How To

Using our Sandbox Portal

 

Changes to DCR 

We have introduced some significant changes to the DCR payload.

The token_endpoint_auth_method in the registration payload should now have one of two values, which will require the inclusion of further claims in the payload:

  1. private_key_jwt - Will expect the inclusion of the id_token_signed_response_alg claim
  2. tls_client_auth - Will expect the inclusion of the tls_client_auth_subject_dn claim

Changes to /token endpoint

As of the end of April the client secret basic authentication is deprecated. This means that you will either need to use tls_client_auth or private_key_jwt mechanisms to authenticate. We briefly supported backward compatibility to support client basic authentication during a transition period but this has now been removed in the Sandbox environment

These claims are mandatory in their respective scenarios, and must not be included in the alternative scenario

Devportal New Swagger UI Changes

With recent UI changes to Devportal, all the API pages has its relevant sub pages. To use our deveportal swagger UI, you need to import certificate into your browser (Please see more information here:https://developer.nationwide.co.uk/importing-network-certificate).

How to use Devportal Swagger UI

Once you have successfully registered your app, you can start using our Sandbox either by using Devportal UI or directly calling from your app/environment . We have created a number of test accounts (See Personas page: https://developer.nationwide.co.uk/personas) for both Current Accounts (AIS, PIS and COF) and Credit Cards (AIS and COF) to allow you to test a wide range of different scenarios that you would experience in live.

Example Steps for Account Information API’s

  1. Click on API drop-down and select any API, example Account Information API’s
  2. Select relevant sub section from left hand side menu
  3. Click on “Try it Out ” button

 

Try it out

 

 

1. Request Client Credentials Token

The interface for the post token endpoint can be found under the Utility API via the “Open Banking API > API Menu drop down > Utility API” at the top. Below is an example of what should be included in your API call. The fields marked in curly brackets are those which you will enter based on the details of the registered app you are using.

 

Access Token

 

2.Request Account Consent

Before retriving any Account Information, you need to have a Account Access Consent.

Once you have received Client Credentials Token (from above step:1) returned from a successful POST /token call, you can use this for either the AIS, PIS or COF consent APIs (listed below) to retrieve a ConsentId.

Please see more information here for AISP Account Consent Access:https://openbankinguk.github.io/read-write-api-site3/v3.1.7/resources-and-data-models/aisp/account-access-consents.html#overview

AIS

 

POST /account-access-consents

The interface for the PostAccountConsent endpoint can be found under the Account API via the API Menu drop down at the top

PIS

 

POST /domestic-payment-consents POST /domestic-scheduled-payment-consents POST /domestic-standing-order-consents

The interface for the PostAccountConsent endpoint can be found under the Paymnets API via the API Menu drop down at the top

COF

 

POST /funds-confirmation-consents

The interface for the PostAccountConsent endpoint can be found under the Funds Confirmation API via the API Menu drop down at the top

 

3.Get Authorize

Our sandbox environment uses a mocked version of the Customer Authorisation journey to replicate the Customer Authorising the Access Request without requiring customer interaction though the UI.

Now we have a valid ConsentId (Retirevd from step:2) from calling either an AIS, PIS or COF consent endpoint, we can use this Id in your next call to the GET /authorize endpoint to allow for the PSU to authorise the payment or account information request. Please note, currently this require you to pass Network Certificate in the request.

 

4.Request Access Token

Access Token can be used to Access the other APIs.

If successful, we will return an Authorization Code, embedded in your redirect URI we return, which can be used to recall the POST /token endpoint, with grant type authorization code. From this second token call, you will receive Access Token (and a refresh token for AIS journeys) to start calling our AIS, PIS or COF APIs, depending on your app scope.

 

Using our Sandbox via your App/Environment

As well as using our Developer Portal UI to access our Sandbox, you can also call our APIs directly from your application/Envirrronment, which is also referred to as a headless journey. You can do this once you have registered your app, by hitting our POST /oauth/token endpoint.

You can follow the same steps as above although your call details will need to be as below for your initial headless POST /token call.

Example tls_client_auth

curl -X POST https://api.obtpp.nationwideinterfaces.io/open-banking/oauth/token -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&scope={App scope}&client_id={client_id}".