Mutual TLS Authentication

As of the latest Sandbox update RBA's AIS and PIS APIs are protected with QWAC (Qualified Website Authentication Certificate) which TPPs get from the QTSPs (Qualified Trust Service Providers)

As OAuth API can’t be secured by mTLS, the APIs are now offered and accessible as the separate API Products on the Sandbox.

 Subscriptions are specified on the Subscriptions - IMPORTANT page.


Currently supported QTSP's at the moment:

  • FINA - Financijska agencija (Croatia)
  • Aruba Posta Elettronica Certificata S.p.A. (Italy)
  • Buypass AS (Norway)
  • Bank-Verlag (BV-Trust) (Germany)
  • Bundesdruckerei GmbH (D-TRUST) (Germany)
  • Firmaprofesional, S.A. (Spain)
  • InfoNotary PLC (Bulgaria)
  • A-Trust (Austria)
  • MicroSec (Hungary)
  • First certification authority, a.s. (Czech Republic)
  • certSIGN (Romania)


However, if you are in possession of a test certificate from a different QTSP we will most certainly support you. Please send us the root test certificate to our email address  so that we can implement it into Sandbox, after which we'll send you a confirmation that you're able to access our Sandbox with you specific certificate.