API Reference
Start typing to search…

Account information

Your requests contain data and to ensure its authenticity, you are required to sign the requests while using Rabobank APIs.

Reference: Signature draft

Start with sandbox

We recommend that you first develop your application using the Sandbox environment in the Rabobank developer portal. Read Get Started to set up your account.

Get the signing certificate

Use the following certificates based on your API:

  • PSD2 – An eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.
  • Premium – An EV SSL certificate for transport and an EV SSL signing certificate for signing messages.
    • Rabobank accepts:
      • EV SSL certificates from the certificate issuers listed in the Mozilla CA Certificate report.
      • X.509 format.
      • RSA: key length should be at least 2048-bit.
      • Certificate should be valid for a maximum of one year.

In case you don't yet have an official certificate, you can use an example certificate for Sandbox.

⤓ cert.pem ⤓ key.pem

👍

You can use these certificates to recreate the code example as shown below.

🚧

The signing certificate is sent with a signing request but not stored on the Rabobank developer portal. If you want to change/replace it, you can make changes on your own system. You can also choose to have two valid certificates when allowed by your system.

Create the digest

The digest is a base64 encoded hash of the body, example: Base64(SHA512(body))

  1. Pass the body of your request (or an empty string if there is no body) through a hashing algorithm.
    📘

    We recommend using SHA 512 but you can also choose to use SHA 256.

  2. Make sure the hashed output is in binary format.
  3. Base64 encode the output.
  4. Add the result to your digest header declaring the used hashing algorithm, i.e. (RSA-SHA512/RSA-SHA256).

Example digest header

An example of the digest header for an empty body using SHA-512:

PSD2 - Account Information
sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Premium - Business Account Insight
sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Premium - Account Notification Service
{"account":{"iban":"NL52RABO0125618484","currencyCode":"EUR"},"transactionCriteria":{"raboDetailedTransactionType":356,"amount":{"minTransactionAmount":100,"maxTransactionAmount":500},"transactionType":"DEBIT","remittanceInformationStructured":"Ref111*","remittanceInformationUnstructured":"Parking fine*","raboTransactionTypeName":"EI","endToEndId":"R23-972838E*"},"endDate":"2027-12-03T14:07:56.302663Z","pushUri":"https://tpp.com/notify"}
sha-512=YwsbNchoFOeQku7TeKjq/bKCmxEUGaF6m1cuUaG4UvNg9cMJ+hkelyriTgIxC56Yv8zCkWe7VQ2/s6cT+wEZyA==
Premium - Batch Transaction Details
sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
🚧

Due to security regulation, spaces or line breaks between JSON elements cause incorrect digest error.

Create the signing string

The signing string contains several headers separated by line breaks.

👍

The order is not crucial, as long as you define them in the same order in the signature header.

Signing headers per API

ParameterRequiredRemark
dateYes-
digestYes-
x-request-idYes-
tpp-redirect-uriNoMandatory for HTTP POST requests
tpp-nok-redirect-uriNoThis field should be included as a header of the HTTP POST request

Example signing string

Examples of the signing string for various APIs:

PSD2 - Account Information
date: Tue, 13 Sep 2022 09:51:01 GMT  
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg== 
x-request-id: 95126d8f-ae9d-4ac3-ac9e-c357dcd78811
Premium - Business Account Insight
date: Thu, 18 Mar 2021 15:10:46 GMT  
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg== 
x-request-id: e9c96b7e-8470-410a-937c-396fe9512fea
Premium – Account Notification Service
date: Tue, 15 May 2024 08:12:31 GMT
digest: sha-512=YwsbNchoFOeQku7TeKjq/bKCmxEUGaF6m1cuUaG4UvNg9cMJ+hkelyriTgIxC56Yv8zCkWe7VQ2/s6cT+wEZyA==
x-request-id: 594d27d0-26d7-47dc-9d62-c307616220b6
Premium - Batch Transaction Details
date: Tue, 15 Nov 2020 08:12:31 GMT
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
x-request-id: 594d27d0-26d7-47dc-9d62-c307616220b6

Sign using your Private key

The signature is the signing string signed with the private key: Base64(RSA-SHA512(signing_string))

  1. Create the signing string.
  2. Sign it using the hashing algorithm you used (RSA-SHA512/RSA-SHa256) and the private key of the signing certificate.
  3. Base64 encode the output.

Example signature

Examples of the signature for various APIs:

PSD2 - Account Information
t7b3deOMrTmOs+mjuY43mMcgpttrIWrkEGRmdEXaiurqrl0BO9hPOk4k+7OKmPWbxqE8nBFFSVSDU7+t84cUdjB3VTsl94rPuPVj/4XKwrqzKcmPHQHZ87ENPHWSFEDuOnub0FrJ4pUImsZpbenkZX+I80MElJQ337jp904JzyA+WKi7SzPjgGTUGlujhRUu3kU4TDNkcLIaBrcok9mXFlJSZQuNaaKfz4kqeaBpG2p3ZjcICnuE1aYFu5VZoniJd3Bi3n0ygVyb/9BaGHYMYvDvKHHtw6So8YGTTO+LnLZmOTgjXKhDIdBOgtJ4PWxvrp0Iid/YaM+BHqZPu4N1bw==
Premium - Business Account Insight
aS6D/cKMgEnAES6yVpKs2AjkxbPReF760F8hDHXLZ2ic0OFI84eIjRl2DYLJc4EPjNcsYvxaSyPypJvMnOiU3gnj4vrs/PrR5A/x2COA9fe6OwJThfLTPxeXoRxxw6sGEjRCrF06sY/IKmRPdp4AjVzYfBeAeshjzr/icghp/Zzi4DOOBp+39bdWUJDCVHM9m0V/LRM18xdJtBKssP6Wzy5wncCmk7fHm1nLD31N+SARYcPuMutGHgIwQrNB/czR3e6g7o+2C8J0nC0kPM95VBWAyChTOqPsvcBHKcxreZe9aNywclpVOtXJit05q3O3PfLvJHH3QoPTRpzsP38pOw==
Premium - Account Notification Service
FHTbTEpqnJMDXaRoCd2U7e8Cdigm1yuDAdFPBmF5u7y+Gb6rhpzQ0ZXnrrmlz99ZqQfHYf3x0c2QBdyITn/M/8xbN6WZWCT6VJ5mhXqe4B3DEnaYkg3U11Dda1Zyw9p+cptzcMOEFDO6JH/biB3R57Vi28WHTgdishq+BmzFDw9mjxYOs2+LUAD1ExnAvl5ZcpJKZvsHdqLZPyVDq5YedTgAUAIhfPCRj+eF4qQv5pKJxjGANiwCif5BrVhKTcJ/gYo865xeAQBeAXuIWiq1QIjEyJrwZk0aErVhAo75B0fy5xPFEn6VJLRStuxnrE+mEgasp+H7RDYMdmmFvzSW2A==
Premium - Batch Transaction Details
ckfJsOBu3DRPVQzqIpwte8tUMxg6Mb6ThuA7hH3LuvZtjr8DS4OIKCRPTuC0IgyoCsUciD4CIa2hOWTZHf5tdQsXpruyem7GldFUA2zQFErC9wtAFxGSRs4f+sIKiX5knY//snxlq7xrZVtLc/jqBOBvy/X771SE2GIjtODVO3dcjXR5lnFIc+7uQBSXji9q13JhdJrkNJQt+XlbE0Z5FDTWsu1ZfLa+5Ky7S7+RGANyI02nCekHYc3Un8qdv3g46zw1TubL+HtZyao9mUor576jGiI/gBu9in/IXbZ7typ9kaAmN9iNR1Cw/9sbPJUtydTt1TWn0JWifPtr/+FjBQ==

Create the Signature header

The signature header consists of the following components:

Component Example Description

keyId    

$ openssl x509 -in cert.pem -noout -text

The serial number of the certificate as defined in 'TPP-Signing-Certificate' header. The format should be Integer not hex. You can use the openssl command line tool to find the serial number.

algorithm

rsa-sha512

Specify which algorithm was used when generating the signature:

  • rsa-sha512
  • rsa-sha256

headers  

"date digest x-request-id"

The list of headers contained in the signature:

  • lowercase
  • separated by a space
  • in the same order as they have in the signing string

signature

The result created at step Sign using your Private key

Example signature header

The resulting signature header for our example:

PSD2 - Account Information
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="t7b3deOMrTmOs+mjuY43mMcgpttrIWrkEGRmdEXaiurqrl0BO9hPOk4k+7OKmPWbxqE8nBFFSVSDU7+t84cUdjB3VTsl94rPuPVj/4XKwrqzKcmPHQHZ87ENPHWSFEDuOnub0FrJ4pUImsZpbenkZX+I80MElJQ337jp904JzyA+WKi7SzPjgGTUGlujhRUu3kU4TDNkcLIaBrcok9mXFlJSZQuNaaKfz4kqeaBpG2p3ZjcICnuE1aYFu5VZoniJd3Bi3n0ygVyb/9BaGHYMYvDvKHHtw6So8YGTTO+LnLZmOTgjXKhDIdBOgtJ4PWxvrp0Iid/YaM+BHqZPu4N1bw=="
Premium - Business Account Insight
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="aS6D/cKMgEnAES6yVpKs2AjkxbPReF760F8hDHXLZ2ic0OFI84eIjRl2DYLJc4EPjNcsYvxaSyPypJvMnOiU3gnj4vrs/PrR5A/x2COA9fe6OwJThfLTPxeXoRxxw6sGEjRCrF06sY/IKmRPdp4AjVzYfBeAeshjzr/icghp/Zzi4DOOBp+39bdWUJDCVHM9m0V/LRM18xdJtBKssP6Wzy5wncCmk7fHm1nLD31N+SARYcPuMutGHgIwQrNB/czR3e6g7o+2C8J0nC0kPM95VBWAyChTOqPsvcBHKcxreZe9aNywclpVOtXJit05q3O3PfLvJHH3QoPTRpzsP38pOw=="
Premium - Account Notification Service
Signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="FHTbTEpqnJMDXaRoCd2U7e8Cdigm1yuDAdFPBmF5u7y+Gb6rhpzQ0ZXnrrmlz99ZqQfHYf3x0c2QBdyITn/M/8xbN6WZWCT6VJ5mhXqe4B3DEnaYkg3U11Dda1Zyw9p+cptzcMOEFDO6JH/biB3R57Vi28WHTgdishq+BmzFDw9mjxYOs2+LUAD1ExnAvl5ZcpJKZvsHdqLZPyVDq5YedTgAUAIhfPCRj+eF4qQv5pKJxjGANiwCif5BrVhKTcJ/gYo865xeAQBeAXuIWiq1QIjEyJrwZk0aErVhAo75B0fy5xPFEn6VJLRStuxnrE+mEgasp+H7RDYMdmmFvzSW2A=="
Premium - Batch Transaction Details
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="ckfJsOBu3DRPVQzqIpwte8tUMxg6Mb6ThuA7hH3LuvZtjr8DS4OIKCRPTuC0IgyoCsUciD4CIa2hOWTZHf5tdQsXpruyem7GldFUA2zQFErC9wtAFxGSRs4f+sIKiX5knY//snxlq7xrZVtLc/jqBOBvy/X771SE2GIjtODVO3dcjXR5lnFIc+7uQBSXji9q13JhdJrkNJQt+XlbE0Z5FDTWsu1ZfLa+5Ky7S7+RGANyI02nCekHYc3Un8qdv3g46zw1TubL+HtZyao9mUor576jGiI/gBu9in/IXbZ7typ9kaAmN9iNR1Cw/9sbPJUtydTt1TWn0JWifPtr/+FjBQ=="

Create a header containing the certificate

In order to verify your signature, you are required to send us a public certificate in a request Header.

To do so:

  1. Strip the pem certificate from its begin and end tags.
  2. Remove all the line breaks.

Example

The result with our example certificate would be:

PSD2
TPP-Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==
Premium
Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==

More information on signatures

See: https://tools.ietf.org/html/draft-cavage-http-signatures-10 https://tools.ietf.org/html/rfc3230