Overview
The information on this page is only for authentication with Open Banking APIs. For information on integrating with our other APIs, see the Integration Guide.
Benefits
Enhanced security
Improved trust
Better user experience
Increased innovation
How it works
Software Statement Assertions (SSA) and Access Tokens
- 1You will receive an SSA as part of the OAuth 2.0 Dynamic Client Registration Protocol. In Open Banking, they describe a piece of software and the permission it has. It is necessary for you to create an SSA to register for access to the NewDay Open Banking APIs.
- 2When you register an SSA, an OAuth client ID and secret credentials will be generated for your SSA.
- 3When you make a request to our automatic registration endpoint using your SSA, you pass the client credentials to get an access token. Please note the body of the request should contain your SSA as a string. The SSA should be a valid JSON Web Token (JWT).
- 4When making a request to our NewDay APIs, you may use two different grant types: Client Credentials grant type or Authorisation Code grant type. The grant type is specific to the API, and the primary difference on how the access token's gained. The simplest method is the Client Credentials grant type, where the client ID and secret are passed to the Authentication server.
- 5In exchange for these credentials, NewDay's authorisation server issues access tokens called bearer tokens that you use for authorisation when you make REST API requests. A bearer token enables you to complete actions on behalf of and with the approval of the resource owner.
- 6Access tokens have a finite lifetime. Re-use an access token until it expires. When it expires, request a new token via refresh token if available.
Open Banking Issued Certificates
There are three different types of certificates issued by the Open Banking directory:
- 1Signing: Signing certificates are used to create JWSs to sign JSON Web Token (JWT) payloads during both the onboarding and authorisation processes.
- 2Encryption: Encryption certificates are used to encrypt the JWT payloads and for ID token encryption.
- 3Transport: Mutual TLS is used to encrypt requests and responses between third parties and banks using transport certificates issued by the Open Banking Directory.
Mutual Authentication
To access the NewDay Open Banking APIs, you will need to make sure you have set up your transport certificate accordingly. The NewDay Open Banking APIs endpoints use certificates issued by the Open Banking Certificate authority which will need to be trusted by your application. It is strongly recommended not to implement Certificate pinning against these certificates unless you have a mechanism to automatically update the pinned certificates as the certificates expire every 12 months and will be replaced without notice.
The Sandbox API endpoints do not enforce Mutual Authentication TLS (MATLS), neither do the OAuth Server Authorisation URLs. The OAuth endpoint used to issue access tokens is protected by MATLS. You must use the transport certificate issued to you by the Open Banking Directory to exchange an authorisation code for an access token. NewDay will also ensure the TLS certificate being used matches that of the Software Statement used to onboard the authenticating OAuth client.
Was this page helpful?