Step 3. Create a business member

Continuing from the previous step, TokenClient defines where your private keys will be stored and accessed. Alias specifies your business web domain, an email address, or your eIDASClosedElectronic Identification, Authentication and Trust Services – an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. See digital-single-market/en/discover-eidas for the rules and regulations. certificate depending on the Alias.Type you choose. A verifiable web domain, email address, or eIDAS certificate becomes your unique alias, one that no other business member can use.

We'll use the SDK's createMember method to accomplish this.

public static Member createMember() {


    // First, create the client (see Step 2), which communicates with the Token cloud.

    try {

         Path keys = Files.createDirectories(Paths.get("./keys"));

         TokenClient tokenClient = TokenClient.builder()

             .withKeyStore(new UnsecuredFileSystemKeyStore(keys.toFile()))




         // Next, build an alias (must be verifiable for production).

         // You can add more than one alias.

         // If the alias you provide is already being used by another member,

         // an exception will be thrown and you will have to provide another alias.

         // Here, we used a random domain, which is fine for test environments like

         // our sandbox. For production, you must provide your verified business domain

         //  -- e.g., "".


         Alias alias = Alias.newBuilder()


             .setValue(randomAlphabetic(10).toLowerCase() + "")



         Member newMember = tokenClient.createMemberBlocking(alias);


         // recover member by verifying email if keys are lost


         return newMember;


         } catch(IOException ioe) {

         throw new RuntimeException(ioe);



To create a member under the realm of a bank with an eIDAS alias, see Digital Identification Using eIDAS in Production below.

If you need to securely store keys elsewhere (in a directory other than ./keys), implement an IKeyStore using the SDK's UnsecuredFileSystemKeyStore class as a guide. See Managing Your Keys for more on key storage and management.

Also, as introduced above, you can set Alias.Type to either EMAIL, DOMAIN or EIDAS.

Important: A verifiable DOMAIN or EIDAS certificate number must be used when deploying to production. However, an email address, notional or real, works fine in the sandbox, as long as it's unique.

Digital Identification Using eIDAS in Production

eIDAS establishes "basic and reasonable standards for digital identification." In other words, an eIDAS certificate issued by a QTSPClosedQualified Trust Service Provider – trust service that creates, verifies and validates electronic signatures, seals or time stamps, electronically-registered delivery services and certificates that are related to those services. For a trust service to be considered a qualified trust service, the trust service must meet the requirements put forth in the eIDAS Regulation. confirms the identity of the bearer to a reasonable legal certainty for purposes of conducting business online using the public network.

The electronic identification methods imposed by the eIDAS regulation ensure that companies do not require the physical presence of their customers in a commercial office or branch to operate or, for example, to open a bank account.

A QWACClosedQualified Web Authentication Certificate – certificate that validates your identity and role as a Payment Service Provider to your customers and other business, while encrypting and authenticating sensitive data. is a type of qualified digital certificate under the trust services defined in the eIDAS Regulation. These trust services are defined as electronic services, normally provided by trust service providers (QTSPs), which consist of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. For website authentication, QWACs are issued to assure authentication between a website and a natural or legal person, offering website visitors proof that any business conducted on the site is protected, and there is a legitimate entity behind the website.

Under eIDAS, the QTSP validates your organization's ownership or control of the domain. It typically does this by sharing a random value with you to install on specific locations, or by performing a response challenge to pre-approved email addresses. Above all, the QTSP validates the information you provide in the Certificate Request, confirming most of these elements in independent sources, reaching out if more information is required.

For PSD2ClosedPSD2 stands for Payment Services Directive 2 and is a new EU regulation in effect since September 14, 2019. It governs electronic and other non-cash payments. The main provision of PSD2 is for Strong Customer Authentication (SCA), a process that seeks to make online payments more secure and reduce fraud while increasing authorisation rates. The European Banking Authority (EBA) recently extended the deadline for PSD2 compliance until December 31, 2020. certificates, the QTSP further requires your:

For more about member creation and registration using eIDAS, see Create, Register, Recover and/or Verify a Member with an eIDAS Certificate.