Here are some explanations about registration / authentication on our XS2A solution:


  • The communication between the TPP and the Bank production API is always secured by using a TLS-connection Mutual authentication using TLS version 1.2.
  • This TLS-connection is initiated by the TPP and has to be established always including client (i.e. TPP) authentication.
  • For this authentication the TPP has to use a qualified certificate for website authentication (QWAC).
  • This qualified certificate has to be issued by a qualified trust service provider (QTSP) according to the eIDAS regulation.
  • The content of the certificate has to be compliant with the requirements of the EBA-RTS.
  • The certificate of the TPP has to indicate all the roles the TPP is authorized to use.
  • During the first connection setup, the TPP will be automatically on-boarded and registered (enrolled) in the bank database.
    However, for security purpose, the bank requires the client certificate to be presented within each request. 
  • The "client-id" in the "authorization header" must be filled with your license number. 


Finally, we remind you that our XS2A solution is compliant with BerlinGroup’s "Implementation Guidelines version 1.3" (see full documentation on this page).