Production API General Availability

Starting today, OrangeBank's BerlinGroup PSD2 Production API is available to TPPs at the base URL "https://api-tpp.orangebank.fr" (as described here).

It requires a Production PSD2 QWAC certificate.

The Production API is currently at version V3 of our platform, which behaves like the previously available sandbox.

On September 14th 2019, these APIs will become the privileged interface for customers' account access and payment initiations.
Meanwhile, these APIs should be used to finalize the integration of the TPPs with our system.

Developer Portal and Sandbox update

The Developer Portal and Sandbox have been updated. 
They describe and simulate the behaviour of the V4 of our platform (see below for a description of the differences with V3).
The V4 is the target version for the Production environment on September 14th.

The Howtos of the developer portal have been completed with further details (paging behaviour, explanation of the limit of requests to 4 in the presence of pagination, ...).
TPPs are encouraged to take another look at them and contact us if further details are necessary.

Sandbox changelog

  • A certificate following the PSD2 QWAC requirements is now necessary to establish the TLS MA (mutual authentication) connections to the sandbox API, but it doesn't need to be a production one
  • Evolution of the PIS use case :
    The access token isn't needed anymore to consult the status of a payment (https://devportal-tpp.orangebank.fr/content/howto/pis-payment-status)
    The SCA approach remains the "integrated OAuth2 approach" (derived from the "redirect approach") as described in the BerlinGroup specifications
  • Breaking change : the format of BerlinGroup hypermedia links (returned in "_links" field of most BerlinGroup API responses) has been changed to conform to the BerlinGroup specification (see below)
  • FIX : Authorization header sent to BerlinGroup
    The previous version of the sandbox only accepted the delivery of the access tokens as the whole value of the Authorization header, without the Bearer prefix to specify the authentication scheme
    This version fixes this: the access token must now be sent with the "Bearer " prefix, as in:

    Authorization: Bearer df8be09933f4455e845e5c61553cb93799d0e8b6065d450198ce058c0e8ea9fa7643e79a2ec04193a14699d83780d0d4
  • FIX : correction of the value of the scaOAuth link after the creation of a consent, which can now be relied upon to launch the SCA

Differences between V3 (currently used by the Production API) and V4 (currently used by the Sandbox)

  • In V3, for the PIS workflow, accessing the status of a payment still requires a valid access token
  • BerlinGroup Hypermedia links format change :
    • In V3, the link value was directly put in each link type field : 
      {
          "consentStatus": "received",
          "consentId": "VALID_CONSENT_ID",
          "_links": {
              "scaOAuth": "https://sandbox-api-tpp.orangebank.fr/public/berlingroup/authorize",
              "status": "http://sandbox-api-tpp.orangebank.fr:443/berlingroup/v1/consents/VALID_CONSENT_ID/status",
              "self": "http://sandbox-api-tpp.orangebank.fr:443/berlingroup/v1/consents/VALID_CONSENT_ID",
              "scaStatus": "http://sandbox-api-tpp.orangebank.fr:443/berlingroup/v1/consents/VALID_CONSENT_ID/authorisations/AUTHORIZATION_ID_RECEIVED"
          }
      }
    • In V4, each link value is now sent in an "href" field of each _links entry :

      {
          "consentStatus": "received",
          "consentId": "VALID_CONSENT_ID",
          "_links": {
              "scaOAuth": {"href": "https://sandbox-api-tpp.orangebank.fr/public/berlingroup/authorize"},
              "status": {"href": "http://sandbox-api-tpp.orangebank.fr:443/berlingroup/v1/consents/VALID_CONSENT_ID/status"},
              "self": {"href": "http://sandbox-api-tpp.orangebank.fr:443/berlingroup/v1/consents/VALID_CONSENT_ID"},
              "scaStatus": {"href": "http://sandbox-api-tpp.orangebank.fr:443/berlingroup/v1/consents/VALID_CONSENT_ID/authorisations/AUTHORIZATION_ID_RECEIVED"}
          }
      }
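
A TPP client that has to work against both the V3 Production API and the V4 Sandbox can accept either link format. The following is an added example, not OrangeBank code: it reads a "_links" entry in both shapes and only returns the scaOAuth URL when it is https on an expected host. The function names and the use of the page's hosts as an allowlist are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Hosts taken from the URLs shown on this page; treating them as an
# allowlist for SCA redirects is an assumption of this example.
ALLOWED_HOSTS = {"api-tpp.orangebank.fr", "sandbox-api-tpp.orangebank.fr"}

# Constructed sample bodies, trimmed from the V3 and V4 responses above.
AUTHORIZE = "https://sandbox-api-tpp.orangebank.fr/public/berlingroup/authorize"
V3_BODY = json.dumps({"consentId": "VALID_CONSENT_ID",
                      "_links": {"scaOAuth": AUTHORIZE}})
V4_BODY = json.dumps({"consentId": "VALID_CONSENT_ID",
                      "_links": {"scaOAuth": {"href": AUTHORIZE}}})


def link_href(links, name):
    """Return the URL of one _links entry, in V3 or V4 format."""
    entry = links.get(name)
    if isinstance(entry, str):                  # V3: bare string
        return entry
    if isinstance(entry, dict) and isinstance(entry.get("href"), str):
        return entry["href"]                    # V4: {"href": "..."}
    raise ValueError(f"missing or malformed _links entry: {name!r}")


def sca_redirect_url(response_body):
    """Extract scaOAuth; reject anything that is not https on a known host."""
    links = json.loads(response_body).get("_links")
    if not isinstance(links, dict):
        raise ValueError("response has no _links object")
    url = link_href(links, "scaOAuth")
    parts = urlsplit(url)
    # The customer's browser is sent to this URL for SCA, so it must not
    # be downgraded to http or point at a host outside the bank's API.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing scaOAuth redirect to {url!r}")
    return url


if __name__ == "__main__":
    for body in (V3_BODY, V4_BODY):
        print(sca_redirect_url(body))
```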