FAQs
Nationwide’s Guidelines on Including PAN in API Reference Fields
Please only supply a PAN in the required field when making a payment to a credit card
- We support Aggregated polling only. You must have created an event-subscription resource to successfully retrieve event notifications (this is a one-off registration).
- We do not support real-time events.
For Current Accounts:
You can request up to 15 months' worth of Current Account transaction data within the first hour of the authorisation. After this, only 90 days' worth of data is available, in line with the SCA guidelines enforced in September 2019.
For Credit Cards:
We support 90 days' worth of Credit Card transaction data. If needed, Credit Card statements are available if you are looking for more data.
Once an app is registered with us, it's not possible for a TPP to add an additional redirect URI. If you need support with this, please log a ticket via the 'Contact Us' section.
When generating the random string for the required x-idempotency-key header, make sure it does not contain any keyword that the NBS security policies enforced on our APIs treat as malicious; a request whose key contains one will be rejected.
Examples of such keywords include (case insensitive): “exec”, “vbs”, “insert”, “update”, “select”, etc.
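The safest way to stay clear of the keyword filter is to never generate a key from a character set that can spell a keyword. The following is an added example (not Nationwide's code) showing a UUIDv4 generator for the header plus a case-insensitive keyword check; the keyword list is the FAQ's illustrative list, not the complete policy, and the 40-character length cap is an assumption taken from the Open Banking header definition rather than from this page.

```python
import uuid

# Keywords the FAQ gives as examples of what the NBS security policy rejects
# (case-insensitive). The FAQ says "etc.", so this list is illustrative only;
# extend it if you see further rejections.
BLOCKED_KEYWORDS = ("exec", "vbs", "insert", "update", "select")

# Alphabet of a hex/UUID string. None of the blocked keywords can be spelled
# from these characters alone, so a UUIDv4 key can never trip the filter.
HEX_ALPHABET = set("0123456789abcdef-")

# Assumption: x-idempotency-key is capped at 40 characters (Open Banking
# header definition); the FAQ itself states no length limit.
MAX_KEY_LEN = 40


def contains_blocked_keyword(value: str, keywords=BLOCKED_KEYWORDS) -> bool:
    """Return True if any blocked keyword appears in value, ignoring case."""
    lowered = value.lower()
    return any(kw in lowered for kw in keywords)


def keyword_spellable_in_hex(keyword: str) -> bool:
    """True if keyword could be produced from the hex/UUID alphabet alone."""
    return set(keyword.lower()) <= HEX_ALPHABET


def generate_idempotency_key() -> str:
    """Generate a fresh UUIDv4 string for the x-idempotency-key header.

    The output is lower-case hex and hyphens only, so it cannot contain any
    blocked keyword; the check is kept so a future change of key format that
    reintroduces letters is caught before the request leaves the client.
    """
    key = str(uuid.uuid4())
    return safe_header_value(key)


def safe_header_value(value: str) -> str:
    """Validate a caller-supplied key and raise rather than send a doomed request."""
    if not 1 <= len(value) <= MAX_KEY_LEN:
        raise ValueError("idempotency key length out of range")
    if contains_blocked_keyword(value):
        raise ValueError("idempotency key contains a keyword rejected by the API security policy")
    return value
```

Use `generate_idempotency_key()` for every new payment request and pass a caller-chosen key through `safe_header_value()` only when you must reuse an existing identifier.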
After you have submitted the Domestic Immediate Payment (DIP), you need to make a GET payment status call to get the status of the DIP payment.
API: GET /domestic-payments/{DomesticPaymentId}
On 1st February 2023 our sandbox environment moved domains.
The domain names that were impacted are as follows.
Well-known
- Previous Domain: apionline.obtpp.nationwideinterfaces.io
- Replacement Domain: obonline.developer.nationwide.co.uk
Sandbox
- Previous Domain: api.obtpp.nationwideinterfaces.io
- Replacement Domain: obapi.developer.nationwide.co.uk
There is no redirection from the deprecated domains to the replacement domains.
All requests to *.nationwideinterfaces.io domains will fail.
For more details on our implementation, please see here
Please note that space, " # & ' ( ) - / { } are the only special characters allowed in all Payments (PISP) request payloads.
We do not support International Payments. For Domestic Payments and Standing Orders the minimum payment amount is 0.01 and the maximum is a 14-character amount value including the decimal point and 2 decimal places. For DSO and DSP, the maximum is 25,000 GBP.
Since 31st October 2023, Nationwide has been returning two additional payment statuses in responses to payment status requests from TPPs.
The full list of statuses returned by Nationwide is below, with the new additions in bold.
- Pending
- AcceptedSettlementInProcess
- AcceptedSettlementCompleted
- Rejected
- AcceptedWithoutPosting
- AcceptedCreditSettlementCompleted
In response to some queries that we have had from TPPs, we would like to confirm that the following statuses can be treated as a final status.
- Rejected
- AcceptedWithoutPosting
- AcceptedCreditSettlementCompleted
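Since only three of the six statuses are final, a TPP that stops polling at AcceptedSettlementCompleted will miss the terminal outcome. The following added example (not Nationwide's code) encodes the status lists above and polls GET /domestic-payments/{DomesticPaymentId} with a backoff until a final status is seen; the HTTP call is injected as `fetch_status` so the real client (mTLS, access token) can be dropped in, and `canned_fetcher` replays a constructed status sequence for local testing.

```python
import time
from typing import Callable, Dict, List

# Statuses the FAQ lists as returned by GET /domestic-payments/{DomesticPaymentId}
ALL_STATUSES = {
    "Pending",
    "AcceptedSettlementInProcess",
    "AcceptedSettlementCompleted",
    "Rejected",
    "AcceptedWithoutPosting",
    "AcceptedCreditSettlementCompleted",
}
# The subset the FAQ confirms can be treated as final
FINAL_STATUSES = {"Rejected", "AcceptedWithoutPosting", "AcceptedCreditSettlementCompleted"}


def is_final_status(status: str) -> bool:
    """True if polling can stop because the status will not change again."""
    if status not in ALL_STATUSES:
        # Fail loudly on an unknown value so a future addition (as happened in
        # October 2023) is noticed instead of being silently polled forever.
        raise ValueError(f"unexpected payment status: {status!r}")
    return status in FINAL_STATUSES


def poll_payment_status(
    fetch_status: Callable[[str], str],
    payment_id: str,
    max_attempts: int = 10,
    initial_delay: float = 1.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, object]:
    """Poll until a final status or until the attempt budget is exhausted.

    The delay doubles each attempt (capped at 30 s) so the client backs off
    instead of hammering the endpoint and earning a 429 Too Many Requests.
    """
    delay = initial_delay
    history: List[str] = []
    for attempt in range(1, max_attempts + 1):
        status = fetch_status(payment_id)
        history.append(status)
        if is_final_status(status):
            return {"payment_id": payment_id, "status": status, "final": True,
                    "attempts": attempt, "history": history}
        if attempt < max_attempts:
            sleep(delay)
            delay = min(delay * 2, 30.0)
    return {"payment_id": payment_id, "status": history[-1], "final": False,
            "attempts": max_attempts, "history": history}


def canned_fetcher(sequence: List[str]) -> Callable[[str], str]:
    """Fake fetch_status that replays a constructed sequence, repeating its last value."""
    iterator = iter(sequence)
    last = {"status": None}

    def fetch(_payment_id: str) -> str:
        try:
            last["status"] = next(iterator)
        except StopIteration:
            pass  # sequence exhausted: keep returning the last status
        return last["status"]

    return fetch
```

A result with `final` false should be treated as "still pending" and scheduled for a later poll, not as a failure.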
Account Balance will be returned in the following format:
For Current Account
- CurrentBalance will be translated to InterimBooked
- AvailableBalance will be translated to InterimAvailable
For Credit Cards
- CurrentBalance will be translated to ClosingAvailable
- AvailableBalance will be translated to InterimAvailable
Make sure you first register with the FCA or National Competent Authority of your host country and enrol with the Open Banking Directory. We can’t register any unenrolled organisation.
Next, you will need to register your application with us. Details on how to do this can be found on the Open Banking Directory Developer site. We only support application registration (onboarding) through APIs – there’s no manual process for this. You’ll need to use the POST /register API.
Once your registration is complete, we’ll send you some client information; you can then use this to identify your application in all future Open Banking service requests. This information is important and must be held securely and not be shared with anyone.
Here are some common onboarding tips to help you register first time:
- redirect_uris: Should match your TPP software statement, issued by the OBIE. Your redirect_uri parameter can be 2,000 characters or fewer.
- software_id: Should be the software_client_id value taken from the SSA.
- scope: This should match what is on your SSA and should be written as "openid" followed by "accounts", "payments" or "fundsconfirmations" depending on your app. These can also be grouped to support multiple scopes for your app, e.g. "openid accounts payments fundsconfirmations".
- exp: The expiry date should be in Unix timestamp format and not wrapped in speech marks.
- iss value: The value in the outer JWT should match the software_id found in your SSA.
- aud value: This value should be taken from the well-known endpoint.
- iat: This value should be the time at which the request is issued by you. It should be provided in Unix timestamp format and not wrapped in speech marks.
- token_endpoint_auth_method: Your token_endpoint_auth_method should be "tls_client_auth" or "private_key_jwt".
- content-type: Should be "application/JWT" only.
- response-types: Must be "code id_token" only.
- jti: A unique identifier for the JWT. The value must be a UUIDv4 GUID.
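Most first-time registration failures are in the claim set rather than the signature, so it pays to assemble the claims from the SSA and check them against the tips above before signing. The following is an added example (not Nationwide's or the OBIE's code) that builds the outer claims for POST /register and runs a pre-flight check over them. The `ssa` dictionary is a constructed stand-in for the decoded SSA payload, the `aud` value and `ttl_seconds` are assumptions, and PS256 signing of the result with a JOSE library is not shown.

```python
import time
import uuid
from typing import Dict, List, Optional

# Values the FAQ fixes for every registration request
ALLOWED_AUTH_METHODS = {"tls_client_auth", "private_key_jwt"}
SCOPE_ORDER = ("accounts", "payments", "fundsconfirmations")  # listed after "openid"
RESPONSE_TYPES = ["code id_token"]
MAX_REDIRECT_URI_LEN = 2000
REGISTRATION_CONTENT_TYPE = "application/JWT"  # as the FAQ writes it; media types are case-insensitive


def build_registration_claims(ssa: Dict[str, object], aud: str,
                              now: Optional[int] = None, ttl_seconds: int = 300) -> dict:
    """Assemble the outer JWT claims for POST /register from the parsed SSA.

    ssa is a constructed stand-in for the decoded SSA payload with the keys
    software_client_id, software_redirect_uris, requested_scopes and raw.
    aud is the value read from the well-known endpoint. ttl_seconds is an
    assumption: the FAQ only requires exp to be an unquoted Unix timestamp.
    """
    now = int(time.time()) if now is None else now
    scopes = [s for s in SCOPE_ORDER if s in ssa["requested_scopes"]]
    return {
        "iss": ssa["software_client_id"],          # outer iss = software_id from the SSA
        "aud": aud,
        "iat": now,                                # integer, never a quoted string
        "exp": now + ttl_seconds,
        "jti": str(uuid.uuid4()),                  # fresh UUIDv4 per request
        "software_id": ssa["software_client_id"],
        "redirect_uris": list(ssa["software_redirect_uris"]),
        "scope": " ".join(["openid"] + scopes),
        "token_endpoint_auth_method": "private_key_jwt",
        "response_types": RESPONSE_TYPES,
        "software_statement": ssa["raw"],          # assumption: the signed SSA JWT travels in this claim
    }


def check_registration_claims(claims: dict, ssa: dict) -> List[str]:
    """Pre-flight the claims against the onboarding tips; returns the problems found."""
    problems: List[str] = []
    for key in ("iat", "exp"):
        value = claims.get(key)
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{key} must be an unquoted Unix timestamp integer")
    if isinstance(claims.get("iat"), int) and isinstance(claims.get("exp"), int) \
            and claims["exp"] <= claims["iat"]:
        problems.append("exp must be later than iat")
    for key in ("iss", "software_id"):
        if claims.get(key) != ssa["software_client_id"]:
            problems.append(f"{key} must equal the SSA software_client_id")
    uris = claims.get("redirect_uris") or []
    if not uris:
        problems.append("redirect_uris must not be empty")
    for uri in uris:
        if uri not in ssa["software_redirect_uris"]:
            problems.append(f"redirect_uri not present in the SSA: {uri}")
        if len(uri) > MAX_REDIRECT_URI_LEN:
            problems.append(f"redirect_uri exceeds {MAX_REDIRECT_URI_LEN} characters")
    parts = str(claims.get("scope", "")).split()
    if not parts or parts[0] != "openid":
        problems.append('scope must begin with "openid"')
    unsupported = sorted(set(parts[1:]) - set(SCOPE_ORDER))
    if unsupported:
        problems.append(f"scope contains unsupported values: {unsupported}")
    if len(parts) < 2:
        problems.append("scope must name at least one of accounts, payments, fundsconfirmations")
    if claims.get("token_endpoint_auth_method") not in ALLOWED_AUTH_METHODS:
        problems.append("token_endpoint_auth_method must be tls_client_auth or private_key_jwt")
    if claims.get("response_types") != RESPONSE_TYPES:
        problems.append('response_types must be exactly ["code id_token"]')
    try:
        jti_ok = uuid.UUID(str(claims.get("jti"))).version == 4
    except ValueError:
        jti_ok = False
    if not jti_ok:
        problems.append("jti must be a UUIDv4")
    if not claims.get("aud"):
        problems.append("aud must be the value taken from the well-known endpoint")
    return problems
```

Run `check_registration_claims` on the exact dictionary you are about to sign; the string-versus-integer check on `exp` and `iat` catches the "wrapped in speech marks" mistake that a JSON serialiser will otherwise happily encode.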
Yes we do.
If the Third Party is requesting to re-authorise the same list of accounts from the initial authorisation, the PSU (NBS Member) will skip the ‘account selection’ step of the Digital journey and be directed back to the Third Party once they have authenticated in our channel.
We currently do not offer this functionality, but are looking to include it in the future.
We support the authentication exemption, which means that you will be able to set up enduring access to 90 days' worth of balances and transactions data via a single authentication of the customer (PSD2 RTS Article 10).
- When authentication is completed, you will be able to access all account information the customer has agreed to share during the initial session (1 hour duration), including up to 15 months of transactions data for Personal Current Accounts, and up to 90 days of transactions data for Credit Cards.
- Subsequent requests for Balance and Transaction data no more than 90 days old will not need to be reauthenticated until the authorisation has expired
- Where requests are made for account information other than Balances or Transactions, or for data more than 90 days old, a reauthentication is required. We will return a 401 (Unauthenticated/Unauthorised) HTTP code to inform you where this scenario occurs.
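The three bullets above, together with the transaction-history limits stated earlier (15 months for Current Accounts in the first hour, 90 days for Credit Cards), form a policy a TPP can evaluate locally before making a call, so that a predictable 401 is avoided and the Member is only re-sent through authentication when it will actually help. The following is an added example (not Nationwide's code) that encodes that policy; the account-type and resource names, the `months_before` day clamp and the treatment of data older than what is held as "unavailable" are this example's own assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

INITIAL_SESSION = timedelta(hours=1)       # the first hour after authorisation
UNATTENDED_WINDOW = timedelta(days=90)     # data age allowed under the Article 10 exemption
CURRENT_ACCOUNT_HISTORY_MONTHS = 15        # current accounts only, and only in the first hour
UNATTENDED_RESOURCES = {"balances", "transactions"}   # the only resources served without the Member


def months_before(when: datetime, months: int) -> datetime:
    """Calendar-month subtraction. Simplification (assumption): the day of
    month is clamped to 28 so the result is always a valid date."""
    year, month = when.year, when.month - months
    while month <= 0:
        month += 12
        year -= 1
    return when.replace(year=year, month=month, day=min(when.day, 28))


def oldest_permitted(account_type: str, now: datetime, in_initial_session: bool) -> datetime:
    """Earliest transaction date the consent covers at this moment."""
    if in_initial_session and account_type == "current_account":
        return months_before(now, CURRENT_ACCOUNT_HISTORY_MONTHS)
    # Credit cards always, and current accounts once the first hour has passed
    return now - UNATTENDED_WINDOW


def access_decision(account_type: str, resource: str, authorised_at: datetime,
                    expires_at: datetime, now: datetime,
                    requested_from: Optional[datetime] = None) -> str:
    """Classify a planned AIS call before sending it.

    Returns "allowed", "reauthenticate" (the API would answer 401), "expired"
    (the authorisation itself has lapsed) or "unavailable" (older than the
    history held for this account type even with the Member present).
    """
    if now >= expires_at:
        return "expired"
    in_initial_session = now - authorised_at <= INITIAL_SESSION
    wants_old_data = (
        resource == "transactions"
        and requested_from is not None
        and requested_from < oldest_permitted(account_type, now, in_initial_session)
    )
    if in_initial_session:
        return "unavailable" if wants_old_data else "allowed"
    if resource not in UNATTENDED_RESOURCES or wants_old_data:
        return "reauthenticate"
    return "allowed"
```

A scheduler that refreshes balances and recent transactions unattended can call `access_decision` first and queue a Member-present journey only for the "reauthenticate" and "expired" outcomes.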
As well as using our Developer Portal UI to access our Sandbox, you can also call our APIs direct from your application by using the below URL followed by the endpoint information that you wish to call.
https://obapi.developer.nationwide.co.uk
The only exception to this is if you are calling our GET /.well-known endpoint where you will need to use the below URL.
https://obonline.developer.nationwide.co.uk/open-banking/.well-known/openid-configuration
If you want to take a look at our Member authorisation journeys, you can find these on our Implementation Guide.
If we receive more than four requests for data where the Member is not present from a third party within a 24hr period, we will process requests on the understanding that the third party (AISP) has obtained consent from our Member to request data more frequently.
- Open Data APIs are available to everyone in our production environment hence they are not part of our Sandbox.
- Here in our Sandbox environment, we have provided a number of test accounts covering a multitude of scenarios that can be used to fully test your application. In live, you will be using Member's real data.
- We are providing a simulated Customer Auth UI where authorisations will be consented to, by default, as there is no Member present in this journey.
- To test out expiration of a consent, you will need to wait for the test account’s authorisation to expire.
- To test revocation of a consent, you will need to create an authorisation on a test account and then delete it by calling the DELETE endpoint for that consent. You can then come back and call your chosen test account to cover this scenario.
If you double URL encode, your calls to both the OAuth token endpoint and GET /authorize will fail.
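Double encoding usually creeps in when a value such as redirect_uri is percent-encoded by hand and then handed to a query builder that encodes it again. The following added example (not Nationwide's code) builds the GET /authorize query with a single encoding pass and includes a check that flags any parameter which still decodes further after one decode; the parameter values are constructed placeholders.

```python
import urllib.parse
from typing import Dict, List


def build_authorize_query(params: Dict[str, str]) -> str:
    """Encode the /authorize query exactly once.

    urlencode percent-encodes every value itself, so callers must pass raw
    (unencoded) strings. quote_via=quote makes spaces "%20" rather than "+";
    either is a single encoding.
    """
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def double_encoded_params(query: str) -> List[str]:
    """Return the names of parameters that appear to be double encoded.

    parse_qs decodes each value once; if a value still changes under a second
    unquote it carried percent-escapes inside the first layer (e.g. %253A ->
    %3A -> ':'). Heuristic: a legitimately literal "%XX" in a value would also
    be flagged, which is rare in OAuth parameters and worth a look anyway.
    """
    flagged = []
    for name, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if urllib.parse.unquote(value) != value:
                flagged.append(name)
                break
    return flagged
```

Run `double_encoded_params` over the final query string your client emits (for example in a unit test of the URL builder); an empty list means every value was encoded exactly once.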
From 13 March, we will only accept requests signed with the PS256 signing algorithm in both the live and Sandbox services.
Our payloads and ID Tokens will be signed using PS256.
You can deregister an app, or your entire account, by getting in touch with our team through our Support page. We'll let you know once we've done it.
APIs for version 3 now return granular error codes. All previous APIs return standard HTTP codes. The HTTP codes used within Nationwide Open Banking APIs are:
- 400 (Bad Request)
- 401 (Unauthenticated/Unauthorised)
- 404 (Not Found)
- 403 (Forbidden)
- 429 (Too Many Requests)
- 500 (Internal Server Error)
- 503 (Services unavailable or too busy)
For more details, refer to the detailed API specifications available on the central industry Open Banking website.
A summary of our technical documentation can be found on our Implementation Guide.
Below is a list of the APIs and versions available in live and the Sandbox
Accounts, Payments, Transactions and Funds Confirmation APIs

| Endpoint Name | API Type | Live | Sandbox |
|---|---|---|---|
| POST /account-access-consents | AIS | v3.1 | v3.1 |
| GET /account-access-consents/{ConsentId} | AIS | v3.1 | v3.1 |
| DELETE /account-access-consents/{ConsentId} | AIS | v3.1 | v3.1 |
| GET /accounts | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId} | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/balances | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/transactions | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/beneficiaries | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/direct-debits | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/standing-orders | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/product | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/offers | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/scheduled-payments | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/statements | AIS | v3.1 | v3.1 |
| GET /accounts/{AccountId}/statements/{StatementId}/file | AIS | v3.1 | v3.1 |
| POST /domestic-payment-consents | PIS | v3.1 | v3.1 |
| GET /domestic-payment-consents/{ConsentId} | PIS | v3.1 | v3.1 |
| POST /domestic-payments | PIS | v3.1 | v3.1 |
| GET /domestic-payments/{DomesticPaymentId} | PIS | v3.1 | v3.1 |
| POST /domestic-scheduled-payment-consents | PIS | v3.1 | v3.1 |
| GET /domestic-scheduled-payment-consents/{ConsentId} | PIS | v3.1 | v3.1 |
| POST /domestic-scheduled-payments | PIS | v3.1 | v3.1 |
| GET /domestic-scheduled-payments/{DomesticScheduledPaymentId} | PIS | v3.1 | v3.1 |
| POST /domestic-standing-order-consents | PIS | v3.1 | v3.1 |
| GET /domestic-standing-order-consents/{ConsentId} | PIS | v3.1 | v3.1 |
| POST /domestic-standing-orders | PIS | v3.1 | v3.1 |
| GET /domestic-standing-orders/{DomesticStandingOrderId} | PIS | v3.1 | v3.1 |
| POST /funds-confirmation-consents | CoF | v3.1 | v3.1 |
| GET /funds-confirmation-consents/{ConsentId} | CoF | v3.1 | v3.1 |
| DELETE /funds-confirmation-consents/{ConsentId} | CoF | v3.1 | v3.1 |
| POST /funds-confirmations | CoF | v3.1 | v3.1 |
| GET /domestic-payment-consents/{ConsentId}/funds-confirmation | CoF | v3.1 | v3.1 |
| GET /accounts/{AccountId}/parties | AIS | v3.1 | v3.1 |
| POST /event-subscriptions | Events | v3.1 | v3.1 |
| POST /events | Events | v3.1 | v3.1 |
| POST /domestic-vrp-consents | PIS | v3.1 | v3.1 |
| GET /domestic-vrp-consents/{ConsentId} | PIS | v3.1 | v3.1 |
| DELETE /domestic-vrp-consents/{ConsentId} | PIS | v3.1 | v3.1 |
| POST /domestic-vrp-consents/{ConsentId}/funds-confirmation | PIS | v3.1 | v3.1 |
| POST /domestic-vrps | PIS | v3.1 | v3.1 |
| GET /domestic-vrps/{DomesticVRPId} | PIS | v3.1 | v3.1 |

Open Data APIs

| Endpoint Name | API Type | Live | Sandbox |
|---|---|---|---|
| ATM | Open Data | v2.2 | N/A |
| Branch | Open Data | v2.2 | N/A |
| Personal Current Accounts | Open Data | v2.2 | N/A |
| FCA Service Metrics | Open Data | v1 | N/A |

Utility APIs

| Endpoint Name | API Type | Live | Sandbox |
|---|---|---|---|
| GET /.well-known | Utility API | Versionless | Versionless |
| GET /authorize | Utility API | Versionless | Versionless |
| POST /register | Utility API | Versionless | Versionless |
| POST /token | Utility API | Versionless | Versionless |