Examples for generating certificates for MTLS, JWT Signing and registering to OP's PSD2 Sandbox
TPP Registration Example Code For Sandbox

This module contains Java code for

  1. Generating Certificates for MTLS and JWT Signing and
  2. Registering to OP's PSD2 Sandbox.

For information on the details, see the source code and the TPP setup page.


  • Java 11
  • Maven
  • Api Key: Register an app on OP Developer and subscribe to one or more PSD2 sandbox APIs. The API key is the value labeled APP_API_KEY.
  • Fill in the required values in (in the root directory of this project).

Key Explanation Example value
tpp.registration.register.url URI of the registration service. Only change this if you know the service URI has changed.
tpp.client.cert.generation.url URI of the certificate generation service (incl. query marker "?"). Only change this value if you know the URI has changed.
The redirect URIs you want to register for your application. A comma-separated list of redirect URIs. These URIs do not have to match the values you may have provided on OP Developer. https://localhost:8181,https://localhost:8080
PSD2 license roles available to you. A comma-separated list of roles. In sandbox, you may choose whichever roles you like. AIS,PIS,CPBII
Name of your software client. Choose this as you wish.
Home domain of your software client.
tpp.api.key API key of your client app. Obtained from OP Developer after client app registration. fejw019ghawbv78oatuio
Common Name of the TPP company.

Getting started

  1. Clone the repository and install the required dependencies
  2. Build and run the project
     mvn clean package
     java -jar target/oop-registration-example-fat.jar


After successful registration, you will find four new files in the project directory.

Filename Explanation
client.crt This is your client certificate, emulating QWAC. Present this any time you want to establish a mutually authenticated TLS connection.
key.pem Private key corresponding to the certificate in client.crt. Used for encrypting traffic and must be used when establishing mutually authenticated TLS.
OP-TEST-TPP-<generated-tpp-id>-client.p12 P12 keystore. Password and passphrase will be "test" unless you modify the code to change them. Store the tpp id as it is needed with authorization requests.
ssa-signing-key.pem Your private key for signing JWTs, emulating QSEALC. Used for signing the SSA and registration JWT, but ALSO used for signing authorization request JWTs. Use ES256 asymmetric signing.
registration-result.txt Details of the registration. This file will contain e.g. client_id, client_secret, ssaSigningKid, and all other information related to your client app.
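
ES256 signing as described for ssa-signing-key.pem above, using only JDK 11 classes. This is an added example, not code from this project: the class name, the freshly generated key pair standing in for ssa-signing-key.pem, and the iss/iat claims are assumptions, and the claims OP's APIs actually require are not listed on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class Es256JwtExample {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // JWS ES256: ECDSA P-256 with SHA-256; the signature is raw R||S (64 bytes), not ASN.1 DER.
    static String sign(String headerJson, String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String signingInput = B64URL.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + B64URL.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withECDSAinP1363Format"); // available since Java 9
        s.initSign(key);
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(s.sign());
    }

    static boolean verify(String jwt, PublicKey key) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        byte[] sig = Base64.getUrlDecoder().decode(parts[2]);
        if (sig.length != 64) return false; // reject DER-encoded or truncated signatures
        Signature s = Signature.getInstance("SHA256withECDSAinP1363Format");
        s.initVerify(key);
        s.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for ssa-signing-key.pem: a fresh P-256 key pair.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        // Placeholder values; take the real ones from registration-result.txt.
        String header = "{\"alg\":\"ES256\",\"typ\":\"JWT\",\"kid\":\"<ssaSigningKid>\"}";
        String payload = "{\"iss\":\"<client_id>\",\"iat\":" + System.currentTimeMillis() / 1000 + "}";

        String jwt = sign(header, payload, kp.getPrivate());
        System.out.println(jwt);
        System.out.println("verifies: " + verify(jwt, kp.getPublic()));
        // Swapping the payload after signing must make verification fail.
        String emptyClaims = B64URL.encodeToString("{}".getBytes(StandardCharsets.UTF_8));
        String tampered = jwt.replaceFirst("\\.[^.]+\\.", "." + emptyClaims + ".");
        System.out.println("tampered verifies: " + verify(tampered, kp.getPublic()));
    }
}
```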

For more information on certificates and PSD2 APIs see OP Developer.


This project is licensed under the terms of the MIT license.

