Q1 - What method of Application Layer Authentication will you use for securing calls made by OFP to Bank Connect ?

Select one

•  None
•  API Key
•  Client Credentials Grant
•  JWT Auth

Q2 - Will you be sending JWT Auth headers for calls to the Consent Manager and Authorisation Server?

Select one

•  Yes
•  No

Provide the API key that you require to be included as a Bearer token in calls to Ozone Connect.

The key is a shared secret.

We will specify a method for sharing this securely.

How often will this key be rotated?

Select one

•  Every 12 months
•  Never

Provide the URL of the well-known endpoint of the authorisation server used to get a client credentials grant.

The URL must return a payload compliant with OIDC discovery.

The response must include a token_endpoint that supports a client credentials grant.

What method of client authentication is used?

Select one of:

•  private_key_jwt
•  tls_client_auth
•  client_secret_basic
•  client_secret_jwt

client_secret_basic and client_secret_jwt use a shared secret and are not considered secure for financial grade APIs.

What is the client_id for the OFP client?

If you selected client_secret_basic and client_secret_jwt as client authentication method, provide the client_secret for the client.

The key is a shared secret.

We will specify a method for sharing this securely.

How often will the client_secret be rotated?

Select one

•  Every 12 months
•  Never

If you selected private_key_jwt, please specify the signing alg to be used.

Select one

•  PS256
•  RS256

RS256 is not considered secure for financial grade APIs.

Confirm that the client specified above has been configured to participate in a client_credentials grant.