboard.raiffeisen.at/web/#!/psd2-oauth-flow

AT

Raiffeisen XS2A Sandbox AT

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the developer portal - see https://api-dashboard.raiffeisen.at/web/#!/register. Credentials are displayed in the TPP application profile.

AT

VKB XS2A AT

Required fields: tppClientId

TPP receives it after uploading a valid QWAC to https://developer.vkb-bank.at/live-psd2-oauth-flow

QWAC is checked on the transport layer during the SSL Handshake.

CZ

AirBank XS2A CZ

Required fields: tppClientId, tppClientSecret and tppName

TPP receives all the above mentioned parameters in the response to the call to the https://api.airbank.cz/oauth2/register endpoint. TPP must provide a valid QWAC when calling this endpoint.

Payload example:

{
  "client_name": "finAPI Live",
  "redirect_uris": [
    "http://httpbin.org/get",
    "https://finapi.io/webForm/redirect"
  ],
  "scopes": [
    "PISP",
    "AISP"
  ]
}

CZ

CSOB XS2A CZ

Required fields: tppClientId, tppClientSecret, tppApiKey and tppName

TPP receives the APIKey after completing the registration on the developer portal. Please, see https://developers.csob.cz/how-to/dev-register.

TPP receives client_id and client_secret in the response on the call to https://api.csob.cz/api/csob/oauth2/v1/register endpoint.

TPP must provide QWAC and APIKey when calling this endpoint.

Request example:

curl -X POST \
  https://api.csob.cz/api/csob/oauth2/v1/register \
  -H 'APIKEY: l7xxca45406f0e934f7eb5df07d150a38e7b' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d '{
    "application_type": "web",
    "client_name": "TPP Name",
    "client_name#en-US": "TPP Name",
    "contact": "contact@domain.com",
    "logo": "... Base64 encoded image ...",
    "redirect_uris": [
      "https://tpp.domain.com/auth-redirect"
    ],
    "scopes": [
      "AISP",
      "PISP"
    ]
}'

CZ

Erstebank XS2A CZ

Required fields: tppClientId, tppClientSecret and tppApiKey

TPP receives the above-mentioned parameters after completing the registration on the developer portal - see https://developers.erstegroup.com/register for further info.

CZ

KB XS2A CZ

Required fields: tppClientId, tppClientSecret and tppName

CZ

Moneta XS2A CZ

Required fields: tppClientId, tppClientSecret

CZ

Raiffeisen XS2A CZ

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the developer portal - see https://api.rbinternational.com/home. Credentials are displayed in the TPP application profile.

DE

Barclaycard XS2A DE

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the developer portal - see https://developer.barclays.com/register for further info.

DE

Comdirect XS2A DE

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC.

TPP can extract organizationIdentifier from the public part of the QWAC.

DE

Commerzbank XS2A DE

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC.

TPP can extract organizationIdentifier from the public part of the QWAC.

DE

Fidor XS2A DE

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC

TPP is required to onboard via GET /hello as described here http://docs.fidorsolutions.cloud/#tag/TPP-Onboarding. The call must be made with a valid QWAC.

DE

Finom/Swan XS2A

No TPP Credentials required.

Registration as TPP is required though. To register as a TPP, follow the guide at:

https://priora.saltedge.com/docs/berlingroup/finom/certificates#tpp

DE

Holvi XS2A

Required fields: tppClientId and tppClientSecret

To register as a TPP, a call to the endpoint https://psd2.holvi.com/v1/onboarding/signup/ is required. For more details, go to the documentation page and then go to section “Onboarding API”.

DE

N26 XS2A

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC

TPP can extract the organizationIdentifier from the public part of the QWAC.

DE

M.M. Warburg XS2A DE

Required fields: tppClientId with the value of the serialNumber from the QSEAL certificate

The format of the value: SN=$extracted_serialNumber

TPP can extract the serialNumber from the public part of the QSEAL certificate.

Example:

{  
   "tppAuthenticationGroupId": <Id of TPP Authentication group called 'M.M. Warburg XS2A DE'>, 
   "label": "M.M. Warburg XS2A", 
   "tppClientId": "SN=00123456", 
   "tppClientSecret": null, 
   "tppApiKey": null
}

DE

Santander XS2A DE

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC.

TPP can extract organizationIdentifier from the public part of the QWAC.

TPP-Registration:
After having your application and certificates in place you simply need to call once a dedicated API endpoint. Example:

curl -X POST
--url https://api-cc.santander.de/scb-openapis/client/v1/tpp_registrations/mutual_tls
-H 'Accept: application/json'
-H 'Content-Type: application/json'
--key '$PATH_TO_KEY_PEM'
--cert '$PATH_TO_CERT_PEM:$PASSWORD_OF_CERT'
-d '{"registeredRedirectUris": [“https://tpp-redirect.com/cb”]}'

DE

Sparda XS2A DE

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC

TPP can extract the organizationIdentifier from the public part of the QWAC.

DE

Solarisbank XS2A DE

Penta

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC

TPP can extract the organizationIdentifier from the public part of the QWAC.

DE

VR XS2A DE

Required fields: tppClientId with the value of the serialNumber from the QSEAL certificate

The format of the value: SN=$extracted_serialNumber

TPP can extract the serialNumber from the public part of the QSEAL certificate.

EU

Bunq XS2A

Required fields:

• clientId as tppClientId

• clientSecret as tppClientSecret

• installationToken:apiKey as tppApiKey

TPP receives these parameters after completing the registration process described at - https://doc.bunq.com/ (section “PSD2 service provider”).

EU

Cross-european TPP - global

Required fields: tppClientId, tppClientSecret and tppApiKey

Please define the credentials, you have received from our partner.

• tppClientId = member id

• tppClientSecret = alias

• tppApiKey = API key

This TPP Bank Group will serve all banks that are integrated using our partner’s API and don’t require separate TPP registrations on the banks' side for every environment that your application is running in.

We recommend reaching out to our support (E-Mail: support@finapi.io) to clarify how you can obtain these credentials from our partner.

EU

Cross-european TPP - per-environment

Required fields: tppClientId, tppClientSecret and tppApiKey

Please define the credentials, you have received from our partner.

• tppClientId = member id

• tppClientSecret = alias

• tppApiKey = API key

This TPP Bank Group will serve all banks that are integrated using our partner's API and require separate TPP registrations on the banks' side for every environment that your application is running in.

We recommend reaching out to our support (E-Mail: support@finapi.io) to clarify how you can obtain these credentials from our partner.

EU

ING XS2A

Required fields: tppClientId with the value of the serialNumber from the QSEAL certificate.

Format of the value: SN=$extracted_serialNumber

TPP can extract serialNumber from the public part of its QSEAL.

Example:

{  
   "tppAuthenticationGroupId": <Id of TPP Authentication group called 'ING XS2A'>, 
   "label": "ING XS2A", 
   "tppClientId": "SN=00123456", 
   "tppClientSecret": null, 
   "tppApiKey": null
}

Update: September 2024:

ING has performed a breaking change. Read more about it here: https://developer.ing.com/openbanking/inspiration/news/breaking-change-for-psd2-users?mcing=emai_nwsl_othr_oth_s_dcr-migration

Existing customers who use their own license must run this Shell Script here, to maintain connectivity:

update.sh

Line 9: Fill in the client_id. Please reach out to our support team to get the client_id.

Lines 12-15: put your certificates in the same folder with the given names.

for more Details ING has also released a step by step migration guide here:

https://developer.ing.com/openbanking/resources/get-started/psd2#migration-guide

EU

PayPal XS2A

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the TPP landing page: https://www.paypal.com/partnerexp/tppLanding

If the TPP’s Certificate is expiring, send the new certificates via email to the Paypal support team (email contact can be provided on-request)

EU

Revolut XS2A

Required fields:

• Client ID as tppClientId

• From the mandator's certificate attribute “org_jwks_endpoint“, the root domain must be set as tppName.
  Example: for the org_jwks_endpoint field defined as https://jwks.test.com/jwks.json, the root domain will be jwks.test.com

• Key ID from the TPP's certificate as tppApiKey

The Key ID can be found as the value of the kid field in the JWKs file created during the registration process required by Revolut. It is described here: https://developer.revolut.com/docs/build-banking-apps/#identification-and-authentication-dynamic-client-registration

EU

Qonto XS2A

Required fields: tppClientId and tppClientSecret
TPP receives these parameters after completing the registration process as decribed in Qonto documentation: https://api-doc.qonto.com/docs/business-api/ed2a209683773-register-your-application

HU

Erstebank XS2A HU

Required fields: tppClientId, tppClientSecret and tppApiKey

TPP receives the above-mentioned parameters after completing the registration on the developer portal - see https://developers.erstegroup.com/register for further info.

HU

OTP XS2A

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the developer portal - see https://www.otpbank.hu/portal/en/PSD2.

HU

Raiffeisen XS2A HU

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the developer portal - see https://api.rbinternational.com/home. Credentials are displayed in the TPP application profile.

RO

Alpha Bank XS2A RO

Required fields: tppClientId, tppClientSecret and tppApiKey

TPP receives the above-mentioned parameters after completing the registration on the developer portal - see https://developer.api.alphabank.eu/ for further info.

The bank provides 4 API keys, 2 (primary/secondary) for each flow: AIS and PIS. On finAPI side, please provide the tppApiKey in the format aisPrimaryApiKey:pisPrimaryApiKey.

RO

Banca Comerciala Romana XS2A

Required fields: tppClientId, tppClientSecret and tppApiKey

TPP receives the above-mentioned parameters after completing the registration on the developer portal - see https://developers.erstegroup.com/register for further info.

RO

Banca Transilvania XS2A RO

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration. See https://apistorebt.ro/bt/sb/how-it-works on details on how to register for production access.

RO

Raiffeisen XS2A RO

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the developer portal - see https://api.rbinternational.com/home. Credentials are displayed in the TPP application profile.

SK

CSOB XS2A SK

Required fields: tppClientId and tppClientSecret

TPP receives all the above-mentioned parameters in the response on the call to https://api.csob.sk/enroll/enroll endpoint. TPP must provide a valid QWAC when calling this endpoint.

Payload example:

{
  "redirect_uris": [
    "http://httpbin.org/get",
    "https://finapi.io/webForm/redirect"
  ],
  "client_name": "TPP Name",
  "client_type": "Confidential",
  "contacts": [
    "youremail1@test.eu",
    "youremail2@test.eu"
  ],
  "scopes": [
    "AISP",
    "PISP"
  ],
  "licensenumber": "<serialNumber from your QWAC>"
}

SK

Erstebank XS2A SK

Required fields: tppClientId, tppClientSecret and tppApiKey

TPP receives these parameters after completing the registration on the developer portal - see https://developers.erstegroup.com/register for further info.

SK

KB XS2A SK

Komerční banka

Required fields: tppClientId, tppClientSecret and tppName

TPPs receives these parameters after completing the registration via the developer portal https://api.koba.sk/portal

SK

Primabanka XS2A SK

Required fields: tppClientId and tppClientSecret

SK

Tatra XS2A SK

Required fields: tppClientId and tppClientSecret

TPP receives these parameters after completing the registration on the developer portal - see https://developer.tatrabanka.sk/ for further info.

SK + CZ

VUB XS2A

Required fields: tppClientId with the value of the organizationIdentifier from the QWAC.

• To register as a TPP, a call to the endpoint https://api.vub.sk/psd2/register is required. For more details, go to the documentation page and then go to the section PSD2_OpenIdRegister_swag

• TPP can extract organizationIdentifier from the public part of the QWAC.

SK + CZ

mBank XS2A

Required fields:

• tppClientId

• tppClientSecret

• tppApiKey - it is required and it should be the URL of the QSeal certificate. For staging instances we used this one: https://jwks.finapi.io/finapi-qsealc-ica-2025.crt.