Check our FAQs below to find the help you need.

General

I want to change my email address in the Rabobank developer portal, how should I do this?

To change your email, the owner of your developer organization should send an invite to your new email address. 

If you are the owner of the developer organization, make sure to change ownership to your new email address.

Rabobank cipher suites policy

To facilitate a secure connection to its APIs, Rabobank supports the following cipher suites for TLS.

TLSv1.3
IANA Cipher Name                                OpenSSL Hexcode
TLS_AES_256_GCM_SHA384                          0x1302
TLS_CHACHA20_POLY1305_SHA256                    0x1303
TLS_AES_128_GCM_SHA256                          0x1301

TLSv1.2
IANA Cipher Name                                OpenSSL Hexcode
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384         0xc02c
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256         0xc02b
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384           0xc030
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256           0xc02f
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   0xcca9
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xcca8

Rabobank will inform you when this list will be updated. You can expect this information at least three months before the protocol versions or cipher suites are set to be removed from the Production environment, unless an immediate action is required due to security risks.

To ensure smooth working, you are required to update your environment(s) that use these ciphers.

If you encounter any problems while testing or have questions, feel free to contact us.
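A way to check a client's TLS configuration against the cipher suite list above, as an added example that is not Rabobank code. It uses Python's standard ssl module; the OpenSSL cipher-string spellings in TLS12_OPENSSL are this example's mapping of the IANA names and do not appear on this page.

```python
import ssl

# Low 16 bits of the suite identifier -> IANA name, copied from the tables above.
POLICY = {
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# OpenSSL spellings of the six TLSv1.2 suites (assumed mapping, table order).
TLS12_OPENSSL = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
])


def outside_policy(ciphers):
    """Names of enabled suites whose identifier is not in POLICY."""
    return [c["name"] for c in ciphers if (c["id"] & 0xFFFF) not in POLICY]


def offered_from_policy(ciphers):
    """IANA names of the policy suites this client would actually offer."""
    ids = {c["id"] & 0xFFFF for c in ciphers}
    return [name for code, name in POLICY.items() if code in ids]


def policy_context():
    """Client context restricted to TLS 1.2+ and the listed TLSv1.2 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_OPENSSL)  # TLS 1.3 suites are not changed by this call
    return ctx


if __name__ == "__main__":
    default = ssl.create_default_context().get_ciphers()
    print("default context, outside policy:", outside_policy(default))
    print("restricted context offers:",
          offered_from_policy(policy_context().get_ciphers()))
```

An empty result from offered_from_policy means the client shares no suite with the list and the handshake would fail.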

What certificates are accepted for PSD2 and premium APIs?

The server certificate of api.rabobank.nl is an Extended Validation (EV) certificate.

Premium APIs

Rabobank accepts: 

  • EV SSL certificates from the certificate issuers listed in the Mozilla CA Certificate report.
  • X.509 format
  • RSA: key length should be at least 2048-bit
  • Certificate should be valid for a maximum of one year.

PSD2 APIs

Rabobank currently accepts a QWAC certificate issued under the European eIDAS trust scheme, which can be found here: https://ec.europa.eu/digital-single-market/en/eu-trusted-lists

Info: This will be replaced in the future.

Can I use AIS to access my own account without a PSD2 eIDAS certificate?

You can access business accounts using our Business account Insight API. 

Info: This is not currently supported for retail accounts. We are working to introduce this product in the future.

I want to start using Rabobank production APIs. What do I need to do?

Once you have completed your development on our Sandbox environment you cannot automatically start using our production APIs.

For PSD2 APIs it is possible to get an account by using the PSD2 enrollment API if you are a certified AISP, PISP or CISP. Our Account Information, Payment Initiation and Confirmation Availability of Funds API are available in production.

For using non-PSD2 APIs in production, please refer to the overview page of the API you want to use to learn more about how to request access to production. 

How am I notified about the changes/updates to the APIs in my subscriptions?

You will receive an email about changes/updates with an indication of the impact and action needed.

I did not receive a verification email to activate my Sandbox account, what can I do?

You can try the following:

  • Check your junk email/spam box.
  • Clear your web browser cookies.
  • Use incognito mode of your web browser.
  • Try different web browsers, such as EDGE, Chrome, or Firefox.

If none of the above work, feel free to contact us using the contact form.

My activation link is not working, what can I do?

You can try to copy the link manually and paste it in the address bar of your browser.

The activation link is only valid for 24 hours. To request a new link, contact our support.

I am facing issues using a Rabobank API. Who can I talk to?

Our support team is always happy to guide you through our APIs. Describe your problem using our contact page and we will contact you shortly.

Can a minor give consent?

For now it is only possible for adults (18+) to give consent.

What is the difference between Sandbox and Production?

The main difference between Sandbox and Production is the data that is returned by the APIs.

Sandbox mimics interactions with Rabobank using example data based on production-like scenarios.

In Production, the live data is returned.

I have an idea for a new API. What can I do?

If you have a great idea for a new API please let us know. Go to our contact page to request an enhancement and share your thoughts with us.

API-usage

I have lost my client secret. How do I reset it?

To reset your client secret click 'My Apps' in the main menu, click on the application in question and then click the 'Reset' link in the 'Client Secret' section. Your new secret will be displayed.

Can I have two QSeal certificates active at the same time?

A QSeal certificate is sent with a request; we do not store your certificate.

It therefore is possible to have two valid QSeal certificates active at the same time, if your own system allows.

For more information, feel free to contact us.

I want to change my QSeal certificate, how can I do this?

When you have a new QSeal certificate you don’t have to change anything on our developer portal. 

A QSeal certificate is sent with the request, so you need to make sure you change the certificate in your own systems. 

Can I have two TLS certificates active at the same time?

It is not possible to have two TLS certificates active at the same time because currently you can only upload one TLS certificate (PEM format) to your application in the Rabobank developer portal.

We are working on the requirement to add two certificates for the future.

How do I change my TLS certificate?

To change your TLS certificate:

  1. Log in to the Rabobank developer portal.
  2. Go to My Apps and select the app for which you want to change the TLS certificate. 
  3. Click Edit and upload your TLS certificate in PEM format.
  4. Click Save.

How do I configure multiple OAuth redirect URLs for my application?

When creating or editing your application, you can provide multiple OAuth URLs in the "OAuth Redirect URI" field. Separate them with a comma like so:

https://your-app.com,https://your-app.nl

When you supply multiple URLs, you need to specify which one we should use when you redirect the user to the authorization URL.

What is the difference between a SEPA EU credit transfer and a Cross Border credit transfer?

All payments in EUR to countries in the SEPA region are SEPA EU payments. Payments in EUR outside the SEPA region and all non-EUR payments are Cross Border credit transfers. To initiate these payments you need to use a different endpoint than for the SEPA EU payments. Please check the API documentation.

How can we use the "In-app" consent flow to make it possible for the user to give consent without having the need for a Rabo-scanner?

We support both the Web and In-app consent flow. For the Web flow, the Rabo scanner is mandatory and for the In-app flow consent can be given using the Rabo Bankieren App.

Prerequisites:

  • The Rabobank Bankieren app should be installed on and registered to the device being used to give consent. Supported versions:
    • iOS: Bankieren app version >= 6.7
    • Android: Bankieren app version >= 5.14.1
  • The URL is picked up from the device; the OAuth2 /authorize call should be executed on the device. If this is not available, the web flow is initiated.

What is a plan?

Plans specify the limitations and subscription details of how developers can use our API Products. A plan includes, for instance, rate limit settings for a product or specific API.

How do I subscribe my application?

After you have created your application you can check our API marketplace and subscribe your application.

Where can I find OAuth 2.0 scopes?

To find OAuth 2.0 scopes, first select a product, then select an API by clicking 'View reference', and lastly search for Scopes within the OAuth 2.0 access code flow section.

I am getting a 429 (too many requests) HTTP status code. What went wrong?

The 429 HTTP status code indicates that your application exceeded the rate limit. Check the plan of the product you subscribed your application to for more information on rate limits.

I am getting a 401 (unauthorized) HTTP status code. What went wrong?

The possible reasons for a 401 HTTP status code:

  • The required client id or client secret has not been successfully provided.
  • Your application is not subscribed to the correct product.
  • The TLS certificate for your application was not provided in the developer portal.
  • The TLS certificate was not added to the API call.
  • The TLS certificate added to the API call does not match the one provided in the developer portal.

How can I migrate to a different version of the same product?

When migrating to a new version of a product, you first need to unsubscribe your application from the current product. You can then subscribe your application to the desired version of the product.

How to use mutual TLS?

To use Mutual TLS:

  1. Generate an x509 certificate and key pair.
  2. Register your application and paste the contents of your x509 certificate in PEM format.
  3. Use your preferred programming language or framework to create a secure request, using the certificate and private key.

A more detailed description on how to use mutual TLS can be found here.

API calls fail although the same requests work fine in sandbox.

There can be multiple reasons why requests are failing. Most errors are self-explanatory. However, your request could be failing because it doesn't contain the "user-agent". Make sure you provide a user agent in your request.

How to use OAuth 2.0?

Rabobank secured APIs use OAuth2 for authentication and authorization. When you successfully pass the OAuth flow you receive an access token.

A detailed description on how to use OAuth2 can be found here.

How do I create a TLS certificate (x509)?

You can generate one yourself with openssl for example:

$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

PSD2

The execution of the bulk file must be authorized by more than one person. How can I do this?

You can initiate the first signature using the redirect link provided by the API. A possible second signature needs to be authorized using Rabo Internet Banking.

Which accounts can I access to initiate bulk payments?

You can access Rabobank Business accounts used by the clients through Rabo Internetbanking.

Info: Retail and Savings accounts are not yet accessible.

Can a payment with a future date be deleted?

You can only delete future dated payments with ACSP status.

ACSP - The payment is signed but not yet processed.

How to use the Signature header?

Read how to sign PSD2 requests with your eIDAS QSEAL certificate.

How do I create the digest header?

The digest is a base64 encoded hash of the body: Base64(SHA512(body))

  1. Take the body of your request or an empty string if there is no body.
  2. Pass the body through the SHA512 hashing algorithm (SHA256 is also allowed).
  3. Make sure the hashed output is binary. In other words, do not convert it to a string.
  4. Base64 encode the output.
  5. Add the result to your Digest header and make sure that you declare which hashing algorithm you have used.

An example of the digest header for an empty body using SHA256 or SHA512:

Digest: SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
Digest: SHA-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==

For more information about signing, read Signing requests for Rabobank APIs.
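The digest steps above in code, as an added example that is not Rabobank code. It also shows the step 3 mistake (Base64 over the hex string) and a check that a header value matches a given body; the function names and the sample JSON body are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Algorithms the FAQ allows, keyed by the label used in the Digest header.
ALGORITHMS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def digest_header(body: bytes = b"", algorithm: str = "SHA-512") -> str:
    """Return the Digest header value for the exact bytes sent on the wire."""
    raw = ALGORITHMS[algorithm](body).digest()      # binary hash (step 3)
    return f"{algorithm}={base64.b64encode(raw).decode('ascii')}"


def wrong_digest_header(body: bytes = b"", algorithm: str = "SHA-512") -> str:
    """The step 3 mistake: Base64 over the hex string, not the raw bytes."""
    hex_text = ALGORITHMS[algorithm](body).hexdigest().encode("ascii")
    return f"{algorithm}={base64.b64encode(hex_text).decode('ascii')}"


def digest_matches(header_value: str, body: bytes) -> bool:
    """Recompute the digest for body and compare it with a header value."""
    algorithm, sep, _ = header_value.partition("=")
    if not sep or algorithm not in ALGORITHMS:
        return False                                 # unknown or missing label
    expected = digest_header(body, algorithm)
    return hmac.compare_digest(expected.encode(), header_value.encode())


if __name__ == "__main__":
    payload = b'{"example": "constructed body"}'    # constructed sample body
    print("Digest:", digest_header(payload))
    print("Digest:", digest_header(b"", "SHA-256"))
    print("hex mistake:", wrong_digest_header(b"", "SHA-256"))
    # Re-serialising the JSON changes the bytes, so the digest no longer matches.
    print(digest_matches(digest_header(payload), payload.replace(b" ", b"")))
```

Compute the digest over the same byte string that is sent as the request body; any re-serialisation after hashing produces a mismatch.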

Where to find a Qualified Trust Service Provider (QTSP)

You can find a list of QTSPs in the Trusted List Browser at https://webgate.ec.europa.eu/tl-browser/.

I enrolled for PSD2 but I didn't get an email from Rabobank

After you enroll you should receive an email with an activation link within 8 working hours. If you didn't receive this email, check that you are using the correct email address and check your spam folder. If you still need help, contact us.

My activation link is not working after using the PSD2 enrollment API.

The activation link is only valid for 24 hours. To request a new link, contact our support.

I received an error message during PSD2 enrollment, what can I do?

Please check whether the company name stated on the Certificate and in the NCA register are identical. If they are, please contact us.

Which type of payments can be deleted?

You can delete future dated payments and recurring payments containing single Euro Credit Transfer (SEPA) and cross border payments (non-SEPA).

Need help with an API, have account related issues or a question about something else? Please get in touch with our support team.