Our onboarding supports an automatic registration. In case our TPPs haven’t registered in advance – a registration process will be initiated right after they will request for the consent API.
Once invoked for consent, an email will be sent to the address defined in the certificate, and will include instructions to complete registration.

Please notice to first call the consent API, in order to complete onboarding smoothly.

Click on 'Log in' button and fill in your username and password.

Click on 'Log in', then click on 'Forgot your password? Click here in order to request a new one'.
Fill Username or email address and follow the instructions.

QWAC certificate and QSealC certificate. Both certificates are issued by BOI for TPPs.
The QWAC certificate is used for identification of a TPP; For an authentication by the ASPSP.
The QSealC certificate is used by the TPP in order to sign request messages.
All requests messages sent by a TPP must be signed.

TPP must receive a certificate from BOI, then run the APIs.

This is a secured way to allow a TPP the access to financial information of the bank customer like their accounts, balances and transactions.
After a customer gave their consent for it, the TPP will be able to offer them a varied financial offers.
There is a strict list of APIs that all banks must implement and offer (according to PSD2).

Request headers should contain valid Signature.

Request headers should contain “Signature” parameter.

Request body’s field: “validUntil” should contain a current or future expiry date.

Request body’s field: “validUntil” should contain a valid date format (YYYY-MM-DD).

When consent type is ‘detailed’ and IBAN value is not valid.
If spaces have been inserted to IBAN value, this error will also be returned, but with the following text: "Format of certain request fields are not matching the XS2A requirements."

Request parameter “consentId” was not found or did not match with the “clientId” in the certificate.

Consent is not active – not in status valid.
Please use the [GET] /consents/{consentId}/status API for consents’ statuses.

Token is incorrect. The TPP’s token did not match to that of the ASPSP (bank).

The resource not found. Request-URI did not match to any service’s endpoint.
Example: Next endpoint is not valid since the word 'Balances' contains an upper case ‘B’ (should be written balances):
GET /psd2/v1/accounts/94311060-1bc7-4455-9aa2-1b64fef4aad2_105_97/Balances

Request headers should contain valid Certificate

Only consents with the following statuses can get terminated by a TPP: “valid”, “partiallyApproved”,
“suspendedByASPSP” and “received”. Using the Delete method with a different status will return the
CONSENT_INVALID error.

This error occurs due to one of these reasons:
1. “bookingStatus” parameter is invalid. Valid values are: “booked”, “pending”, ”both”.
2. “entryReferenceFrom” optional parameter is invalid. This parameter should accept numbers only.

“dateFrom” and “bookingStatus” parameters mandatory in this path. When not using them (or not using the exact naming), this error will be returned.

“dateFrom” parameter’s minimum value should be 12 months prior to "now",
Or “dateTo” parameter is earlier than “dateFrom”.

“Consent-ID” parameter is missing in request headers, Or “X-Request-ID” parameter is missing in request headers. The last one should be send for each of a regulatory API.

These are optional parameters; Our bank does not support using them.

“account-id” parameter is invalid. It does not match the pattern. For example, the value is shorter than it should be.

When calling this API with a range of dates that doesn’t have any transactions in, then the response will not return an error, but instead a 200 status with a link (href).
That links for [GET] /accounts/{account-id}.
For getting transactions, expand the dates range.

When a response with a status code 200 contains more than 30 transactions, it will also contain a href link. For example:
Status code: 200 ok
Response body:
{
…
"_links": {
"account": {
"href": "/v1/accounts/94311060-1bc7-4455-9aa2-1b64fef4aad2_105_97/transactions?dateFrom=2020-02-20&bookingStatus=booked&dateTo=2020-12-21&entryReferenceFrom=30"
}
}
…
}
This link contains the “entryReferenceFrom” optional parameter that should retrieve next (30) transactions from the value passed for entryReferenceFrom. By calling for the API in the link, the API will retrieve next (30) transactions, and you can repeat it again as long as there are transactions.

The PSU-ID-Type field accepts one of these values ​​only:
FIBI-OTZAR, FIBI-UBANK, FIBI-BNL, FIBI-PAGI, MASSAD