Describes the structure of our Open Banking APIs

Our Open Banking API consists of two distinct modules: the Xs2a module and the OAuth2 module.

The Xs2a module

The Xs2a module implements version 1.3 (including Errata) of the NextGenPSD2 XS2A Framework. Business functions such as account access and payment initiation are located here. All messages sent to the Xs2a module must be signed with an eIDAS QSEALC certificate.

eIDAS - A set of standards for electronic identification and trust services for electronic transactions in the European Single Market.

QSEALC - A qualified Electronic Seal Certificate is a qualified digital certificate under the trust services defined in the eIDAS Regulation. A QSEAL certificate makes it possible for the owner of the certificate to create electronic seals on any data. The digital signature technology guarantees the integrity and authenticity of the signed/sealed data.

The OAuth2 module

The OAuth2 module implements version 1.0 of the OpenID Connect Authorization Code Flow. SCA is incorporated in this module.

SCA - Strong Customer Authentication. SCA is defined by the RTS as ‘an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent’ and that ‘protect[s] the confidentiality of the authentication data’.

REST API path structure

Our REST API base URL is defined as: {server}/{module}/{tenant}/{version}


The server URL depends on the environment being used. Refer to Sandbox and Production for more details.


The module is either xs2a-bg or auth, where auth represents the OAuth module and xs2a-bg represents the Xs2a module.

OAuth - The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service. The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients.


The tenant is the combined selector for the language and location of the account holder:

nl is The Netherlands / Dutch
uk is the United Kingdom / English
be_nl is Belgium / Flemish
be_fr is Belgium / French


The version is the API version indicator

The current version is v1


The URI to obtain an OAuth2 authorisation code for a Dutch account holder is /auth/nl/v1/auth.

The URI to initiate a SEPA payment for a Belgian account holder with French language authorisation screens is /xs2a-bg/be_fr/v1/payments/sepa-credit-transfers.

Refer to the API Reference for more examples.
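
The path rules above as an added example (not code from this API's documentation): a Python helper that builds and splits {server}/{module}/{tenant}/{version} against strict allow-lists, so a misspelled module or tenant fails locally instead of reaching the API. The function names, the server origin https://api.example.invalid and the https-only check are assumptions.

```python
from urllib.parse import urlsplit

# Allowed values taken from the path structure described on this page.
MODULES = {"xs2a-bg", "auth"}             # Xs2a module, OAuth2 module
TENANTS = {"nl", "uk", "be_nl", "be_fr"}  # location / language selectors
VERSIONS = {"v1"}                         # current API version


def base_url(server, module, tenant, version="v1"):
    """Return {server}/{module}/{tenant}/{version}, rejecting unknown segments."""
    for name, value, allowed in (("module", module, MODULES),
                                 ("tenant", tenant, TENANTS),
                                 ("version", version, VERSIONS)):
        if value not in allowed:
            raise ValueError(f"unknown {name}: {value!r}")
    parts = urlsplit(server)
    # Assumption: the server is a bare https origin (no path, query, userinfo).
    if (parts.scheme != "https" or not parts.netloc or "@" in parts.netloc
            or parts.path.strip("/") or parts.query or parts.fragment):
        raise ValueError("server must be a bare https origin")
    return f"https://{parts.netloc}/{module}/{tenant}/{version}"


def split_path(path):
    """Split an API path into (module, tenant, version, resource)."""
    segments = path.split("/")
    if len(segments) < 5 or segments[0] != "":
        raise ValueError("expected /{module}/{tenant}/{version}/{resource}")
    module, tenant, version = segments[1:4]
    resource = segments[4:]
    if module not in MODULES or tenant not in TENANTS or version not in VERSIONS:
        raise ValueError(f"unknown module, tenant or version in {path!r}")
    # Empty and dot segments could make a proxy and the API disagree on the path.
    if any(s in ("", ".", "..") for s in resource):
        raise ValueError("empty or dot segment in resource path")
    return module, tenant, version, "/".join(resource)


if __name__ == "__main__":
    # Placeholder origin; the real one depends on Sandbox or Production.
    print(base_url("https://api.example.invalid", "auth", "nl") + "/auth")
    print(split_path("/xs2a-bg/be_fr/v1/payments/sepa-credit-transfers"))
```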