MTLS endpoints
For the avoidance of doubt, the following table lists the API, authorisation and metadata endpoints for which MTLS is required at the API Provider. Third Party endpoints are not included. In all cases, API Providers must authenticate themselves to the client using a certificate that meets the requirements of the Security Profile.
Endpoints that are denoted as requiring TLS:
- MAY accept MTLS at the discretion of the API Provider (that is, API Providers MAY accept and evaluate client certificates);
- MUST NOT require MTLS (MUST accept connections that do not include client certificates).
Endpoints that are denoted as requiring MTLS:
- MUST require a client to provide a certificate that meets the requirements of the Security Profile in order to authenticate itself.
Endpoint list
The following table shows the endpoints to which MTLS and TLS schemes MUST be applied by API Providers. The Scheme column denotes whether the endpoint will follow the MTLS or TLS requirements.
Category / API | Endpoint | Scheme
---|---|---
Account Information API | /account-access-consents | MTLS
Account Information API | /account-access-consents/{ConsentId} | MTLS
Account Information API | /accounts | MTLS
Account Information API | /accounts/{AccountId} | MTLS
Account Information API | /accounts/{AccountId}/transactions | MTLS
Account Information API | /accounts/{AccountId}/beneficiaries | MTLS
Account Information API | /accounts/{AccountId}/balances | MTLS
Account Information API | /accounts/{AccountId}/direct-debits | MTLS
Account Information API | /accounts/{AccountId}/standing-orders | MTLS
Account Information API | /accounts/{AccountId}/offers | MTLS
Account Information API | /accounts/{AccountId}/party | MTLS
Account Information API | /accounts/{AccountId}/scheduled-payments | MTLS
Account Information API | /accounts/{AccountId}/statements | MTLS
Account Information API | /accounts/{AccountId}/statements/{StatementId} | MTLS
Account Information API | /accounts/{AccountId}/statements/{StatementId}/file | MTLS
Account Information API | /accounts/{AccountId}/statements/{StatementId}/transactions | MTLS
Account Information API | /standing-orders | MTLS
Account Information API | /direct-debits | MTLS
Account Information API | /beneficiaries | MTLS
Account Information API | /transactions | MTLS
Account Information API | /balances | MTLS
Account Information API | /offers | MTLS
Account Information API | /party | MTLS
Account Information API | /scheduled-payments | MTLS
Account Information API | /statements | MTLS
Payment Initiation API | /enduring-payment-consents | MTLS
Payment Initiation API | /enduring-payment-consents/{ConsentId} | MTLS
Payment Initiation API | /domestic-payment-consents | MTLS
Payment Initiation API | /domestic-payment-consents/{ConsentId} | MTLS
Payment Initiation API | /domestic-payments | MTLS
Payment Initiation API | /domestic-payments/{DomesticPaymentId} | MTLS
Payment Initiation API | /domestic-payments/{DomesticPaymentId}/debtor-account | MTLS
Event Notification API | /event-subscriptions | MTLS
Event Notification API | /event-subscriptions/{EventSubscriptionId} | MTLS
Authorisation | /authorize | TLS
Authorisation | /bc-authorize | MTLS
Authorisation | /introspect | MTLS
Authorisation | /par | MTLS
Authorisation | /revoke | MTLS
Authorisation | /token | MTLS
Authorisation | /userinfo | MTLS
Metadata [1] | /jwks or /keys | TLS
Metadata [1] | /.well-known/openid-configuration | TLS
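The rules above are easiest to reason about as an enforcement function at the TLS terminator plus a conformance check over probe results. The following is an added example written for this page, not code from the specification or from any API Provider: it transcribes the endpoint table into a path-template map, decides per request whether a client certificate is mandatory, optional, or absent, and flags deployments that either expose an MTLS endpoint without a client certificate or wrongly demand one on a TLS endpoint. The names (required_scheme, transport_decision, audit) and the probe results in SAMPLE_OBSERVATIONS are constructed for illustration.

```python
"""Transport policy for the MTLS/TLS endpoint table (added example, not from the spec)."""
import re
from typing import List, Optional, Tuple

# Endpoint table transcribed from the page: path template -> required scheme.
ENDPOINT_SCHEMES = {
    # Account Information API
    "/account-access-consents": "MTLS", "/account-access-consents/{ConsentId}": "MTLS",
    "/accounts": "MTLS", "/accounts/{AccountId}": "MTLS",
    "/accounts/{AccountId}/transactions": "MTLS", "/accounts/{AccountId}/beneficiaries": "MTLS",
    "/accounts/{AccountId}/balances": "MTLS", "/accounts/{AccountId}/direct-debits": "MTLS",
    "/accounts/{AccountId}/standing-orders": "MTLS", "/accounts/{AccountId}/offers": "MTLS",
    "/accounts/{AccountId}/party": "MTLS", "/accounts/{AccountId}/scheduled-payments": "MTLS",
    "/accounts/{AccountId}/statements": "MTLS",
    "/accounts/{AccountId}/statements/{StatementId}": "MTLS",
    "/accounts/{AccountId}/statements/{StatementId}/file": "MTLS",
    "/accounts/{AccountId}/statements/{StatementId}/transactions": "MTLS",
    "/standing-orders": "MTLS", "/direct-debits": "MTLS", "/beneficiaries": "MTLS",
    "/transactions": "MTLS", "/balances": "MTLS", "/offers": "MTLS", "/party": "MTLS",
    "/scheduled-payments": "MTLS", "/statements": "MTLS",
    # Payment Initiation API
    "/enduring-payment-consents": "MTLS", "/enduring-payment-consents/{ConsentId}": "MTLS",
    "/domestic-payment-consents": "MTLS", "/domestic-payment-consents/{ConsentId}": "MTLS",
    "/domestic-payments": "MTLS", "/domestic-payments/{DomesticPaymentId}": "MTLS",
    "/domestic-payments/{DomesticPaymentId}/debtor-account": "MTLS",
    # Event Notification API
    "/event-subscriptions": "MTLS", "/event-subscriptions/{EventSubscriptionId}": "MTLS",
    # Authorisation: only the front-channel /authorize endpoint is plain TLS
    "/authorize": "TLS", "/bc-authorize": "MTLS", "/introspect": "MTLS", "/par": "MTLS",
    "/revoke": "MTLS", "/token": "MTLS", "/userinfo": "MTLS",
    # Metadata
    "/jwks": "TLS", "/keys": "TLS", "/.well-known/openid-configuration": "TLS",
}


def _template_regex(template: str):
    """'/accounts/{AccountId}' -> anchored regex where each {Param} matches one path segment."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


_COMPILED = [(_template_regex(t), s) for t, s in ENDPOINT_SCHEMES.items()]


def required_scheme(path: str) -> Optional[str]:
    """'MTLS' or 'TLS' for a concrete request path, None if the path is not in the table."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    for pattern, scheme in _COMPILED:
        if pattern.match(path):
            return scheme
    return None


def transport_decision(path: str, cert_presented: bool, cert_valid: bool,
                       evaluate_optional_certs: bool = False) -> Tuple[str, str]:
    """Gateway-side rule from the text: MTLS endpoints need a valid client certificate;
    TLS endpoints must never require one, and evaluating a presented one is discretionary."""
    scheme = required_scheme(path)
    if scheme is None:
        return "deny", "path not in the MTLS/TLS endpoint table"
    if scheme == "MTLS":
        if not cert_presented:
            return "deny", "MTLS endpoint: client certificate required"
        if not cert_valid:
            return "deny", "MTLS endpoint: client certificate does not meet the Security Profile"
        return "allow", "MTLS endpoint: client certificate accepted"
    if cert_presented and evaluate_optional_certs and not cert_valid:
        return "deny", "TLS endpoint: presented client certificate was evaluated and rejected"
    return "allow", "TLS endpoint: client certificate not required"


def audit(observations: List[Tuple[str, bool, bool]]) -> List[str]:
    """Check probe results (path, cert_presented, connection_accepted) against the table."""
    violations = []
    for path, cert_presented, accepted in observations:
        scheme = required_scheme(path)
        if scheme == "MTLS" and not cert_presented and accepted:
            violations.append(f"{path}: MTLS endpoint accepted a connection without a client certificate")
        elif scheme == "TLS" and not cert_presented and not accepted:
            violations.append(f"{path}: TLS endpoint rejected a connection without a client certificate")
    return violations


# Constructed probe results for a hypothetical deployment (not real measurements).
SAMPLE_OBSERVATIONS = [
    ("/token", False, True),                        # violation: MTLS endpoint reachable without a cert
    ("/authorize", False, False),                   # violation: TLS endpoint demanded a cert
    ("/accounts/acc-123/balances", False, False),   # compliant
    ("/jwks", False, True),                         # compliant
]

if __name__ == "__main__":
    for v in audit(SAMPLE_OBSERVATIONS):
        print("VIOLATION:", v)
```

Unknown paths are denied rather than defaulted to TLS, so a newly added endpoint has to be classified before it is reachable; the two directions of the audit matter equally, since a gateway that requires client certificates everywhere breaks the browser-facing /authorize and metadata endpoints just as surely as one that forgets them on /token.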
[1] Note that the /.well-known/openid-configuration endpoint MUST be served from the Issuer URL as per OIDC Discovery section 4. Additionally, the iss claim in ID tokens MUST match the Issuer URL of the issuer. For example, using the issuer https://example.com, the metadata JSON document location would be https://example.com/.well-known/openid-configuration.
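The footnote ties three values together: the configured Issuer URL, the location of the discovery document, and the iss claim in ID tokens. The following is an added example for this page, not code from the specification: it derives the discovery location from an issuer the way OIDC Discovery section 4 prescribes (trailing slash removed, https only, no query or fragment), then checks that a fetched metadata document and an ID token's claims actually belong to that issuer. The function names and the SAMPLE_* inputs are constructed for illustration; comparison is exact string equality, which is what the discovery specification requires, so a trailing-slash mismatch is reported rather than tolerated.

```python
"""Issuer / discovery-document consistency checks (added example, not from the spec)."""
from typing import Dict, List
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/openid-configuration"


def validate_issuer(issuer: str) -> None:
    """Reject issuer identifiers that OIDC Discovery does not allow."""
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        raise ValueError("issuer must use the https scheme")
    if not parts.netloc:
        raise ValueError("issuer must contain a host")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not contain a query or fragment component")


def discovery_url(issuer: str) -> str:
    """Metadata location: the issuer (any terminating '/' removed) plus the well-known path."""
    validate_issuer(issuer)
    return issuer.rstrip("/") + WELL_KNOWN_PATH


def check_metadata(issuer: str, metadata: Dict) -> List[str]:
    """Findings when a fetched metadata document does not belong to the configured issuer."""
    findings = []
    if metadata.get("issuer") != issuer:
        findings.append(
            f"metadata issuer {metadata.get('issuer')!r} is not identical to configured issuer {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in metadata and urlsplit(metadata[key]).scheme != "https":
            findings.append(f"{key} must be an https URL")
    return findings


def id_token_iss_matches(issuer: str, claims: Dict) -> bool:
    """The iss claim must be identical to the Issuer URL; anything else is a different issuer."""
    return claims.get("iss") == issuer


# Constructed sample inputs (hypothetical issuer and documents, not real deployments).
CONFIGURED_ISSUER = "https://example.com"
SAMPLE_METADATA_OK = {
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/authorize",
    "token_endpoint": "https://example.com/token",
    "jwks_uri": "https://example.com/jwks",
}
SAMPLE_METADATA_BAD = {
    "issuer": "https://example.com/",          # trailing slash: not identical to the issuer
    "authorization_endpoint": "https://example.com/authorize",
    "token_endpoint": "https://example.com/token",
    "jwks_uri": "http://example.com/jwks",      # plaintext key endpoint
}
SAMPLE_ID_TOKEN_CLAIMS = {"iss": "https://example.com", "sub": "user-1", "aud": "client-1"}

if __name__ == "__main__":
    print("discovery document at:", discovery_url(CONFIGURED_ISSUER))
    for finding in check_metadata(CONFIGURED_ISSUER, SAMPLE_METADATA_BAD):
        print("FINDING:", finding)
    print("id token iss ok:", id_token_iss_matches(CONFIGURED_ISSUER, SAMPLE_ID_TOKEN_CLAIMS))
```

Clients that fetch metadata by constructing the URL from the issuer, as discovery_url does, rather than from an arbitrary configured URL, cannot be pointed at a document served from a different origin; the exact-match checks then catch a document or token that names a different issuer, including one that differs only by a trailing slash or path component.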