Check our FAQs below to find the help you need.
General
To change your email, the owner of your developer organization should send an invite to your new email address.
If you are the owner of the developer organization, make sure to change ownership to your new email address.
To facilitate a secure connection to its APIs, Rabobank supports the following cipher suites for TLS.
TLSv1.3
IANA Cipher Name | OpenSSL Hexcode |
---|---|
TLS_AES_256_GCM_SHA384 | 0x1302 |
TLS_CHACHA20_POLY1305_SHA256 | 0x1303 |
TLS_AES_128_GCM_SHA256 | 0x1301 |
TLSv1.2
IANA Cipher Name | OpenSSL Hexcode |
---|---|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 0xc02c |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 0xc02b |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xc030 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xc02f |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcca9 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcca8 |
Rabobank will inform you when this list is updated. You can expect this information at least three months before the protocol versions or cipher suites are set to be removed from the Production environment, unless immediate action is required due to security risks.
To ensure smooth working, you are required to update your environment(s) that use these ciphers.
In case you encounter any problems while testing or have questions, feel free to contact us.
On July 9th 2025, the cipher suites containing RSA in the name will be disabled on live endpoints (already disabled in Sandbox):
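A client-side check for the change described above, as an added example that is not part of Rabobank's documentation: it sorts the suites a Python `ssl` context offers into those in the tables that stay, those with RSA in the name, and those not listed at all. The function names and the sample ids are assumptions made for this illustration.

```python
import ssl

# Code points and names copied from the TLSv1.3 and TLSv1.2 tables on this page.
SUPPORTED = {
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}


def audit_offered(cipher_ids):
    """Sort offered suites into keep / retiring (RSA in the name) / unsupported."""
    report = {"keep": [], "retiring": [], "unsupported": []}
    for cid in cipher_ids:
        code = cid & 0xFFFF  # low 16 bits of an OpenSSL cipher id are the code point
        name = SUPPORTED.get(code)
        if name is None:
            report["unsupported"].append(hex(code))
        elif "_RSA_" in name:
            report["retiring"].append(name)
        else:
            report["keep"].append(name)
    return report


def audit_context(ctx):
    """Audit a configured ssl.SSLContext (hypothetical helper name)."""
    return audit_offered(c["id"] for c in ctx.get_ciphers())


def tls12_depends_on_rsa(report):
    """True if the only TLS 1.2 suites shared with the table are RSA-named."""
    ecdsa = [n for n in report["keep"] if n.startswith("TLS_ECDHE_")]
    return bool(report["retiring"]) and not ecdsa


# Constructed sample: ids as ssl.SSLContext.get_ciphers() reports them.
SAMPLE_IDS = [0x0300C030, 0x0300C02F, 0x0300009E, 0x03001301]

if __name__ == "__main__":
    print(audit_offered(SAMPLE_IDS))
    print(tls12_depends_on_rsa(audit_context(ssl.create_default_context())))
```

Run `audit_context` against the exact context your HTTP client uses, since pinned cipher strings in application code are where RSA-only TLS 1.2 configurations tend to hide.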
The server certificate of api.rabobank.nl is an Extended Validation (EV) certificate.
Premium APIs
Rabobank accepts:
- EV SSL certificates from the certificate issuers listed in the Mozilla CA Certificate report.
- X.509 format
- RSA: key length should be at least 2048-bit
- Certificate should be valid for a maximum of one year.
PSD2 APIs
Rabobank currently accepts a QWAC certificate issued under the European eIDAS trust scheme; this can be found here: https://ec.europa.eu/digital-single-market/en/eu-trusted-lists.
Info: This will be replaced in the future.
You can access business accounts using our Business account Insight API.
Info: This is not currently supported for retail accounts. We are working to introduce this product in the future.
Once you have completed your development on our Sandbox environment you cannot automatically start using our production APIs.
For PSD2 APIs it is possible to get an account by using the PSD2 enrollment API if you are a certified AISP, PISP or CISP. Our Account Information, Payment Initiation and Confirmation Availability of Funds API are available in production.
For using non-PSD2 APIs in production, please refer to the overview page of the API you want to use to learn more about how to request access to production.
You will receive an email about changes/updates with an indication of the impact and action needed.
You can try the following:
- Check your junk email/spam box.
- Clear your web browser cookies.
- Use incognito mode of your web browser.
- Try different web browsers, such as Edge, Chrome, or Firefox.
If none of the above work, feel free to contact us using the contact form.
You can try to copy the link manually and paste it in the address bar of your browser.
The activation link is only valid for 24 hours. To request a new link, contact our support.
Our support team is always happy to guide you through our APIs. Describe your problem using our contact page and we will contact you shortly.
For now it is only possible for adults (18+) to give consent.
The main difference between Sandbox and Production is the data that is returned by the APIs.
Sandbox mimics interactions with Rabobank using example data based on production like scenarios.
In Production, the live data is returned.
If you have a great idea for a new API please let us know. Go to our contact page to request an enhancement and share your thoughts with us.
API-usage
To reset your client secret click 'My Apps' in the main menu, click on the application in question and then click the 'Reset' link in the 'Client Secret' section. Your new secret will be displayed.
A QSeal certificate is sent with a request, we do not store your certificate.
It is therefore possible to have two valid QSeal certificates active at the same time, if your own system allows.
For more information, feel free to contact us.
When you have a new QSeal certificate you don’t have to change anything on our developer portal.
A QSeal certificate is sent with the request, so you need to make sure you change the certificate in your own systems.
It is not possible to have two TLS certificates active at the same time because currently you can only upload one TLS certificate (PEM format) to your application in the Rabobank developer portal.
We are working on the requirement to add two certificates for the future.
To change your TLS certificate:
- Log in to the Rabobank developer portal.
- Go to My Apps and select the app for which you want to change the TLS certificate.
- Click Edit and upload your TLS certificate in PEM format.
- Click Save.
When creating or editing your application, you can provide multiple OAuth URLs in the "OAuth Redirect URI" field. Separate them with a comma like so:
https://your-app.com,https://your-app.nl
When you supply multiple URLs, you need to specify which one we should use when you redirect the user to the authorization URL.
All payments in EUR to countries in the SEPA region are SEPA EU payments. Payments in EUR outside the SEPA region and all non-EUR payments are Cross Border credit transfers. To initiate these payments you need to use a different endpoint than for the SEPA EU payments. Please check the API documentation.
We support both the Web and In-app consent flow. For the Web flow, the Rabo scanner is mandatory and for the In-app flow consent can be given using the Rabo Bankieren App.
Prerequisites:
- The Rabobank Bankieren app should be installed on and registered to the device being used to give consent. Available in versions:
  - iOS: Bankieren app version >= 6.7
  - Android: Bankieren app version >= 5.14.1
- The URL is picked up from the device, so the OAuth2 /authorize call should be executed on the device. If this is not available, the web flow is initiated.
Plans specify the limitations and subscription details of how developers can use our API Products. A plan for instance includes rate limit setting for a product or specific API.
After you have created your application you can check our API marketplace and subscribe your application.
To find OAuth 2.0 scopes, first select a product, then select an API by clicking 'View reference', and lastly search for Scopes within the OAuth 2.0 access code flow section.
The 429 HTTP status code indicates that your application exceeded the rate limit. Check the plan of the product you subscribed your application to for more information on rate limits.
The possible reasons for a 401 HTTP status code:
- The required client id or client secret has not been successfully provided.
- Your application is not subscribed to the correct product.
- The TLS certificate for your application was not provided in the developer portal.
- The TLS certificate was not added to the API call.
- The TLS certificate added to the API call does not match the one provided in the developer portal.
When migrating to a new version of a product, you first need to unsubscribe your application from the current product. You can then subscribe your application to the desired version of the product.
To use Mutual TLS:
- Generate an X.509 certificate and key pair.
- Register your application and paste the contents of your X.509 certificate in PEM format.
- Use your preferred programming language or framework to create a secure request, using the certificate and private key.
A more detailed description on how to use mutual TLS can be found here.
There can be multiple reasons why requests are failing. Most errors are self-explanatory. However, your request could be failing because it doesn't contain the "user-agent". Make sure you provide a user agent in your request.
Rabobank secured APIs use OAuth2 for authentication and authorization. When you successfully pass the OAuth flow you receive an access token.
A detailed description on how to use OAuth2 can be found here.
You can generate one yourself with openssl for example:
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
PSD2
You can initiate the first signature using the redirect link provided by the API. A possible second signature needs to be authorized using Rabo Internet Banking.
You can access Rabobank Business accounts used by the clients through Rabo Internetbanking.
Info: Retail and savings accounts are not yet accessible.
You can only delete future dated payments with ACSP status.
ACSP - The payment is signed but not yet processed.
Read how to sign PSD2 requests with your eIDAS QSEAL certificate.
The digest is a base64 encoded hash of the body: Base64(SHA512(body))
- Take the body of your request or an empty string if there is no body.
- Pass the body through the SHA512 hashing algorithm (SHA256 is also allowed).
- Make sure the hashed output is binary. In other words, do not convert it to a string.
- Base64 encode the output.
- Add the result to your Digest header and make sure that you declare which hashing algorithm you have used.
An example of the digest header for an empty body using SHA256 or SHA512:
Digest: SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
Digest: SHA-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
For more information about signing, read Signing requests for Rabobank APIs.
You can find a list of QTSPs in the Trusted List Browser at https://webgate.ec.europa.eu/tl-browser/.
After you enroll you should receive an email with an activation link within 8 working hours. If you didn't receive this email, check if you are using the correct email address, also check your spam-folder. If you still need help contact us.
The activation link is only valid for 24 hours. To request a new link, contact our support.
Please check whether the company name stated on the Certificate and in the NCA register are identical. If they are, please contact us.
You can delete future dated payments and recurring payments containing single Euro Credit Transfer (SEPA) and cross border payments (non-SEPA).