eIDAS-related Calls

You can use your eIDAS certificate to register with a particular bank. However, keep in mind that each member can be registered with only one bank. This is because each member is created under the realm of a single bank, which means that if you wish to register with several banks without becoming a Token customer, you will need to create a separate member for each bank.

Each member you create under the realm of a bank should own an eIDAS-type alias with a value equal to the tppAuthNumber.

To onboard the member, you'll need to provide your eIDAS certificate and prove you own it by signing the payload with the private key corresponding to the certificate. Once TPP onboarding is successfully completed, each member is granted permissions based on its certificate. The eIDAS alias becomes verified and visible in the list of member aliases. Remember, an alias belongs to a single member only. Consequently, you cannot onboard another member for this tppAuthNumber under the same bank.

We strongly recommend using a registerWithEidas() call, which creates and onboards the member in one step. If you already have a member under the realm of a bank and wish to onboard it, or if you need to renew your certificate, use a VerifyEidas() call instead, as described below.

In all cases, be sure to use the correct format when providing your certificate and the signature.

Certificate Format

The certificate must be supplied in single-line PEM format, that is, the Base64-encoded DER certificate (DER is the binary form of the certificate and carries no BEGIN CERTIFICATE/END CERTIFICATE lines) with no header, no footer and no line breaks. If you have the certificate in a .pem file, copy its contents, drop the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and join the remaining Base64 lines into one line. Paste only the Base64 body; a leftover header line or an embedded newline makes the value unparseable.

Payload Signature

The signature must be base64url-encoded (no padding) and on a single line. You can generate one with openssl like this (the second command converts openssl's standard Base64 output, which is wrapped at 64 characters, into unpadded single-line base64url):

openssl dgst -sha256 -sign private_key.pem -out /tmp/sign.sha256 payload.txt

openssl base64 -in /tmp/sign.sha256 | tr -d "=" | tr -- '+/' '-_' | tr -d "\n"

where private_key.pem is the file holding your private key and payload.txt contains the payload in normalized JSON form, meaning:

  1. Keys are in alphabetical order.
  2. Keys are in double quotes.
  3. No spaces and no newlines (the whole payload on a single line).
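The following is an added example, not Token's code, that does the same work as the openssl pipeline above in Python with only the standard library: it normalizes a payload to the form described (keys sorted, including nested objects, which the page does not specify and is an assumption here), signs it, base64url-encodes the signature without padding, and also performs the certificate formatting from the Certificate Format section. The RSA part is a deliberately minimal textbook RSASSA-PKCS1-v1_5 over SHA-256, the scheme `openssl dgst -sha256 -sign` applies to an RSA key, so that the bytes being encoded are visible; it has no side-channel protection and exists only to illustrate the format. Use openssl or a vetted library for real keys. The payload field names and certificate text in the demo are constructed for illustration and are not the API's.

```python
"""Added example: normalize, sign (RSASSA-PKCS1-v1_5/SHA-256) and base64url-encode an
eIDAS payload, plus single-line PEM formatting.  Toy RSA for illustration only."""
import base64
import hashlib
import json
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def normalize_payload(payload: dict) -> bytes:
    """Keys sorted (nested too, an assumption), double-quoted, no spaces or newlines."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def b64url_nopad(data: bytes) -> str:
    """base64url on one line with the '=' padding stripped, as the API expects."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_nopad: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pem_to_single_line(pem: str) -> str:
    """Certificate format from the page: PEM body (Base64 of the DER certificate)
    with the BEGIN/END lines and every newline removed.  Rejects stray characters."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error if not clean Base64
    return body


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits: int = 2048):
    """Toy key generation for the demo; returns (n, e, d).  Real keys: openssl genrsa."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EM = 0x00 || 0x01 || 0xFF.. || 0x00 || DigestInfo(SHA-256(message)), as an int."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too short for SHA-256 PKCS#1 v1.5")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rsa_sign_sha256(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(message, k), d, n).to_bytes(k, "big")


def rsa_verify_sha256(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Compare the whole recovered EM with a freshly built one: no lenient parsing."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return pow(s, e, n) == _emsa_pkcs1_v15(message, k)


def sign_eidas_payload(payload: dict, n: int, d: int) -> str:
    """The string to send: signature over the normalized payload, base64url, no padding."""
    return b64url_nopad(rsa_sign_sha256(normalize_payload(payload), n, d))


def demo() -> bool:
    """Round trip on a constructed payload (field names illustrative, not the API's)."""
    n, e, d = generate_rsa_key(1024)  # small only to keep the demo fast
    payload = {"tppAuthNumber": "PSDXX-YYYY-000000", "memberId": "m:example"}
    sig = sign_eidas_payload(payload, n, d)
    genuine = rsa_verify_sha256(normalize_payload(payload), b64url_decode(sig), n, e)
    forged = rsa_verify_sha256(normalize_payload({**payload, "memberId": "m:other"}),
                               b64url_decode(sig), n, e)
    return genuine and not forged and "=" not in sig and "\n" not in sig
```

Two details matter beyond the encoding itself: the signature covers the normalized bytes, so any difference in key order or whitespace between what you signed and what the server reconstructs will fail verification, and the verifier compares the entire encoded message rather than parsing the padding leniently, which is the check a relying party should do.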

When you're ready to enter production, use the code samples listed next for the purpose outlined to create, register, recover, and/or verify a TPP (Third-Party Provider: an authorised online service provider introduced as part of Open Banking, which exists outside the account holder's relationship with their bank but may be involved in transactions carried out by the user) member under the realm of a bank with an eIDAS certificate.

The newly created member will have a registered PRIVILEGED-level RSA key taken from the certificate provided, and an EIDAS alias whose value equals the authNumber (the tppAuthNumber) from the certificate.