Dynamic Client Registration PSD2
Summary
The Dynamic Client Registration API allows a TPP to submit a Software Statement Assertion (SSA) to dynamically register with CPB through a secure interface.
The sandbox provides synthetic data to enable a TPP to explore the API and perform preliminary functional testing on a simulated environment. The calls to the API will be validated for correctness and compliance with the API specification to help the TPP uncover issues early when integrating with the API.
Some of the notable differences between the sandbox and market integrated interface are listed below:
- The sandbox implements an OAuth 2.0 based Authentication and Authorization flow. In addition to using the API Playground to invoke the APIs, the API keys retrieved while registering an application can be used for calling the APIs from any REST client, such as curl, Postman, SoapUI, or programmatically through REST calls using access tokens retrieved either through a Client Credential or Authorization Code grant types depending on the API being invoked.
- As the sandbox is open to both TPPs and the general public, the following validations will be deferred to the integration environments: verification of TPP identity, SSA, EIDAS, QSEAL, QWAC certificates, mutual TLS. These validations will be available in the fully functional market integrated interfaces with valid Competent Authority issued certificates.
- This API returns a pair of mock client_id and client_secret tokens in response to the request. The fully functional market integrated interfaces will return tokens that will be valid for subsequent API invocation.
- The /register endpoint is protected by an access token that can be obtained by using the Authorize API.
- GET, PUT, and DELETE operations requires client credentials grant with any of the following scope 'cpb_ob_accounts', 'cpb_ob_payments' or 'cpb_ob_fundsconfirmations'. In the market integrated version, any of the following scopes should be used: 'accounts' or 'payments' or 'fundsconfirmations'.
- The basepath in market integrated version will be '/citi/register' instead of '/open-banking/v3.1/register'.
| post /open-banking/v3.1/register | Create a new client |
| get /open-banking/v3.1/register/{ClientId} | Returns the client details for a given Client ID |
| put /open-banking/v3.1/register/{ClientId} | Modify one or more attributes related to an existing TPP client |
| delete /open-banking/v3.1/register/{ClientId} | Delete an existing TPP client |
Create a new client
Request CPB to create a new client. For this purpose the TPP submits a JWS payload that describes the characteristics of the client to be created. If client creation is successful then CPB responds with a JSON payload that describes the client that was created. The TPP can then use the client credentials to access resources on the CPB resource server. CPB responds with an error payload if the client creation is unsuccessful.
Swagger
{
"allOf": [
{
"type": "object",
"required": [
"iss",
"iat",
"exp",
"aud",
"jti"
],
"properties": {
"iss": {
"description": "Unique identifier for the TPP. Implemented as Base62 encoded GUID",
"type": "string",
"pattern": "^[0-9a-zA-Z]{1,18}$",
"minLength": 1,
"maxLength": 18
},
"iat": {
"description": "The time at which the request was issued by the TPP expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC",
"type": "integer",
"format": "int32"
},
"exp": {
"description": "The time at which the request expires expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC",
"type": "integer",
"format": "int32"
},
"aud": {
"description": "The audience for the request. This should be the unique identifier\nfor the CPB issued by the issuer of the software statement.\nImplemented as Base62 encoded GUID\n",
"type": "string",
"pattern": "^[0-9a-zA-Z]{1,18}$",
"minLength": 1,
"maxLength": 18
},
"jti": {
"description": "Unique identifier for the JWT implemented as UUID v4",
"type": "string",
"pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$",
"minLength": 36,
"maxLength": 36
}
}
},
{
"$ref": "#\/definitions\/OBRegistrationProperties1"
}
]
}- cURL
- Ruby
- Python
- PHP
- Java
- Node
- Go
- Swift
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
{
"type": "object",
"required": [
"error"
],
"properties": {
"error": {
"type": "string",
"enum": [
"invalid_redirect_uri",
"invalid_client_metadata",
"invalid_software_statement",
"unapproved_software_statement"
]
},
"error_description": {
"type": "string",
"minLength": 1,
"maxLength": 500
}
}
}Returns the client details for a given Client ID
Used by the TPP to retrieve the details for a client that is already registered. The request consists of one path parameter - the ClientId - that the TPP wants to retrieve details for. If the request is successful then CPB returns an object of type OBClientRegistrationRequest1. If the ClientId is unknown, the CPB responds with an unauthorized status code and immediately revokes the access token.
- cURL
- Ruby
- Python
- PHP
- Java
- Node
- Go
- Swift
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Modify one or more attributes related to an existing TPP client
Request CPB to modify one or more attributes related to an existing client. For this purpose the TPP submits the ClientId path parameter and a JWS payload that describes the characteristics of the client to be modified that must include all the claims - including ones that will not be modified. CPB may reject the request if it does not support the changes to certain claims. If client modification is successful then CPB responds with a JSON payload that describes the client that was modified else CPB responds with an error payload. If the ClientId is unknown then CPB responds with an unauthorized status code and immediately revokes the access token.
{
"allOf": [
{
"type": "object",
"required": [
"iss",
"iat",
"exp",
"aud",
"jti"
],
"properties": {
"iss": {
"description": "Unique identifier for the TPP. Implemented as Base62 encoded GUID",
"type": "string",
"pattern": "^[0-9a-zA-Z]{1,18}$",
"minLength": 1,
"maxLength": 18
},
"iat": {
"description": "The time at which the request was issued by the TPP expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC",
"type": "integer",
"format": "int32"
},
"exp": {
"description": "The time at which the request expires expressed as seconds since 1970-01-01T00:00:00Z as measured in UTC",
"type": "integer",
"format": "int32"
},
"aud": {
"description": "The audience for the request. This should be the unique identifier\nfor the CPB issued by the issuer of the software statement.\nImplemented as Base62 encoded GUID\n",
"type": "string",
"pattern": "^[0-9a-zA-Z]{1,18}$",
"minLength": 1,
"maxLength": 18
},
"jti": {
"description": "Unique identifier for the JWT implemented as UUID v4",
"type": "string",
"pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$",
"minLength": 36,
"maxLength": 36
}
}
},
{
"$ref": "#\/definitions\/OBRegistrationProperties1"
}
]
}- cURL
- Ruby
- Python
- PHP
- Java
- Node
- Go
- Swift
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
{
"type": "object",
"required": [
"error"
],
"properties": {
"error": {
"type": "string",
"enum": [
"invalid_redirect_uri",
"invalid_client_metadata",
"invalid_software_statement",
"unapproved_software_statement"
]
},
"error_description": {
"type": "string",
"minLength": 1,
"maxLength": 500
}
}
}Delete an existing TPP client
Request CPB to delete an existing client.The request consists of one path parameter - the ClientId - that the TPP wants to delete the client. If the request is successful and the clientId matches with the client-credentials grant access token was issued then CPB must delete the client and invalidate long lived access tokens that were issued to the client. If the ClientId is unknown then CPB responds with an unauthorized status code and immediately revokes the access token.
- cURL
- Ruby
- Python
- PHP
- Java
- Node
- Go
- Swift
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request
Example Request