This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
TPP Onboarding with WSO2 Open Banking
Third-Party Providers (TPPs) can create third-party applications to facilitate banking services exposed via bank APIs. Before TPPs are onboarded and connected with the banks, they are subjected to a thorough verification. This verification includes a comprehensive sign-up process at the API Store, the developer portal of WSO2 Open Banking. For a TPP to start providing open banking services, it has to be registered under a Competent Authority, which is a regulatory body that authorizes and supervises the open banking services delivered by the TPP.
This tutorial lets you try out a sample TPP onboarding process by following the steps below:
Step 01: Sign Up as a TPP User
Follow the steps below to sign up as a TPP user:
- Navigate to the API Store.
- Click Sign Up and navigate to the sign-up screen.
- Provide the requested details as defined below:
Generic details

| Field | Description | Sample Value |
| --- | --- | --- |
| Username/Email | This is the username/email the TPP user uses to sign in to the API Store. | tony@fincom.com |
| Password | This is the password the TPP user uses to sign in to the API Store. | |
| Re-type Password | This is to prevent the TPP user from accidentally setting an incorrect password. | |
| First Name | This is the first name of the TPP user. | Tony |
| Last Name | This is the last name of the TPP user. | Paige |

Company details

| Field | Description | Sample Value |
| --- | --- | --- |
| Legal Entity Name | This is the official name of the TPP. | FinCom |
| Country of Registration | This is the country in which the TPP is registered. | United Kingdom |
| Legal Entity Identifier (LEI) Number | This identifies the TPP. | 123400WSGIIACXF1P520 |
| Company Register | This is the organization that registered the TPP. | |
| Company Registration Number | This is the identifier issued at the TPP registration. | |
| Address Line 1 | This is to provide the address of the TPP. | |
| Address Line 2 | This is to provide the address of the TPP. | |
| City | This is the city in which the TPP is located. | |
| Postal Code | This is the postal code of the geographical location of the TPP. | |
| Country | This is the country in which the TPP is located. | |

Competent Authority registration details

| Field | Description | Sample Value |
| --- | --- | --- |
| Competent Authority | This is the regulatory body that authorizes and supervises the open banking services delivered by the TPP. | Financial Conduct Authority |
| Competent Authority Country | This is the country of the Competent Authority that authorized the TPP to provide open banking services. | |
| Competent Authority Registration Number | This is the registration number issued by the Competent Authority to the TPP. | |
| URL of the Competent Authority Register Page | This is the URL of the page that has the list of organizations authorized by the given competent authority. | |
| Open Banking Roles | This captures the open banking roles the TPP is willing to take up, as described after this table. | |

Open Banking Roles:
- Account Information Service Provider: An Account Information Service Provider (AISP) provides an aggregated view of all the accounts and past transactions that a customer has with different banks. To provide this view to the customer, the AISP should have authorization from the customer to view the corresponding transaction and balance information of all the payment accounts. The AISPs can also provide the facility to analyze the customer's spending patterns, expenses, and financial needs. Unlike a PISP, an AISP cannot transfer funds from a payment account.
- Payment Initiation Service Provider: A Payment Initiation Service Provider (PISP) initiates credit transfers on behalf of a bank's customer.
- Payment Instrument Issuer Service Provider: A Payment Instrument Issuer Service Provider (PIISP) is a PSP that verifies the coverage of a given payment amount of the PSU's account. Examples of PIISPs are the banks and credit card issuers that are obligated to verify whether the given payment amount can be covered by the PSU's account through APIs.

After selecting the roles, indicate whether the TPP is authorized by a competent authority to provide the services of the selected roles or not.
If the TPP has not registered yet to provide the services of the selected roles, indicate whether the TPP has applied for registration or not.

- Agree to the terms and conditions by checking the check box.
- Click Sign Up.

A request to approve the user sign up is sent to the admin users.
Step 02: Approve the TPP User Account
Follow the steps below to approve the newly created TPP user account:
- Navigate to the Admin Portal.
- Locate the approval request and click Assign To Me.
- Click Start to start the approval process.
- Select Approve and click Complete.
The TPP user can now sign in to the API Store.
Step 03: Sign In as a TPP User
Follow the steps below to sign in to the API Store:
- Navigate to the API Store.
- Click Sign In and navigate to the sign in screen.
- Enter the username and the password you entered at the user sign up.
- Click Sign In.
The API Store home screen with the APIs appears. Remain in the API Store to create an application.
Step 04: Create an Application
An application is an intermediary that sits between an API and its consumer. API consumers use applications to subscribe to APIs and consume them. An API consumer can subscribe to multiple APIs using a single Application. Thus, it acts as a logical collection of API subscriptions and decouples the API consumer from the APIs. Each Application can be associated with different Service Level Agreement (SLA) levels. This is enabled by attaching an Application with throttling tiers that determine the maximum number of API calls allowed during a given duration.
Follow the steps below to create an application:
- Click Applications on the API Store.
- Click Add Application.
- Enter application details.

| Field | Description | Sample Value |
| --- | --- | --- |
| Name | This is the application name. | FinComApp |
| Per Token Quota | This determines the maximum number of API requests accepted within a given duration. | Unlimited |
| Description | This describes the purpose of the application. | |

- Click Add to create the application.

Remain on the same page to generate application access tokens.
Step 05: Create the Certificates
Follow the steps below to create a public key certificate and application certificate:
- Update the placeholders of the following command and run it in a command prompt to create a keystore, which is a repository of security certificates.
  - alias: This is a preferred alias for the keystore.
  - filename: This is a preferred name for the keystore. You can even enter the location where you want the keystore to be generated.
keytool -genkey -alias <<alias>> -keyalg RSA -keystore <<filename>>.jks
Example:
keytool -genkey -alias KeyStore -keyalg RSA -keystore tpp.jks
- Provide a password for the keystore and set up the hostname by providing the following certificate attributes for the newly created certificate when prompted:
  - Common Name (CN)
  - Organizational Unit (OU)
  - Organization (O)
  - Locality (L)
  - State or Province Name (S)
  - Country Name (C)
- Update the placeholders of the following command and run it in a command prompt to extract the certificate from the generated keystore.
  - alias: This is the alias of the keystore.
  - fileName: This is the name of the certificate.
  - keyStoreName: This is the name of the keystore.
keytool -export -alias <<alias>> -file <<fileName>> -keystore <<keyStoreName>>.jks
Example:
keytool -export -alias KeyStore -file cert -keystore tpp.jks
- Provide the password you used for the keystore.
  The public key certificate is extracted to the same location where you ran the command.
- Update the placeholders of the following command and run it in a command prompt to convert the keystore from the jks format to PKCS12.
  - keyStoreName: This is the name of the keystore.
  - PKCS12FileName: This is the name of the keystore in the PKCS12 format.
keytool -importkeystore -srckeystore <<keyStoreName>>.jks -destkeystore <<PKCS12FileName>>.p12 -deststoretype PKCS12
Example:
keytool -importkeystore -srckeystore tpp.jks -destkeystore tpp.p12 -deststoretype PKCS12
- Update the placeholders of the following command and run it in a command prompt to create the application certificate (.pem) file using the keystore in PKCS12 format, e.g., tpp.p12.
  - PKCS12FileName: This is the name of the keystore in the PKCS12 format.
  - PEMFileName: This is the name of the application certificate that is created in the .pem format.
openssl pkcs12 -in <<PKCS12FileName>>.p12 -nokeys -out <<PEMFileName>>.pem
Example:
openssl pkcs12 -in tpp.p12 -nokeys -out tpp.pem
Step 06: Request Access Tokens
Follow the steps below to generate access keys, i.e., consumer key and consumer secret:
- Click Production Keys on the application details page.
- Provide the requested details as defined below:

| Field | Description |
| --- | --- |
| Grant Types | These determine the credentials that are used to generate the access token. The six grant types available in WSO2 Open Banking are listed after this table. |
| Callback URL | This is the URL used by the AISP/PISP to receive the authorization code sent from the Account Servicing Payment Service Provider (ASPSP), e.g., bank. The authorization code can later be used to generate an OAuth2 access token. Sample URL: https://openbanking.wso2.com/authenticationendpoint/authorize_callback.do |
| Application Certificate | This is the content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings of the Application Certificate (.PEM) that you created above. |

Grant types:
- Refresh Token: This is to renew an expired access token.
- SAML2: This is to exchange a SAML access token with an OAuth access token.
- Password: This is to obtain an access token by providing the resource owner's username and password.
- Client Credential: This relates to the client credentials grant type and is applicable when consuming the API as an application.
- IWA-NTLM: This is useful to obtain an access token for an API in a WSO2 Open Banking instance running on Windows.
- Code: This relates to the authorization code grant type and is applicable when consuming the API as a user.

For more information on grant types, see Key Concepts.

- Click Request Access.

A request to approve the token generation is sent to the admin user.
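
The Application Certificate field takes only the text between the two markers, while the .pem file written by openssl pkcs12 also carries Bag Attributes, subject and issuer lines. The shell helper below is an added example, not part of the WSO2 documentation: cert_body is a hypothetical name, the single-certificate check is an assumption that fits the self-signed keystore from Step 05, and the sample file holds constructed placeholder text rather than a real certificate.

```shell
#!/bin/sh
# Added example: print the base64 body of the application certificate in a
# .pem file (the text Step 06 asks for), refusing unsafe or ambiguous input.
# cert_body is a hypothetical helper name, not part of WSO2 Open Banking.
cert_body() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

    # A file exported without -nokeys also carries the private key, which
    # must never be pasted into the API Store.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key; re-export with -nokeys" >&2
        return 3
    fi

    # Assumption: one certificate, as produced by the Step 05 keystore.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 certificate in $pem, found $count" >&2
        return 4
    fi

    # Keep only the lines between the markers; this drops the
    # "Bag Attributes", subject= and issuer= lines openssl pkcs12 writes.
    awk '/^-----END CERTIFICATE-----/   { inside = 0 }
         inside                         { sub(/\r$/, ""); print }
         /^-----BEGIN CERTIFICATE-----/ { inside = 1 }' "$pem"
}

# Constructed sample (placeholder base64, not a real certificate) in the
# layout that openssl pkcs12 -nokeys produces.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Bag Attributes
    friendlyName: keystore
subject=CN = localhost
issuer=CN = localhost
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUxJTkUtMQ==
Q09OU1RSVUNURUQtU0FNUExFLUxJTkUtMg==
-----END CERTIFICATE-----
EOF
cert_body "$sample"
rm -f "$sample"
```

Run it as `cert_body tpp.pem` against the file created in Step 05 and paste the printed lines into the Application Certificate field.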
Step 07: Approve the Access Key Generation
Follow the steps below to approve the access key generation:
- Navigate to the Admin Portal.
- Click Tasks > Application Registration.
- Locate the approval request and click Assign To Me.
- Click Start to start the approval process.
- Select Approve and click Complete.
- Navigate back to the API Store and click Applications.
- Click View of the application that you created in Step 04, e.g., FinComApp, to navigate to the application details page.
- Click the Production Keys tab.
- Observe the generated keys.

Next, you can subscribe to APIs available in the API Store and invoke them.