Check our FAQs below to find the help you need.
General
If you forgot your password, you can reset it here.
To facilitate a secure connection to its APIs, Rabobank supports the following cipher suites for TLS.
TLSv1.3

IANA Cipher Name | OpenSSL Hexcode |
---|---|
TLS_AES_256_GCM_SHA384 | 0x1302 |
TLS_CHACHA20_POLY1305_SHA256 | 0x1303 |
TLS_AES_128_GCM_SHA256 | 0x1301 |

TLSv1.2

IANA Cipher Name | OpenSSL Hexcode |
---|---|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 0xc02c |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 0xc02b |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xc030 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xc02f |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcca9 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcca8 |
Rabobank will inform you when this list will be updated. You can expect this information at least three months before the protocol versions or cipher suites are set to be removed from the Production environment, unless an immediate action is required due to security risks.
To ensure smooth working, you are required to update your environment(s) that use these ciphers.
If you encounter any problems while testing or have questions, feel free to contact us.
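A client can pin itself to the suites in the tables above and audit what it actually offers. The following is an added example, not Rabobank code: the helper names are hypothetical, and the OpenSSL cipher-string names are the standard equivalents of the listed IANA names rather than values taken from this page.

```python
import ssl

# (IANA name and code point as listed above, OpenSSL cipher-string name).
# The OpenSSL names are not on the page; they are the standard equivalents.
TLS12_SUITES = [
    ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),
    ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA9, "ECDHE-ECDSA-CHACHA20-POLY1305"),
    ("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305"),
]
TLS13_CODES = {0x1302, 0x1303, 0x1301}  # code points from the TLSv1.3 table
ALLOWED_CODES = TLS13_CODES | {code for _, code, _ in TLS12_SUITES}


def build_client_context() -> ssl.SSLContext:
    """Client context offering only the listed TLS 1.2 suites (hypothetical helper)."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites stay at the
    # OpenSSL defaults, so audit them with unlisted_suites() rather than assume.
    ctx.set_ciphers(":".join(name for _, _, name in TLS12_SUITES))
    return ctx


def unlisted_suites(ciphers) -> list:
    """Names of suites (dicts from SSLContext.get_ciphers()) not in the tables."""
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the IANA code point.
    return [c["name"] for c in ciphers if (c["id"] & 0xFFFF) not in ALLOWED_CODES]


if __name__ == "__main__":
    default = ssl.create_default_context()
    print("default context, unlisted:", unlisted_suites(default.get_ciphers()))
    restricted = build_client_context()
    print("restricted context, unlisted:", unlisted_suites(restricted.get_ciphers()))
```

Running the audit against your existing client configuration shows which suites would stop negotiating if the server list is narrowed further.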
The server certificate of api.rabobank.nl is an EV certificate (EV = Extended Validation). To be able to validate this certificate during the TLS handshake you should trust the Root CA that issued the certificate. For the api.rabobank.nl certificate you must trust the Root CA certificates from DigiCert and Sectigo that these companies use for signing EV certificates.
In the future we will replace the current EV certificate by a QWAC certificate issued under the European eIDAS trust scheme which can be found here: https://ec.europa.eu/digital-single-market/en/eu-trusted-lists
No, that is not possible. We are looking for possibilities to introduce the product in the near future.
Once you have completed your development on our Sandbox environment you cannot automatically start using our production APIs.
For PSD2 APIs it is possible to get an account by using the PSD2 enrollment API if you are a certified AISP, PISP or CISP. Our Account Information, Payment Initiation and Confirmation Availability of Funds API are available in production.
For using non-PSD2 APIs in production, please refer to the overview page of the API you want to use to learn more about how to request access to production.
When your email address changes, the owner of your developer organization needs to send an invite to your new address. It is not possible to change your email address.
If you are the owner of the developer organization, make sure to also change ownership to your new address.
You will receive an email about breaking changes with an indication of how long the old version will stay available.
Please check your spam-folder. If you still need help contact us via the contact form.
Check our other FAQs to find a solution to your problem.
Do you still need help? Go to our contact page to report a problem.
For now it is only possible for adults (18+) to give consent.
The main difference between Sandbox and Production is the data that is returned by the APIs. In Sandbox test data is returned while in Production live data is returned.
The Sandbox environment enables you to develop and test your application.
- Sandbox mimics all interactions with Rabobank just as we have in production.
- Sandbox allows you to fully test the OAuth2.0 process without needing a real Rabobank account.
- Sandbox APIs describe how to trigger specific functional or error responses.
If you have a great idea for a new API please let us know. Go to our contact page to request an enhancement and share your thoughts with us.
Try to copy the complete link manually and paste it in the address bar of your browser.
The link expires after 24 hours. In case of an expired activation link please contact us via the contact form.
API-usage
To reset your client secret click 'My Apps' in the main menu, click on the application in question and then click the 'Reset' link in the 'Client Secret' section. Your new secret will be displayed.
A rejection can have several causes. Please check if the correct endpoint is used and/or whether all mandatory fields are provided. Note that Cross Border payments require additional information compared to SEPA payments.
A QSeal certificate is sent with a request; we do not store your certificate. It is therefore possible to have two valid QSeal certificates active at the same time if your own systems can store this.
When you have a new QSeal certificate you don’t have to change anything on our developer portal. A QSeal certificate is sent with the request, so you need to make sure you change the certificate in your own systems. Because we do not store your certificate it is possible to have two valid QSeal certificates active at the same time if your own systems can store this.
It is not possible to have two TLS certificates active at the same time. Reason for this is that a TLS certificate needs to be uploaded in PEM format on our developer portal in your app, and at this moment we only have the option to add one. We are aware that not having the possibility to upload multiple TLS certificates can create problems. We have this in scope to change it in the future.
You can change your TLS certificate by logging into your developer account. Then go to "My Apps" and select the app whose TLS certificate you want to change. Click "Edit" in the right corner and upload your TLS certificate in PEM format.
When creating or editing your application, you can provide multiple OAuth URLs in the "OAuth Redirect URI" field. Separate them with a comma like so:
https://your-app.com,https://your-app.nl
When you supply multiple URLs, you need to specify which one we should use when you redirect the user to the authorization URL.
All payments in EUR to countries in the SEPA region are SEPA EU payments. Payments in EUR outside the SEPA region and all non-EUR payments are Cross Border credit transfers. To initiate these payments you need to use a different endpoint than for the SEPA EU payments. Please check the API documentation.
We support both the Web and In-app consent flow. For the Web flow the Rabo scanner is mandatory and for the In-app flow consent can be given via the Rabo Bankieren App.
Prerequisites:
- the Rabobank Bankieren app needs to be installed on and registered to the device. On iOS use Bankieren app version >= 6.7, on Android use Bankieren app >= 5.14.1
- since the URL is picked up from the device itself, the OAuth2 /authorize call should be made on the device. If not, the web flow will start.
Plans specify the limitations and subscription details of how developers can use our API Products. A plan for instance includes rate limit setting for a product or specific API.
Rabobank secured APIs use OAuth2 for authentication and authorization. When you successfully pass the OAuth flow you receive an access token.
A detailed description on how to use OAuth2 can be found here.
You can generate one yourself with openssl for example:
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
After you have created your application you can check our API marketplace and subscribe your application.
To find OAuth 2.0 scopes first select a product, then select an API by clicking 'View reference' and lastly search for Scopes within the oAuth2.0 access code flow section.
There can be multiple reasons why requests are failing. Most errors are self-explanatory. However, your request could be failing because it doesn't contain the "user-agent". Make sure you provide a user agent in your request.
The 429 HTTP status code indicates that your application exceeded the rate limit. Check the plan of the product you subscribed your application to for more information on rate limits.
The possible reasons for a 401 HTTP status code:
- The required client id or client secret has not been successfully provided.
- Your application is not subscribed to the correct product.
- The TLS certificate for your application was not provided in the developer portal.
- The TLS certificate was not added to the API call.
- The TLS certificate added to the API call does not match the one provided in the developer portal.
When migrating to a new version of a product you first need to unsubscribe your application from the current product. Now you can subscribe your application again to the desired version of the product.
- Generate an x509 certificate and key pair.
- Register your application and paste the contents of your x509 certificate in PEM format.
- Use your preferred programming language or framework to create a secure request using the certificate and private key from step 1.
A more detailed description on how to use mutual TLS can be found here.
PSD2
You can access Rabobank current accounts that our clients use in Rabo Online Banking.
Our Account Information, Payment Initiation and Confirmation Availability of Funds API are available in production.
Only registered AISPs with a license from “De Nederlandsche Bank” can use the AIS APIs. AISPs that are registered in another member state need a passporting notification from “De Nederlandsche Bank”.
Only registered PISPs with a license from “De Nederlandsche Bank” can use the PIS APIs. PISPs that are registered in another member state need a passporting notification from “De Nederlandsche Bank”.
The digest is a base64 encoded hash of the body: Base64(SHA512(body))
- Take the body of your request or an empty string if there is no body.
- Pass the body through the SHA512 hashing algorithm (SHA256 is also allowed).
- Make sure the hashed output is binary. In other words; do not convert it to a string.
- Base64 encode the output.
- Add the result to your Digest header and make sure that you declare which hashing algorithm you have used.
An example of the digest header for an empty body using SHA256 or SHA512:
Digest: SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
Digest: SHA-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
For more information about signing, read Signing requests for Rabobank APIs.
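The digest steps above as an added example (not Rabobank code; the function names and the sample body are constructed for illustration). It produces the header value from the raw hash bytes, shows the hex-string mistake the binary-output step warns against, and recomputes a digest to check a header against a body.

```python
import base64
import hashlib
import hmac

# Algorithms the page allows, keyed by the token used in the Digest header.
_ALGORITHMS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def digest_header(body: bytes = b"", algorithm: str = "SHA-512") -> str:
    """Return the Digest header value: <algorithm>=Base64(hash(body))."""
    if isinstance(body, str):
        raise TypeError("hash the exact bytes sent on the wire, not a str")
    if algorithm not in _ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    raw = _ALGORITHMS[algorithm](body).digest()  # binary output, not hexdigest()
    return f"{algorithm}={base64.b64encode(raw).decode('ascii')}"


def hex_mistake(body: bytes = b"", algorithm: str = "SHA-512") -> str:
    """The common error: Base64 of the hex string instead of the raw hash."""
    hexed = _ALGORITHMS[algorithm](body).hexdigest().encode("ascii")
    return f"{algorithm}={base64.b64encode(hexed).decode('ascii')}"


def digest_matches(header_value: str, body: bytes) -> bool:
    """Recompute the digest for body and compare it to a header value."""
    algorithm, sep, _ = header_value.partition("=")
    if not sep or algorithm not in _ALGORITHMS:
        return False
    expected = digest_header(body, algorithm)
    return hmac.compare_digest(expected.encode(), header_value.encode())


if __name__ == "__main__":
    body = b'{"constructed": "sample body"}'  # constructed sample, not a real payload
    print("Digest:", digest_header(b"", "SHA-256"))
    print("Digest:", digest_header(b"", "SHA-512"))
    print("Digest:", digest_header(body))
    print("wrong :", hex_mistake(b"", "SHA-256"))
```

Hash the same bytes you transmit: re-serialising a JSON body after computing the digest changes whitespace or key order and the digest no longer matches.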
You can only delete future dated payments with the status ACSP.
Through the PAIN.002 you can retrieve status information on the submitted bulk file(s) (RECEIVED or REJECTED). In addition you can find status information on the batches in the bulk file and the individual transactions in the batches.
The same users who are authorized to sign bulk files in Rabo Internet Banking (Professional). The accountholder or administrator has the possibility in Rabo Internet Banking Professional to change the authorizations regarding which users can sign bulk files.
You can access Rabobank Business accounts that our clients use in Rabo Internetbanking.
You can initiate the first signature through the API. A possible second signature needs to be authorized within Rabo Internet Banking.
The following banks participate from mid-2019: Rabobank, ING, ABN Amro, Volksbank (SNS, Regio Bank and ASN), Knab.
Rabobank will process credit transfers via Instant Payments, in case the beneficiary bank is participating in instant payments (Also see “which banks participate in Instant Payments”).
If the account of the recipient is not at one of these banks, we will process the payment according to the timelines of a SEPA credit transfer. This means that a payment to another bank takes more time and that the amount is not credited on the account of the recipient in the evenings and at the weekend. We inform the user about this during authorisation of the payment.
Please read our extensive explanation on how to sign PSD2 requests with your eIDAS QSEAL certificate.
You can find a list of QTSPs in the Trusted List Browser at https://webgate.ec.europa.eu/tl-browser/.
After you enroll you should receive an email with an activation link within 8 working hours. If you didn't receive this email, check if you are using the correct email address and also check your spam-folder. If you still need help, contact us.
You need to activate your account within 24 hours otherwise the link expires. You cannot request a new activation link yourself.
In case of an expired activation link please contact us.
Please check whether the company name stated on the Certificate and in the NCA register are identical. If they are, please contact us.
No, you may only use the PSD2 APIs for which you are licensed by your National Competent Authority.
You can delete future dated payments and recurring payments containing single Euro Credit Transfer (SEPA) and cross border payments (non-SEPA).