How to use mutual TLS

Some Rabobank APIs are protected with an extra layer of security. Clients (apps) that call these APIs are authenticated with an X.509 certificate and use mutual TLS (mTLS) to encrypt the traffic.

If an API requires a registered X.509 client certificate, this will be stated in the API reference documentation in the Security section.

If your application wants to use these mTLS protected APIs, you must complete these extra steps:

  1. Getting an X.509 certificate.
  2. Register the certificate on the Rabobank Developer Portal.
  3. Configure your client software to use the certificate during the TLS handshake.

Step 1: Getting an X.509 certificate

Which certificate you use depends on the API and the environment:

  • For PSD2 APIs, you must use a Qualified Certificate for Website Authentication (QWAC certificate). Use a certificate issued by the Qualified Trust Service Provider of your choice.
  • For Premium APIs, please check: Which certificates do we support.
  • In the sandbox environment, you can use our example certificate. See: Signing requests for PSD2 APIs.

Step 2: Register the certificate on the Rabobank Developer Portal


  • You must register your app before you can register the certificate.
  • You can only register one TLS certificate per app.

To register the certificate:

  1. Log in to the Rabobank developer portal.
  2. Click My Apps.
  3. Select the app that will make the TLS protected requests.
  4. Click Edit.
  5. Click on the TLS Certificate field and paste your TLS client certificate. This certificate must be in PEM format. For more information, see RFC7468.
  6. Click Submit.
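A structural pre-check you can run on the text before pasting it into the TLS Certificate field, as an added example that is not part of the Rabobank documentation or the portal's own validation. It checks the RFC 7468 framing and DER length only, not that the content is a valid X.509 certificate. The function names are hypothetical, and it assumes the field expects exactly one CERTIFICATE block and never a private key.

```python
import base64
import binascii
import re

# RFC 7468 textual encoding: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def der_is_single_sequence(der):
    """True if der is one SEQUENCE whose length field covers the whole payload."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length: next n bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_portal_paste(text):
    """Return a list of problems; an empty list means the paste looks well-formed."""
    blocks = PEM_BLOCK.findall(text)
    problems = []
    if "PRIVATE KEY-----" in text:         # PKCS#8, RSA, EC and encrypted keys
        problems.append("contains a private key: paste only the certificate")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected exactly 1 CERTIFICATE block, found {len(certs)}")
    for body in certs:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("CERTIFICATE body is not valid base64")
            continue
        if not der_is_single_sequence(der):
            problems.append("decoded body is not a single DER SEQUENCE")
    return problems

def wrap_pem(label, der):
    """Build a PEM block; used here only to construct sample input."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed samples: minimal DER SEQUENCEs, not a real certificate or key.
SAMPLE_CERT = wrap_pem("CERTIFICATE", bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
SAMPLE_KEY = wrap_pem("PRIVATE KEY", bytes([0x30, 0x03, 0x02, 0x01, 0x00]))
```
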

Step 3: Configure your client software to use the certificate during the TLS handshake

This step assumes you have already subscribed your app to the product containing the API that requires an X.509 client certificate.

When your application calls an API that requires an X.509 client certificate, you must configure your software so it can use the private key and certificate.



curl \
--key REPLACE_WITH_ABSOLUTE_PATH_TO_KEY_FILE \
--cert REPLACE_WITH_ABSOLUTE_PATH_TO_CERT_FILE \
--header "x-ibm-client-id:REPLACE_WITH_CLIENT_ID" \
--verbose \
--insecure \
--location \
--cookie curlcookies REPLACE_WITH_API_URL

Explanation of the options:

Option       Description
--header     Add header to the request
--key        Absolute path to the key file
--cert       Absolute path to certificate file
--verbose    Verbose output
--insecure   Skip verification of the server certificate (you probably don't need this option)
--location   Follow redirects
--cookie     Use a cookiejar