Standards, regulations and useful resources

PSD2 and the RTS on SCA and CSC

The EBA has published guidelines for the implementation of the technical standards on strong customer authentication and common and secure communication under the PSD2.

The RTS on SCA and CSC are key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.

NextGenPSD2 XS2A Framework

The NextGenPSD2 XS2A Framework is a European standard framework for building PSD2-compliant XS2A (Access to Account) APIs.

This specification covers payment initiation, account information and confirmation of funds services.

Our APIs implement version 1.3.6 of this specification.

eIDAS QSEAL and QWAC certificates

Access to our APIs requires both an eIDAS QWAC TLS certificate and an eIDAS QSEAL electronic seal certificate.

Use the EU Trust Service Browser to find a local qualified trust service provider that can issue QSEAL and QWAC certificates.

In the Sandbox Environment, eIDAS certificates are not required. Refer to the Registration process for more details.

Signing HTTP Messages

Our APIs require HTTP requests to be signed with your QSEAL certificate using the Signing HTTP Messages standard. Refer to the Signatures section for more details.

OAuth 2.0

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients.

OpenID Connect Authorization Code Flow

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.

The Authorization Code Flow is the OpenID Connect implementation of the OAuth 2.0 authorization code redirect flow. SCA is integrated into our implementation of this flow.

OpenID Connect Dynamic Client Registration

The OpenID Connect Dynamic Client Registration protocol is used to register your redirect URIs. Pre-registration of your redirect URIs is mandated by the Authorization Code Flow.


RFC7636 Proof Key for Code Exchange by OAuth Public Clients (PKCE) is used to mitigate authorization code interception attacks.

HTTP Basic Authentication

RFC2617 describes the Basic HTTP Authentication Method that is prescribed by OAuth.
