Try it Out (Sandbox)

A guide for developers to try code examples and test Rabobank’s Business Direct Debit APIs.

📘

The Rabobank Sandbox uses stubs.

  • End‑to‑end flows cannot be tested—only simulated responses.
  • Certificates are not validated against requirements.

Authentication in Sandbox

We provide a key and certificate for mTLS authentication and request signing:

mTLS

Signing

Base URL

All sandbox API endpoints start with:

https://api-sandbox.rabobank.nl/openapi/payments/bulk/direct-debits

Available Endpoints

Direct Debit Initiation

  • Bulk direct debit order creation: POST /payments/bulk/direct-debits
  • STP bulk direct debit order creation: POST /payments/bulk-stp/direct-debits

Direct Debit Status

  • Bulk direct debit order status retrieval: GET /payments/bulk/direct-debits/{paymentId}/status
  • STP bulk direct debit order status retrieval: GET /v3/payments/cross-border-transfer/{paymentId}/status

Example request and responses

Create a bulk direct debit order

Endpoints:

POST https://api.rabobank.nl/openapi/payments/bulk/direct-debits

POST https://api.rabobank.nl/openapi/payments/bulk-stp/direct-debits

Request

X-Request-ID: d65d4172-03fe-41f7-afd5-6f4ae50f73c4
PSU-IP-Address: 102.81.214.149
Digest: sha-512=06EL+s99pvPWCCPY1KsCdqSpOHrPbjWh5mDC3zk2I+F4v20cPlY+04rgkWB5waE11tZv1uYVGFnCagJEgwqyuA==
Signature: keyId="474941545142452678797059264714336600071935444114",algorithm="rsa-sha512",headers="date digest x-request-id",signature="R/8ZLvdDS3SVHVi1gV9x77uGphoFi4MuN9PC/SXIqPYltdVLxLC5bN68jfAPpB+2RSYbv6FNZ53P/sOEssbQX6VMBhATxX/jb87lCjOab/R9UHe7oa0x40/wf7bnTxfv45TwCMpPVdB08TvgVI1xWS/UjMRHMie85zrRwKzzGoalhOnGTf4NTilOuZsW8244QH9D5uhIG5z0Ojj+Ix7+J12aUGPGMyShAmMFWAvZdLtSOf0SQ8YlK7lw4uvjdgty2vllXOK84qVIEffj27s16CectDcdcP5OJvD88PDE6gtd0gKUCepIjJ7h4MOzS4ch9dhmyOYTSVIxumrqE+GYsw=="
Signature-Certificate: MIID9DCCAtygAwIBAgIUUzEdjjbjLOePU7NeZfai6bv9RJIwDQYJKoZIhvcNAQELBQAweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazAgFw0yNTExMTIxNTQ3MzRaGA8yMTAwMTAyNTE1NDczNFoweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGoQqBxfADuEAHs/k1UoKkqn1XrK3ocV/rItsnCU3ynW9gahC8Ggj4UtcjNcXh8fBieV+6oeFcMRXofY6PiS6IM3YxofwMUM0JqTC/JZcoVhnEButAbg+DVJJfR7jxEDFUR2LL2RTLHYugtJdbg92kuUy7bXjayj6/Ef2R3s+cI7rHiI7oAftce61k4sVmQxGtxAVt+jrSB8eX/hVqdzfNb1MSzRbfII56rLgeaSbWm7gkYcJimyWjPuabqxY0cIvwkum5BRJ87x+QRdxzJuXYuwZsUMaY4ETYiiwUv7Q2vOZ066a6zBs++JSdgCUypvqm9YvRn3vCxB3+me+jvhdUCAwEAAaN0MHIwHQYDVR0OBBYEFHr3mI71/GxAJ/nDhNTZL+XEX6cZMB8GA1UdIwQYMBaAFHr3mI71/GxAJ/nDhNTZL+XEX6cZMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEZod53U0IhIQZSVo4mVSn/bWT53uaeAcSwtRi+hyb8K2nDmT8wWdb6xewghd6EXIpWwetG8+odqvCaatdwPa4XjxE9XEecZC+EAYucY7joEk+maDjgJdgNNCwmWGQvOi9Fav9o2bbSGC3Y615K34aMmSNfuCGJHTw88RciLhPUdLMQF3gUTcQjlRcmE0oBZilZ0BF8Q1BIaJiFZZ7nNb4FGYB3ouySsmz/aPTz+VENZp2geCGjxW+SUIVpKiWA6NN2iJkp4Zywe39FxCca0Fw+QHl0vuMhh5fxyFA3eJLZREsZdgqwXnvIwNIM6/Yd1lxUIEyHL1J/m/vcJv/X0ZY4=
Date: Fri, 30 Jul 2021 10:30:00 GMT
Content-Type: multipart/form-data; boundary=WebKitFormBoundaryOEFsgWLJCyxInJHO
X-IBM-Client-Id: <YOUR CLIENT ID>
Authorization: Bearer ******

Response

<?xml version="1.0" encoding="UTF-8"?>
<InitiatedTransactionResponse>
    <_links>
        <status>
            <href>/payments/bulk-stp/direct-debits/123e4567-e89b-42d3-a456-556642444321/status</href>
        </status>
    </_links>
    <paymentId>123e4567-e89b-42d3-a456-556642444321</paymentId>
    <transactionStatus>RCVD</transactionStatus>
</InitiatedTransactionResponse>

Retrieve status of a bulk direct debit order

Endpoint:

GET https://api.rabobank.nl/openapi/payments/bulk/direct-debits/123e4567-e89b-42d3-a456-556642444321/status

GET https://api.rabobank.nl/openapi/payments/bulk-stp/direct-debits/123e4567-e89b-42d3-a456-556642444321/status

Request

X-Request-ID: d65d4172-03fe-41f7-afd5-6f4ae50f73c4
PSU-IP-Address: <IP-address>
Digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Signature: keyId="474941545142452678797059264714336600071935444114",algorithm="rsa-sha512",headers="date digest x-request-id",signature="jMwa3CLiFNLurpmODUIsEIlNNNzzufPuFiL1QZx5attDRASwu7fEljPvCVHAL/8ANVoogCK0xCG3pAsU99b+ZlcimHhtHHVcGMJ3yTunOBJMp/5HTmFu7o4/C3S9zThkbPCgJXvoOxerQBRsY+LdZElbOkipwFljglHqUN/hfJTh+PZBum/7bBiJm+WeOlwT5wfMda0jB/VWsTkHqmA1lcYMQzWhIeI5hz6AFT1BY1ONNgGBUVX5JyQLbM40rVb1FDB/DAY+9w8yGEOxLl3lqXtM7sBP+xtvRECk7jm8u6iUPkk1pTHbHHI2Jjq3SRb/B2GDqUb+tgSfPndLUsXzcg=="
Signature-Certificate: MIID9DCCAtygAwIBAgIUUzEdjjbjLOePU7NeZfai6bv9RJIwDQYJKoZIhvcNAQELBQAweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazAgFw0yNTExMTIxNTQ3MzRaGA8yMTAwMTAyNTE1NDczNFoweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGoQqBxfADuEAHs/k1UoKkqn1XrK3ocV/rItsnCU3ynW9gahC8Ggj4UtcjNcXh8fBieV+6oeFcMRXofY6PiS6IM3YxofwMUM0JqTC/JZcoVhnEButAbg+DVJJfR7jxEDFUR2LL2RTLHYugtJdbg92kuUy7bXjayj6/Ef2R3s+cI7rHiI7oAftce61k4sVmQxGtxAVt+jrSB8eX/hVqdzfNb1MSzRbfII56rLgeaSbWm7gkYcJimyWjPuabqxY0cIvwkum5BRJ87x+QRdxzJuXYuwZsUMaY4ETYiiwUv7Q2vOZ066a6zBs++JSdgCUypvqm9YvRn3vCxB3+me+jvhdUCAwEAAaN0MHIwHQYDVR0OBBYEFHr3mI71/GxAJ/nDhNTZL+XEX6cZMB8GA1UdIwQYMBaAFHr3mI71/GxAJ/nDhNTZL+XEX6cZMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEZod53U0IhIQZSVo4mVSn/bWT53uaeAcSwtRi+hyb8K2nDmT8wWdb6xewghd6EXIpWwetG8+odqvCaatdwPa4XjxE9XEecZC+EAYucY7joEk+maDjgJdgNNCwmWGQvOi9Fav9o2bbSGC3Y615K34aMmSNfuCGJHTw88RciLhPUdLMQF3gUTcQjlRcmE0oBZilZ0BF8Q1BIaJiFZZ7nNb4FGYB3ouySsmz/aPTz+VENZp2geCGjxW+SUIVpKiWA6NN2iJkp4Zywe39FxCca0Fw+QHl0vuMhh5fxyFA3eJLZREsZdgqwXnvIwNIM6/Yd1lxUIEyHL1J/m/vcJv/X0ZY4=
Date: Fri, 30 Jul 2021 10:30:00 GMT
X-IBM-Client-Id: <your client-id>
Content-Type: application/xml
Authorization: Bearer *****

Response

<?xml version="1.0" encoding="UTF-8"?>
<transactionStatus>RCVD</transactionStatus>

Test scenarios

We offer predefined scenarios to test happy flows, errors, and edge cases.

Request scenario                            Response                               Remark                                                                      
Valid Request with valid PAIN008 xml file   201 CREATED                            multipart/form-data with payload variable name as xml_dd                   
Send Request with required header missing   400 BAD REQUEST                        Make a request without a header such as PSU-IP-Address                      
Create payment with invalid multiform       400 BAD REQUEST                        Only for Sandbox                                                            
Send Request with incorrect header format   400 BAD REQUEST                        Only for Sandbox                                                            
Large PAIN008 xml file                      400 BAD REQUEST                        Make a request with PAIN008 xml file larger than 64MB and valid digest      
PAIN008 xml file is missing *              400 BAD REQUEST                        Make a request without the PAIN008 xml file                                 
PAIN008 xml file is empty *                400 BAD REQUEST                        Make a request with and empty PAIN008 xml file                              
Send Request with invalid signature         401 Unauthorised - Invalid Signature   Make a request with an invalid signature                                    
Send Request with invalid certificate       401 Unauthorised - Invalid Certificate Make a request with an invalid certificate                                  
Send Request with invalid digest            401 Unauthorised - Invalid digest      Make a request with an invalid digest                                       
If there is no consent for the used accounts401 Unauthorised - No permissions foundMake a request with an account that has no permissions for this product type
Server issue with the account consent       500 Internal server error              Internal Server Error, Permissions for this product type cannot be accessed 
Use PUT instead of POST method              405 Method Not Allowed                 Use an incorrect HTTP method when making the request                        

Note: These codes are for Sandbox only.

For test scenarios marked with * use the following values for the Digest and Signature header:

Scenario      Digest + Signature      
400 Bad Request, PAIN001 missing      
  • digest: sha-512=XQ48ASLpmAaHugPp6xxefYxP7rZSDsT3cDjq8Xe9wAVfIoaufLDAP3zpc7O9Lk2pva1xPTSP/a2/yemgVGwnRw==
  • keyId="474941545142452678797059264714336600071935444114",algorithm="rsa-sha512",headers="date digest x-request-id",signature="fBgopBqjolOjOyr2vgHtoZWXFN789HWUlDhSRDN687k72SiZQyCzrlPWd6zhjTSZgrz0DALAmCumyTkGjRqyDNENh/ZCMy1ogggNKFMywbl09c7j9wfcVezDxUOAWej85FFRA/yKmfvZ5uYVaPq/i5NEFP25H5cghW83vDaZmY3vH4qR8sXlloR4HLWcnv9nnlNhw+FenNTBbmHKHv6nlOMWBgmQ/dt0xgFYf+9d6+1mhAx/vX66QzDnWCJdISumPfsrmM/FG97nTgxXsw7F2I5MtIDYJb0ytfdWLILGLMZFX/YwLWHcZ3pkZAuRzgbvEnT1iDhXGTl9GKJIHzTBLQ=="
 
400 Bad Request, PAIN001 empty      
  • digest: sha-512=Ee51KhNukKes30kaFD9UZkwFR57ybIIfOwch1d/lPX0q5lhpD/aC44kALU4OYNyh+gHbDA/ly2nFnHZjOXN5gA==
  • keyId="474941545142452678797059264714336600071935444114",algorithm="rsa-sha512",headers="date digest x-request-id",signature="Qr6Ymx3ZO+uYRTOsDW7+IZ9BjvQZfejx15EOX8d4HQ6mYskZ1ZSlBPdDWIEMxYTaDhOT4pJolHuIA7pqKsHlstPKj3XZeBEiTd3EjNcj5IjhRI6IGl0nxYoiicvkokZql06voXJbjRDXNXmWeHcDhBWR+pK1BlXef99OI176PIEYb6T4BUNQFDWcZQ3ZGwJeXE9pGUocWg49ZT3EyELu2EfRnRm7x9qEHbgEW9nqTqD7TcVdtAEN73u1isSq6k4TGN1XTkMFaWUOwuf+plI+YqXh2h2QRcJA288Nu7CwVtie9QHR/1s80h08n2K3N7ckVs27eZXbzNr/Gbr/ZTYkLw=="
 

Some scenarios, as mentioned below, require specific paymentId(s) in the URL, example: (/payments/bulk/direct-debits/paymentId/status or (/payments/bulk-stp/direct-debits/paymentId/status) to get the mentioned responses. 

Response    Scenario                 Payment-id                          Remark                                                                                                                       
PAIN002 file200 OK                   123e4567-e89b-42d3-a456-556642440000All statuses are returned as a part of a PAIN002 file after the payment is processed.                                        
RCVD        200 OK                   123e4567-e89b-42d3-a456-556642440007This is an initial status indicating that a payment initiation is received but not yet processed by Rabobank's order manager.
RJCT        200 OK                   123e4567-e89b-42d3-a456-556642440008The payment initiation is rejected.                                                                                          
             500 Internal Server Error123e4567-e89b-42d3-a456-556642444324Resource Unknown. An error occurred during the processing of the request.                                                    
             500 Internal Server Error123e4567-e89b-42d3-a456-556642440005Payment Id not found                                                                                                         
             400 BAD REQUEST          any paymentId                       The request contains invalid or missing data. For example the PSU-IP-Address is missing in the header                        
             401 Unauthorised         any paymentId                       Make a request with an invalid digest or signature or certificate.