API Hub Sandbox v1.1 2024.11.19

Version: v1.1 2024.11.19

Publication Date: Nov 19, 2024

Classification: Public

1. Introduction

This release includes additional endpoints and fixes, as outlined in section 4, Release Notes.

2. Bank Sandbox (AlTareq1)

2.1 TPP Client Registration

To register a client on the API Hub Sandbox, the following command can be used:

curl --location --request POST 'https://rs1.altareq1.sandbox.apihub.openfinance.ae/tpp-registration' \
  --header 'x-fapi-interaction-id: {UUIDv4}' \
  --cert /path/to/your_certificate.pem \
  --key /path/to/your_private_key.pem \
  --cacert /path/to/your_ca_certificate.pem

Parameters and their descriptions:

  • x-fapi-interaction-id: A UUIDv4 used for traceability. Each request should have a unique ID.

  • --cert: Your OFTF Application Transport certificate.

  • --key: Your OFTF Application Transport private key.

  • --cacert: The OFTF CA Certificate.

2.2 Environment Variables

Base URL: https://rs1.altareq1.sandbox.apihub.openfinance.ae

OIDC Discovery Endpoint: https://auth1.altareq1.sandbox.apihub.openfinance.ae/.well-known/openid-configuration

Postman Collection:

Notes: n/a

2.3 Supported Endpoints

2.3.1 Trust Framework

  • POST /tpp-registration

2.3.2 Service Initiation

Single Instant Payment

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

Future Dated Payment

  • POST /par

  • GET /payments

  • GET /payments/{PaymentId}

  • GET /payment-consents

  • GET /payment-consents/{ConsentId}

  • PATCH /payment-consents/{ConsentId}

  • POST /payments

2.3.3 Bank Data Sharing

Account Data

  • POST /par

  • GET /accounts/{AccountId}

  • GET /accounts

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Balance Data

  • POST /par

  • GET /accounts/{AccountId}/balances

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Transaction Data

  • POST /par

  • GET /accounts/{AccountId}/transactions

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Customer and Meta Data

  • POST /par

  • GET /accounts/{AccountId}/parties

  • GET /parties

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Product Data

  • POST /par

  • GET /accounts/{AccountId}/product

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Beneficiaries

  • POST /par

  • GET /accounts/{AccountId}/beneficiaries

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Direct Debits

  • POST /par

  • GET /accounts/{AccountId}/direct-debits

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Scheduled Payments

  • POST /par

  • GET /accounts/{AccountId}/scheduled-payments

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

Standing Orders

  • POST /par

  • GET /accounts/{AccountId}/standing-orders

  • GET /account-access-consents

  • GET /account-access-consents/{ConsentId}

  • GET /accounts/{AccountId}/consents

  • PATCH /account-access-consents/{ConsentId}

3. Insurance Sandbox (AlTareq2)

This Sandbox will be included in the next release, due on Dec 6, 2024.

4. Release Notes

4.1 Extended Features and Enhancements

  • Standards and Spec Updates (v1.1):

    • Updates for the Ozone API Hub and Consent Manager APIs, including GET/POST requests and response format changes.

    • Integration of new data-sharing, consent management, and service initiation functionalities.

  • FAPI:

    • Enhancements made to ensure compliance with CBUAE FAPI standards.

  • Payment Consent:

    • Additional updates for sequential user authorisations in payment consent workflows.

  • PAR and Consent Updates:

    • Changes to PAR authorisation details, JWT payload validation, and common claim checks.

    • Expanded support for consent event tracking and new consent data requirements.

  • API Validation & Error Handling:

    • Validation checks added for Single Instant Payment, Future-Dated Payment, and Data Sharing endpoints.

    • Error handling improvements for ‘x-idempotency-key’, JSON, and JWT flows across several endpoints, including Payments, Accounts, and Direct Debits.

  • Schema Validation Updates:

    • Schema validation fixes for endpoints such as Scheduled Payments, Standing Orders, Direct Debits, and Beneficiaries.

4.2 Fixes

  • Resolved issue with receiving /par URL in the Link.self field for the consent endpoint.

  • Fixed issue where transaction responses were returned despite invalid fromBookingDateTime or toBookingDateTime values.

  • Addressed the problem of receiving response_type as undefined in auth during the headless-Heimdall flow.

4.3 Known Issues

  • While creating a PAR, the parameters "nonce" and "aud" are optional. However, removing them from the request body results in an error.

  • When the "ReadTransactionsDebits" permission is granted, credit transactions are also reflected in the response.

  • When creating consent with varying values, the payment is successfully processed.

  • Payments may still be initiated even when the Personally Identifiable Information (PII) provided during the consent request differs from the PII used during the actual payment initiation.

  • Roles are displayed as "undefined" for the Ozone API Test 1 TPP on the admin portal.

  • IsSingleAuthorisation: false gets an error while patching the consent.

  • In the PATCH /consent API call, setting the status to "Suspended" results in an error.

  • The endpoint processes requests even when invalid values are provided for optional headers.

  • The authorisation request without a nonce fails when using the FAPI 2.0 Security Profile.

  • The fapi2-security-profile-id2 requires that an unsigned request to the PAR (Payment Initiation Request) endpoint fails, but currently, unsigned requests may not trigger a failure as expected.

  • In the FAPI 2.0 Security Profile, JWT client assertions with a "Not Before" (nbf) claim set more than 60 seconds into the future fail.
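An added example, not part of the original release notes or the API Hub's own code: a TPP-side pre-flight check for outgoing JWTs that mirrors the known issues above (missing "nonce" or "aud" on a PAR request, unsigned PAR requests, nbf more than 60 seconds ahead). The function names, the `kind` labels and the sample tokens are assumptions constructed for illustration; the check inspects the header and claims only and does not verify signatures.

```python
import base64
import json
import time

MAX_NBF_SKEW = 60  # seconds; threshold named in the known issue on nbf


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token):
    """Return (header, claims, signature segment); nothing is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1])), parts[2]


def preflight(token, kind, now=None):
    """kind: 'par_request' or 'client_assertion' (labels invented for this example)."""
    now = time.time() if now is None else now
    header, claims, sig = split_jwt(token)
    findings = []
    if str(header.get("alg", "none")).lower() == "none" or not sig:
        findings.append("JWT is unsigned (alg none or empty signature)")
    if kind == "par_request":
        for name in ("nonce", "aud"):
            if name not in claims:
                findings.append(f"PAR request lacks '{name}'; the sandbox returns an error")
    if kind == "client_assertion":
        nbf = claims.get("nbf")
        if isinstance(nbf, (int, float)) and nbf - now > MAX_NBF_SKEW:
            findings.append(f"nbf is {int(nbf - now)}s in the future (limit {MAX_NBF_SKEW}s)")
    return findings


def make_sample(header, claims, signature="c2ln"):
    """Constructed token with a dummy signature segment; for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{signature}"


if __name__ == "__main__":
    now = 1_732_000_000  # constructed clock value
    unsigned = make_sample({"alg": "none"}, {"aud": "https://as.example"}, signature="")
    print(preflight(unsigned, "par_request", now))
    print(preflight(make_sample({"alg": "PS256"}, {"nbf": now + 120}), "client_assertion", now))
```

Because the sandbox may accept an unsigned PAR request, running a check like this on the client side keeps a signing regression from going unnoticed until it reaches a stricter environment.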

© CBUAE 2025