Docs

Open Banking Authentication

1.0

Authenticate the client and users for accessing protected resources in NewDay.

Overview

API Reference
Open Banking Authentication enables third-party providers (TPPs) to securely authenticate users accessing banking information. Once you’ve obtained a client identifier through Dynamic Client Registration, you can generate application access tokens and initiate authentication requests to interact with NewDay’s Open Banking APIs.

This guide focuses exclusively on authentication for Open Banking APIs. For details about integrating with other APIs, refer to the Integration Guide.

Benefits

Verify user identities to protect data and minimise the risk of fraudulent activities.
Strengthen trust between NewDay and customers by implementing secure authentication protocols.
Simplify login processes for a smoother, more intuitive experience.
Securely enable third-party access to banking data, empowering the creation of innovative financial products and services.
To register and access Open Banking APIs:

Software Statement Assertions (SSA) and Access Tokens

  1. Receive SSA: As part of the OAuth 2.0 Dynamic Client Registration Protocol, you’ll receive an SSA that describes your software and permissions. Use this SSA to register for access to NewDay Open Banking APIs.
  2. Generate Credentials: Upon registering your SSA, an OAuth client ID and secret credentials will be created.
  3. Request Access Token: Send a registration request to our endpoint using your SSA as a string in the request body (formatted as a valid JSON Web Token).
  4. Choose Grant Type: For API requests, you can use either the Client Credentials grant type (simpler, passing client ID and secret to the Authentication server) or the Authorisation Code grant type.
  5. Access Tokens: The NewDay authorisation server issues bearer tokens in exchange for credentials, allowing you to perform actions on behalf of the resource owner. Tokens are valid for a limited time; you can reuse them until they expire and request new ones via a refresh token if applicable.

Open Banking Issued Certificates

The Open Banking Directory issues three types of certificates:

  1. Signing Certificates: Used to create JWSs for signing JSON Web Token (JWT) payloads during onboarding and authorisation.
  2. Encryption Certificates: Encrypt JWT payloads and ID tokens.
  3. Transport Certificates: Facilitate mutual TLS for encrypting communication between third parties and banks.

Mutual Authentication

To access NewDay Open Banking APIs, ensure proper setup of your transport certificate:

  1. APIs use Open Banking Certificate Authority-issued transport certificates, which must be trusted by your application. Avoid implementing certificate pinning unless you can automate certificate updates, as certificates expire every 12 months.
  2. Sandbox APIs and OAuth Server Authorisation URLs do not enforce Mutual Authentication TLS (MATLS). However, The OAuth endpoint used to issue access tokens is protected by MATLS. You must use the transport certificate issued to you by the Open Banking Directory to exchange an authorisation code for an access token. NewDay will also ensure the TLS certificate being used matches that of the Software Statement used to onboard the authenticating OAuth client.

By following these steps, you can ensure secure and compliant access to NewDay’s Open Banking APIs.

You may also like:

Find out more about Open Banking support Find out more about Access to Sandbox Explore Dynamic Client Registration (DCR) Explore Account Information Service (AIS) Explore Payment Initiation Service (PIS) Explore Confirmation of Funds (CBPII)

Still have questions?

Can’t find the answer to your question? Our friendly team are more than happy to help