401 Unauthorized error.
The aim for Qonto is to identify the TPP accessing the PSU accounts. Technically, the procedure consists of calling the usual endpoints, with the TPP adding supplementary headers to identify itself. This procedure is based on the STET PSD2 API document.
Both Signature and Digest are required for the request to be considered valid.
digest of the HTTP body and adding this digest as an extra HTTP header. The Digest header consists of the "SHA-256=" prefix followed by the digest value.
signature using a specific Qualified Certificate (QSealC), respecting the ETSI/TS119495 Technical Specification, in order to apply an RSA-SHA256 signature on all the following headers (that are present within the HTTP request sent by the TPP):
- Digest (always);
- Content-Type (always);
- Content-Length (always);
- Date (if available);
- PSU- prefixed headers: PSU-IP-Address; PSU-IP-Port; PSU-HTTP-Method; PSU-Date; PSU-User-Agent; PSU-Referer; PSU-Accept; PSU-Accept-Charset; PSU-Accept-Encoding; PSU-Accept-Language; PSU-GEO-Location; PSU-Device-ID.

Content-Type and Content-Length headers should always be signed when they are present in the request;
(request-target) value that consists of <request_method> <request_path> is required to be signed along with the headers list.

keyId) which must specify the way to get the relevant qualified certificate. It is requested that this identifier is a URL aiming to provide the relevant Qualified Certificate;
signature header are sent in lowercase, like in the example above.
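
The Digest computation and the list of signed headers described above, as an added Python example (not Qonto's or STET's code). Assumptions: the digest is base64-encoded, the signing-string and Signature header layouts follow the draft-cavage HTTP Signatures convention, and the request path, key URL and sample values are constructed. The RSA-SHA256 operation itself is done elsewhere with the QSealC private key and passed in as bytes.

```python
import base64
import hashlib

# Header names the page lists as covered by the signature, lowercased.
SIGNED = ("digest", "content-type", "content-length", "date",
          "psu-ip-address", "psu-ip-port", "psu-http-method", "psu-date",
          "psu-user-agent", "psu-referer", "psu-accept", "psu-accept-charset",
          "psu-accept-encoding", "psu-accept-language", "psu-geo-location",
          "psu-device-id")


def digest_header(body: bytes) -> str:
    """'SHA-256=' followed by the body digest (base64 encoding is assumed)."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, headers: dict) -> tuple:
    """Return (covered names, string to sign) for the headers actually sent."""
    sent = {k.lower(): v.strip() for k, v in headers.items()}
    if "digest" not in sent:
        raise ValueError("Digest must always be present and signed")
    # (request-target) is "<request_method> <request_path>"; the lowercase
    # method follows draft-cavage and is an assumption here.
    sent["(request-target)"] = f"{method.lower()} {path}"
    names = ["(request-target)"] + [h for h in SIGNED if h in sent]
    return names, "\n".join(f"{n}: {sent[n]}" for n in names)


def signature_header(key_id: str, names: list, raw_sig: bytes) -> str:
    """Assemble the Signature header; raw_sig is the RSA-SHA256 signature of
    the signing string, produced elsewhere with the QSealC private key."""
    return (f'keyId="{key_id}",algorithm="rsa-sha256",'
            f'headers="{" ".join(names)}",'
            f'signature="{base64.b64encode(raw_sig).decode()}"')


if __name__ == "__main__":
    body = b'{"constructed": "sample body"}'
    hdrs = {"Digest": digest_header(body), "Content-Type": "application/json",
            "Content-Length": str(len(body)), "PSU-IP-Address": "192.0.2.10"}
    names, to_sign = signing_string("POST", "/constructed/path", hdrs)
    print(to_sign)
    print(signature_header("https://tpp.example/qsealc.pem", names, b"<sig>"))
```

Headers outside the listed set are left out of the signing string, so they are not integrity-protected by the signature.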