What about QWAC Certificates? Do I have to embed them in a request?

To access the XS2A API, a TPP needs a valid Qualified Website Authentication Certificate (QWAC), which is usually issued by a registered Trust Service Provider. In this sandbox, the certificate is handled by our backend services to avoid complexity and improve the developer’s user experience.

To explain further: once a user retrieves a Client ID from the Developer’s Portal that is specific to an application, a QWAC certificate is automatically generated and attached to all subsequent API calls. When the user subscribes to an API Product and makes an API call, the backend service checks the validity of the user’s certificate and which roles are associated with it (PIS, AIS, PIIS), depending on which products the user has subscribed to.

This process, as well as the renewal of the user’s certificate should it expire, is handled automatically for the purposes of this sandbox. The user only needs to make sure the Client ID and Client Secret are used correctly in the API calls. See the Developer’s Portal “Getting Started” page for more information on how to issue a Client ID for an application.
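
The backend check described above can be pictured as a deny-by-default gate. This is an added sketch, not the sandbox's own code: the product names, the `SandboxCert` fields, the `authorize` function and the Client ID binding check are assumptions; only the role labels PIS, AIS and PIIS come from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Role required for each API product. Product names are hypothetical;
# the role labels (PIS, AIS, PIIS) are the ones used on this page.
REQUIRED_ROLE = {
    "payment-initiation": "PIS",
    "account-information": "AIS",
    "funds-confirmation": "PIIS",
}

@dataclass(frozen=True)
class SandboxCert:
    """Constructed stand-in for the fields the gate reads from a QWAC."""
    client_id: str
    not_before: datetime
    not_after: datetime
    roles: frozenset

def authorize(cert, client_id, product, now=None):
    """Return (allowed, reason). Deny unless every check passes."""
    now = now or datetime.now(timezone.utc)
    if cert.client_id != client_id:  # assumed binding of cert to Client ID
        return False, "certificate not bound to this Client ID"
    if now < cert.not_before:
        return False, "certificate not yet valid"
    if now > cert.not_after:
        return False, "certificate expired"
    role = REQUIRED_ROLE.get(product)
    if role is None:
        return False, "unknown API product"
    if role not in cert.roles:
        return False, f"certificate lacks role {role}"
    return True, "ok"

# Constructed sample: an application subscribed to AIS and PIS only.
CERT = SandboxCert(
    client_id="demo-client-id",
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
    roles=frozenset({"AIS", "PIS"}),
)

if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for product in REQUIRED_ROLE:
        print(product, authorize(CERT, "demo-client-id", product, when))
```

A call to a product the application has not subscribed to is rejected on the role check even though the certificate itself is still valid.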