On the production and sandbox environments, the "scaOauth" property of a consent creation (with header tppExplicitAuthorizationPreferred = false) or a POST /authorization endpoint is the following:

{
  …
  "_links": {
    "scaOAuth": {
      "href": "https://api.berlingroup.ebury.io/berlingroup/.well-known/openid-configuration?authorizationId=31f68ab6-1ce6-4131-a324-3f37d2ca4b02"
    },
    …
  }
}

You have to call this URL and retrieve the “authorization_enpoint” property in the response:

{
  "issuer": "https://api.berlingroup.ebury.io",
  "authorization_endpoint": "https://web.berlingroup.ebury.io/public/berlingroup/authorize/31f68ab6-1ce6-4131-a324-3f37d2ca4b02",
  "token_endpoint": "https://api.berlingroup.ebury.io/berlingroup/v1/token",
  "userinfo_endpoint": "https://api.berlingroup.ebury.io/berlingroup/v1/accounts",
  "scopes_supported": [
    "account",
    "payment"
  ],
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "client_credentials",
    "authorization_code",
    "refresh_token"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "subject_types_supported": [
    "public"
  ]
}

With this property, you will be able to build your authorize URL with the following parameters:

Following these instructions your authorize URL should look like this and is now valid to process the authorization of the PSU:

This process to build the authorize URL is the same for a payment initiation.

NB : the "redirect_uri" parameter in the URL has to be the same as the "TPP-Redirect-URI" header of the consent creation

The communication between the TPP and the Bank (Sandbox or Berlin Group APIs) is always secured by using a TLS-connection Mutual authentication using TLS version 1.2 which is initiated by the TPP.

The TLS-connection has to be established always including client (i.e. TPP) authentication.

For this authentication the TPP has to use a qualified certificate for website authentication (QWAC) which has to be issued by a qualified trust service provider according to the eIDAS regulation.

The content of the certificate has to be compliant with the requirements of the EBA-RTS and follow the ETSI TS 119 495 V1.2.1 (2018-11) technical specification.

During the first connection setup, the TPP will be automatically onboarded and registered (enrolled) in the bank database. However, for security purpose, the bank requires the client certificate to be presented within each request.

Following the EBA clarification 07/06/2019, it's now possible to test the Sandbox using a test certificate. The only restriction is that the certificate used to establish the SSL MA must follow the QWAC format for PSD2, according to ETSI TS 119 495 V1.2.1 (2018-11)

For the Berlin Group APIs, the QWAC certificate has to be issued from a production CA.

Make sure that your QWAC configuration is correct by testing the following endpoint on the sandbox (no headers are necessary)

As a TPP if you face any problems using either our Sandbox or Production APIs you can contact us by using the dedicated support email : api.team@ebury.com

Please try to give us the full context of your request  :

• TPP Name,
• TPP Registration Number,
• Date and Time of the issue,
• Service : AIS, PIS, FCS,
• Endpoint,
• Error message, error code, screenshot,
• Information about concerned version by using one of the following URLs.
  A valid QWAC Certificate for PSD2 is required in order to access these URLs. ​
  The certificate is mandatory, otherwise you will get an error :​
  • Sandbox APIs
  • Production APIs

Our support team will answer you as soon as possible.