Getting started

TPP Enrollment

TPPs wishing to use Credins Bank PSD2 APIs must register through the OAuth 2.0 OpenID registration API [Registration endpoint](REQUIRE ENDPOINT PATH).

The Registration swagger is available for download from the Open Banking Portal (REQUIRE DEV PORTAL SECTION LINK).

Software Statement Assertion (SSA)

This specification extends the RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol and the RFC 7592 OAuth 2.0 Dynamic Client Registration Management Protocol by requiring the following mandatory body fields within the Software Statement Assertion (SSA):

| Name | Type | Description |
|------|------|-------------|
| authority_identifier | string | An identifier of the Competent Authority that issued a licence to the TPP |
| iss | string | The organisation identifier as issued by the Competent Authority to the TPP |
| org_name | string | The formal organisation name for the TPP |
| software_name | string | A software name to be created for this client |
| software_roles | string | The roles that the software statement should enable for this client |
| iat | number | SSA issued at |
| exp | number | Expiry of the SSA |

The SSA must be:

  • a signed JWT and provided in the software_statement field of POST and PUT request payloads, and
  • digitally signed using a key that is published on the JWKS identified by the jwks_url specified in the DCR request payload.
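
A TPP-side pre-flight check of an SSA against the mandatory fields listed above, as an added example (not Credins Bank code). It inspects structure and claims only and does not verify the signature against the JWKS; the function names, the sample claim values and the `PS256` header in the sample are assumptions.

```python
import base64
import json
import time

# Mandatory SSA body fields and their JSON types, from the table above.
NUM = (int, float)
MANDATORY = {"authority_identifier": str, "iss": str, "org_name": str,
             "software_name": str, "software_roles": str, "iat": NUM, "exp": NUM}

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    value = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value

def check_ssa(ssa, now=None):
    """Return the problems found in a compact-serialised SSA; [] means none."""
    now = time.time() if now is None else now
    parts = ssa.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (header.payload.signature)"]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"undecodable header or payload: {exc}"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        problems.append("SSA is not signed")
    for name, kind in MANDATORY.items():
        value = claims.get(name)
        if value is None:
            problems.append(f"missing mandatory claim: {name}")
        elif isinstance(value, bool) or not isinstance(value, kind):
            problems.append(f"wrong type for claim: {name}")
    iat, exp = claims.get("iat"), claims.get("exp")
    if all(isinstance(v, NUM) and not isinstance(v, bool) for v in (iat, exp)):
        if exp <= iat:
            problems.append("exp is not after iat")
        if exp <= now:
            problems.append("SSA has expired")
    return problems

def sample_ssa(claims, alg="PS256"):
    """Build a constructed SSA; the signature segment is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])

# Constructed sample values, not real identifiers.
SAMPLE_CLAIMS = {"authority_identifier": "EXAMPLE-NCA", "iss": "PSDXX-EXAMPLE-000000",
                 "org_name": "Example TPP Ltd", "software_name": "Example App",
                 "software_roles": "AISP", "iat": 1700000000, "exp": 1700003600}
```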

Enrollment Checks

Client-side (TPP) SSL verification is required to avoid MITM attacks and also to validate the provided eIDAS certificate and the licence status of the TPP. Enrollment of a licensed TPP is fully automatic and does not require additional processing or approval. Each registration request is checked for the following:

  • Client Certificate date validity
  • Client Certificate revocation status
  • Client Certificate mandatory PSD2 eIDAS fields (organizationIdentifier and QCStatement)
  • Client Certificate issuer
  • TPP licence (status, country, scopes)

Successful Enrollment

When the TPP enrollment is successful, we will issue a Client ID. The TPP must use this Client ID to identify itself for each communication session and every time a payment is initiated.

Production Security Profile

Credins Bank supports the following OpenID Provider Metadata:

  • Response Types: code
  • PKCE code challenge methods supported: S256
  • Request Object Signing Algorithms: PS256
  • Token Endpoint Auth Signing Algorithms: PS256
  • Token Endpoint Auth Methods: private_key_jwt
  • ID Token Signing Algorithm: PS256

Note: Our Sandbox API also offers less strict profiles to assist with integration testing. See below for more details.

Certificate Support

QWAC

We support the use of QWAC certificates, but this is not our recommended approach. TPPs facing issues onboarding with QWACs should contact our support desk. Please attach a PEM file of the certificate to your support ticket.

QSeal

We support the use of QSeals that have been attached to your software statement in the OB Directory.
