Subscription

To use our APIs, visit the "Products" section and subscribe to the INDEXO Open Banking product. The system will generate keys for you, and you must pass one of these keys in every request, in the Ocp-Apim-Subscription-Key header.

The use of consent and payment functionality is tied to your subscription key. In the Sandbox, if a consent or payment is initiated using the primary key, the subsequent information-retrieval requests must also be executed using the same key. In the production environment you can use any key, primary or secondary.

Authentication

INDEXO Open Banking supports decoupled authentication with an implicit authentication start. This process is initiated once consent or payment creation has been performed.

When you create a consent or payment, the system responds with a Challenge. This Challenge should be displayed to the user in a confirmation window. It is essential that this Challenge is presented to the user for verification purposes.

{
  "challengeData": {
    "data": [
      "123456"
    ]
  }
}

PSU Identification

Because our system uses a decoupled authentication method, the PSU-ID must be included in the consent or payment creation requests. For identification, we use a personal code as the PSU-ID, formatted as XXXXXX-XXXXX.
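The following client-side helper is an added example, not INDEXO's own code. It covers the sandbox key rule, the PSU-ID format check and the extraction of the Challenge described above. The class and function names, the resource identifier and the reading of each X as a digit are assumptions.

```python
import json
import re

# Assumption: each X in the documented XXXXXX-XXXXX format is a decimal digit.
PSU_ID_RE = re.compile(r"\d{6}-\d{5}")
# Response body in the shape shown on the page (sample value).
SAMPLE_RESPONSE = '{"challengeData": {"data": ["123456"]}}'


class KeyPinningHeaders:
    """Builds request headers and remembers which subscription key created
    each consent or payment, so sandbox follow-up requests reuse that key."""

    def __init__(self, primary_key, secondary_key, sandbox=True):
        self.keys = {"primary": primary_key, "secondary": secondary_key}
        self.sandbox = sandbox
        self._created_with = {}  # resource id (hypothetical) -> key name

    def creation_headers(self, psu_id, key_name="primary"):
        # Reject a malformed PSU-ID locally, before it goes into a request.
        if not PSU_ID_RE.fullmatch(psu_id):
            raise ValueError("PSU-ID must have the form XXXXXX-XXXXX")
        return {"Ocp-Apim-Subscription-Key": self.keys[key_name],
                "PSU-ID": psu_id}

    def record_creation(self, resource_id, key_name):
        # Call after a successful consent or payment creation.
        self._created_with[resource_id] = key_name

    def followup_headers(self, resource_id, key_name="primary"):
        # Sandbox: retrieval must use the key that created the resource.
        # Production: either key is accepted, so the caller's choice stands.
        if self.sandbox:
            key_name = self._created_with[resource_id]
        return {"Ocp-Apim-Subscription-Key": self.keys[key_name]}


def challenge_for_display(response_body):
    """Return the Challenge string to show in the confirmation window."""
    data = json.loads(response_body)["challengeData"]["data"]
    if not data or not all(isinstance(c, str) for c in data):
        raise ValueError("response carries no challenge")
    return data[0]
```
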

On-boarding

To gain access to our production environment, you need to complete the onboarding process. This involves filling out the onboarding form and providing your Qualified Website Authentication Certificate (QWAC). Once you've submitted the form and your QWAC, we will reach out to you to finalize the process.

Your QWAC certificate must contain the TPP ID in the extension 2.5.4.97 and the TPP role, which is determined by which of the following OIDs is present in the extension 1.3.6.1.5.5.7.1.3:

0.4.0.19495.1.1 = PSP_AS

0.4.0.19495.1.2 = PSP_PI

0.4.0.19495.1.3 = PSP_AI

Production Environment Usage

When transitioning from the sandbox to the production environment, you will continue to use the same URLs as before. The key change is that you must use your certificate for mutual TLS (Transport Layer Security) to secure the communication.