Frequently Asked Questions

Your application client secret is stored encrypted so we cannot retrieve the unencrypted version to tell you the value if you forget it.

You can reset it, which will update the stored value and return the new value to you.

To do that click 'Apps' in the main menu, click on the application in question and then you can click the 'Reset' link in the 'Client Secret' section.

Your new secret will be displayed at the top of the page.

A plan is collection of API resources or subsets of resources from one or more API. A plan can contain a mixture of HTTP GET, PUT, POST, and DELETE verbs from different APIs or it can contain all the GET verbs from various APIs. A plan can have a common rate limit for all the resources or each resource can have a different rate limit. Rate limits specify how many requests an application is allowed to make during a specified time interval.

Use this Developer Portal to browse the different plans that are available to you and select a plan that is most suitable for your requirements. Some plans have restricted access that you must request access to use. When you submit your request, the organization is notified, the API administrator assesses your request and they might contact you for more details. Other plans are available to use straight away.

When you add an application you are provided with a client ID and client secret for the application. You must supply the client ID when you call an API that requires you to identify your application by using a client ID, or a client ID and client secret.

To register an application click on Apps in the main menu and then click on the 'Register an application' link. Once you have provided an application name, description, etc you will be shown your application client ID and client secret.

Make a note of your client secret because it is only displayed once. You must supply the client secret when you call an API that requires you to identify your application by using a Client ID and Client secret.

The numbers of requests, for different APIs, that your application has made are shown on your application page.

Click 'Apps' in the main menu and then click on your application. Under 'Subscribed Plans' you will see all plans your application is subscribed to. 

For each API contained in that plan you can see the usage compared to the rate limit of the plan.

It is possible to test an API from this Developer Portal.

When looking at the details of an API you will see a table of the operations contained in the API. This will show what method they are (GET, POST, PUT, DELETE, PATCH, HEAD or OPTIONS) and what path the Resource uses.

If you click on the Resource you will see more information about it, what parameters it might take, what it returns, what possible return codes it might use and what they mean.

There is also a 'Try' button which enables you to try the Resource out direct from the Developer Portal.

If the API requires a client ID or a client secret for identification then you can specify these at the top of the 'Try' section.

In order to access the XS2A API, a TPP needs to have a valid Qualified Website Authentication Certificate (QWAC) which usually gets issued by a registered Trust Service Provider. For the use of this sandbox, this certificate is handled by our backend services to avoid complexity and improve the developer’s user experience

To explain further, once a user retrieves a Client ID from the Developer’s portal that is specific to an application, a QWAC certificate is automatically generated, that will be attached to all upcoming API calls. Once the user subscribes to an API Product, and proceeds to make an API call, the backend service checks the validity of the user’s certificate, as well as what roles are associated with it (PIS, AIS, PIIS), depending on which products the user has subscribed to.

This process, as well as the renewal of the user’s certificate should it expire, is handled automatically for the purposes of this sandbox. The user should only make sure he uses his Client ID & Client Secret correctly for the API calls. See the Developer’s Portal “Getting Started” page for more information on how to issue a Client ID for an application.

If the transaction/consent status is “received”, it can be possible that the PSU-ID does not match IBAN in the payment initiation or consent creation request. The mapping between PSU-ID and IBAN(s) is documented in the developer portal. If the status doesn’t change even though SCA was performed and the IBAN matches the PSU-ID, check the PSU-ID for typos and case sensitivity.

In order to simulate the SCA redirect as explained above, you have to perform a GET request at the following URL :

By default a new created transaction/consent has the status “received”. In order to perform SCA using REDIRECT approach, the sandbox provides a Redirect Server where the status gets updated depending on the PSU. Since SCA for REDIRECT is simplified for this sandbox, it is enough to pass a PSU-ID via Query-Parameter to simulate the whole SCA. An example is provided in the following:


The Query Parameter psu-id is mandatory. If it is not provided, the Redirect Server will display a default error message.

It is possible that the issued consent does not permit this operation. An AIS-Consent defines three levels of access. The first level allows access to “accounts”, the second to “balances” and the third to “transactions”. Combinations are possible and a selection of either “balances” or “transactions” grants access to “accounts” as well. A consent granting access to e.g. accounts and transactions does not allow to call the balance endpoint.

In this case you should receive an error.

Solution: Ask the PSU to create a new consent allowing you access the appropriate endpoints.

Another reason might be that the consent status is not valid. A status will e.g. expire automatically when the “expirationDate” defined within the consent is exceeded. It might also be possible that an error occurred while performing SCA. For more detailed information see FAQs on Strong Customer Authentication.

If you are facing a problem related to the API calls we recommend you to:

  1. Check the documentation included in the APIs page, to make sure you have not missed any parameters in your calls
  2. Take a look at the Developer's Example. You can navigate to this guide by visiting our Documentation Blog. The example contains an extensive guide on how to use the sandbox, as well as 2 common scenarios of TPPs for reference.
  3. Contact us directly by filling in the form in our Contact page.