Account Information

Your requests contain data and to ensure its authenticity, you are required to sign the requests while using Rabobank APIs.

Reference: Signature draft

Start with sandbox

We recommend that you first develop your application using the Sandbox environment in the Rabobank developer portal. Read Get Started to set up your account.

Get the signing certificate

Use the following certificates based on your API:

PSD2 – An eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.
Premium – An EV SSL certificate for transport and an EV SSL signing certificate for signing messages.
- Rabobank accepts:
  - EV SSL certificates from the certificate issuers listed in the Mozilla CA Certificate report.
  - X.509 format.
  - RSA: key length should be at least 2048-bit.
  - Certificate should be valid for a maximum of one year.

In case you don't yet have an official certificate, you can use an example certificate for Sandbox.

⤓ cert.pem ⤓ key.pem

👍
You can use these certificates to recreate the code example as shown below.

🚧
The signing certificate is sent with a signing request but not stored on the Rabobank developer portal. If you want to change/replace it, you can make changes on your own system. You can also choose to have two valid certificates when allowed by your system.

Create the digest

The digest is a base64 encoded hash of the body, example: Base64(SHA512(body))

Pass the body of your request (or an empty string if there is no body) through a hashing algorithm.
📘
We recommend using SHA 512 but you can also choose to use SHA 256.
Make sure the hashed output is in binary format.
Base64 encode the output.
Add the result to your digest header declaring the used hashing algorithm, i.e. (RSA-SHA512/RSA-SHA256).

Example digest header

An example of the digest header for an empty body using SHA-512:

PSD2 - Account Information

sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==

Premium - Business Account Insight

sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==

Premium - Account Notification Service

{"account":{"iban":"NL52RABO0125618484","currencyCode":"EUR"},"transactionCriteria":{"raboDetailedTransactionType":356,"amount":{"minTransactionAmount":100,"maxTransactionAmount":500},"transactionType":"DEBIT","remittanceInformationStructured":"Ref111*","remittanceInformationUnstructured":"Parking fine*","raboTransactionTypeName":"EI","endToEndId":"R23-972838E*"},"endDate":"2027-12-03T14:07:56.302663Z","pushUri":"https://tpp.com/notify"}

sha-512=YwsbNchoFOeQku7TeKjq/bKCmxEUGaF6m1cuUaG4UvNg9cMJ+hkelyriTgIxC56Yv8zCkWe7VQ2/s6cT+wEZyA==

Premium - Batch Transaction Details

sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==

🚧
Due to security regulation, spaces or line breaks between JSON elements cause incorrect digest error.

Create the signing string

The signing string contains several headers separated by line breaks.

👍
The order is not crucial, as long as you define them in the same order in the signature header.

Signing headers per API

Parameter	Required	Remark
`date`	Yes	-
`digest`	Yes	-
`x-request-id`	Yes	-
`tpp-redirect-uri`	No	Mandatory for HTTP POST requests
`tpp-nok-redirect-uri`	No	This field should be included as a header of the HTTP POST request

Example signing string

Examples of the signing string for various APIs:

PSD2 - Account Information

date: Tue, 13 Sep 2022 09:51:01 GMT  
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg== 
x-request-id: 95126d8f-ae9d-4ac3-ac9e-c357dcd78811

Premium - Business Account Insight

date: Thu, 18 Mar 2021 15:10:46 GMT  
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg== 
x-request-id: e9c96b7e-8470-410a-937c-396fe9512fea

Premium – Account Notification Service

date: Tue, 15 May 2024 08:12:31 GMT
digest: sha-512=YwsbNchoFOeQku7TeKjq/bKCmxEUGaF6m1cuUaG4UvNg9cMJ+hkelyriTgIxC56Yv8zCkWe7VQ2/s6cT+wEZyA==
x-request-id: 594d27d0-26d7-47dc-9d62-c307616220b6

Premium - Batch Transaction Details

date: Tue, 15 Nov 2020 08:12:31 GMT
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
x-request-id: 594d27d0-26d7-47dc-9d62-c307616220b6

Sign using your Private key

The signature is the signing string signed with the private key: Base64(RSA-SHA512(signing_string))

Create the signing string.
Sign it using the hashing algorithm you used (RSA-SHA512/RSA-SHa256) and the private key of the signing certificate.
Base64 encode the output.

Example signature

Examples of the signature for various APIs:

PSD2 - Account Information

t7b3deOMrTmOs+mjuY43mMcgpttrIWrkEGRmdEXaiurqrl0BO9hPOk4k+7OKmPWbxqE8nBFFSVSDU7+t84cUdjB3VTsl94rPuPVj/4XKwrqzKcmPHQHZ87ENPHWSFEDuOnub0FrJ4pUImsZpbenkZX+I80MElJQ337jp904JzyA+WKi7SzPjgGTUGlujhRUu3kU4TDNkcLIaBrcok9mXFlJSZQuNaaKfz4kqeaBpG2p3ZjcICnuE1aYFu5VZoniJd3Bi3n0ygVyb/9BaGHYMYvDvKHHtw6So8YGTTO+LnLZmOTgjXKhDIdBOgtJ4PWxvrp0Iid/YaM+BHqZPu4N1bw==

Premium - Business Account Insight

aS6D/cKMgEnAES6yVpKs2AjkxbPReF760F8hDHXLZ2ic0OFI84eIjRl2DYLJc4EPjNcsYvxaSyPypJvMnOiU3gnj4vrs/PrR5A/x2COA9fe6OwJThfLTPxeXoRxxw6sGEjRCrF06sY/IKmRPdp4AjVzYfBeAeshjzr/icghp/Zzi4DOOBp+39bdWUJDCVHM9m0V/LRM18xdJtBKssP6Wzy5wncCmk7fHm1nLD31N+SARYcPuMutGHgIwQrNB/czR3e6g7o+2C8J0nC0kPM95VBWAyChTOqPsvcBHKcxreZe9aNywclpVOtXJit05q3O3PfLvJHH3QoPTRpzsP38pOw==

Premium - Account Notification Service

FHTbTEpqnJMDXaRoCd2U7e8Cdigm1yuDAdFPBmF5u7y+Gb6rhpzQ0ZXnrrmlz99ZqQfHYf3x0c2QBdyITn/M/8xbN6WZWCT6VJ5mhXqe4B3DEnaYkg3U11Dda1Zyw9p+cptzcMOEFDO6JH/biB3R57Vi28WHTgdishq+BmzFDw9mjxYOs2+LUAD1ExnAvl5ZcpJKZvsHdqLZPyVDq5YedTgAUAIhfPCRj+eF4qQv5pKJxjGANiwCif5BrVhKTcJ/gYo865xeAQBeAXuIWiq1QIjEyJrwZk0aErVhAo75B0fy5xPFEn6VJLRStuxnrE+mEgasp+H7RDYMdmmFvzSW2A==

Premium - Batch Transaction Details

ckfJsOBu3DRPVQzqIpwte8tUMxg6Mb6ThuA7hH3LuvZtjr8DS4OIKCRPTuC0IgyoCsUciD4CIa2hOWTZHf5tdQsXpruyem7GldFUA2zQFErC9wtAFxGSRs4f+sIKiX5knY//snxlq7xrZVtLc/jqBOBvy/X771SE2GIjtODVO3dcjXR5lnFIc+7uQBSXji9q13JhdJrkNJQt+XlbE0Z5FDTWsu1ZfLa+5Ky7S7+RGANyI02nCekHYc3Un8qdv3g46zw1TubL+HtZyao9mUor576jGiI/gBu9in/IXbZ7typ9kaAmN9iNR1Cw/9sbPJUtydTt1TWn0JWifPtr/+FjBQ==

Create the Signature header

The signature header consists of the following components:

Component	Example	Description
keyId	$ openssl x509 -in cert.pem -noout -text	The serial number of the certificate as defined in 'TPP-Signing-Certificate' header. The format should be Integer not hex. You can use the openssl command line tool to find the serial number.
algorithm	rsa-sha512	Specify which algorithm was used when generating the signature: rsa-sha512 rsa-sha256
headers	"date digest x-request-id"	The list of headers contained in the signature: lowercase separated by a space in the same order as they have in the signing string
signature		The result created at step Sign using your Private key

Example signature header

The resulting signature header for our example:

PSD2 - Account Information

signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="t7b3deOMrTmOs+mjuY43mMcgpttrIWrkEGRmdEXaiurqrl0BO9hPOk4k+7OKmPWbxqE8nBFFSVSDU7+t84cUdjB3VTsl94rPuPVj/4XKwrqzKcmPHQHZ87ENPHWSFEDuOnub0FrJ4pUImsZpbenkZX+I80MElJQ337jp904JzyA+WKi7SzPjgGTUGlujhRUu3kU4TDNkcLIaBrcok9mXFlJSZQuNaaKfz4kqeaBpG2p3ZjcICnuE1aYFu5VZoniJd3Bi3n0ygVyb/9BaGHYMYvDvKHHtw6So8YGTTO+LnLZmOTgjXKhDIdBOgtJ4PWxvrp0Iid/YaM+BHqZPu4N1bw=="

Premium - Business Account Insight

signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="aS6D/cKMgEnAES6yVpKs2AjkxbPReF760F8hDHXLZ2ic0OFI84eIjRl2DYLJc4EPjNcsYvxaSyPypJvMnOiU3gnj4vrs/PrR5A/x2COA9fe6OwJThfLTPxeXoRxxw6sGEjRCrF06sY/IKmRPdp4AjVzYfBeAeshjzr/icghp/Zzi4DOOBp+39bdWUJDCVHM9m0V/LRM18xdJtBKssP6Wzy5wncCmk7fHm1nLD31N+SARYcPuMutGHgIwQrNB/czR3e6g7o+2C8J0nC0kPM95VBWAyChTOqPsvcBHKcxreZe9aNywclpVOtXJit05q3O3PfLvJHH3QoPTRpzsP38pOw=="

Premium - Account Notification Service

Signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="FHTbTEpqnJMDXaRoCd2U7e8Cdigm1yuDAdFPBmF5u7y+Gb6rhpzQ0ZXnrrmlz99ZqQfHYf3x0c2QBdyITn/M/8xbN6WZWCT6VJ5mhXqe4B3DEnaYkg3U11Dda1Zyw9p+cptzcMOEFDO6JH/biB3R57Vi28WHTgdishq+BmzFDw9mjxYOs2+LUAD1ExnAvl5ZcpJKZvsHdqLZPyVDq5YedTgAUAIhfPCRj+eF4qQv5pKJxjGANiwCif5BrVhKTcJ/gYo865xeAQBeAXuIWiq1QIjEyJrwZk0aErVhAo75B0fy5xPFEn6VJLRStuxnrE+mEgasp+H7RDYMdmmFvzSW2A=="

Premium - Batch Transaction Details

signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="ckfJsOBu3DRPVQzqIpwte8tUMxg6Mb6ThuA7hH3LuvZtjr8DS4OIKCRPTuC0IgyoCsUciD4CIa2hOWTZHf5tdQsXpruyem7GldFUA2zQFErC9wtAFxGSRs4f+sIKiX5knY//snxlq7xrZVtLc/jqBOBvy/X771SE2GIjtODVO3dcjXR5lnFIc+7uQBSXji9q13JhdJrkNJQt+XlbE0Z5FDTWsu1ZfLa+5Ky7S7+RGANyI02nCekHYc3Un8qdv3g46zw1TubL+HtZyao9mUor576jGiI/gBu9in/IXbZ7typ9kaAmN9iNR1Cw/9sbPJUtydTt1TWn0JWifPtr/+FjBQ=="

Create a header containing the certificate

In order to verify your signature, you are required to send us a public certificate in a request Header.

To do so:

Strip the pem certificate from its begin and end tags.
Remove all the line breaks.

Example

The result with our example certificate would be:

PSD2

TPP-Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==

Premium

Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==

More information on signatures

See: https://tools.ietf.org/html/draft-cavage-http-signatures-10 https://tools.ietf.org/html/rfc3230