Authentication

Overview

Authentication allows third-party providers to authenticate a user that accesses banking information. Once you receive a client identifier from dynamic registrations, you can obtain application access tokens and make authentication requests to access our Open Banking APIs.

Benefits

Enhanced security

Verify the user's identity who is accessing the data and reduce the risk of fraudulent activities.

Improved trust

Improves trust between NewDay and customers by having secure authentication protocols in place.

Better user experience

Simplifies login processes and provides a better user experience.

Increased innovation

Enables the development of new financial products and services that can benefit customers and banks by allowing third-party providers access to bank data securely.

How it works

To register and get access to Open Banking APIs:

Software Statement Assertions (SSA) and Access Tokens

1
You will receive an SSA as part of the OAuth 2.0 Dynamic Client Registration Protocol. In Open Banking, they describe a piece of software and the permission it has. It is necessary for you to create an SSA to register for access to the NewDay Open Banking APIs.
2
When you register an SSA, an OAuth client ID and secret credentials will be generated for your SSA.
3
When you make a request to our automatic registration endpoint using your SSA, you pass the client credentials to get an access token. Please note the body of the request should contain your SSA as a string. The SSA should be a valid JSON Web Token (JWT).
4
When making a request to our NewDay APIs, you may use two different grant types: Client Credentials grant type or Authorisation Code grant type. The grant type is specific to the API, and the primary difference on how the access token's gained. The simplest method is the Client Credentials grant type, where the client ID and secret are passed to the Authentication server.
5
In exchange for these credentials, NewDay's authorisation server issues access tokens called bearer tokens that you use for authorisation when you make REST API requests. A bearer token enables you to complete actions on behalf of and with the approval of the resource owner.
6
Access tokens have a finite lifetime. Re-use an access token until it expires. When it expires, request a new token via refresh token if available.

Open Banking Issued Certificates

There are three different types of certificates issued by the Open Banking directory:

1
Signing: Signing certificates are used to create JWSs to sign JSON Web Token (JWT) payloads during both the onboarding and authorisation processes.
2
Encryption: Encryption certificates are used to encrypt the JWT payloads and for ID token encryption.
3
Transport: Mutual TLS is used to encrypt requests and responses between third parties and banks using transport certificates issued by the Open Banking Directory.

Mutual Authentication

To access the NewDay Open Banking APIs, you will need to make sure you have set up your transport certificate accordingly. The NewDay Open Banking APIs endpoints use certificates issued by the Open Banking Certificate authority which will need to be trusted by your application. It is strongly recommended not to implement Certificate pinning against these certificates unless you have a mechanism to automatically update the pinned certificates as the certificates expire every 12 months and will be replaced without notice.

The Sandbox API endpoints do not enforce Mutual Authentication TLS (MATLS), neither do the OAuth Server Authorisation URLs. The OAuth endpoint used to issue access tokens is protected by MATLS. You must use the transport certificate issued to you by the Open Banking Directory to exchange an authorisation code for an access token. NewDay will also ensure the TLS certificate being used matches that of the Software Statement used to onboard the authenticating OAuth client.

Still have questions?

Can’t find the answer to your question? Our friendly team are more than happy to help

Was this page helpful?