Welcome to the Rabobank.be sandbox environment for PSD2 APIs

In this portal, you will find the documentation needed to start developing against the open APIs for account information, payment initiation and funds confirmation, in accordance with the PSD2 legislation.

Getting Access

You can access two different environments: the Sandbox PSD2 API and the Live PSD2 API. Please follow the steps below.

Step 1 - Sign up to the portal

To get started, sign up to the Rabobank.be API Portal. You will be up and running in a minute.

  • Fill in the form and submit your details. Leave the organization code blank the first time. In step 2 you will receive an organization code that can be used by other developers of your company.
  • Confirm your email address by following the activation link sent to your email inbox.
  • Log in with your email address and password.

Step 2 - Register as TPP

Go to the Onboarding section to register as a TPP in order to access the Rabobank APIs. Fill in the form with all required information and carefully choose the roles you want to test: AIS, PIS and/or CIS. The selected roles will be checked against the roles registered in your eIDAS certificates (QWAC & QSealC).

Once the on-boarding process is complete, you will receive an email confirmation with an Organization code that can be used by up to 10 developers.

Step 3 - Explore our APIs

Once your registration is validated, sign in with your credentials and go to the "APIs" tab to discover them.

Step 4 - Use the Rabobank.be APIs

In order to use our APIs, create a new Application via the "Application" tab and generate an API key.

4.1 Create a new Application

  • Give your application a name. Note that the name of the application will be seen by our users when asking for consent.
  • Provide a description.
  • Select the APIs you want to test in the menu by checking the "selected" check box (see below).

You will be redirected to the tab "Applications".

4.2 Generate an API key

Select the newly created application and click 'API Keys', followed by 'Generate'.

A new API key will be generated for you to make your API calls.

Step 5 - Sandbox to Live promotion

Follow the above steps on the Live Portal. 

Live APIs

To access the PSD2 API in live, you need to provide the same information as for sandbox access, and you must also provide the redirect URLs used in the OAuth 2.0 flow (see below).

Portal API Marketplace

The design of our APIs is in accordance with the international Berlin Group NextGenPSD2 standard, version 1.1, and offers the following functionalities:

  • Account Information Service
  • Payment Initiation Service
  • Funds Confirmation Service

Several approaches to Strong Customer Authentication (SCA) are described in this standard. In our first version, the supported approach is the OAuth2 SCA Approach (for authentication/authorisation of the customer).

Nevertheless, we deviate from the standard in the following ways:

  • An API key is used in all API calls and must be sent in the "apiKey" header.
  • Version 1.1 doesn't support capturing the Funds Confirmation Consent. A specific API has been published to allow it.
  • Consent frequency chosen by a customer via the "Establish Consent Process": the value provided is not taken into account.
  • Recurring consent: the consent is valid for the lifetime of the access_token. The access_token cannot be refreshed.
  • Sessions: Combination of AIS and PIS Services.

Account Information Service - AIS

With our PSD2 APIs, the TPP can retrieve account information for its customers. The following information is available:

  • List of authorised accounts
  • Balance information for each authorised account
  • Transaction Information for each authorised account

The customer must give the list of accounts (in IBAN format) to the TPP, and the TPP has to send the list of authorised accounts via the consent API (cf. standard: "Consent Request on Dedicated Accounts").

After authorisation of the customer, the TPP will receive an access_token to retrieve customer account information.

Sending the consent

POST /consents

 

Requirements:

  • eIDAS QWAC certificate to authenticate yourself
  • apiKey linked to an Application that contains "NextGenPSD2 - Account Information - v1"
  • eIDAS QSealC certificate to sign your requests (see section below to build an HTTP signature)

The TPP must call this API to send the consent of the customer (using eIDAS certificates). The following information is needed to capture a whole consent:

  • the list of authorized accounts in IBAN format and permissions associated (transactions, balances, details)
  • the validity date of the consent
  • the recurring indicator of the consent (only "false" is supported)
  • the daily frequency access. This is not supported yet.

Example of request body:

{
	"validUntil":"201901812",
	"frequencyPerDay":1,
	"recurringIndicator":true,
	"combinedServiceIndicator":false,
	"access":{
		"accounts":[
			{
			"iban":"{your Iban}"
			}
		],
		"balances":[		
			{
			"iban":"{your Iban}"
			}
		],
		"transactions":[
			{
			"iban":"{your Iban}"
			}
		]
	}
}

Customer Authorisation/Authentication

Requirements:

  • Your client_id as a TPP. The organization Identifier as requested by ETSI.
  • Your call-back URL.
  • The consent-ID from the previous step.
  • code_challenge_method/code_challenge, see API Documentation for these fields

GET /authorise

 

As a reminder, only redirection is supported for now. The TPP must redirect the customer to our Authorisation server to perform SCA and authorise the consent. After authorisation, the customer is redirected to the TPP with an authorisation code. The TPP can use this code to retrieve an access_token and/or a refresh_token.

Example of redirection URL below:

https://portal.cpsbx.dxp.delivery/psd2/v1/berlingroup-auth/authorise?
response_type=code&
client_id=PSDBE-AIS-123456&
redirect_uri=https://azure.microsoft.com/fr-fr/overview/what-is-azure/&
code_challenge=oFTpT3qj8p4tRalSoYFBCAm_VkYY--XCIP3uh_Kf2ro&
scope=AIS:&
state=test&
code_challenge_method=S256

The response to this URL will be the call-back URL with an authorization_code. You have to exchange this code via a call to the POST /token endpoint.

Requirements:

  • eIDAS QWAC certificate to authenticate yourself
  • Your client_id as a TPP. Same as the previous step
  • Your call-back URL (exactly the same
  • The authorization_code from the previous step.
  • code_verifier, see API Documentation for this field

POST /token

Example of the code exchange below:

POST https://portal.cpsbx.dxp.delivery/psd2/v1/berlingroup-auth/token

client_id=PSDBE-AIS-123456&grant_type=authorization_code&code=%24%7B<code>%7D&redirect_uri=https%3A%2F%2Fazure.microsoft.com%2Ffr-fr%2Foverview%2Fwhat-is-azure%2F&code_verifier=cGFzc3dvcmQuLy4

In response, you will receive an access_token.
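The code_challenge sent to GET /authorise and the code_verifier sent to POST /token are the two halves of PKCE with method S256. The following is an added example, not code from the portal: it generates the pair, builds the redirection URL with percent-encoded parameters and a random state, and checks the state on the callback. The function names and the https://tpp.example callback are assumptions; the endpoint and parameter names are the ones shown above.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Sandbox authorisation endpoint as shown in the redirection example above.
AUTHORISE_URL = "https://portal.cpsbx.dxp.delivery/psd2/v1/berlingroup-auth/authorise"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes give a 43-character verifier, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge for code_challenge_method=S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorise_url(client_id: str, redirect_uri: str, scope: str):
    """Return (url, state, code_verifier); keep state and verifier server-side."""
    verifier = new_code_verifier()
    state = b64url(secrets.token_bytes(16))  # unguessable, unlike a fixed value
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode percent-encodes it
        "code_challenge": code_challenge_s256(verifier),
        "scope": scope,  # passed through exactly as the caller supplies it
        "state": state,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORISE_URL}?{query}", state, verifier


def callback_state_ok(expected: str, received: str) -> bool:
    """Reject a callback whose state does not match the one we issued."""
    return hmac.compare_digest(expected.encode(), received.encode())
```

The stored verifier is what goes into the code_verifier field of the POST /token call, together with the same redirect_uri.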

Providing alias of authorized accounts

Requirements:

  • eIDAS QWAC certificate to authenticate yourself
  • apiKey linked to an Application that contains "NextGenPSD2 - Account Information - v1"
  • eIDAS QSealC certificate to sign your requests (see section below to build an HTTP signature)
  • Authorization Header with the access_token obtained in the previous step.

GET /accounts

 

The TPP can use the access_token obtained during the customer authorisation step to retrieve the list of aliases linked to all authorised accounts.

Asking account information

Requirements:

  • eIDAS QWAC certificate to authenticate yourself
  • apiKey linked to an Application that contains "NextGenPSD2 - Account Information - v1"
  • eIDAS QSealC certificate to sign your requests (see section below to build an HTTP signature)
  • Authorization Header with the access_token obtained in the previous step.
  • Alias 'account-ID' obtained in the previous step.

GET /accounts/{account-ID}/balances
GET /accounts/{account-ID}/transactions

 

The TPP can use the access_token and aliases to request balance information or transaction information linked to authorised accounts.

Payment initiation Service - PIS

With our PSD2 APIs, the TPP can initiate payments: SEPA Credit Transfer and SEPA Inst.

Initiating a payment

POST /payments/{payment-product}

 

The TPP can make two kinds of payments: SEPA CT & SEPA Inst (according to the payment-product chosen). The TPP needs its SSL certificate and the apiKey created in the step before to make this call.

Customer Authorisation

GET /authorise POST /token

 

The TPP must redirect the customer to our Authorisation server to perform Strong Customer Authentication and authorise the payment. After authorisation, the customer is redirected to the TPP with an authorisation code. The TPP can use this code to retrieve an access_token and/or a refresh_token.

Retrieving payment status

The TPP can use the access_token to get the status of the initiated payment.

The TPP can send a payment request.

Funds Confirmation - CIS/PIIS

With our PSD2 APIs, the TPP can request a confirmation of funds. The TPP needs its SSL certificate and the apiKey created in the step before to make this call.

Sending the consent

POST /funds-confirmation-consents

The TPP must use this API to send us the consent. The following information is needed to capture a whole consent:

  • the authorized account
  • the validity date of the consent

Customer Authorisation

GET /authorise

POST /token

The TPP must redirect the customer to our Authorisation server to perform Strong Customer Authentication and authorise the consent. After authorisation, the customer is redirected to the TPP with an authorisation code. The TPP can use this code to retrieve an access_token and/or a refresh_token.

Providing alias of authorized accounts

POST /funds-confirmation

The TPP can use the access_token obtained during the customer authorisation step to request the confirmation of funds (with the authorized account and an amount).

Signing Request with QSealC - AIS/PIS/CIS

With our PSD2 APIs, the TPP needs to sign the request and send the TPP certificate in a header, which ensures the data integrity of the request.

As part of the signature model, the TPP needs to send 3 specific headers:

Digest
It contains a hash of the message body. SHA-256 and SHA-512 are the supported hash algorithms for calculating the Digest.
The Digest is computed by taking the byte array of the JSON body, creating a message digest of it with the SHA-256 or SHA-512 algorithm, and then converting the result to a Base64-encoded value.
Note: for the GET and DELETE endpoints, the digest will be equal to a byte array of size 0.
Tpp-Signature-Certificate
The certificate used for signing the request, in base64 encoding. Note: the certificate should contain a new line ('\n') before base64 encoding.
Signature
A signature of the request by the TPP at application level.
The Signature is built by concatenating key=value pairs for the following sub-values: keyId, CA, algorithm, headers, signature.
signature = sign(canonical form of the headers list (key: value)), using the algorithm specified in the algorithm sub-value and the TPP private key (e.g. digest: SHA-256=D8XFTnfEij+pTZ0zt088csVDVEvqytJjxkbpOom8RiU=\nx-request-id: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721)
Note: the private key used for signing the request shouldn't contain any new line; it should be used as one single string.
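The Digest and Signature construction described above, as an added example that is not code from the portal. It builds the Digest value, the canonical signing string over digest and x-request-id, and the Signature header, and includes the receiver-side Digest check. The function names are assumptions, the RSA-SHA256 step is supplied by the caller as sign_fn, and the GET/DELETE note is read here as hashing a zero-length body.

```python
import base64
import hashlib
import hmac


def digest_header(body: bytes, alg: str = "SHA-256") -> str:
    """Digest value: '<alg>=' + base64 of the hash of the raw body bytes."""
    if alg not in ("SHA-256", "SHA-512"):
        raise ValueError("only SHA-256 and SHA-512 are supported")
    raw = hashlib.new(alg.replace("-", "").lower(), body).digest()
    return f"{alg}={base64.b64encode(raw).decode('ascii')}"


def signing_string(headers: dict, names: list) -> str:
    """'name: value' lines for the listed headers, in order, joined by '\\n'."""
    lower = {k.lower(): str(v).strip() for k, v in headers.items()}
    missing = [n for n in names if n not in lower]
    if missing:
        raise ValueError(f"cannot sign, headers missing: {missing}")
    return "\n".join(f"{n}: {lower[n]}" for n in names)


def signed_headers(body: bytes, request_id: str, key_id: str, sign_fn) -> dict:
    """Digest and Signature headers for one request.

    sign_fn(data: bytes) -> bytes is the caller's RSA-SHA256 signer over the
    QSealC private key (for example cryptography's private_key.sign).
    """
    names = ["digest", "x-request-id"]
    headers = {"Digest": digest_header(body), "X-Request-ID": request_id}
    raw_sig = sign_fn(signing_string(headers, names).encode("utf-8"))
    headers["Signature"] = (
        f'keyId="{key_id}",algorithm="rsa-sha256",'
        f'headers="{" ".join(names)}",'
        f'signature="{base64.b64encode(raw_sig).decode("ascii")}"'
    )
    return headers


def digest_matches(digest_value: str, body: bytes) -> bool:
    """Receiver-side check: recompute the Digest over the bytes received."""
    alg = digest_value.partition("=")[0]
    if alg not in ("SHA-256", "SHA-512"):
        return False
    return hmac.compare_digest(digest_value.encode(), digest_header(body, alg).encode())
```

Hash the exact bytes that go on the wire: re-serialising the JSON after computing the Digest changes whitespace and makes the check fail.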

Example of a create consent request in AIS without a signature:

POST /api/consents HTTP/1.1
Content-Length: 718
x-request-id: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721
psu-ip-address: 172.16.254.1
date: Sun, 06 Aug 2017 15:05:37 GMT
Content-Type: application/json;charset=UTF-8
Host: localhost:8080

{
   "validUntil" : "2019-02-06",
   "frequencyPerDay" : 1,
   "recurringIndicator" : true,
   "combinedServiceIndicator" : false,
   "access" : {
      "accounts" : [ {
         "iban" : "BE86973764000422"
      } ],
      "balances" : [ {
         "iban" : "BE84973772586995"
      } ],
      "transactions" : [ {
         "iban" : "BE53973751652916"
      } ]
   }
}

Example of a create consent request in AIS with a signature:

 

POST /api/consents HTTP/1.1
Content-Length: 718
x-request-id: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721
psu-ip-address: 172.16.254.1
date: Sun, 06 Aug 2017 15:05:37 GMT
digest: SHA-256=D8XFTnfEij+pTZ0zt088csVDVEvqytJjxkbpOom8RiU=
signature: keyId="SN=d192c020,CA=EMAILADDRESS=rootCA@root.com, OU=DxP, O=SBS, L=Paris, ST=Paris, C=FR",algorithm="rsa-sha256",headers="digest x-requestid", signature="Daw2LWPIguIkAf8qv1f//3OCfoWvLSDIHXJ2ay1lFkJi9aibu+7RmXw1QLZ9R9V4EwEGxCsXdCQ4wyWLWACITq0GAna5jjLMrUfQCLaNsQIGArF3G8DRPIe9hi7p3Sq8RpFygQYBILDSiN3MsBmOnSm9w44J4vwS4bjAiBfdjO5CUP7kmlXBeqKpR1LabvnGjODjlEwKLtHVycGpdwqALH8tfTiQyFpSF2gVAc9cYGpZCEu3ASbFGHK3XF+b4S0LISrCTEeupbxPVbIeYb6naz+dVpXXU0e2j5dH3jc8UG6pFbyf0x8FSsFt72SYZQsNYGIfFjRTnEJ/bQa99bajHw=="
Content-Type: application/json;charset=UTF-8
tpp-signature-certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVHVENDQXdHZ0F3SUJBZ0lJRVBLMEdOR1N3Q0F3RFFZSktvWklodmNOQVFFTEJRQXdhVEVMTUFrR0ExVUUKQmhNQ1JsSXhEakFNQmdOVkJBZ1RCVkJoY21sek1RNHdEQVlEVlFRSEV3VlFZWEpwY3pFTU1Bb0dBMVVFQ2hNRApVMEpUTVF3d0NnWURWUVFMRXdORWVGQXhIakFjQmdrcWhraUc5dzBCQ1FFV0QzSnZiM1JEUVVCeWIyOTBMbU52CmJUQWVGdzB4T0RFeU1qRXhNREU0TURCYUZ3MHhPVEV5TWpFeE1ERTRNREJhTUlHQ01Rc3dDUVlEVlFRR0V3SkcKVWpFT01Bd0dBMVVFQ0JNRlVHRnlhWE14RGpBTUJnTlZCQWNUQlZCaGNtbHpNUXd3Q2dZRFZRUUtFd05UUWxNeApEREFLQmdOVkJBc1RBMFI0VURFY01Cb0dDU3FHU0liM0RRRUpBUllOUVVsVFFHVnBaR0Z6TG1OdmJURVpNQmNHCkExVUVZUk1RVUZORVFrVXRRVWxUTFRFeU16UTFOakNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0MKQVFvQ2dnRUJBTU1YNTg1OWp3QStwWG1nakpJVno0VkJIbEpaY0U3L1Nnb2lzdTBMTk02WE0wQmNZOUdCUm9tSgo4S0tsb1dNdFdyL2duM1ZEVFdyV1dRblFFRUNOUW96dGw0NDVxMk1FNDRYTHM0K0hFZy9HdkdvaGNSUFhMdTR5CnpHdjN3MCtkOXAwak1TSmVLT0p0WG1kM2o2YXBFQjFYenVtTlhRZnFITStxRTFqNUtmdDNPZWt5MnV4Z2FPcisKM2xTdmp4VVdkaDgvUS9rM1cwaTYzaUN2VlpsLythV2xjQUNzMDdTRW5jTzBRL1lVeVBRdUxJQnJIYUVGVkJLZApHOG9JZ2s0blVjRzBQdzN3andybm9wZThlZWRldi94dlhoMkc5ck9RMzh0WnBGYnROSUxlK054WS96TTl2V0krCmk0bmVEVDB4bEhjckR6VUY4RFJ5aXBETUhPKzdNZ01DQXdFQUFhT0JxakNCcHpBSkJnTlZIUk1FQWpBQU1CMEcKQTFVZERnUVdCQlFHMGYwakU2dG0wQTFoM0VhZzQ2blR6S215TnpBTEJnTlZIUThFQkFNQ0F2d3dPd1lJS3dZQgpCUVVIQVFNRUx6QXRCZ1lFQUlHWUp3SXdJekFUTUJFR0J3UUFnWmduQVFNTUJsQlRVRjlCU1F3RVFYVjBhQXdHClJuSmhibU5sTUJFR0NXQ0dTQUdHK0VJQkFRUUVBd0lGb0RBZUJnbGdoa2dCaHZoQ0FRMEVFUllQZUdOaElHTmwKY25ScFptbGpZWFJsTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCQ01Yanl6SERmUmlyc1F6aVlsL3NSbVNyMwphR0EzZllMeEY1THpVc2xVK2pJcXJqbHN6NXBEOCs4dGZLQUhBcFVkcTF6TnByTGxFM09JTndJK2ZTaHRYUkxkCkJGaWJnRDJ0dXVMMXVBSnVudGxXeDJ1bG42MThyT1FJKzUxYmFwMXpzWk9aRXI5VUJSbmRLZy9xdUtkUFVSbncKVmltT0J4UG1lVjFyVmVETUQ4ekY3TWpUMmljZm5wMkx6RHNpMG9HTGE1ZTJpeDlWUllsR1RQZmZqL05kcytRSAp2Z1Q4UjFLeWthekYvUEM3ZWEzcjJJQlN6aXRBRkg0cWVZRVFVTHZRTXh4bXo2ZHYvUnZXYzhKbjdKWllrajAvCjhVQU1rSitoR3g0NHh0dVZhVnhWZkZBQ2dGWnFxakxYbDR4YzFjaktjL1UzWmQ1Zk5BbFQ2NU0wYXBwagotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
Host: localhost:8080

{
   "validUntil" : "2019-02-06",
   "frequencyPerDay" : 1,
   "recurringIndicator" : true,
   "combinedServiceIndicator" : false,
   "access" : {
      "accounts" : [ {
         "iban" : "BE86973764000422"
      } ],
      "balances" : [ {
         "iban" : "BE84973772586995"
      } ],
      "transactions" : [ {
         "iban" : "BE53973751652916"
      } ]
   }
}

KPIs & Service level targets
Jan. 1st - March 31st 2019

|  | Dedicated communication interfaces | Online payment and banking platform |
| Uptime per day of all interfaces | xx% | xx% |
| Downtime per day of all interfaces | xx% | xx% |
| Daily average time taken, per request from the payment initiation service provider (PISP) | xxx milliseconds | xxx milliseconds |
| Daily average time taken, per request from the account information service provider (AISP) | xxx milliseconds | xxx milliseconds |
| Daily average time taken, per request from the card-based payment instrument issuer (CBPII) | xxx milliseconds | xxx milliseconds |
| The daily error response rate | xxx milliseconds | xxx milliseconds |

Daily statistics on a quarterly basis