API Reference
Start typing to search…

Bulk payments

Your requests contain data and to ensure its authenticity, you are required to sign the requests while using some Rabobank APIs.

Reference: Signature draft

Start with sandbox

We recommend that you first develop your application using the Sandbox environment in the Rabobank developer portal. Read Get Started to set up your account.

Get the signing certificate

Use the following certificates based on your API:

  • PSD2 – An eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.
  • Premium – An EV SSL certificate for transport and an EV SSL signing certificate for signing messages.
    • Rabobank accepts:
      • EV SSL certificates from the certificate issuers listed in the Mozilla CA Certificate report.
      • X.509 format.
      • RSA: key length should be at least 2048-bit.
      • Certificate should be valid for a maximum of one year.

In case you don't yet have an official certificate, you can use an example certificate for Sandbox.

⤓ cert.pem ⤓ key.pem

👍

You can use these certificates to recreate the code example as shown below.

🚧

The signing certificate is sent with a signing request but not stored on the Rabobank developer portal. If you want to change/replace it you can make changes on your own system. You can also choose to have two valid certificates when allowed by your system.

Below we have shown an example of a signature using the above certificate to reproduce the resulting values.

Create the digest

The digest is a base64 encoded hash of the body, example: Base64(SHA512(body))

  1. Take the body of your request and include the metadata of the file.
  2. Pass the body of your request through a hashing algorithm.
    📘

    We recommend using SHA 512 but you can also choose to use SHA 256.

  3. Make sure the hashed output is in binary format.
  4. Base64 encode the output.
  5. Add the result to your digest header declaring the used hashing algorithm, i.e. (RSA-SHA512/RSA-SHA256).
  6. The boundary value is dynamically generated while making an HTTP request. This boundary value is mandatory for the metadata part.

Example metadata

Example of metadata (including SampleFile):

PSD2
--WebKitFormBoundaryOEFsgWLJCyxInJHO\r\n
Content-Disposition: form-data; name="xml_sct"; filename="SampleFile.xml"\r\n
Content-Type: application/xml\r\n
\r\n
<-content of SampleFile.xml->\r\n
--WebKitFormBoundaryOEFsgWLJCyxInJHO--\r\n
Premium - Business Bulk Payment Initiation
--WebKitFormBoundaryOEFsgWLJCyxInJHO\r\n
Content-Disposition: form-data; name="xml_sct"; filename="SampleFile.xml"\r\n
Content-Type: application/xml\r\n
\r\n
<-content of SampleFile.xml->\r\n
--WebKitFormBoundaryOEFsgWLJCyxInJHO--\r\n
Premium - Business Direct Debit
--WebKitFormBoundaryOEFsgWLJCyxInJHO\r\n
Content-Disposition: form-data; name="xml_dd"; filename="SampleFile.xml"\r\n
Content-Type: application/xml\r\n
\r\n
<-content of SampleFile.xml->\r\n
--WebKitFormBoundaryOEFsgWLJCyxInJHO--\r\n

Download and use the sample XML file below to reproduce the example values in this document. Please note: in the example values on this page a static boundary is used.

PSD2 – ⤓ SampleFile.xml

Premium

BBPI - ⤓ SampleFile.xml BDD - ⤓ SampleFile.xml

🚧

Due to security regulation, spaces or line breaks between JSON elements cause an incorrect digest error.

Example digest header

An example of the digest header with the examples above using SHA-512:

PSD2
digest: sha-512=CwpW0kD24czZzJkjcqBTZnADBlOUdDxQpH5dhdCPMHZTd1W+HbmUQPbKYpguvgmvZosvSEUI4taIJeujn3Npig==
Premium - Business Bulk Payment Initiation
digest: sha-512=j36brqM2uQlpXw7CvhiTiefid4MV9hWTJ8iD9L8XF3CoOG6pp5dhZOAybZOdXvildAfX0yzvlcTzeJc/MK3Xhg==
Premium - Business Direct Debit
digest: sha-512=06EL+s99pvPWCCPY1KsCdqSpOHrPbjWh5mDC3zk2I+F4v20cPlY+04rgkWB5waE11tZv1uYVGFnCagJEgwqyuA==

Create the signing string

The signing string contains several headers (depending on the API) separated by line breaks.

👍

The order is not crucial, as long as you define them in the same order in the signature header.

Signing headers per API

ParameterRequiredRemark
dateYes-
digestYes-
x-request-idYes-
psu-idNoThis field should be included as a header of the HTTP request
psu-corporate-idNoThis field should be included as a header of the HTTP request
tpp-redirect-uriNoMandatory for HTTP POST requests
tpp-nok-redirect-uriNoThis field should be included as a header of the HTTP POST request

Example signing string

Examples of the signing string for various APIs:

PSD2
date: Tue, 15 Dec 2020 10:34:45 GMT
digest: sha-512=CwpW0kD24czZzJkjcqBTZnADBlOUdDxQpH5dhdCPMHZTd1W+HbmUQPbKYpguvgmvZosvSEUI4taIJeujn3Npig==
x-request-id: fb88b462-60cc-48f8-b710-bd1620135d52
tpp-redirect-uri: https://www.rabobank.nl
Premium - Business Bulk Payment Initiation
date: Fri, 30 Jul 2021 10:30:00 GMT
digest: sha-512=j36brqM2uQlpXw7CvhiTiefid4MV9hWTJ8iD9L8XF3CoOG6pp5dhZOAybZOdXvildAfX0yzvlcTzeJc/MK3Xhg==
x-request-id: d65d4172-03fe-41f7-afd5-6f4ae50f73c4
Premium - Business Direct Debit
date: Fri, 30 Jul 2021 10:30:00 GMT
digest: sha-512=06EL+s99pvPWCCPY1KsCdqSpOHrPbjWh5mDC3zk2I+F4v20cPlY+04rgkWB5waE11tZv1uYVGFnCagJEgwqyuA==
x-request-id: d65d4172-03fe-41f7-afd5-6f4ae50f73c4

Sign using your Private key

The signature is the signing string signed with the private key: Base64(RSA-SHA512(signing_string))

  1. Create the signing string.
  2. Sign it using the hashing algorithm you used (RSA-SHA512/RSA-SHA256) and the private key of the signing certificate.
  3. Base64 encode the output.

Example signature

Examples of the signature for various APIs:

PSD2
Q+deIM5k+OPvy0+eIdh7ZvRmvB9cu/TW88Ni1C3jfIk2C+y9QkNuKP7olkCNALY5XexTkfYLJlpbcZWkQ0OipT05Mb7LNbbN91bl3bRTjEHIlJ0XCJzORHRlYWpY/HsaKrF8PfuQBM/i6xkbH1eGWaiRxV/lMChsXYRcw9ncVieRMLP1QGfyBKgF/ZbvSuXdjwvcD3BewL7U3O60mL/1BxqJRoXZRlvMPpO34/Tl8XDRccaW7hAA7+X46f57Ath1wqo6PxJZ4CTauAVWeUjJMGaGXcIyviYXWE4wFKZEaTFd28Jq7E5ZhOPrLYRDY+7fajOkQGg7TAeenIKnQ7oT5w==
Premium - Business Bulk Payment Initiation
JDuhqHy+aiJHg06zWkxmlAP4MT7xNpOh3JS2IW6WRk5dMIHB4VS0jyzxoYYwBUiSrl7TAoi4vnFp2O6iL5OjOE6t8vFgF8hW7Xb/2uri1uoPqzB6WvGXi+ji6f3oVPt5QGCwLp7a9Z+yA38DBHUwrwbziQqITWnvYvoxH/Y9VS/L50aBytRm+fyi4TlJFNXK2zcsf1kk8ttY/EgSns9JqRzcNUwj8Cy5Q136d81vg2aiYD+NVj+ae2h8ua/xzqQHIsHZ0HQzwLo3C03tGGG6Io1A2bJUN7xd191+ije63rbyrWsK+5RUZXGwqR9OZEA25V+FYDlr+gCojQ7TXkY4fw==
Premium - Business Direct Debit
Q2BRgXsdG5JML30HiYbIffvW0Id+Wj+XPPh25HlxFIECO52RsGZW4rUyNuUiXpwQn3xozZxeNV9y1BdeHv6WX0Tc0jjabcZkU4ts4SNau9kpGXRwyGoJ1VYlRTw48OEt5J1zqDQhlCX4HxRMksG9AvTxWzPPoLDbJAFD1id9kKRouKKcJhgGYsP6mLep6J9dvwpagS46/0WbbODxpUsRq3tvc7xH4Eq2JBc/3LB3Ree6kwDl0B4dtV+mdk86RYx1So5qYGFbAclDXVeuLjzfUGGHp3uqkpzIKN58FErKyJiRXpEKhfOT7otoESCXbuI45M/1x/c+1eMKj9sZlXYq4g==

Create the Signature header

The signature header consists of the following components:

Component Description

keyId

The serial number of the certificate as defined in the TPP-Signing-Certificate header, the format should be Integer not hex. You can use the openssl command line tool to find the serial number. For example:
$ openssl x509 -in cert.pem -noout -text

algorithm

Specify which algorithm was used when generating the signature: rsa-sha512 or rsa-sha256.

headers

The list of headers contained in the signature:

  • lowercase
  • separated by a space
  • in the same order as they have in the signing string.

signature

The result created at step Sign using your Private key.

Example signature header

The resulting signature header for our example:

PSD2
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id tpp-redirect-uri",signature="Q+deIM5k+OPvy0+eIdh7ZvRmvB9cu/TW88Ni1C3jfIk2C+y9QkNuKP7olkCNALY5XexTkfYLJlpbcZWkQ0OipT05Mb7LNbbN91bl3bRTjEHIlJ0XCJzORHRlYWpY/HsaKrF8PfuQBM/i6xkbH1eGWaiRxV/lMChsXYRcw9ncVieRMLP1QGfyBKgF/ZbvSuXdjwvcD3BewL7U3O60mL/1BxqJRoXZRlvMPpO34/Tl8XDRccaW7hAA7+X46f57Ath1wqo6PxJZ4CTauAVWeUjJMGaGXcIyviYXWE4wFKZEaTFd28Jq7E5ZhOPrLYRDY+7fajOkQGg7TAeenIKnQ7oT5w=="
Premium - Business Bulk Payment Initiation
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="JDuhqHy+aiJHg06zWkxmlAP4MT7xNpOh3JS2IW6WRk5dMIHB4VS0jyzxoYYwBUiSrl7TAoi4vnFp2O6iL5OjOE6t8vFgF8hW7Xb/2uri1uoPqzB6WvGXi+ji6f3oVPt5QGCwLp7a9Z+yA38DBHUwrwbziQqITWnvYvoxH/Y9VS/L50aBytRm+fyi4TlJFNXK2zcsf1kk8ttY/EgSns9JqRzcNUwj8Cy5Q136d81vg2aiYD+NVj+ae2h8ua/xzqQHIsHZ0HQzwLo3C03tGGG6Io1A2bJUN7xd191+ije63rbyrWsK+5RUZXGwqR9OZEA25V+FYDlr+gCojQ7TXkY4fw=="
Premium - Business Direct Debit
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="Q2BRgXsdG5JML30HiYbIffvW0Id+Wj+XPPh25HlxFIECO52RsGZW4rUyNuUiXpwQn3xozZxeNV9y1BdeHv6WX0Tc0jjabcZkU4ts4SNau9kpGXRwyGoJ1VYlRTw48OEt5J1zqDQhlCX4HxRMksG9AvTxWzPPoLDbJAFD1id9kKRouKKcJhgGYsP6mLep6J9dvwpagS46/0WbbODxpUsRq3tvc7xH4Eq2JBc/3LB3Ree6kwDl0B4dtV+mdk86RYx1So5qYGFbAclDXVeuLjzfUGGHp3uqkpzIKN58FErKyJiRXpEKhfOT7otoESCXbuI45M/1x/c+1eMKj9sZlXYq4g=="

Create a header containing the certificate

In order to verify your signature, you are required to send a public certificate in a request header.

To do so:

  1. Strip the PEM certificate from its begin and end tags.
  2. Remove all the line breaks.

Example

The result with our example certificate would be:

PSD2
TPP-Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==
Premium - Business Bulk Payment Initiation
Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==
Premium - Business Direct Debit
Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==

More information on signatures

See: <https://tools.ietf.org/html/draft-cavage-http-signatures-10> <https://tools.ietf.org/html/rfc3230>