Check our FAQs below to find the help you need.

General

I have registered but I am not able to log on.

If you forgot your password, you can reset it here.

Rabobank cipher suites policy

To facilitate a secure connection to its APIs, Rabobank supports the following cipher suites for TLS.

 TLSv1.3
 IANA Cipher Name   OpenSSL Hexcode
 TLS_AES_256_GCM_SHA384   0x1302
 TLS_CHACHA20_POLY1305_SHA256   0x1303
 TLS_AES_128_GCM_SHA256   0x1301

 

 TLSv1.2
 IANA Cipher Name   OpenSSL Hexcode
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   0xc02c
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   0xc02b
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   0xc030
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xc02f
 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   0xcca9
 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xcca8

 

Rabobank will inform you when this list will be updated. You can expect this information at least three months before the protocol versions or cipher suites are set to be removed from the Production environment, unless an immediate action is required due to security risks.

To ensure smooth working, you are required to update your environment(s) that use these ciphers.

In case you encounter any problems while testing or have questions, feel free to reach out to contact us.

How can I validate the server certificate?

The server certificate of api.rabobank.nl is an EV certificate (EV = Extended Validation). To be able to validate this certificate during the TLS handshake you should trust the Root CA that issued the certificate. For the api.rabobank.nl certificate you must trust the Root CA certificates from DigiCert and Sectigo that these companies use for signing EV certificates.

In the future we will replace the current EV certificate by a QWAC certificate issued under the European eIDAS trust scheme which can be found here: https://ec.europa.eu/digital-single-market/en/eu-trusted-lists

Can I use AIS to access my own account without a PSD2 eIDAS certificate?

No, that is not possible. We are looking for possibilities to introduce the product in the near future.

I want to start using Rabobank production APIs. What do I need to do?

Once you have completed your development on our Sandbox environment you cannot automatically start using our production APIs.

For PSD2 APIs it is possible to get an account by using the PSD2 enrollment API if you are a certified AISP, PISP or CISP. Our Account Information, Payment Initiation and Confirmation Availability of Funds API are available in production.

For using non-PSD2 APIs in production, please refer to the overview page of the API you want to use to learn more about how to request access to production. 

My contact details are changing, how do I report this?

When your email address changes, the owner of your developer organization needs to send an invite to your new address. It is not possible to change your email address. 

If you are the owner of the developer organization, make sure to also change ownership to your new address.

How do I stay informed about changes within an API that I am subscribed to?

You will receive an email about breaking changes with an indication of how long the old version will stay available.

I signed up for Sandbox but I didn't get an email from Rabobank

Please check your spam-folder. If you still need help contact us via the contact form.

I have a problem using a Rabobank API. What do I do?

Check our other FAQs to find a solution to your problem.

Do you still need help? Go to our contact page to report a problem.

Can a minor give consent?

For now it is only possible for adults (18+) to give consent.

What is the difference between Sandbox and Production?

The main difference between Sandbox and Production is the data that is returned by the APIs. In Sandbox test data is returned while in Production live data is returned.

The Sandbox environment enables you to develop and test your application.

  • Sandbox mimics all interactions with Rabobank just as we have in production.
  • Sandbox allows you to fully test the OAuth2.0 process without needing a real Rabobank account.
  • Sandbox APIs describe how to trigger specific functional or error responses.
I have an idea for a new API. What can I do?

If you have a great idea for a new API please let us know. Go to our contact page to request an enhancement and share your thoughts with us.

My activation link is not working.

Try to copy the complete link manually and paste it in the address bar of your browser.
The link expires after 24 hours. In case of an expired activation link please contact us via the contact form.

API-usage

I have lost my client secret. How do I reset it?

To reset your client secret click 'My Apps' in the main menu, click on the application in question and then click the 'Reset' link in the 'Client Secret' section. Your new secret will be displayed.

Why do I get a rejection after sending in a (Cross Border) payment?

A rejection can have several causes. Please check if the correct endpoint is used and/or whether all mandatory fields are provided. Note that Cross Border payments require additional information compared to SEPA payments.

Can I have two QSeal certificates active at the same time?

A QSeal certificate is sent with a request, we do not store your certificate. It therefore is possible to have two valid QSeal certificates active at the same time if your own systems can store this.

How do I change my QSeal certificate?

When you have a new QSeal certificate you don’t have to change anything on our developer portal. A QSeal certificate is sent with the request, so you need to make sure you change the certificate in your own systems. Because we do not store your certificate it is possible to have two valid QSeal certificates active at the same time if your own systems can store this.

Can I have two TLS certificates active at the same time?

It is not possible to have two TLS certificates active at the same time. Reason for this is that a TLS certificate needs to be uploaded in PEM format on our developer portal in your app, and at this moment we only have the option to add one. We are aware that not having the possibility to upload multiple TLS certificates can create problems. We have this in scope to change it in the future.

How do I change my TLS certificate?

You can change your TLS certificate by logging into your developer account. Then go to "My Apps" and select the app you want to change the TLS certificate off. Click in the right corner "Edit" and upload your TLS certificate in PEM format.

How do I configure multiple OAuth redirect URLs for my application?

When creating or editing your application, you can provide multiple OAuth URLs in the "OAuth Redirect URI" field. Separate them with a comma like so:

https://your-app.com,https://your-app.nl

When you supply multiple URLs, you need to specify which one we should use when you redirect the user to the authorization URL.

What is the difference between a SEPA EU credit transfer and a Cross Border credit transfer?

All payments in EUR to countries in the SEPA region are SEPA EU payments. Payments in EUR outside the SEPA region and all non-EUR payments are Cross Border credit transfers. To initiate these payments you need to use a different endpoint then for the SEPA EU payments. Please check the API documentation.

How can we use the "In-app" consent flow to make it possible for the user to give consent without having the need for a Rabo-scanner?

We support both the Web and In-app consent flow. For the Web flow the Rabo scanner is mandatory and for the In-app flow consent can be given via the Rabo Bankieren App.

Prerequisites:

  • the Rabobank Bankieren app needs to be installed on and registered to the device. On iOS use Bankieren app version >= 6.7, on Android use Bankieren app >= 5.14.1
  • since the url is picked up from the device itself, the oAuth2 /authorize call should be done on the device. If not, the web flow will start.
What is a plan?

Plans specify the limitations and subscription details of how developers can use our API Products. A plan for instance includes rate limit setting for a product or specific API.

How to use OAuth 2.0?

Rabobank secured APIs use OAuth2 for authentication and authorization. When you succesfully pass the OAuth flow you receive a access token.

A detailed description on how to use OAuth2 can be found here.

How do I create a TLS certificate (x509)?

You can generate one yourself with openssl for example:

$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
How do I subscribe my application?

After you have created your application you can check our API marketplace and subscribe your application.

Where can I find OAuth 2.0 scopes?

To find OAuth 2.0 scopes first select a product, then select an API by clicking 'View reference' and lastly search for Scopes within the oAuth2.0 access code flow section.

API-calls fail although the same requests works fine in sandbox.

There can be multiple reasons why requests are failing. Most errors are self-explanatory. However, your request could be failing because it doesn't contain the "user-agent". Make sure you provide a user agent in your request.

I am getting a 429 (too many requests) HTTP status code. What went wrong?

The 429 HTTP status code indicates that your application exceeded the rate limit. Check the plan of the product you subscribed your application to for more information on rate limits.

I am getting a 401 (unauthorized) HTTP status code. What went wrong?

The possible reasons for a 401 HTTP status code:

  • The required client id or client secret has not been successfully provided.
  • Your application is not subscribed to the correct product.
  • The TLS certificate for your application was not provided in the developer portal.
  • The TLS certificate was not added to the API call.
  • The TLS certificate added to the API call does not match the one provided in the developer portal.
How can I migrate to a different version of the same product?

When migrating to a new version of a product you first need to unsubscribe your application from the current product. Now you can subscribe your application again to the desired version of the product.

How to use mutual TLS?
  1. Generate an x509 certificate and key pair.
  2. Register your application and paste the contents of your x509 certificate in PEM format.
  3. Use your prefered programming language or framework to create a secure request using the certificate and private key from step 1.

A more detailed description on how to use mutual TLS can be found here.

PSD2

Which accounts can I access?

You can access Rabobank current accounts that our clients use in Rabo Online Banking.

When will it be possible to use the PSD2 APIs?

Our Account Information, Payment Initiation and Confirmation Availability of Funds API are available in production.

Who can use the Account Information (AIS) APIs?

Only registered AISPs with a license from “De Nederlandsche Bank” can use the AIS APIs. AISPs that are registered in another member state need a passporting notification from “De Nederlandsche Bank”.

Who can use the Payment Initiation (PIS) APIs?

Only registered PISPs with a license from “De Nederlandsche Bank” can use the PIS APIs. PISP’s that are registered in another member state need a passporting notification from “De Nederlandsche Bank”.

How do I create the digest header?

The digest is a base64 encoded hash of the body: Base64(SHA512(body))

  1. Take the body of your request or an empty string if there is no body.
  2. Pass the body through the SHA512 hashing algorithm (SHA256 is also allowed).
  3. Make sure the hashed output is binary. In other words; do not convert it to a string.
  4. Base64 encode the output.
  5. Add the result to your Digest header and make sure that you declare which hashing algorithm you have used.

An example of the digest header for an empty body using SHA256 or SHA512:

Digest: SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
Digest: SHA-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==

For more information about siging read Signing requests for Rabobank APIs

When can a future dated payment be deleted?

You can only delete future dated payments with the status ACSP.

Which types of statuses does the Rabobank provide?

Through the PAIN.002 you can retrieve status information on the submitted bulk file(s) (RECEIVED or REJECTED). In addition you can find status information on the batches in the bulk file and the individual transactions in the batches.

Which users can sign bulk files?

The same users who are authorized to sign bulk files in Rabo Internet Banking (Professional). The accountholder or administrator have the possibility in Rabo Internet Banking Professional to change the authorizations regarding which users can sign bulk files

Which accounts can I access to initiate bulk payments?

You can access Rabobank Business accounts that our client use in Rabo Internetbanking.

The execution of the bulk file needs to be authorized by more than one person. What do I do?

You can initiate the first signature through the API. A possible second signature needs to be authorized within Rabo Internet Banking.

Which banks participate in Instant Payments?

The following banks participate from mid-2019: Rabobank, ING, ABN Amro, Volksbank (SNS, Regio Bank and ASN), Knab.

When will a Credit Transfer be processed as an Instant Payment (Credited directly)?

Rabobank will process credit transfers via Instant Payments, in case the beneficiary bank is participating in instant payments (Also see “which banks participate in Instant Payments”).

If the account of the recipient is not at one of these banks, we will process the payment according to the timelines of a SEPA credit transfer. This means that a payment to another bank takes more time and that the amount is not credited on the account of the recipient in the evenings and at the weekend. We inform the user about this during authorisation of the payment.

Using the Signature header

Please read our extensive explanation on how to sign PSD2 requests with your eIDAS QSEAL certificate.

Where to find a Qualified Trust Service Provider (QTSP)

You can find a list of QTSPs in the Trusted List Browser at https://webgate.ec.europa.eu/tl-browser/.

I enrolled for PSD2 but I didn't get an email from Rabobank

After you enroll you should receive an email with an activation link within 8 working hours. If you didn't receive this email, check if you are using the correct email address, also check your spam-folder. If you still need help contact us.

My activation link is not working after using the PSD2 enrollment API

You need to activate your account within 24 hours otherwise the link expires. You cannot request a new activation link yourself.

In case of an expired activation link please contact us.

I received an error message during PSD2 enrollment, what can I do?

Please check whether the company name stated on the Certificate and in the NCA register are identical. If they are, please contact us.

I can see all APIs after the PSD2 enrollment, may I use them all?

No, you may only use the PSD2 APIs for which you are licensed by your National Competent Authority.

Which type of payments can be deleted?

You can delete future dated payments and recurring payments containing single Euro Credit Transfer (SEPA) and cross border payments (non-SEPA).

Need help with an API, have account related issues or a question about something else? Please get in touch with our support team.