Dynamic Client Registration
Application Registration
Metro Bank is only accepting registrations from organisations that are authorised by the Financial Conduct Authority (FCA).
To register an app with Metro Bank, please follow the steps below:
- Obtain a Qualified website authentication certificate (QWAC) for non-UK-based TPPs - As a first step towards registering your client app with Metro Bank, please obtain a valid QWAC certificate from a recognized QTSP.
- Obtain an Open Banking website authentication certificate (OBWAC) for UK-based TPPs - As a first step towards registering your client app with Metro Bank, please obtain a valid OBWAC certificate from Open Banking.
- Obtain a Software Statement Assertion (SSA) from the Open Banking Implementation Entity - Please enrol with Open Banking in the UK and follow their guidelines for generating an SSA.
- Register your client application - When you have the QWAC and SSA, or the OBWAC and SSA, use our Dynamic Client Registration (DCR) API, designed in accordance with OBIE's DCR specification V3.1, to onboard your client app with us.
- Retrieve your registered app details - Metro Bank's DCR API will provide a resource for you to retrieve the details of a registered app.
Dynamic Client Registration API
Metro Bank requires that API requests are made over a connection secured with mutual TLS. Please use the QWAC or OBWAC to establish the mutual TLS connection with our APIs available at the host https://api.metrobankonline.co.uk
Registering a new application
To register a new app, please use the /register API resource on the DCR API.
If you already use Metro Bank’s APIs, please ensure that you use a different app name for DCR.
Sample DCR API request and response
API Request:
```
HOST https://api.metrobankonline.co.uk
POST /open-banking/v3.1/dcr/register HTTP/1.1
Content-Type: application/jwt
Accept: application/json

eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IllvdXIgUVdBQyBvciBPQldBQyBLaWQifQ.{base64url-encoded JWT payload}.cUDoxriqAlFTVu8oCZvA3noYL4c_RWTC83yeOWxEPZnTsP2CuDGFtTIVgjvtKsAkNblLsVxCjJk8bCFz4RRzbgGi3ITGu6bEMYd9sKcfFLvsFpPPH7Z6iDBqgkvjjx0F1WNzbKO_A6U_eKZjFBQuQVtrxHy82lo3XonV41eG0_B3tUfUXyPTxw1NiEdtgcTNqICGcz7JBASVE1qP4muoVGdSAFiVmbZ11bxU7yUuJGH8GsPOHwPkN30lzjnBzsfwkaVvRgn68bdgkSDHpnV8SdpCW8-fG-yDxUfXbqlo7TYmDKePS5fK-VqSvobqz7td0ecMERhnyOKlzJ3_4BpzWA
```
The table below provides guidance on the claims in the request JWT.
Parameter Name | Description | M/O |
---|---|---|
iss | Identifier for the TPP. | M |
iat | The time at which the request was issued by the TPP expressed as "seconds since the epoch". | M |
exp | The time at which the request expires expressed as seconds since the epoch. | M |
aud | This should be the unique identifier for the ASPSP issued by the issuer of the software statement. | M |
jti | A unique identifier for the JWT. | M |
redirect_uris | Registered URIs the TPP will use to interact with the ASPSP Authorization Server. Metro Bank currently accepts only one redirect URI and that needs to be present in the SSA. | M |
token_endpoint_auth_method | Specifies which token endpoint authentication method the TPP wants to use. Metro Bank accepts tls_client_auth. | M |
grant_types | A JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token. Metro Bank supports and requires the grant types: client_credentials, authorization_code, refresh_token. | M |
response_types | A JSON array specifying what the TPP can request to be returned from the ASPSP authorisation endpoint. Metro Bank accepts and requires: code id_token. Defaults to code id_token if not specified / specified with an empty array. | O |
software_id | If specified, the software_id in the request MUST match the software_id specified in the SSA. | O |
scope | Scopes the client is asking for. Metro Bank accepts any combination of values openid, accounts, payments, where value openid is mandatory. Default value openid, accounts, payments. | O |
software_statement | Software statement assertion issued by Open Banking. It is advisable to have the app name different from any existing app registered with us using developer portal registration. | M |
application_type | Type of application. Metro Bank accepts web, mobile. | M |
id_token_signed_response_alg | Algorithm which the TPP expects to sign the id_token, if an id_token is returned. Metro Bank accepts PS256 only. | M |
request_object_signing_alg | Algorithm which the TPP expects to sign the request object if a request object will be part of the authorization request sent to the ASPSP. Metro Bank accepts PS256 only. | M |
token_endpoint_auth_signing_alg | Algorithm which the TPP uses to authenticate with the token endpoint if using private_key_jwt or client_id_jwt. Metro Bank accepts PS256 only. | O |
tls_client_auth_dn | This value must be set if token_endpoint_auth_method is set to tls_client_auth. | M |
Please use the QWAC or OBWAC to sign the JWT payload.
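A pre-flight check of the request claims against the constraints in the table above, as an added example (not Metro Bank's or OBIE's code). It assumes the SSA payload carries `software_id` and `software_redirect_uris`, accepts `scope` as a space-separated string or an array, and decodes the SSA without verifying its signature; the sample SSA and claims are constructed.

```python
import base64, json

MANDATORY = ("iss", "iat", "exp", "aud", "jti", "redirect_uris", "grant_types",
             "token_endpoint_auth_method", "software_statement", "application_type",
             "id_token_signed_response_alg", "request_object_signing_alg",
             "tls_client_auth_dn")
ALLOWED = {"token_endpoint_auth_method": ["tls_client_auth"],  # first value = default
           "application_type": ["web", "mobile"],
           "response_types": [["code id_token"], []],
           "id_token_signed_response_alg": ["PS256"],
           "request_object_signing_alg": ["PS256"],
           "token_endpoint_auth_signing_alg": ["PS256"]}
GRANTS = {"client_credentials", "authorization_code", "refresh_token"}
SCOPES = {"openid", "accounts", "payments"}

def b64json(obj):  # helper used only to build the constructed sample SSA
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
def jwt_payload(token):  # inspection only: the signature is NOT verified here
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_dcr_claims(claims):
    """Return the list of rule violations; an empty list means the claims fit."""
    errs = ["missing mandatory claim: " + n for n in MANDATORY if not claims.get(n)]
    for field, allowed in ALLOWED.items():
        if claims.get(field, allowed[0]) not in allowed:
            errs.append(field + " has a value Metro Bank does not accept")
    if set(claims.get("grant_types", [])) != GRANTS:
        errs.append("grant_types must be exactly the three required grant types")
    scope = claims.get("scope", "openid accounts payments")
    scopes = set(scope.split() if isinstance(scope, str) else scope)
    if "openid" not in scopes or not scopes <= SCOPES:
        errs.append("scope must include openid and only the three accepted values")
    if claims.get("software_statement"):
        ssa = jwt_payload(claims["software_statement"])
        uris = claims.get("redirect_uris") or []
        # Assumption: the SSA lists its redirect URIs under software_redirect_uris.
        if len(uris) != 1 or uris[0] not in ssa.get("software_redirect_uris", []):
            errs.append("exactly one redirect URI, and it must appear in the SSA")
        if claims.get("software_id", ssa.get("software_id")) != ssa.get("software_id"):
            errs.append("software_id does not match the SSA")
    return errs

# Constructed sample data: an unsigned stand-in SSA and a request that fits the table.
SAMPLE_SSA = ".".join([b64json({"alg": "none"}), b64json(
    {"software_id": "sw-1", "software_redirect_uris": ["https://tpp.example/cb"]}), "sig"])
SAMPLE = {**dict.fromkeys(MANDATORY, "constructed"), "iat": 1700000000, "exp": 1700000300,
          **{f: v[0] for f, v in ALLOWED.items()}, "software_statement": SAMPLE_SSA,
          "redirect_uris": ["https://tpp.example/cb"], "grant_types": sorted(GRANTS)}
```

Running `check_dcr_claims` on the claims before signing catches a rejected registration locally, for example a redirect URI that is not in the SSA or a signing algorithm other than PS256.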
API Response:
```
HTTP/1.1 201 Created
Content-Type: application/json

{
  "client_id": "Some Value",
  "client_secret": "Some Value",
  "client_id_issued_at": 2893256800,
  "client_secret_expires_at": 0,
  "redirect_uris": [ "Your Specified Redirect URI" ],
  "token_endpoint_auth_method": "tls_client_auth",
  "grant_types": [ "refresh_token", "client_credentials", "authorization_code" ],
  "software_id": "Your Specified Software Id",
  "scope": [ "openid", "accounts", "payments" ],
  "software_statement": "Your specified software statement",
  "application_type": "web",
  "id_token_signed_response_alg": "PS256",
  "request_object_signing_alg": "PS256",
  "token_endpoint_auth_signing_alg": "PS256",
  "tls_client_auth_dn": "Your SpecifiedCertificate Auth DN"
}
```
Please keep a note of the client credentials of the newly generated app.
Retrieve information about your registered application
To retrieve the details about a registered app, an access token is required.
Please use the app credentials from the registration response to request an access token.
When you have an access token, please provide it as a bearer token to receive the information about your registered app.
Sample access token request and response
API Request:
```
HOST https://api.metrobankonline.co.uk
POST /identity/v1/token HTTP/1.1
Authorization: Basic {base64 encoded value of {client_id}:{client_secret}}
Content-Type: application/x-www-form-urlencoded

scope=read&grant_type=client_credentials
```
API Response:
```
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "Some Value",
  "token_type": "Bearer",
  "expires_in": 32399
}
```
The following is a sample request and response for the app information retrieval API.
Sample client app registration retrieval request and response
API Request:
```
HOST https://api.metrobankonline.co.uk
GET /open-banking/v3.1/dcr/register/{client_id} HTTP/1.1
Accept: application/json
Authorization: Bearer {Generated access token}
```
API Response:
```
HTTP/1.1 200 OK
Content-Type: application/json

{
  "client_id": "Some Value",
  "client_secret": "Some Value",
  "client_id_issued_at": 2893256800,
  "client_secret_expires_at": 0,
  "redirect_uris": [ "Your Specified Redirect URI" ],
  "token_endpoint_auth_method": "tls_client_auth",
  "grant_types": [ "refresh_token", "client_credentials", "authorization_code" ],
  "software_id": "Your Specified Software Id",
  "scope": [ "openid", "accounts", "payments" ],
  "software_statement": "Your specified software statement",
  "application_type": "web",
  "id_token_signed_response_alg": "PS256",
  "request_object_signing_alg": "PS256",
  "token_endpoint_auth_signing_alg": "PS256",
  "tls_client_auth_dn": "Your SpecifiedCertificate Auth DN"
}
```
For additional information on the API, please refer to the Open Banking DCR specification.