A quickstart guide for TPPs can be downloaded from here:
The api will be available under the following path:
BaseURL = <Environment URL>/api/v1/
Please note that only the sandbox environment supports the example PSU-IDs, Passwords and IBANs mentioned under section Demo-Accounts. A QWAC Certificate is required for all environments except for the Documentation and Demo-API.
As TPP you need to be registered for each QWAC protected environment separately. Please send us a short E-Mail with the following information:
If you have any questions regarding executed API-calls, please send us a message containing the following additional informations:
The PASS Banking API - Package XS2A enables banks to comply with the requirements of the PSD2-to implement the directive. PASS is based on the required account access APIs of the specifications of the EBA and the Berlin Group (NextGenPSD2).
For retrieving account information and initiating payments by third-party providers (TPPs) endpoints are provided:
Payment Information Services (PIS)
Confirmation of Funds (PIIS)
The APIs are
The PASS Banking API provides all the relevant information and configurations of the PSD2-Application ready for the administrators of the bank. In a further version, partners receive (TPPs) a developer portal with the necessary documentation and testing of the bank's APIs.
The character set is UTF 8 encoded. This specification is only using the basic data elements "String", "Boolean", "ISODateTime", "ISODate", "UUID" and "Integer" (with a byte length of 32 bits) and ISO based code lists. ASPSPs will accept for strings at least the following character set:
a b c d e f g h i j k l m n o p q r s t u v w x y z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9
* / - ? : ( ) . , ' +
Lf must never be used as single characters and must only be used together in the sequence
LfCr is not allowed. When the character sequence
CrLf is used in a field format with several lines, it is used to indicate
the end of one line of text and the start of the next line of text.
With the following demo accounts you can test all workflows except payment processing in the SANDBOX environment.
123456(Supports only Embedded SCA Approach)
7891011(Supports Embedded or Decoupled SCA Approach with method selection)
Default TAN (for Embedded SCA):
You may also enjoy the interactive interface provided for this API by Swagger.
|Account Information Service (AIS)||
|| The Account Information Service (AIS) offers the following services
|Confirmation of Funds Service (PIIS)||
||Confirmation of Funds Service (PIIS) returns a confirmation of funds request at the ASPSP.|
|Payment Initiation Service (PIS)||
|| The Description for Payment Initiation Service (PIS) offers the following services:
Requested access services for a consent.
NOTE: All permitted "access" attributes ("accounts", "balances" and "transactions") used in this message shall carry a non-empty array of account references, indicating the accounts where the type of access is requested. Please note that a "transactions" or "balances" access right also gives access to the generic /accounts endpoints, i.e. is implicitly supporting also the "accounts" access.
|AccountBalanceResponse||Body of the response for a successful read balance for an account request.|
|AccountDetails||Details about an account|
|AccountGroup||A group of accounts|
Reference to an account by either
|AccountTransactions||Body of the JSON response for a successful read card account transaction list request. This card account report contains transactions resulting from the query parameters.|
|Accounts||A list of AccountDetails.|
|Amount||An amount of money in a certain currency|
|AuthenticationObject||A method for strong customer authentication|
|AuthenticationType||A specific type of an authentication method|
|AuthorisationUpdate||Different Authorisation Bodies.|
|Authorisations||An array of all authorisationIds|
|Balance||A single balance element|
|BalanceType||Type of balance.|
Bank transaction code as used by the ASPSP and using the sub elements of this structured code defined by ISO 20022.
This code type is concatenating the three ISO20022 Codes
Example: PMNT-RCDT-ESCT defining a transaction assigned to the PayMeNT Domain (PMNT), belonging to the family of ReceivedCreDitTransfer (RCDT) that facilitated the EuropeanSEPACreditTransfer (ESCT)
|Challenge||It is contained in addition to the data element 'chosenScaMethod' if challenge data is needed for SCA. In rare cases this attribute is also used in the context of the 'startAuthorisationWithPsuAuthentication' link.|
|ConsentCreationRequest||Content of the body of a consent request.|
|ConsentCreationResult||The response for a consent creation|
|ConsentData||Basic information about the consent.|
|ConsentStatus||This is the overall lifecycle status of the consent.|
|ConsentStatusResponse||Body of the JSON response for a successful get status request for a consent.|
|ExternalPurpose1Code||The purpose of a transaction|
|FundsConfirmationRequest||JSON Request body for the "Confirmation of Funds Service"|
|FundsConfirmationResponse||JSON Response body for the "Confirmation of Funds Service"|
|HrefType||Link to a resource|
|Links||Definition of _link types. Remark: All links can be relative or full links, to be decided by the ASPSP.|
|LinksAccountDetails||Links to the account, which can be directly used for retrieving account information from this dedicated account. Links to "balances" and/or "transactions" These links are only supported, when the corresponding consent has been already granted.|
|LinksAccountReport||Type of links admitted in this response|
|LinksAll||A _link object with all available link types|
|LinksConsents||Type of links admitted in this response|
|LinksDownload||Type of links admitted in this response. This feature shall only be used where camt-data is requested which has a huge size.|
|LinksGetConsent||Type of links admitted in this response|
|LinksPaymentInitiation||Type of links admitted in this response|
|LinksPaymentInitiationCancel||Type of links admitted in this response|
|LinksSelectPsuAuthenticationMethod||Type of links admitted in this response|
|LinksSigningBasket||Type of links admitted in this response|
|LinksStartScaProcess||Type of links admitted in this response|
|LinksTransactionDetails||Type of links admitted in this response|
|LinksUpdatePsuAuthentication||Type of links admitted in this response|
|LinksUpdatePsuIdentification||Type of links admitted in this response|
|MessageCode2XX||Message codes for HTTP Error codes 2XX.|
|OtpFormat||The format type of the OTP to be typed in. The admitted values are "characters" or "integer".|
|PaymentInitiationResponse||Body of the response for a successful payment initiation request.|
|PaymentStatusResponse||Body of the response for a successful payment initiation status request in case of an JSON based endpoint.|
PSU Data for PSU Authentication.
The password or encryptedPassword subfield is used, depending on encryption requirements of the ASPSP as indicated in the corresponding hyperlink contained in the last response message of the ASPSP.
Remark for Future: More details on the encrypted password transport will be published by a future bulletin.
|ScaStatusResponse||Body of the JSON response with SCA Status.|
|ScaprocessResponse||Common type for a sca process response.|
|StartScaprocessResponse||Body of the JSON response for a Start SCA authorisation request.|
|TppMessageCategory||Category of the TPP message category|
JSON based account report. This account report contains transactions resulting from the query parameters.
'booked' shall be contained if bookingStatus parameter is set to "booked" or "both".
'pending' is not contained if the bookingStatus parameter is set to "booked".
|TransactionStatus||The state of a transaction|
|UpdatePsuDataResponse||Body of the JSON response for a Update SCA authorisation request.|
|Usage||Specifies the usage of the account|