Version	Sandbox Status	Production Status
V3.2.1	Live	Live

Dynamic Client Registration

Dynamic Client Registration (DCR)

Third Party Registration

Third Parties, also referred to as Third Party Service Providers (TSPs) or Third Party Providers (TPPs) need to register their client with HSBC's Open Banking platform. In order to achieve this, Third Parties need to get their software statement issued as per RFC 7591. HSBC supports v3.2 of Dynamic Client Registration in line with OBIE specifications.

Please note in version 3.2 of Dynamic Client Registration content-type should be application/jose.
Please note the audience (aud) value for the DCR request should be the ‘issuer’ value taken from each brands well-known configuration
Please note the JWT expiry parameter (exp) in the request body should be set to a maximum of 30 mins.

Market Specific Variations

Hong Kong

For APIs in Hong Kong to request access to Production APIs, Third Parties need to submit a request using the Help, Contact Us form in the portal.

Select 'Open Banking APIs - HK - HSBC Business' or 'Open Banking APIs - HK - HSBC Personal' from the dropdown menu 'Which API does your query relate to?'
Select 'Production Access' from the dropdown menu 'What does your query relate to?'

On receipt of this information the HSBC support team will review the Third Parties request and begin the process to on-board the Third Party to the Open Banking eco-system. The Software Statement Assertion (SSA) will be securely mailed to the Third Parties registered email address.

UK/Europe

Third Parties need to register with their National Competent Authority (NCA) and to obtain the appropriate certificate based on jurisdiction. Third Parties need to check the address of HSBC's registration endpoint using our well-known endpoints;

Banking Area	Production Well-known Endpoint
HSBC Personal	https://api.ob.hsbc.co.uk/.well-known/openid-configuration
HSBC Business	https://api.ob.business.hsbc.co.uk/.well-known/openid-configuration
Marks and Spencer	https://api.ob.mandsbank.com/.well-known/openid-configuration
first direct	https://api.ob.firstdirect.com/.well-known/openid-configuration
HSBC Kinetic	https://api.ob.hsbckinetic.co.uk/.well-known/openid-configuration
HSBC Corporate (HSBCnet - UK)	https://api.ob.hsbcnet.com/.well-known/openid-configuration
HSBC Corporate (HSBCnet - CE)	https://eu.api.ob.hsbcnet.com/.well-known/openid-configuration

Bahrain

Third Parties need to check the address of HSBC's registration endpoint using our well-known endpoints:

Banking Area	Production Well-known Endpoint
HSBC Personal Banking	https://openbanking.hsbc.com.bh/.well-known/openid-configuration

Third Parties need to register their client in HSBC's Open Banking platform. In order to achieve this, Third Parties need to get their software statement issued first – as per RFC 7591. More information can be found here.

HSBC will perform pre-requisite configuration changes as a part of the registration process.
Third Parties should get CSR and CERT files generated. To generate this, Third Parties can use a configuration file which is made available by HSBC.
Third Parties are required to issue self-signed OBWAC-style AND OBSEAL-style certificates once a client has generated a valid CSR to be onboarded. Both OBWAC-style and OBSEAL-style certificates must contain the below fields:
- qcStatement of type in DER format as described in the below sample obwac.cnf and obseal.cnf. At least one qcStatement MUST be in the certificate
- qcStatement of type qcType. MUST be either qcType Web or qcType Seal
- Organisational Identifier MUST be in subject name
For more information on Bahrain QBWAC and QBSEAL certificates please review the Bahrain Digital Signatures section below
Third Parties need to trigger POST/register endpoint and with the relevant roles, TPP should select which roles they need to register for - (PIS, AIS, CBPII, ASPSP), and which country they would operate in.

Software Statements

A software statement can be issued by any actor that’s trusted by its authorisation server. For holders of OBWAC / OBSEAL certificates, TPPs will be issued with a software statement from the OBIE Directory - see here for more information. TPPs using eIDAS certificates can generate a self-signed software statement (self-signed SSA) - see here for further information. A complete list of all fields required for a self-signed SSA is provided below in the tables

Metadata	Description	Optional/ Mandatory (O or M)	Source Specification
`software_id`	Unique Identifier for TPP Client Software	M	[RFC7591] ^[0-9a-zA-Z]{1,22}$
`iss`	SSA Issuer	M	[RFC7519] ^[0-9a-zA-Z]{1,22}$ Identifier for the TPP. This value must be unique for each TPP registered by the issuer of the SSA For SSAs issued by the OB Directory, this must be the software_id
`iat`	Time SSA issued	M	[RFC7519]
`jti`	JWT ID	M	[RFC7519] ^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$` Max-36 length

Metadata	Description	Optional/ Mandatory (O or M)	Field Size
`software_client_id`	The Client ID Registered at OB used to access OB resources	M	Base62 GUID (22 chars) HSBC Implementaiton support Max 36
`software_client_description`	Human-readable detailed description of the client	O	Max256Text
`software_client_name`	Human-readable Software Name	O	Max40Text
`software_client_uri`	The website or resource root uri	O	Max256Text
`software_version`	The version number of the software should a TPP choose to register and / or maintain it	O	decimal
`software_environment`	Requested additional field to avoid certificate check	O	Max256Text
`software_jwks_endpoint`	Contains all active signing and network certs for the software	M	Max256Text
`software_jwks_revoked_endpoint`	Contains all revoked signing and network certs for the software	O	Max256Text
`software_logo_uri`	Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties	O	Max256Text
`software_mode`	ASPSP Requested additional field to indicate that this software is `Test` or `Live` the default is `Live`. Impact and support for `Test` software is up to the ASPSP.	O	Max40Text
`software_on_behalf_of_org`	A reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another.	O	Max40Text
`software_policy_uri`	A link to the software's policy page	O	Max256Text
`software_redirect_uris`	Registered client callback endpoints as registered with Open Banking	M	A string array of Max256Text items Pattern applied (?:\\[([0-9a-fA-F:]+)\\]\|(?:(?:[a-zA-Z0-9%-._~!$&'()+,;=]+(?::[a-zA-Z0-9%-._~!$&'()+,;=])?@)?([\\p{Alnum}\\-\\.])))(?::(\\d))?(.)?
`software_roles`	A multi value list of PSD2 roles that this software is authorized to perform.	M	A string array of Max256Text items
`software_tos_uri`	A link to the software's terms of service page	O	Max256Text
---------	------------		-----------
`organisation_competent_authority _claims`	Authorisations granted to the organsiation by an NCA		CodeList {`AISP`, `PISP`, `CBPII`, `ASPSP`}
`org_status`	Included to cater for voluntary withdrawal from OB scenarios		`Active`, `Revoked`, or `Withdrawn`
`org_id`	The Unique TPP or ASPSP ID held by OpenBanking.	M	HSBC Implementaion support Max 18 char
`org_name`	Legal Entity Identifier or other known organisation name	O	Max140Text
`org_contacts`	JSON array of objects containing a triplet of name, email, and phone number	O	Each item Max256Text
`org_jwks_endpoint`	Contains all active signing and network certs for the organisation	O	Max256Text
`org_jwks_revoked_endpoint`	Contains all revoked signing and network certs for the organisation	O	Max256Text
---------	------------		---------
`typ`	MUST be set to `JWT`	M
`alg`	MUST be set to `PS256`	M
`kid`	The kid will be kept the same as the `x5t` parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.	M

Software statements are checked by the ASPSP on TPP registration / request for access.

Third Parties performs dynamic registration:

Software Statement Sample (Full)	{ "software_mode": "Live", "software_environment": "TODO", "software_client_uri": "https://TODO.com", "software_logo_uri": "https://TODO.com", "software_policy_uri": "https://TODO.com", "software_tos_uri": "https://TODO.com", "software_on_behalf_of_org": "https://www.tsp.com", "software_client_description": "software statement for testing purposes", "software_jwks_revoked_endpoint": "https://TODO.com", "software_roles": ["AISP"], "org_jwks_endpoint": "https://TODO.com", "org_status": "Active", "org_contacts": [], "organisation_competent_authority_claims": [], "org_id": "5cb8572403f0df001d", "org_name": "ABC Merchant Ltd.", "org_jwks_revoked_endpoint": "https://TODO.com", "software_client_name": "ABC Merchant Ltd.", "iss": "2fNwVYePN8WqqDFvVf7XMN", "iat": 1556445993, "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F", "software_client_id": "2qY9COoAhfMrsH7mCyh86T", "software_redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"], "software_id": "2qY9COoAhfMrsH7mCyh86T", "software_jwks_endpoint": "https://www.tsp.com/jwks/public.jwks" }
Software Statement Sample (Minimal)	{ "software_on_behalf_of_org": "https://www.tsp.com", "software_roles": ["AISP"], "org_id": "5cb8572403f0df001d", "org_name": "ABC Merchant Ltd.", "software_client_name": "ABC Merchant Ltd.", "iss": "2fNwVYePN8WqqDFvVf7XMN", "iat": 1556445993, "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F", "software_client_id": "2qY9COoAhfMrsH7mCyh86T", "software_redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"], "software_id": "2qY9COoAhfMrsH7mCyh86T", "software_jwks_endpoint": "https://www.tsp.com/jwks/public.jwks" }
Register payload sample	{ iss="", "aud": "https://api.ob.hangseng.com", "scope": "openid accounts", "redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"], "response_types": ["code id_token"], "grant_types": ["authorization_code", "refresh_token", "client_credentials"], "application_type": "mobile", "id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256", "token_endpoint_auth_method": "private_key_jwt", "token_endpoint_auth_signing_alg": "PS256", "software_id": "2qY9COoAhfMrsH7mCyh86T", "software_statement": "{Software Statement signed JWT token}", "exp": 1674206304, "iat": 1555506046, "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F" }

Digital Signatures

Market Variations

UK/Europe

QSEALs or OBSEALS will also be required by TPPs to enable a digital signature feature. Use of a digital signature to sign payloads is mandatory.

Onward Provisioning – TPP / Agent name display options

Please note that TPPs must ensure that they have registered using the appropriate fields so that the correct information is displayed to customers.

Options	Display	Display Rule	Client Name	Org Name	'On Behalf Of' Name	What will display
When <org name> & <Client Name> are available & both are same & <Software on behalf name> not available	All (single name and key point)	Use <Client Name> as TPP name	ABC Company Ltd	ABC Company Ltd	N/A	ABC Company Ltd
When <org name> & <Client Name> are available & both are different & <Software on behalf name> not available	All (single name and key point)	Use <Client Name> as TPP name	ABC Trades	ABC Company Ltd	N/A	ABC Trades
When <org name> & <Client Name> are available & both are same & <Software on behalf name> is available & is same as well	All (single name and key point)	Use <Client Name> as TPP name	ABC Company Ltd	ABC Company Ltd	ABC Company Ltd	ABC Company Ltd
When <org name> & <Client Name> are available & both are different & <Software on behalf name> is available & is same as the <org name>	Both names to be displayed(1)	<Agent>on behalf of <TPP> Use<softwareOneBehalf> as Agent Use<Client Name> as TPP	ABC Trades	ABC Company Ltd	ABC Company Ltd	ABC Company Ltd on behalf of ABC Trades
When <org name> & <Client Name> are available & both are different & <Software on behalf name> is available & is same as the <Client Name>	All (single name and key point)	Use <Client Name> as TPP name	ABC Trades	ABC Company Ltd	ABC Trades	ABC Trades
When <org name> & <Client Name> are available & both are same & <Software on behalf name> is available & is different from both	Both names to be displayed(1)	<Agent>on behalf of <TPP> Use<softwareOneBehalf> as Agent Use<Client Name> as TPP	ABC Company Ltd	ABC Company Ltd	OBO Ltd	OBO Ltd on behalf of ABC Company Ltd
When <org name> & <Client Name> are available & both are different & <Software on behalf name> is available & is different from both	Both names to be displayed(1)	<Agent>on behalf of <TPP> Use<softwareOneBehalf> as Agent Use<Client Name> as TPP	ABC Trades	ABC Company Ltd	OBO Ltd	OBO Ltd on behalf of ABC Trades

(1) Both names will always be displayed at the consent set-up step, however, for simplicity, single name may be displayed in some non-key steps within the journey.

Bahrain OBWAC-style

OBWAC-style CSR cab be generated following below steps;

Update the obwac.cnf file

This file is used to generate OBWAC-style CSR using openssl.

Sample obwac.cnf is shown below:

####################################obwac.cnf###########################################

oid_section = new_oids

[ new_oids ]

organizationIdentifier = 2.5.4.97 # OpenSSL may not recognize this OID so need to add.

[ req ]

default_bits = 2048 # RSA key size

encrypt_key = yes # Protect private key: yes or no. yes recommended

default_md = sha256 # MD to use. sha256 recommended

utf8 =yes # Input is UTF-8.

string_mask =utf8only # Emit UTF-8 strings

prompt =no # Prompt for DN. yes or no.

distinguished_name =client_dn # DN template. Mandatory to include organizationIdentifier

req_extensions =client_reqext # Desired extensions. Mandatory to include DER qcStatements

[ client_dn ]

countryName = "BH" # Country code - see doc above

organizationName = "HSBC UK Bank Plc" # Organizational name

organizationIdentifier = "PSDBH-CBB-765112" # Must be in format as shown above

commonName = "00158000016i44JAAQ" # Subject common name

[ client_reqext ]

keyUsage = critical,digitalSignature # Must be critical

extendedKeyUsage = clientAuth, serverAuth # Must be defined as shown above

subjectKeyIdentifier = hash # Hash value to calculate SKI

qcStatements = DER:30793013060604008e4601063009060704008e46010603306206060400819827023058303530330607040081982701020c065053505f50490607040081982701030c065053505f41490607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

#########################################################################################

The items highlighted in RED needs to be modified by TPP.

organizationIdentifier - The organizationIdentifier "PSDBH-CBB-765112" means a certificate issued to a PSP where the authorization number is 765112, authorization was granted by CBB. Other examples can include use of non-alphanumeric characters such as "PSDBE-NBB-1234.567.890" and "PSDFI-FINFSA-1234567-8" and "PSDMT-MFSA-A 12345" (note space character after "A")

create qcStatement for OBWAC-style certificate:

Below are sample qcStatements in DER format based on various TPP roles -

PSP_AS qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701010c065053505f41530c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_PI qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AI qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_IC qcStatements=DER:30573013060604008e4601063009060704008e46010603304006060400819827023036301330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_AI qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_PI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010603305306060400819827023049302630110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI PSP_AI qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_PI PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060330660606040081982702305c303930110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI PSP_AI PSP_IC qcStatements=DER:3081903013060604008e4601063009060704008e4601060330790606040081982702306f304c30110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

The above values can be modified using ASN.1 editor and parser as shown in below screenshots –

Open the sample qcStatement(listed above based on roles) and then edit the details as per your need

qcStatement example 1

After changing the details create the hexadecimal encoding using the “Open data converter” option as shown below;

qcStatement example 2

Copy the generated HEX value in the conf file;

qcStatement example 3

The above screenshots are from ASN.1 tool available at below location –

https://www.sysadmins.lv/projects/asn1editor/default.aspx

Once generated the qcStatement HEX value can also be validated using below tool –

https://lapo.it/asn1js/

qcStatement example 4

Once the obwac.cnf file is ready, run below command to generate the obwac.csr –

openssl req -new -config obwac.cnf -out obwac.csr -keyout obwac.key

Once the certificate is generated, TPPs must share it with HSBC so that it can be added to the trust store.

Bahrain OBSEAL-style

Similar steps as described above for OBWAC-style needs to be done to generate obseal.csr.

Create the obseal.cnf file:

#########################################obseal.cnf#######################################

oid_section = new_oids

[ new_oids ]

organizationIdentifier = 2.5.4.97 # OpenSSL may not recognize this OID so need to add.

[ req ]

default_bits = 2048 # RSA key size

encrypt_key = yes # Protect private key: yes or no. yes recommended

default_md = sha256 # MD to use. sha256 recommended

utf8 = yes # Input is UTF-8.

string_mask = utf8only # Emit UTF-8 strings

prompt = no # Prompt for DN. yes or no.

distinguished_name = client_dn # DN template. Mandatory to include organizationIdentifier

req_extensions = client_reqext # Desired extensions. Mandatory to include DER qcStatements

[ client_dn ]

countryName = "BH" # Country code - see doc above

organizationName = "HSBC UK Bank Plc" # Organizational name

organizationIdentifier = "PSDBH-CBB-765112" # Must be in format as shown above

commonName = "00158000016i44JAAQ" # Subject common name

[ client_reqext ]

keyUsage = critical,digitalSignature,nonRepudiation # Must be critical

subjectKeyIdentifier = hash # Hash value to calculate SKI

qcStatements =DER:30793013060604008e4601063009060704008e46010602306206060400819827023058303530330607040081982701020c065053505f50490607040081982701030c065053505f41490607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

#########################################################################################

The fields highlighted in RED needs to be updated as per TPP details.

Sample qcStatement values for OBSEAL-style certificate, based on TPP role, are shown below :

PSP_AS qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701010c065053505f41530c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_PI qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AI qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_IC qcStatements=DER:30573013060604008e4601063009060704008e46010602304006060400819827023036301330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701020c065053505f50490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_AI qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701010c065053505f415330110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_PI PSP_AI qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_PI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AI PSP_IC qcStatements=DER:306a3013060604008e4601063009060704008e46010602305306060400819827023049302630110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI PSP_AI qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f41490c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701010c065053505f415330110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_PI PSP_AI PSP_IC qcStatements=DER:307d3013060604008e4601063009060704008e4601060230660606040081982702305c303930110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

PSP_AS PSP_PI PSP_AI PSP_IC qcStatements=DER:3081903013060604008e4601063009060704008e4601060230790606040081982702306f304c30110607040081982701010c065053505f415330110607040081982701020c065053505f504930110607040081982701030c065053505f414930110607040081982701040c065053505f49430c1743656e7472616c2042616e6b206f66204261687261696e0c0642482d434242

Use the same steps as described for obwac-style to generate the HEX value for obseal.cnf qcStatement.

Once generated,update the obseal.cnf file and run below command to generate the obseal.csr

openssl req -new -config obseal.cnf -out obseal.csr -keyout obseal.key

Implemented Endpoints

Endpoints	Markets Implemented	Mandatory
POST /register	All	Conditional
GET/register/{ClientId}	UK/Europe & Bahrain	Optional
PUT/register/{ClientId}	UK/Europe & Bahrain	Optional
DELETE/register/{ClientId}	None	Optional

POST /register:

TPPs must include a complete ClientName and OrganisationName during the registration process. Both names should be:
- Semantically and syntactically correct
- Adhere to data integrity rules including correct capitalisation, consistent use of abbreviations and spacing
If an agent is acting on behalf of the TPP, the agent name (Trading name of the Agent Company) must be provided within “software_on_behalf_of_org”.
The audience 'aud' value should be the issuer from the well known endpoint

GET /register:

This endpoint should be used only to request existing registration details for a client id. The request’s Authorization header should have Bearer token as access_token retrieved from /token with client_credentials grant_type

PUT /register:

TPPs may use this endpoint to update existing registration details. Relevant checks will be performed to ensure the updates are valid/allowed. An error message will be returned in instance of failures
The request should contain the response received from the GET /register as a jwt and the request’s Authorization header should have Bearer token as access_token retrieved from /token with client_credentials grant_type
It is important to note that the entire GET /register payload is expected in PUT /register payload as well. Any value that does not need an update during registration is still expected to be sent in the request.
Also with respect to scope update, it is expected that all scope for which registration is required is sent. For example, even if TPP is registered with accounts scope, and expects payments to be updated as part of PUT /register, the value in the payload expected is accounts payments. This scope in PUT /register will be considered as a complete replace instead of append to the existing value.
The following fields can be updated via PUT/register:

Fields which can be updated using PUT/register
exp
grant_types
iat
id_token_signed_response_alg
iss
jti
redirect_uris
response_types
scope
software_id
software_statement
request_object_signing_alg
token_endpoint_auth_method
token_endpoint_auth_signing_alg

Supported Authentication Methods

Method	Supported
private_key_jwt	Y (All Markets)
client_secret_jwt	N
client_secret_basic	N
client_secret_post	N
tls_client_auth	Y (UK/Europe & Bahrain)

Clarification on Scope parameter

Endpoint	Journey	Scopes	Notes
/register	PIS	"scope": "openid payments"	A Journey needs to be chosen based on TPP specialization
	AIS	"scope": "openid accounts"
	CoF	"scope": "openid fundsconfirmations"
	PIS, AIS, CoF	"scope": "openid payments accounts "fundsconfirmations"
/token with "client_credentials" grant type	PIS	"scope": "payments"	OpenID should not be included in client credentials
	AIS	"scope": "accounts"
	CoF	"scope": " fundsconfirmations "
/authorize	PIS	"scope":"openid payments"	A Journey needs to be chosen based on TPP specialization
	AIS	"scope":"openid accounts"
	CoF	"scope":"openid fundsconfirmations"
	Please note that when calling the “token” endpoint with grant_type: “authorization_code” or “refresh_token” you must not send “scope” parameter. If you do, this will result in the error code “invalid_request”

Please note that the audience, “aud” value in JWT for the /token endpoint should be https://<banking area>/obie/open-banking/v1.1/oauth2/token.

For example: https://api.ob.hsbc.co.uk/obie/open-banking/v1.1/oauth2/token for HSBC Personal.

private_key_jwt

@private_key_jwt

tls_client_auth

If MTLS tls_client_auth is used the tls_client_auth_subject_dn claim in the registration JWT must contain the full DN (Distinguished Name) of the transport certificate that the TPP will present to the ASPSP token endpoint to establish mutual TLS connection. The order of the attributes must also be the same as in the certificate subject value. Please note that this should not include the word ‘Subject’, but only the DN value inside the ‘Subject’ object field.

For example, a valid value would be:

CN=00158000016i44JAAQ,2.5.4.97=#131050534447422D4643412D373635313132,O=HSBC UK Bank Plc,C=GB

Expected format of tls_client_auth_subject_dn follows a string representation -- as defined in [RFC4514] -- of the DN. Please refer to https://tools.ietf.org/html/rfc4512#section-2 for formal definition of DN, RDN and attribute value assertion (AVA).

Currently supported short names for attribute types (descriptor - https://tools.ietf.org/html/rfc4514#section-2)

CN (2.5.4.3)

C (2.5.4.6)

L (2.5.4.7)

S (2.5.4.8)

ST (2.5.4.8)

O (2.5.4.10)

OU (2.5.4.11)

T (2.5.4.12)

IP (1.3.6.1.4.1.42.2.11.2.1)

STREET (2.5.4.9)

DC (0.9.2342.19200300.100.1.25)

DNQUALIFIER (2.5.4.46)

DNQ (2.5.4.46)

SURNAME (2.5.4.4)

GIVENNAME (2.5.4.42)

INITIALS (2.5.4.43)

GENERATION (2.5.4.44)

EMAIL (1.2.840.113549.1.9.1)

EMAILADDRESS (1.2.840.113549.1.9.1)

UID (0.9.2342.19200300.100.1.1)

SERIALNUMBER (2.5.4.5)

Multiple keywords are available for one OID.

Attribute types not present on above list should be encoded as the dotted-decimal encoding, a “numericoid”, of its OBJECT IDENTIFIER. The “numericoid” is defined in [RFC4512].

Example:

1.3.6.1.4.1.311.60.2.1.3=PL

Full Example:

CN=[value],serialNumber=[value],OU=[value],O=[value],C=[value],ST=[value],2.5.4.97=[value],2.5.4.15=[value],1.3.6.1.4.1.311.60.2.1.3=[value]

*[value] represents any value – it is a placeholder for real value.

Message signing

x-jws-signature

The iss value from x-jws-signature must match with full DN of the certificate.

Return to top

DCR UK and CE

Dynamic Client Registration (DCR)

Third Party Registration

The Open Banking Read/Write API standard is relying on FAPI Read-Write specification as means for authenticating TPPs (Third Party Providers) and PSUs (Payment Service Users). In order to enable this capability the TPP must register their OAuth API Clients with HSBC's Open Banking Platform. The HSBC Open Banking Platform supports v3.2 of Dynamic Client Registration Protocol [RFC 7591] in line with OBIE specifications.

TPPs to register with their National Competent Authority (NCA) and obtain an appropriate TLS certificate based on jurisdiction. TPPs need to check the address of HSBC's Open Banking registration endpoint using our well-known endpoints:

Brand	Production well-known endpoint
HSBC UK Personal	https://api.ob.hsbc.co.uk/.well-known/openid-configuration
first direct	https://api.ob.firstdirect.com/.well-known/openid-configuration
M&S Bank	https://api.ob.mandsbank.com/.well-known/openid-configuration
HSBC UK Business	https://api.ob.business.hsbc.co.uk/.well-known/openid-configuration
Kinetic	https://api.ob.hsbckinetic.co.uk/.well-known/openid-configuration
HSBCnet UK	https://api.ob.hsbcnet.com/.well-known/openid-configuration
HSBCnet CE	https://eu.api.ob.hsbcnet.com/.well-known/openid-configuration
MiVision UK	https://ob.mivision.hsbc.co.uk/uk/.well-known/openid-configuration
MiVision CE	https://ob.mivision.hsbc.co.uk/eu/.well-known/openid-configuration
HSBC Bahrain Personal	https://openbanking.hsbc.com.bh/.well-known/openid-configuration
HSBC Malta Personal	https://ob.hsbc.com.mt/.well-known/openid-configuration
Brand	Sandbox well-known endpoint
HSBC UK Personal	https://api.ob.hsbc.co.uk/.well-known/openid-configuration
first direct	https://api.ob.firstdirect.com/.well-known/openid-configuration
M&S Bank	https://api.ob.mandsbank.com/.well-known/openid-configuration
HSBC UK Business	https://api.ob.business.hsbc.co.uk/.well-known/openid-configuration
Kinetic	https://api.ob.hsbckinetic.co.uk/.well-known/openid-configuration
HSBCnet UK	https://api.ob.hsbcnet.com/.well-known/openid-configuration
HSBCnet CE	https://eu.api.ob.hsbcnet.com/.well-known/openid-configuration
MiVision UK	https://ob.mivision.hsbc.co.uk/uk/.well-known/openid-configuration
MiVision CE	https://ob.mivision.hsbc.co.uk/eu/.well-known/openid-configuration
HSBC Bahrain Personal	https://openbanking.hsbc.com.bh/.well-known/openid-configuration
HSBC Malta Personal	https://ob.hsbc.com.mt/.well-known/openid-configuration

DCR Endpoints

The following API endpoints for Dynamic Client Registration are supported.

Endpoint	Description
POST /register	Register new client
GET /register/{ClientId}	Get existing client details

Register new client

The client registration endpoint is designed to allow a API client to be registered with HSBC's Open Banking authorization server.

Please note the following related to DCR v3.2:

The `Content-Type` request header should be set to `application/jose`.
The JWT claim 'aud' should be set to same value as the ‘issuer’ from well-known configuration endpoint.
The JWT claim 'exp' should be set to a maximum of 30 min.

Here is an example of a CURL command for client registration endpoint in Sandbox:

@POST/register_curl

Notice, the request body represents a Compact Serialization of the JSON Web Signature (JWS)[RFC 7515]. Decoding this JWS will result in the following:

TODO (replace below)

Header { "alg": "PS256", "kid": "0dbca0ac-624b-4e47-8e44-8a807dd40d84" } Payload { "iss": "ForgeRock", "aud": "https://secure.sandbox.ob.hsbcnet.com", "scope": "openid accounts payments fundsconfirmations", "redirect_uris": [ "https://sg-dummy-acc-18-uk-jwt-dcr.com/callback" ], "response_types": [ "code id_token" ], "grant_types": [ "authorization_code", "refresh_token", "client_credentials" ], "application_type": "web", "id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256", "token_endpoint_auth_method": "private_key_jwt", "token_endpoint_auth_signing_alg": "PS256", "software_id": "0dcacfc25b3343569298d", "software_statement": "eyJraWQiOiJmNTkxZDA3Ni0yZmExLTQ0MDAtOGM4My1hYzNiNjU5MzdlMDAiLCJ0eXAiOiJKV1QiLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOiIwZGNhY2ZjMjViMzM0MzU2OTI5OGQiLCJzb2Z0d2FyZV9tb2RlIjoiVEVTVCIsIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6XC9cL3NlY3VyZS5zYW5kYm94Lm9iLmhzYmMuY28udWtcL29wZW4tYmFua2luZ1wvand0XC92MVwvb3JnXC9oc2JjXzI4NzRcL2p3a3MiLCJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjpbImh0dHBzOlwvXC9zZy1kdW1teS1hY2MtMTgtdWstand0LWRjci5jb21cL2NhbGxiYWNrIl0sIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IlNHIER1bW15IEFjYyAxOCBVSyBKV1QgRENSIiwiaXNzIjoib3Blbi1iYW5raW5nLXNhbmRib3giLCJzb2Z0d2FyZV90b3NfdXJpIjoiaHR0cHM6XC9cL3NnLWR1bW15LWFjYy0xOC11ay1qd3QtZGNyLmNvbVwvdG9zIiwic29mdHdhcmVfcG9saWN5X3VyaSI6Imh0dHBzOlwvXC9zZy1kdW1teS1hY2MtMTgtdWstand0LWRjci5jb21cL3BvbGljeSIsInNvZnR3YXJlX2lkIjoiMGRjYWNmYzI1YjMzNDM1NjkyOThkIiwic29mdHdhcmVfZW52aXJvbm1lbnQiOiJTYW5kYm94Iiwic29mdHdhcmVfdmVyc2lvbiI6MSwib3JnX25hbWUiOiJIU0JDIiwiZXhwIjoxNzI1OTY2Njc0LCJpYXQiOjE3MjU5NjQ4NzQsImp0aSI6Ijk2MWE0N2E5LTNjNjUtNDJiNS1iMGM3LTg1MWQyMzgyNmM2MSIsInNvZnR3YXJlX2NsaWVudF9pZCI6IjBkY2FjZmMyNWIzMzQzNTY5Mjk4ZCIsInNvZnR3YXJlX2NsaWVudF9kZXNjcmlwdGlvbiI6IkRlc2NyaXB0aW9uIGZvciBTRyBEdW1teSBBY2MgMTggVUsgSldUIERDUiIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczpcL1wvc2VjdXJlLnNhbmRib3gub2IuaHNiYy5jby51a1wvb3Blbi1iYW5raW5nXC9qd3RcL3YxXC9vcmdcL2hzYmNcL2p3a3MiLCJzb2Z0d2FyZV9jbGllbnRfdXJpIjoiaHR0cHM6XC9cL3NnLWR1bW15LWFjYy0xOC11ay1qd3QtZGNyLmNvbSIsIm9yZ19jb250YWN0cyI6W3sicGhvbmUiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlNlcmdlIEciLCJ0eXBlIjoiVGVjaG5pY2FsIiwiZW1haWwiOiJzZy5kZXZwb3J0YWwuaHNiYy51a0BnbWFpbC5jb20ifSx7InBob25lIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJTZXJnZSBHIiwidHlwZSI6IkJ1c2luZXNzIiwiZW1haWwiOiJzZy5kZXZwb3J0YWwuaHNiYy51a0BnbWFpbC5jb20ifV0sInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIiLCJvYl9yZWdpc3RyeV90b3MiOiJodHRwczpcL1wvZGV2ZWxvcC5oc2JjLmNvbVwvdGVybXMtYW5kLWNvbmRpdGlvbnMiLCJvcmdfaWQiOiJoc2JjXzI4NzQiLCJzb2Z0d2FyZV9sb2dvX3VyaSI6Imh0dHBzOlwvXC9zZy1kdW1teS1hY2MtMTgtdWstand0LWRjci5jb21cL2xvZ28iLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczpcL1wvc2VjdXJlLnNhbmRib3gub2IuaHNiYy5jby51a1wvb3Blbi1iYW5raW5nXC9qd3RcL3YxXC9vcmdcL2hzYmNcL2p3a3NcL3Jldm9rZWQiLCJzb2Z0d2FyZV9yb2xlcyI6WyJBSVNQIiwiUElTUCIsIkNCUElJIl0sIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczpcL1wvc2VjdXJlLnNhbmRib3gub2IuaHNiYy5jby51a1wvb3Blbi1iYW5raW5nXC9qd3RcL3YxXC9vcmdcL2hzYmNfMjg3NFwvandrc1wvcmV2b2tlZCIsIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJBSVNQIiwiUElTUCIsIkNCUElJIl19XSwicmVnaXN0cmF0aW9uX2lkIjoiNTEyOTU2IiwiYXV0aG9yaXR5X2lkIjoiR0ItSFNCQyIsInN0YXR1cyI6IkFjdGl2ZSJ9fQ.EsGdgr-vI-rfOeUOKH6Mp2n8WzDpgMsFO7292HaNBW14qYl_1nTeW3iwMb64QM23XdL-LM62DDANBgCVnVPMSzxT00xFYfuc17mPRjww_ZLOLHCRkhxvSJEW5tvfek8A-R8amvZ_7WnfEuuXMc43dMCZM_k2SNVBpKpYU0gFkwCHDTGc9i5BbBdjDWUXxasGNF4QPA_vmeRwHcF8rvy6s3a2lHuQ4PJ6dPwIuL5IyBd-EfGqqZmJ7IKGQy7HQ0BQdsWG7kLox_SMzpZtZonVuBg2l5n4zINRTP9ootHBv5yjrpZsgKjVkUdOIbNzELe5-a38EgMu3mPk0BfocmvpACRjdMM3yHxxWrlID-C-GgKpXPHS_kelZwdB6TUPaKwQiqlYb69Ja_OF7jjBwrrqQOUHMlkTFe2Su-WhPnJ_5AnU6Eq-eT9Dp4v40FGfgUKLOVu9DyEcWElXkVWjqwBeymMa9ZqdS_4tFwkMvgHn9aCPXVyhX3bOIh_nwMpieFLdtvC9c1I-0A8_GrgRsppz60dZjR-mdXm11_H8p8IjvYzdVHObi0KCdOfRJ39pc61Ogrie0ImCfLts0ODe1nVrnSzgMzhdudvrlMhlP-vVV_cnMAo5Wf_SZq1s6KXO-DU9vcJv1UxQjpWnfO05rsSsX5cjDRA3sjbfnBg50Ebgukc", "exp": 1737364938, "iat": 1555506046, "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F" }

Where:

The `iss` is a claim parameter defined by [RFC 7519].
The `aud` is a claim parameter defined by [RFC 7519]. Must be set to `issuer` value from the well-known configuration endpoint.
The `scope` is a set of space-separated list of scope values that the client can use when requesting access tokens. For supported scopes see `scopes_supported` in the well-known configuration endpoint. See also Scope Value section on this page.
The `redirect_uris` is the list of callback URLs supported by TPP's server. Typically this is where the bank customer (resource owner) is going to be redirected back to TPP's realm after consenting or rejecting the 'allow access request' to owner's resource using `GET /authorize` endpoint (OpenID Connect Core)[RFC 6749].
The `response_types` should always be set to `code id_token`.
The `grant_types` is the grant types that the client can use at the token endpoint.
The `application_type` is a free string that represents the type of TPP's application.
The `id_token_signed_response_alg` is the signing algorithm to be used by authorization server when signing `id_token` value. Supported value is `PS256`.
The `request_object_signing_alg` is the signing algorithm used by TPP when signing the request parameter passed in `GET /authorize` request. Supported value is `PS256`.
The `token_endpoint_auth_method` is the client authentication method to be used at token endpoint. See Client Authentication section for supported values.
The `token_endpoint_auth_signing_alg` is to instruct the token endpoint which signing algorithm to use in order to check client assertion signature. This claim is used in conjuction with `token_endpoint_auth_method` when is set to `private_key_jwt`. Supported value is `PS256`.
The `software_id` is the id of the registered client. This claim must have same value as `software_id` from the Software Statement.
The `software_statement` is the Software Statement as defined by [RFC 7591]. For supported claims see section Software Statement defined on this page.
The `exp` is a claim parameter defined by [RFC 7519].
The `iat` is a claim parameter defined by [RFC 7519].
The `jti` is a claim parameter defined by [RFC 7519].

Here is an example of client registration response:

TODO (replace below)

Response 201 CREATED { "client_id": "iIDlAHG.....rF7G5tsS6AwrGY", "client_id_issued_at": "1725965905370", "redirect_uris": [ "https://sg-dummy-acc-18-uk-jwt-dcr.com/callback" ], "grant_types": [ "authorization_code", "refresh_token", "client_credentials" ], "token_endpoint_auth_method": "private_key_jwt", "scope": "openid accounts payments fundsconfirmations", "application_type": "web", "id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256", "software_statement": "eyJraWQiOiJmNTkxZDA3Ni0yZmExLTQ0MDAtOGM4My1hYzNiNjU5MzdlMDAiLCJ0eXAiOiJKV1QiLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOiIwZGNhY2ZjMjViMzM0MzU2OTI5OGQiLCJzb2Z0d2FyZV9tb2RlIjoiVEVTVCIsIm9yZ19qd2tzX2VuZHBvaW50IjoiaHR0cHM6XC9cL3NlY3VyZS5zYW5kYm94Lm9iLmhzYmMuY28udWtcL29wZW4tYmFua2luZ1wvand0XC92MVwvb3JnXC9oc2JjXzI4NzRcL2p3a3MiLCJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjpbImh0dHBzOlwvXC9zZy1kdW1teS1hY2MtMTgtdWstand0LWRjci5jb21cL2NhbGxiYWNrIl0sIm9yZ19zdGF0dXMiOiJBY3RpdmUiLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6IlNHIER1bW15IEFjYyAxOCBVSyBKV1QgRENSIiwiaXNzIjoib3Blbi1iYW5raW5nLXNhbmRib3giLCJzb2Z0d2FyZV90b3NfdXJpIjoiaHR0cHM6XC9cL3NnLWR1bW15LWFjYy0xOC11ay1qd3QtZGNyLmNvbVwvdG9zIiwic29mdHdhcmVfcG9saWN5X3VyaSI6Imh0dHBzOlwvXC9zZy1kdW1teS1hY2MtMTgtdWstand0LWRjci5jb21cL3BvbGljeSIsInNvZnR3YXJlX2lkIjoiMGRjYWNmYzI1YjMzNDM1NjkyOThkIiwic29mdHdhcmVfZW52aXJvbm1lbnQiOiJTYW5kYm94Iiwic29mdHdhcmVfdmVyc2lvbiI6MSwib3JnX25hbWUiOiJIU0JDIiwiZXhwIjoxNzI1OTY2Njc0LCJpYXQiOjE3MjU5NjQ4NzQsImp0aSI6Ijk2MWE0N2E5LTNjNjUtNDJiNS1iMGM3LTg1MWQyMzgyNmM2MSIsInNvZnR3YXJlX2NsaWVudF9pZCI6IjBkY2FjZmMyNWIzMzQzNTY5Mjk4ZCIsInNvZnR3YXJlX2NsaWVudF9kZXNjcmlwdGlvbiI6IkRlc2NyaXB0aW9uIGZvciBTRyBEdW1teSBBY2MgMTggVUsgSldUIERDUiIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczpcL1wvc2VjdXJlLnNhbmRib3gub2IuaHNiYy5jby51a1wvb3Blbi1iYW5raW5nXC9qd3RcL3YxXC9vcmdcL2hzYmNcL2p3a3MiLCJzb2Z0d2FyZV9jbGllbnRfdXJpIjoiaHR0cHM6XC9cL3NnLWR1bW15LWFjYy0xOC11ay1qd3QtZGNyLmNvbSIsIm9yZ19jb250YWN0cyI6W3sicGhvbmUiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlNlcmdlIEciLCJ0eXBlIjoiVGVjaG5pY2FsIiwiZW1haWwiOiJzZy5kZXZwb3J0YWwuaHNiYy51a0BnbWFpbC5jb20ifSx7InBob25lIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJTZXJnZSBHIiwidHlwZSI6IkJ1c2luZXNzIiwiZW1haWwiOiJzZy5kZXZwb3J0YWwuaHNiYy51a0BnbWFpbC5jb20ifV0sInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiIiLCJvYl9yZWdpc3RyeV90b3MiOiJodHRwczpcL1wvZGV2ZWxvcC5oc2JjLmNvbVwvdGVybXMtYW5kLWNvbmRpdGlvbnMiLCJvcmdfaWQiOiJoc2JjXzI4NzQiLCJzb2Z0d2FyZV9sb2dvX3VyaSI6Imh0dHBzOlwvXC9zZy1kdW1teS1hY2MtMTgtdWstand0LWRjci5jb21cL2xvZ28iLCJzb2Z0d2FyZV9qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczpcL1wvc2VjdXJlLnNhbmRib3gub2IuaHNiYy5jby51a1wvb3Blbi1iYW5raW5nXC9qd3RcL3YxXC9vcmdcL2hzYmNcL2p3a3NcL3Jldm9rZWQiLCJzb2Z0d2FyZV9yb2xlcyI6WyJBSVNQIiwiUElTUCIsIkNCUElJIl0sIm9yZ19qd2tzX3Jldm9rZWRfZW5kcG9pbnQiOiJodHRwczpcL1wvc2VjdXJlLnNhbmRib3gub2IuaHNiYy5jby51a1wvb3Blbi1iYW5raW5nXC9qd3RcL3YxXC9vcmdcL2hzYmNfMjg3NFwvandrc1wvcmV2b2tlZCIsIm9yZ2FuaXNhdGlvbl9jb21wZXRlbnRfYXV0aG9yaXR5X2NsYWltcyI6eyJhdXRob3Jpc2F0aW9ucyI6W3sibWVtYmVyX3N0YXRlIjoiR0IiLCJyb2xlcyI6WyJBSVNQIiwiUElTUCIsIkNCUElJIl19XSwicmVnaXN0cmF0aW9uX2lkIjoiNTEyOTU2IiwiYXV0aG9yaXR5X2lkIjoiR0ItSFNCQyIsInN0YXR1cyI6IkFjdGl2ZSJ9fQ.EsGdgr-vI-rfOeUOKH6Mp2n8WzDpgMsFO7292HaNBW14qYl_1nTeW3iwMb64QM23XdL-LM62DDANBgCVnVPMSzxT00xFYfuc17mPRjww_ZLOLHCRkhxvSJEW5tvfek8A-R8amvZ_7WnfEuuXMc43dMCZM_k2SNVBpKpYU0gFkwCHDTGc9i5BbBdjDWUXxasGNF4QPA_vmeRwHcF8rvy6s3a2lHuQ4PJ6dPwIuL5IyBd-EfGqqZmJ7IKGQy7HQ0BQdsWG7kLox_SMzpZtZonVuBg2l5n4zINRTP9ootHBv5yjrpZsgKjVkUdOIbNzELe5-a38EgMu3mPk0BfocmvpACRjdMM3yHxxWrlID-C-GgKpXPHS_kelZwdB6TUPaKwQiqlYb69Ja_OF7jjBwrrqQOUHMlkTFe2Su-WhPnJ_5AnU6Eq-eT9Dp4v40FGfgUKLOVu9DyEcWElXkVWjqwBeymMa9ZqdS_4tFwkMvgHn9aCPXVyhX3bOIh_nwMpieFLdtvC9c1I-0A8_GrgRsppz60dZjR-mdXm11_H8p8IjvYzdVHObi0KCdOfRJ39pc61Ogrie0ImCfLts0ODe1nVrnSzgMzhdudvrlMhlP-vVV_cnMAo5Wf_SZq1s6KXO-DU9vcJv1UxQjpWnfO05rsSsX5cjDRA3sjbfnBg50Ebgukc", "response_types": [ "code id_token" ], "token_endpoint_auth_signing_alg": "PS256" }

Get client details

This endpoint can be used only to request registration details for an existing client id. The Authorization header should contain Bearer token issued with grant type `client_credentials`.

Here is a CURL example how to retrieve existing client details:

TODO : WORK IN PROGRESS

Software Statement

The [RFC 7591] defines a Software Statement as

  A digitally signed or MACed JSON Web Token (JWT)[RFC7519] that 
  asserts metadata values about the client software.  In some cases,
  a software statement will be issued directly by the client
  developer.  In other cases, a software statement will be issued by
  a third-party organization for use by the client developer.  In
  both cases, the trust relationship the authorization server has
  with the issuer of the software statement is intended to be used
  as an input to the evaluation of whether the registration request
  is accepted.  A software statement can be presented to an
  authorization server as part of a client registration request.

Currently, HSBC's Open Banking authorization server is supporting software statements issued by OBIE Directory. A complete list of supported SSA fields is provided below:

Metadata	Description	Optional or Mandatory
software_id	Unique Identifier for TPP Client Software [RFC7591]. ^[0-9a-zA-Z]{1,22}$	M
iss	SSA Issuer [RFC7519]. ^[0-9a-zA-Z]{1,22}$ Identifier for the TPP. This value must be unique for each TPP registered by the issuer of the SSA. For SSAs issued by the OB Directory, this must be same as `software_id` claim.	M
iat	Time SSA issued [RFC7519].	M
jti	JWT ID [RFC7519]. ^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$ Max 36 characters	M
software_client_id	The Client ID Registered at OB used to access OB resources. Base62 GUID (22 chars) HSBC Implementaion supports max 36 chars	M
software_client_description	Human-readable detailed description of the client. Max256Text	O
software_client_name	Human readable Software Name. Max40Text	O
software_client_uri	The website or resource root URI. Max256Text	O
software_version	The version number of the software should a TPP choose to register and / or maintain it. Decimal Example: `1.0`	O
software_environment	Requested additional field to avoid certificate check. Max256Text	O
software_jwks_endpoint	Contains all active signing and network certs for the software. Max256Text	M
software_jwks_revoked_endpoint	Contains all revoked signing and network certs for the software. Max256Text	O
software_logo_uri	Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties. Max256Text	O
software_mode	ASPSP Requested additional field to indicate that this software is `Test` or `Live` (default is `Live`). Impact and support for `Test` software is up to the ASPSP. Max40Text	O
software_on_behalf_of_org	A reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another. Max40Text	O
software_policy_uri	A link to the software's policy page. Max256Text	O
software_redirect_uris	Registered client callback endpoints as registered with Open Banking. Array of strings Max256Text (?:\\[([0-9a-fA-F:]+)\\]\|(?:(?:[a-zA-Z0-9%-._~!$&'()+,;=]+(?::[a-zA-Z0-9%-._~!$&'()+,;=])?@)?([\\p{Alnum}\\-\\.])))(?::(\\d))?(.)?	M
software_roles	A multi value list of PSD2 roles that this software is authorized to perform. Array of strings Max256Text	M
software_tos_uri	A link to the software's terms of service page. Max256Text	O
organisation_competent_authority_claims	Authorizations granted to the organsiation by an NCA.	M
org_status	Included to cater for voluntary withdrawal from OB scenarios. Active \| Revoked \| Withdrawn	M
org_id	The Unique TPP or ASPSP ID held by OpenBanking. HSBC Implementaion supports max 18 chars	M
org_name	Legal Entity Identifier or other known organisation name. Max140Text	O
org_contacts	JSON array of objects containing a triplet of `name`, `email`, `phone`. Each item Max256Text	O
org_jwks_endpoint	Contains all active signing and network certs for the organisation. Max256Text	O
org_jwks_revoked_endpoint	Contains all revoked signing and network certs for the organisation. Max256Text	O
typ	MUST be set to `JWT`	M
alg	MUST be set to `PS256`	M
kid	The kid will be kept the same as the `x5t` parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.	M

Here is an example of a Software Statement issued by Open Banking Directory Sandbox (decoded JWT Header and Payload):

TODO (replace below)

``` HEADER { "alg": "PS256", "kid": "hs91Jg7shbakDG4xpE2k3kkZopnW6ZUFHoETppbixzY=", "typ": "JWT" } PAYLOAD { "iss": "OpenBanking Ltd", "iat": 1739191288, "jti": "122b7a87-15f1-458d-8577-efb1ae80aeb7", "software_environment": "sandbox", "software_mode": "Test", "software_id": "bxKo6wgKz8e9sBRMWMhTHG", "software_client_id": "bxKo6wgKz8e9sBRMWMhTHG", "software_client_name": "Dummy Accounts", "software_client_description": "Dummy Accounts Wallet", "software_version": "1.0", "software_client_uri": "https://developer.hsbc.com", "software_redirect_uris": [ "https://dummy-accounts-wallet.com/callback" ], "software_roles": [ "AISP", "PISP", "CBPII" ], "organisation_competent_authority_claims": { "authority_id": "FCAGBR", "registration_id": "517261", "status": "Active", "authorizations": [ { "member_state": "GB", "roles": [ "PISP", "CBPII", "AISP", "ASPSP" ] }, { "member_state": "IE", "roles": [ "ASPSP", "PISP", "AISP", "CBPII" ] }, { "member_state": "NL", "roles": [ "CBPII", "ASPSP", "PISP", "AISP" ] } ] }, "software_logo_uri": "https://dummy-accounts-wallet.com/logo.png", "org_status": "Active", "org_id": "00102000013i44KQAK", "org_name": "Dummy Accounts LTD", "org_contacts": [ { "name": "Technical", "email": "support@dummy-accounts.com", "phone": "222SeeEmail", "type": "Technical" }, { "name": "Business", "email": "support@dummy-accounts.com", "phone": "222SeeEmail", "type": "Business" } ], "org_jwks_endpoint": "https://keystore.openbankingtest.org.uk/00102000013i44KQAK/00102000013i44KQAK.jwks", "org_jwks_revoked_endpoint": "https://keystore.openbankingtest.org.uk/00102000013i44KQAK/revoked/00102000013i44KQAK.jwks", "software_jwks_endpoint": "https://keystore.openbankingtest.org.uk/00102000013i44KQAK/bxKo6wgKz8e9sBRMWMhTHG.jwks", "software_jwks_revoked_endpoint": "https://keystore.openbankingtest.org.uk/00102000013i44KQAK/revoked/bxKo6wgKz8e9sBRMWMhTHG.jwks", "software_policy_uri": "https://dummy-accounts-wallet.com/policy.html", "software_tos_uri": "https://dummy-accounts-wallet.com/tandcs.html" } ```

The Software Statement is validated by HSBC's Open Banking authorization server during TPP's registration request for an API client.

TPPs will use the Software Statement in the Dynamic Client Registration request to register for an API Client:

TPP agent name display

Please note that TPPs must ensure that they have registered using the appropriate fields so that the correct information is displayed to customers during consent authorization step.

Options	Display	Display Rule	Client Name	Org Name	On Behalf Of Org	Display Result
When org_name & software_client_name are available & both are same & software_on_behalf_of_org not available	All (single name and key point)	Use software_client_name as TPP name	ABC Company Ltd	ABC Company Ltd	N/A	ABC Company Ltd
When org_name & software_client_name are available & both are different & software_on_behalf_of_org not available	All (single name and key point)	Use software_client_name as TPP name	ABC Trades	ABC Company Ltd	N/A	ABC Trades
When org_name & software_client_name are available & both are same & software_on_behalf_of_org is available & is same as well	All (single name and key point)	Use software_client_name as TPP name	ABC Company Ltd	ABC Company Ltd	ABC Company Ltd	ABC Company Ltd
When org_name & software_client_name are available & both are different & software_on_behalf_of_org is available & is same as the org_name	Both names to be displayed (1)	<Agent> on behalf of <TPP> Where <Agent> is software_on_behalf_of_org and <TPP> is software_client_name.	ABC Trades	ABC Company Ltd	ABC Company Ltd	ABC Company Ltd on behalf of ABC Trades
When org_name & software_client_name are available & both are different & software_on_behalf_of_org is available & is same as the software_client_name	All (single name and key point)	Use software_client_name as TPP name	ABC Trades	ABC Company Ltd	ABC Trades	ABC Trades
When org_name & software_client_name are available & both are same & software_on_behalf_of_org is available & is different from both	Both names to be displayed (1)	<Agent> on behalf of <TPP> Where <Agent> is software_on_behalf_of_org and <TPP> is software_client_name.	ABC Company Ltd	ABC Company Ltd	OBO Ltd	OBO Ltd on behalf of ABC Company Ltd
When org_name & software_client_name are available & both are different & software_on_behalf_of_org is available & is different from both	Both names to be displayed (1)	<Agent> on behalf of <TPP> Where <Agent> is software_on_behalf_of_org and <TPP> is software_client_name.	ABC Trades	ABC Company Ltd	OBO Ltd	OBO Ltd on behalf of ABC Trades

(1) Both names will always be displayed at the consent set-up step, however, for simplicity, single name may be displayed in some non-key steps within the journey.

Scope Value

The value of the `scope` claim in the registration request does specify what access privileges can be requested for Access Tokens. The scopes associated with Access Tokens determine what resources will be available when they are used to access HSBC's Open Banking protected endpoints.

Endpoint	Journey	Scopes	Notes
POST /register	PIS	"scope": "openid payments"	A Journey needs to be chosen based on TPP specialization
	AIS	"scope": "openid accounts"
	CoF	"scope": "openid fundsconfirmations"
	PIS, AIS, CoF	"scope": "openid payments accounts fundsconfirmations"

Client Authentication

This section defines the client authentication methods supported by HSBC's Open Banking authorization server during DCR. The following values are supported for `token_endpoint_auth_method` claim:

private_key_jwt [https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication]
tls_client_auth [RFC 8705]

private_key_jwt

If `private_key_jwt` is used then claim `token_endpoint_auth_signing_alg` is also required.

tls_client_auth

If `tls_client_auth` is used then claim `tls_client_auth_subject_dn` is also required.

The value of `tls_client_auth_subject_dn` must be set to full DN (Distinguished Name) of the transport certificate that the TPP will present to the token endpoint to establish a mutual TLS connection between the client and authorization server. The order of DN attributes must be the same as in the certificate subject value. Please note that this should not include the word ‘Subject’, but only the DN value of the ‘Subject’ object field.

The expected format of `tls_client_auth_subject_dn` follows a string representation of the DN as defined in [RFC4514]. Please refer to [https://tools.ietf.org/html/rfc4512#section-2] for formal definition of DN, RDN and attribute value assertion (AVA).

Here is an example of a valid DN value:

CN=00158000016i44JAAQ,2.5.4.97=#131050534447422D4643412D373635313132,O=HSBC UK Bank Plc,C=GB

Supported short names for attribute types (https://tools.ietf.org/html/rfc4514#section-2) are:

CN (2.5.4.3)

C (2.5.4.6)

L (2.5.4.7)

S (2.5.4.8)

ST (2.5.4.8)

O (2.5.4.10)

OU (2.5.4.11)

T (2.5.4.12)

IP (1.3.6.1.4.1.42.2.11.2.1)

STREET (2.5.4.9)

DC (0.9.2342.19200300.100.1.25)

DNQUALIFIER (2.5.4.46)

DNQ (2.5.4.46)

SURNAME (2.5.4.4)

GIVENNAME (2.5.4.42)

INITIALS (2.5.4.43)

GENERATION (2.5.4.44)

EMAIL (1.2.840.113549.1.9.1)

EMAILADDRESS (1.2.840.113549.1.9.1)

UID (0.9.2342.19200300.100.1.1)

SERIALNUMBER (2.5.4.5)

Multiple keywords are available for one OID. Attribute types not present on above list should be encoded as the dotted-decimal encoding, a “numericoid”, of its OBJECT IDENTIFIER. The “numericoid” is defined in [RFC4512].

Example: 1.3.6.1.4.1.311.60.2.1.3=PL

Full Example: CN=[value],serialNumber=[value],OU=[value],O=[value],C=[value],ST=[value],2.5.4.97=[value],2.5.4.15=[value],1.3.6.1.4.1.311.60.2.1.3=[value]

Where [value] is a placeholder for any real value.

Digital Signatures

QSEALs or OBSEALS will also be required by TPPs to enable a digital signature feature. Use of a digital signature to sign payloads is mandatory.

Return to top

DCR Bahrain

Dynamic Client Registration (DCR)

Third Party Registration

Third Parties, also referred to as Third Party Service Providers (TSPs) or Third Party Providers (TPPs) need to register their client with HSBC's Open Banking platform. In order to achieve this, Third Parties need to get their software statement issued as per RFC 7591. HSBC supports v3.2 of Dynamic Client Registration in line with OBIE specifications.

Please note in version 3.2 of Dynamic Client Registration content-type should be application/jose.
Please note the audience (aud) value for the DCR request should be the ‘issuer’ value taken from each brands well-known configuration
Please note the JWT expiry parameter (exp) in the request body should be set to a maximum of 30 mins.

Market Specific Variations

Third Parties need to check the address of HSBC's registration endpoint using our well-known endpoints:

Banking Area	Production Well-known Endpoint
HSBC Personal Banking	https://openbanking.hsbc.com.bh/.well-known/openid-configuration

Third Parties need to register their client in HSBC's Open Banking platform. In order to achieve this, Third Parties need to get their software statement issued first – as per RFC 7591. More information can be found here.

HSBC will perform pre-requisite configuration changes as a part of the registration process.
Third Parties should get CSR and CERT files generated. To generate this, Third Parties can use a configuration file which is made available by HSBC.
Third Parties are required to issue self-signed OBWAC-style AND OBSEAL-style certificates once a client has generated a valid CSR to be onboarded. Both OBWAC-style and OBSEAL-style certificates must contain the below fields:
- qcStatement of type in DER format as described in the below sample obwac.cnf and obseal.cnf. At least one qcStatement MUST be in the certificate
- qcStatement of type qcType. MUST be either qcType Web or qcType Seal
- Organisational Identifier MUST be in subject name
For more information on Bahrain QBWAC and QBSEAL certificates please review the Bahrain Digital Signatures section below
Third Parties need to trigger POST/register endpoint and with the relevant roles, TPP should select which roles they need to register for - (PIS, AIS, CBPII, ASPSP), and which country they would operate in.

Software Statements

A software statement can be issued by any actor that’s trusted by its authorisation server. For holders of OBWAC / OBSEAL certificates, TPPs will be issued with a software statement from the OBIE Directory - see here for more information. TPPs using eIDAS certificates can generate a self-signed software statement (self-signed SSA) - see here for further information. A complete list of all fields required for a self-signed SSA is provided below in the tables

Metadata	Description	Optional/ Mandatory (O or M)	Source Specification
`software_id`	Unique Identifier for TPP Client Software	M	[RFC7591] ^[0-9a-zA-Z]{1,22}$
`iss`	SSA Issuer	M	[RFC7519] ^[0-9a-zA-Z]{1,22}$ Identifier for the TPP. This value must be unique for each TPP registered by the issuer of the SSA For SSAs issued by the OB Directory, this must be the software_id
`iat`	Time SSA issued	M	[RFC7519]
`jti`	JWT ID	M	[RFC7519] ^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$` Max-36 length

Metadata	Description	Optional/ Mandatory (O or M)	Field Size
`software_client_id`	The Client ID Registered at OB used to access OB resources	M	Base62 GUID (22 chars) HSBC Implementaiton support Max 36
`software_client_description`	Human-readable detailed description of the client	O	Max256Text
`software_client_name`	Human-readable Software Name	O	Max40Text
`software_client_uri`	The website or resource root uri	O	Max256Text
`software_version`	The version number of the software should a TPP choose to register and / or maintain it	O	decimal
`software_environment`	Requested additional field to avoid certificate check	O	Max256Text
`software_jwks_endpoint`	Contains all active signing and network certs for the software	M	Max256Text
`software_jwks_revoked_endpoint`	Contains all revoked signing and network certs for the software	O	Max256Text
`software_logo_uri`	Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties	O	Max256Text
`software_mode`	ASPSP Requested additional field to indicate that this software is `Test` or `Live` the default is `Live`. Impact and support for `Test` software is up to the ASPSP.	O	Max40Text
`software_on_behalf_of_org`	A reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another.	O	Max40Text
`software_policy_uri`	A link to the software's policy page	O	Max256Text
`software_redirect_uris`	Registered client callback endpoints as registered with Open Banking	M	A string array of Max256Text items Pattern applied (?:\\[([0-9a-fA-F:]+)\\]\|(?:(?:[a-zA-Z0-9%-._~!$&'()+,;=]+(?::[a-zA-Z0-9%-._~!$&'()+,;=])?@)?([\\p{Alnum}\\-\\.])))(?::(\\d))?(.)?
`software_roles`	A multi value list of PSD2 roles that this software is authorized to perform.	M	A string array of Max256Text items
`software_tos_uri`	A link to the software's terms of service page	O	Max256Text
---------	------------		-----------
`organisation_competent_authority _claims`	Authorisations granted to the organsiation by an NCA		CodeList {`AISP`, `PISP`, `CBPII`, `ASPSP`}
`org_status`	Included to cater for voluntary withdrawal from OB scenarios		`Active`, `Revoked`, or `Withdrawn`
`org_id`	The Unique TPP or ASPSP ID held by OpenBanking.	M	HSBC Implementaion support Max 18 char
`org_name`	Legal Entity Identifier or other known organisation name	O	Max140Text
`org_contacts`	JSON array of objects containing a triplet of name, email, and phone number	O	Each item Max256Text
`org_jwks_endpoint`	Contains all active signing and network certs for the organisation	O	Max256Text
`org_jwks_revoked_endpoint`	Contains all revoked signing and network certs for the organisation	O	Max256Text
---------	------------		---------
`typ`	MUST be set to `JWT`	M
`alg`	MUST be set to `PS256`	M
`kid`	The kid will be kept the same as the `x5t` parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.	M

Software statements are checked by the ASPSP on TPP registration / request for access.

Third Parties performs dynamic registration:

Software Statement Sample (Full)	{ "software_mode": "Live", "software_environment": "TODO", "software_client_uri": "https://TODO.com", "software_logo_uri": "https://TODO.com", "software_policy_uri": "https://TODO.com", "software_tos_uri": "https://TODO.com", "software_on_behalf_of_org": "https://www.tsp.com", "software_client_description": "software statement for testing purposes", "software_jwks_revoked_endpoint": "https://TODO.com", "software_roles": ["AISP"], "org_jwks_endpoint": "https://TODO.com", "org_status": "Active", "org_contacts": [], "organisation_competent_authority_claims": [], "org_id": "5cb8572403f0df001d", "org_name": "ABC Merchant Ltd.", "org_jwks_revoked_endpoint": "https://TODO.com", "software_client_name": "ABC Merchant Ltd.", "iss": "2fNwVYePN8WqqDFvVf7XMN", "iat": 1556445993, "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F", "software_client_id": "2qY9COoAhfMrsH7mCyh86T", "software_redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"], "software_id": "2qY9COoAhfMrsH7mCyh86T", "software_jwks_endpoint": "https://www.tsp.com/jwks/public.jwks" }
Software Statement Sample (Minimal)	{ "software_on_behalf_of_org": "https://www.tsp.com", "software_roles": ["AISP"], "org_id": "5cb8572403f0df001d", "org_name": "ABC Merchant Ltd.", "software_client_name": "ABC Merchant Ltd.", "iss": "2fNwVYePN8WqqDFvVf7XMN", "iat": 1556445993, "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F", "software_client_id": "2qY9COoAhfMrsH7mCyh86T", "software_redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"], "software_id": "2qY9COoAhfMrsH7mCyh86T", "software_jwks_endpoint": "https://www.tsp.com/jwks/public.jwks" }
Register payload sample	{ iss="", "aud": "https://api.ob.hangseng.com", "scope": "openid accounts", "redirect_uris": ["https://www.tsp.com/", "https://www.tsp.com/ack"], "response_types": ["code id_token"], "grant_types": ["authorization_code", "refresh_token", "client_credentials"], "application_type": "mobile", "id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256", "token_endpoint_auth_method": "private_key_jwt", "token_endpoint_auth_signing_alg": "PS256", "software_id": "2qY9COoAhfMrsH7mCyh86T", "software_statement": "{Software Statement signed JWT token}", "exp": 1674206304, "iat": 1555506046, "jti": "45903DAE-3174-4E9E-9047-BBAE9C1A723F" }