Additional TPP registration and authentication

Some ASPSPs require a separate TPP registration/authentication in addition to a QWAC/QSEAL certificate. This applies only to TPPs with their own supervisory license. finAPI customers using the finAPI PSD2 License can use the finAPI TPP registration.

For ASPSPs that require registration, the first step is TPP registration in an ASPSP portal. We can provide a list of TPP registration requirements to finAPI customers upon request to support@finapi.io.

After the TPP registration, the respective TPP credentials have to be stored in finAPI Access to allow usage of these credentials to connect to ASPSPs. Here is a list of the required TPP credentials per bank that must be stored in finAPI Access:

Group name	Description
AirBank XS2A CZ	Required fields: `tppClientId`, `tppClientSecret` and `tppName` TPP receives all the above mentioned parameters in the response on the call to the `https://api.airbank.cz/oauth2/register` endpoint. TPP must provide a valid QWAC when calling this endpoint. Payload example: JSON `{ "client_name": "finAPI Live", "redirect_uris": [ "http://httpbin.org/get", "https://finapi.io/webForm/redirect" ], "scopes": [ "PISP", "AISP" ] }`
CSOB XS2A CZ	Required fields: `tppClientId`, `tppClientSecret`, `tppApiKey` and `tppName` TPP receives the APIKey after completing the registration on the developer portal. Please, see https://developers.csob.cz/how-to/dev-register. TPP receives client_id and client_secret in the response on the call to https://api.csob.cz/api/csob/oauth2/v1/register endpoint. TPP must provide QWAC and APIKey when calling this endpoint. Request example: CODE `curl -X POST \ https://api.csob.cz/api/csob/oauth2/v1/register \ -H 'APIKEY: l7xxca45406f0e934f7eb5df07d150a38e7b' \ -H 'Cache-Control: no-cache' \ -H 'Content-Type: application/json' \ -d '{ "application_type": "web", "client_name": "TPP Name", "client_name#en-US": "TPP Name", "contact": "contact@domain.com", "logo": "... Base64 encoded image ...", "redirect_uris": [ "https://tpp.domain.com/auth-redirect" ], "scopes": [ "AISP", "PISP" ] }'`
CSOB XS2A SK	Required fields: `tppClientId` and `tppClientSecret` TPP receives all the above-mentioned parameters in the response on the call to https://api.csob.sk/enroll/enroll endpoint. TPP must provide a valid QWAC when calling this endpoint. Payload example: JSON `{ "redirect_uris": [ "http://httpbin.org/get", "https://finapi.io/webForm/redirect" ], "client_name": "TPP Name", "client_type": "Confidential", "contacts": [ "youremail1@test.eu", "youremail2@test.eu" ], "scopes": [ "AISP", "PISP" ], "licensenumber": "<serialNumber from your QWAC>" }`
Erstebank XS2A CZ	Required fields: `tppClientId`, `tppClientSecret`, `tppApiKey` and `tppName` TPP receives the above-mentioned parameters after completing the registration on the developer portal - see https://developers.erstegroup.com/register for further info.
Commerzbank XS2A DE	Required fields: `tppClientId` with the value of the `organizationIdentifier` from the QWAC. TPP can extract `organizationIdentifier` from the public part of the QWAC.
Comdirect XS2A DE	Required fields: `tppClientId` with the value of the `organizationIdentifier` from the QWAC. TPP can extract `organizationIdentifier` from the public part of the QWAC.
Santander XS2A DE	Required fields: `tppClientId` with the value of the `organizationIdentifier` from the QWAC. TPP can extract `organizationIdentifier` from the public part of the QWAC. TPP-Registration: After having your application and certificates in place you simply need to call once a dedicated API endpoint. Example: NONE `curl -X POST --url https://api-cc.santander.de/scb-openapis/client/v1/tpp_registrations/mutual_tls -H 'Accept: application/json' -H 'Content-Type: application/json' --key '$PATH_TO_KEY_PEM' --cert '$PATH_TO_CERT_PEM:$PASSWORD_OF_CERT' -d '{"registeredRedirectUris": [“https://tpp-redirect.com/cb”]}'`
DKB XS2A DE deprecated	Starting from 24.03.2021 TPP registration via developer portal is no longer needed or possible. TPP credentials are no longer required. Instead, DKB implements automatic registration of the TPP after the first call to the API using QWAC. As described in the document if it is the very first call from a TPP, then this call must be against any Berlin Group API endpoint before calling the Pre-Step Authorization API This call can be made via this example cURL CODE `curl -X GET \ https://api.dkb.de/psd2/v1/accounts` The response should look like JSON `{ "tppMessages": [ { "category": "ERROR", "code": "TOKEN_UNKNOWN", "path": "/v1/accounts", "text": "Login required for API usage. Please use the scaRedirect uri to login." } ], "_links": { "scaRedirect": "https://api.dkb.de/pre-auth/psd2-auth/v1/auth/token" } }` TPP must provide QWAC when calling this endpoint. The call itself will result in an error, but the automatic registration of TPP should be triggered. According to DKB, the TPPs who were registered prior to these changes do not need to execute this call
HCOB XS2A DE deprecated	Required fields: Consumer Key as `tppClientId` (from the “Production Keys” tab in the application settings) Consumer Secret as `tppClientSecret` (same as above) Access Token (same as above) TPP receives the above mentioned parameters after completing its registration on developer portal - https://tpp.hcob-bank.com/store/site/pages/sign-up.jag
ING XS2A	Required fields: `tppClientId` with the value of the `serialNumber` from the QSEAL certificate. Format of the value: `SN=$extracted_serialNumber` TPP can extract `serialNumber` from the public part of its QSEAL. Example: JSON `{ "tppAuthenticationGroupId": <Id of TPP Authentication group called 'ING XS2A'>, "label": "ING XS2A", "tppClientId": "SN=00123456", "tppClientSecret": null, "tppApiKey": null }`
Erstebank/Sparkasse XS2A AT	Required fields: `tppClientId` and `tppClientSecret` TPP receives these parameters in the response on the call to https://webapi.developers.erstegroup.com/api/v1/initiation/bank.eba endpoint. TPP must provide a valid QWAC when calling this endpoint. Payload example: JSON { "redirect_uris": [ "https://client.example.org/callback", "https://client.example.org/callback2" ], "client_name": "My Example Client", "response_types": [ "code" ], "extension_parameters": { "apis": [ { "name": "bank.eba.v1/psd2-accounts-api", "scopes": [ { "name": "aisp", "grant": "required" } ] }, { "name": "bank.eba.v1/psd2-consent-api", "scopes": [ { "name": "aisp", "grant": "required" } ] } ], "traits": [], "applicationType": "web", "email": "youremail@test.eu", "web": "www.tpp.com", "refreshTokenTimeoutSeconds": 3153600000, "accessTokenTimeoutSeconds": 3600 } }
Raiffeisen XS2A AT	Required fields: `tppClientId` TPP receives it after uploading a valid QWAC to `https://psd2.raiffeisen.at/api/psd2-xs2a/first-contact` QWAC is checked on the transport layer during the SSL Handshake. See request and response details at https://api-dashboard.raiffeisen.at/web/#!/psd2-oauth-flow
Hypo XS2A AT	Required fields: `tppClientId` TPP receives it after uploading a valid QWAC to `https://psd2.hypo.at/api/psd2-xs2a/first-contact` QWAC is checked on the transport layer during the SSL Handshake. See request and response details at https://api-dashboard.hypo.at/web/#!/psd2-oauth-flow
Amex XS2A	Required fields: `tppClientId` and `tppClientSecret` TPP receives the these parameters after completing the registration on the developer portal - see https://developer.americanexpress.com/open-banking for further info
Erstebank XS2A SK	Required fields: `tppClientId`, `tppClientSecret` and `tppApiKey` TPP receives these parameters after completing the registration on the developer portal - see https://developers.erstegroup.com/register for further info.
Bank Verlag XS2A DE deprecated	No TPP credentials are needed to access Bank Verlag XS2A API
Barclaycard XS2A DE	Required fields: `tppClientId` and `tppClientSecret` TPP receives these parameters after completing the registration on the developer portal - see https://developer.barclays.com/register for further info.
PayPal XS2A	Required fields: `tppClientId` and `tppClientSecret` TPP receives these parameters after completing the registration on the TPP landing page: https://www.paypal.com/partnerexp/tppLanding If the TPP’s Certificate is expiring, send the new certificates via email to the Paypal support team (email contact can be provided on-request)
Tatra XS2A SK	Required fields: `tppClientId` and `tppClientSecret` TPP receives these parameters after completing the registration on the developer portal - see https://developer.tatrabanka.sk/ for further info.
Raiffeisen XS2A Sandbox AT	Required fields: `tppClientId` and `tppClientSecret` TPP receives these parameters after completing the registration on the developer portal - see https://api-dashboard.raiffeisen.at/web/#!/register. Credentials are displayed in the TPP application profile.
Sparda XS2A DE	Required fields: `tppClientId` with the value of the `organizationIdentifier` from the QWAC TPP can extract the `organizationIdentifier` from the public part of the QWAC.
VR XS2A DE	Required fields: `tppClientId` with the value of the `serialNumber` from the QSEAL certificate The format of the value: `SN=$extracted_serialNumber` TPP can extract the `serialNumber` from the public part of the QSEAL certificate.
Bunq XS2A	Required fields: clientId as `tppClientId` clientSecret as `tppClientSecret` installationToken:apiKey as `tppApiKey` TPP receives these parameters after completing the registration process described at - https://doc.bunq.com/ (section “PSD2 service provider”).
Solarisbank (Penta)	Required fields: `tppClientId` with the value of the `organizationIdentifier` from the QWAC TPP can extract the `organizationIdentifier` from the public part of the QWAC.
Revolut XS2A	Required fields: Client ID as `tppClientId` From the mandator's certificate attribute “org_jwks_endpoint“, the root domain must be set as `tppName`. Example: for the `org_jwks_endpoint` field defined as `https://jwks.test.com/jwks.json`, the root domain will be `jwks.test.com` Key ID from the TPP's certificate as `tppApiKey` The Key ID can be found as the value of the `kid` field in the JWKs file created during the registration process required by Revolut. It is described here: https://developer.revolut.com/docs/build-banking-apps/#identification-and-authentication-dynamic-client-registration
N26 XS2A	Required fields: `tppClientId` with the value of the `organizationIdentifier` from the QWAC TPP can extract the `organizationIdentifier` from the public part of the QWAC.
Qonto XS2A	Required fields: `tppClientId` and `tppClientSecret` TPP receives these parameters after completing the registration process as decribed in Qonto documentation: https://api-doc.qonto.com/docs/business-api/ed2a209683773-register-your-application
Komerční banka XS2A (SK)	Required fields: `tppClientId` and `tppClientSecret` TPPs receives these parameters after completing the registration via the developer portal https://api.koba.sk/portal
Fidor Bank XS2A	Required fields: `tppClientId` with the value of the `organizationIdentifier` from the QWAC TPP is required to onboard via `GET /hello` as described here http://docs.fidorsolutions.cloud/#tag/TPP-Onboarding. The call must be made with a valid QWAC.
M.M. Warburg XS2A DE	Required fields: `tppClientId` with the value of the `serialNumber` from the QSEAL certificate The format of the value: `SN=$extracted_serialNumber` TPP can extract the `serialNumber` from the public part of the QSEAL certificate. Example: JSON `{ "tppAuthenticationGroupId": <Id of TPP Authentication group called 'M.M. Warburg XS2A DE'>, "label": "M.M. Warburg XS2A", "tppClientId": "SN=00123456", "tppClientSecret": null, "tppApiKey": null }`
Posojilnica Bank XS2A	Required fields: `tppClientId` TPP receives it after uploading a valid QWAC to `https://psd2.poso.at/api/psd2-xs2a/first-contact/`. QWAC is checked on the transport layer during the SSL Handshake. See request and response details at https://api-dashboard.poso.at/web/#!/psd2-oauth-flow
VUB XS2A	Required fields: `tppClientId` and `tppClientSecret` To register as a TPP, a call to the endpoint https://api.vub.sk/psd2/register is required. For more details, go to the documentation page and then go to the section PSD2_OpenIdRegister_swagger.yaml. After a successful registration, please use your license number as the `tppClientId` value and the eIDAS Certificate’s serial number as the `tppClientSecret` value.
Holvi Bank XS2A	Required fields: `tppClientId` and `tppClientSecret` To register as a TPP, a call to the endpoint https://psd2.holvi.com/v1/onboarding/signup/ is required. For more details, go to the documentation page and then go to section “Onboarding API”.
Cross-european TPP - global	Required fields: `tppClientId`, `tppClientSecret` and `tppApiKey` Please define the credentials, you have received from our partner. `tppClientId` = member id `tppClientSecret` = alias `tppApiKey` = API key This TPP Bank Group will serve all banks that are integrated using our partner’s API and don’t require separate TPP registrations on the banks' side for every environment that your application is running in. We recommend reaching out to our support (E-Mail: support@finapi.io) to clarify how you can obtain these credentials from our partner.
Cross-european TPP - per-environment	Required fields: `tppClientId`, `tppClientSecret` and `tppApiKey` Please define the credentials, you have received from our partner. `tppClientId` = member id `tppClientSecret` = alias `tppApiKey` = API key This TPP Bank Group will serve all banks that are integrated using our partner's API and require separate TPP registrations on the banks' side for every environment that your application is running in. We recommend reaching out to our support (E-Mail: support@finapi.io) to clarify how you can obtain these credentials from our partner.