Try it Out (Sandbox)
A guide for developers to try code examples and test Rabobank’s Business Direct Debit APIs.
The Rabobank Sandbox uses stubs.
- End‑to‑end flows cannot be tested—only simulated responses.
- Certificates are not validated against requirements.
Authentication in Sandbox
We provide a key and certificate for mTLS authentication and request signing:
mTLS
Signing
Base URL
All sandbox API endpoints start with:
https://api-sandbox.rabobank.nl/openapi/payments/bulk/direct-debits
Available Endpoints
Direct Debit Initiation
- Bulk direct debit order creation:
POST /payments/bulk/direct-debits - STP bulk direct debit order creation:
POST /payments/bulk-stp/direct-debits
Direct Debit Status
- Bulk direct debit order status retrieval:
GET /payments/bulk/direct-debits/{paymentId}/status - STP bulk direct debit order status retrieval:
GET /v3/payments/cross-border-transfer/{paymentId}/status
Example request and responses
Create a bulk direct debit order
Endpoints:
POST https://api.rabobank.nl/openapi/payments/bulk/direct-debits
POST https://api.rabobank.nl/openapi/payments/bulk-stp/direct-debits
Request
X-Request-ID: d65d4172-03fe-41f7-afd5-6f4ae50f73c4
PSU-IP-Address: 102.81.214.149
Digest: sha-512=06EL+s99pvPWCCPY1KsCdqSpOHrPbjWh5mDC3zk2I+F4v20cPlY+04rgkWB5waE11tZv1uYVGFnCagJEgwqyuA==
Signature: keyId="474941545142452678797059264714336600071935444114",algorithm="rsa-sha512",headers="date digest x-request-id",signature="R/8ZLvdDS3SVHVi1gV9x77uGphoFi4MuN9PC/SXIqPYltdVLxLC5bN68jfAPpB+2RSYbv6FNZ53P/sOEssbQX6VMBhATxX/jb87lCjOab/R9UHe7oa0x40/wf7bnTxfv45TwCMpPVdB08TvgVI1xWS/UjMRHMie85zrRwKzzGoalhOnGTf4NTilOuZsW8244QH9D5uhIG5z0Ojj+Ix7+J12aUGPGMyShAmMFWAvZdLtSOf0SQ8YlK7lw4uvjdgty2vllXOK84qVIEffj27s16CectDcdcP5OJvD88PDE6gtd0gKUCepIjJ7h4MOzS4ch9dhmyOYTSVIxumrqE+GYsw=="
Signature-Certificate: MIID9DCCAtygAwIBAgIUUzEdjjbjLOePU7NeZfai6bv9RJIwDQYJKoZIhvcNAQELBQAweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazAgFw0yNTExMTIxNTQ3MzRaGA8yMTAwMTAyNTE1NDczNFoweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGoQqBxfADuEAHs/k1UoKkqn1XrK3ocV/rItsnCU3ynW9gahC8Ggj4UtcjNcXh8fBieV+6oeFcMRXofY6PiS6IM3YxofwMUM0JqTC/JZcoVhnEButAbg+DVJJfR7jxEDFUR2LL2RTLHYugtJdbg92kuUy7bXjayj6/Ef2R3s+cI7rHiI7oAftce61k4sVmQxGtxAVt+jrSB8eX/hVqdzfNb1MSzRbfII56rLgeaSbWm7gkYcJimyWjPuabqxY0cIvwkum5BRJ87x+QRdxzJuXYuwZsUMaY4ETYiiwUv7Q2vOZ066a6zBs++JSdgCUypvqm9YvRn3vCxB3+me+jvhdUCAwEAAaN0MHIwHQYDVR0OBBYEFHr3mI71/GxAJ/nDhNTZL+XEX6cZMB8GA1UdIwQYMBaAFHr3mI71/GxAJ/nDhNTZL+XEX6cZMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEZod53U0IhIQZSVo4mVSn/bWT53uaeAcSwtRi+hyb8K2nDmT8wWdb6xewghd6EXIpWwetG8+odqvCaatdwPa4XjxE9XEecZC+EAYucY7joEk+maDjgJdgNNCwmWGQvOi9Fav9o2bbSGC3Y615K34aMmSNfuCGJHTw88RciLhPUdLMQF3gUTcQjlRcmE0oBZilZ0BF8Q1BIaJiFZZ7nNb4FGYB3ouySsmz/aPTz+VENZp2geCGjxW+SUIVpKiWA6NN2iJkp4Zywe39FxCca0Fw+QHl0vuMhh5fxyFA3eJLZREsZdgqwXnvIwNIM6/Yd1lxUIEyHL1J/m/vcJv/X0ZY4=
Date: Fri, 30 Jul 2021 10:30:00 GMT
Content-Type: multipart/form-data; boundary=WebKitFormBoundaryOEFsgWLJCyxInJHO
X-IBM-Client-Id: <YOUR CLIENT ID>
Authorization: Bearer ******Response
<?xml version="1.0" encoding="UTF-8"?>
<InitiatedTransactionResponse>
<_links>
<status>
<href>/payments/bulk-stp/direct-debits/123e4567-e89b-42d3-a456-556642444321/status</href>
</status>
</_links>
<paymentId>123e4567-e89b-42d3-a456-556642444321</paymentId>
<transactionStatus>RCVD</transactionStatus>
</InitiatedTransactionResponse>Retrieve status of a bulk direct debit order
Endpoint:
GET https://api.rabobank.nl/openapi/payments/bulk/direct-debits/123e4567-e89b-42d3-a456-556642444321/status
GET https://api.rabobank.nl/openapi/payments/bulk-stp/direct-debits/123e4567-e89b-42d3-a456-556642444321/status
Request
X-Request-ID: d65d4172-03fe-41f7-afd5-6f4ae50f73c4
PSU-IP-Address: <IP-address>
Digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Signature: keyId="474941545142452678797059264714336600071935444114",algorithm="rsa-sha512",headers="date digest x-request-id",signature="jMwa3CLiFNLurpmODUIsEIlNNNzzufPuFiL1QZx5attDRASwu7fEljPvCVHAL/8ANVoogCK0xCG3pAsU99b+ZlcimHhtHHVcGMJ3yTunOBJMp/5HTmFu7o4/C3S9zThkbPCgJXvoOxerQBRsY+LdZElbOkipwFljglHqUN/hfJTh+PZBum/7bBiJm+WeOlwT5wfMda0jB/VWsTkHqmA1lcYMQzWhIeI5hz6AFT1BY1ONNgGBUVX5JyQLbM40rVb1FDB/DAY+9w8yGEOxLl3lqXtM7sBP+xtvRECk7jm8u6iUPkk1pTHbHHI2Jjq3SRb/B2GDqUb+tgSfPndLUsXzcg=="
Signature-Certificate: MIID9DCCAtygAwIBAgIUUzEdjjbjLOePU7NeZfai6bv9RJIwDQYJKoZIhvcNAQELBQAweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazAgFw0yNTExMTIxNTQ3MzRaGA8yMTAwMTAyNTE1NDczNFoweDEyMDAGA1UEAwwpUmFib2JhbmsgZGV2ZWxvcGVyIHBvcnRhbCBTYW5kYm94IHRlc3RpbmcxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGoQqBxfADuEAHs/k1UoKkqn1XrK3ocV/rItsnCU3ynW9gahC8Ggj4UtcjNcXh8fBieV+6oeFcMRXofY6PiS6IM3YxofwMUM0JqTC/JZcoVhnEButAbg+DVJJfR7jxEDFUR2LL2RTLHYugtJdbg92kuUy7bXjayj6/Ef2R3s+cI7rHiI7oAftce61k4sVmQxGtxAVt+jrSB8eX/hVqdzfNb1MSzRbfII56rLgeaSbWm7gkYcJimyWjPuabqxY0cIvwkum5BRJ87x+QRdxzJuXYuwZsUMaY4ETYiiwUv7Q2vOZ066a6zBs++JSdgCUypvqm9YvRn3vCxB3+me+jvhdUCAwEAAaN0MHIwHQYDVR0OBBYEFHr3mI71/GxAJ/nDhNTZL+XEX6cZMB8GA1UdIwQYMBaAFHr3mI71/GxAJ/nDhNTZL+XEX6cZMA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAEZod53U0IhIQZSVo4mVSn/bWT53uaeAcSwtRi+hyb8K2nDmT8wWdb6xewghd6EXIpWwetG8+odqvCaatdwPa4XjxE9XEecZC+EAYucY7joEk+maDjgJdgNNCwmWGQvOi9Fav9o2bbSGC3Y615K34aMmSNfuCGJHTw88RciLhPUdLMQF3gUTcQjlRcmE0oBZilZ0BF8Q1BIaJiFZZ7nNb4FGYB3ouySsmz/aPTz+VENZp2geCGjxW+SUIVpKiWA6NN2iJkp4Zywe39FxCca0Fw+QHl0vuMhh5fxyFA3eJLZREsZdgqwXnvIwNIM6/Yd1lxUIEyHL1J/m/vcJv/X0ZY4=
Date: Fri, 30 Jul 2021 10:30:00 GMT
X-IBM-Client-Id: <your client-id>
Content-Type: application/xml
Authorization: Bearer *****Response
<?xml version="1.0" encoding="UTF-8"?>
<transactionStatus>RCVD</transactionStatus>Test scenarios
We offer predefined scenarios to test happy flows, errors, and edge cases.
| Request scenario | Response | Remark |
|---|---|---|
| Valid Request with valid PAIN008 xml file | 201 CREATED | multipart/form-data with payload variable name as xml_dd |
| Send Request with required header missing | 400 BAD REQUEST | Make a request without a header such as PSU-IP-Address |
| Create payment with invalid multiform | 400 BAD REQUEST | Only for Sandbox |
| Send Request with incorrect header format | 400 BAD REQUEST | Only for Sandbox |
| Large PAIN008 xml file | 400 BAD REQUEST | Make a request with PAIN008 xml file larger than 64MB and valid digest |
| PAIN008 xml file is missing * | 400 BAD REQUEST | Make a request without the PAIN008 xml file |
| PAIN008 xml file is empty * | 400 BAD REQUEST | Make a request with and empty PAIN008 xml file |
| Send Request with invalid signature | 401 Unauthorised - Invalid Signature | Make a request with an invalid signature |
| Send Request with invalid certificate | 401 Unauthorised - Invalid Certificate | Make a request with an invalid certificate |
| Send Request with invalid digest | 401 Unauthorised - Invalid digest | Make a request with an invalid digest |
| If there is no consent for the used accounts | 401 Unauthorised - No permissions found | Make a request with an account that has no permissions for this product type |
| Server issue with the account consent | 500 Internal server error | Internal Server Error, Permissions for this product type cannot be accessed |
| Use PUT instead of POST method | 405 Method Not Allowed | Use an incorrect HTTP method when making the request |
Note: These codes are for Sandbox only.
For test scenarios marked with * use the following values for the Digest and Signature header:
| Scenario | Digest + Signature |
|---|---|
| 400 Bad Request, PAIN001 missing |
|
| 400 Bad Request, PAIN001 empty |
|
Some scenarios, as mentioned below, require specific paymentId(s) in the URL, example: (/payments/bulk/direct-debits/paymentId/status or (/payments/bulk-stp/direct-debits/paymentId/status) to get the mentioned responses.
| Response | Scenario | Payment-id | Remark |
|---|---|---|---|
| PAIN002 file | 200 OK | 123e4567-e89b-42d3-a456-556642440000 | All statuses are returned as a part of a PAIN002 file after the payment is processed. |
| RCVD | 200 OK | 123e4567-e89b-42d3-a456-556642440007 | This is an initial status indicating that a payment initiation is received but not yet processed by Rabobank's order manager. |
| RJCT | 200 OK | 123e4567-e89b-42d3-a456-556642440008 | The payment initiation is rejected. |
| 500 Internal Server Error | 123e4567-e89b-42d3-a456-556642444324 | Resource Unknown. An error occurred during the processing of the request. | |
| 500 Internal Server Error | 123e4567-e89b-42d3-a456-556642440005 | Payment Id not found | |
| 400 BAD REQUEST | any paymentId | The request contains invalid or missing data. For example the PSU-IP-Address is missing in the header | |
| 401 Unauthorised | any paymentId | Make a request with an invalid digest or signature or certificate. |
