1 1. Introduction
2 2. Bank Sandbox (AlTareq1)
- 2.1 2.1 TPP Client Registration
- 2.2 2.2 Environment Variables
- 2.3 2.3 Supported Endpoints
  - 2.3.1 2.3.1 Trust Framework
  - 2.3.2 2.3.2 Service Initiation
  - 2.3.3 2.3.3 Bank Data Sharing
  - 2.3.4 2.3.4 Confirmation of Payee
  - 2.3.5 2.3.5 Balance Check
  - 2.3.6 2.3.6 Refunds
3 3. Insurance Sandbox (AlTareq2)
- 3.1 3.1 TPP Client Registration
- 3.2 3.2 Environment Variables
- 3.3 3.3 Supported Endpoints
  - 3.3.1 3.3.1 Trust Framework
  - 3.3.2 3.3.2 Motor Insurance
4 4. Release Notes
- 4.1 4.1 Enhancements
- 4.2 4.2 Fixes
- 4.3 4.3 Known Issues
- 4.4 4.4 Next Release

Version	v1.1 2024.12.17
Publication Date	Dec 17, 2024
Classification	Public

1. Introduction

This release includes all API endpoints in version 1.1 of the standards, together with a number of fixes as outlined in API Hub Sandbox v1.1 2024.12.17 | 4. Release Notes

2. Bank Sandbox (AlTareq1)

2.1 TPP Client Registration

To register a client on the on the API Hub Sandbox, the following command can be used:

curl --location --request POST 'https://rs1.altareq1.sandbox.apihub.openfinance.ae/tpp-registration' \
--header 'x-fapi-interaction-id: {UUIDv4}' \
--cert /path/to/your_certificate.pem \
--key /path/to/your_private_key.pem \
--cacert /path/to/your_ca_certificate.pem

Parameters	Description

Parameters	Description
`x-fapi-interaction-id`	A UUIDv4 used for traceability. Each request should have a unique id.
`--cert`	Your OFTF Application Transport certificate
`--key`	Your OFTF Application Transport private key
`--cacert`	The OFTF CA Certificate

2.2 Environment Variables

Base URL	`https://rs1.altareq1.sandbox.apihub.openfinance.ae`
OIDC Discovery Endpoint	`https://auth1.altareq1.sandbox.apihub.openfinance.ae/.well-known/openid-configuration`
Postman Collection

2.3 Supported Endpoints

2.3.1 Trust Framework

POST /tpp-registration

2.3.2 Service Initiation

Single Instant Payments

POST /par
GET /payments
GET /payments/{PaymentId}
GET /payment-consents
GET /payment-consents/{ConsentId}
PATCH /payment-consents/{ConsentId}
POST /payments

Future Dated Payments

POST /par
GET /payments
GET /payments/{PaymentId}
GET /payment-consents
GET /payment-consents/{ConsentId}
PATCH /payment-consents/{ConsentId}
POST /payments

Recurring Payments

POST /par
GET /payments
GET /payments/{PaymentId}
GET /payment-consents
GET /payment-consents/{ConsentId}
PATCH /payment-consents/{ConsentId}
POST /payments

Variable Recurring Payments

POST /par
GET /payments
GET /payments/{PaymentId}
GET /payment-consents
GET /payment-consents/{ConsentId}
PATCH /payment-consents/{ConsentId}
POST /payments

International Payments

POST /par
GET /payments
GET /payments/{PaymentId}
GET /payment-consents
GET /payment-consents/{ConsentId}
PATCH /payment-consents/{ConsentId}
POST /payments

Bulk / Batch Payments

POST /par
GET /payments
GET /payments/{PaymentId}
GET /payment-consents
GET /payment-consents/{ConsentId}
PATCH /payment-consents/{ConsentId}
POST /payments

2.3.3 Bank Data Sharing

Accounts

POST /par
GET /accounts/{AccountId}
GET /accounts
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Balances

POST /par
GET /accounts/{AccountId}/balances
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Transactions

POST /par
GET /accounts/{AccountId}/transactions
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Parties

POST /par
GET /accounts/{AccountId}/parties
GET /parties
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Product

POST /par
GET /accounts/{AccountId}/product
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Beneficiaries

POST /par
GET /accounts/{AccountId}/beneficiaries
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Direct Debits

POST /par
GET /accounts/{AccountId}/direct-debits
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Scheduled Payments

POST /par
GET /accounts/{AccountId}/scheduled-payments
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

Standing Orders

POST /par
GET /accounts/{AccountId}/standing-orders
GET /account-access-consents
GET /account-access-consents/{ConsentId}
GET /accounts/{AccountId}/consents
PATCH /account-access-consents/{ConsentId}

2.3.4 Confirmation of Payee

POST /confirmation
POST /discovery

2.3.5 Balance Check

POST /par
GET /accounts/{AccountId}/balances

2.3.6 Refunds

POST /par
GET /payment-consents/{ConsentId}/refund

3. Insurance Sandbox (AlTareq2)

3.1 TPP Client Registration

To register a client on the on the API Hub Sandbox, the following command can be used:

Parameters	Description

Parameters	Description
`x-fapi-interaction-id`	A UUIDv4 used for traceability. Each request should have a unique id.
`--cert`	Your OFTF Application Transport certificate
`--key`	Your OFTF Application Transport private key
`--cacert`	The OFTF CA Certificate

3.2 Environment Variables

Base URL
OIDC Discovery Endpoint
Postman Collection

3.3 Supported Endpoints

3.3.1 Trust Framework

POST /tpp-registration

3.3.2 Motor Insurance

POST /par
GET /insurance-policies/{InsurancePolicyId}/customer-payment-details
GET /insurance-policies
GET /insurance-policies/{InsurancePolicyId}
GET /insurance-consents
GET /insurance-consents/{ConsentId}
PATCH /insurance-consents/{ConsentId}

4. Release Notes

This release supports all endpoints in v1.1 of the standards.

It also introduces several enhancements, including improved payment consent screens, AIS APIs that support PIS consents, and upgraded event notification reporting. Additionally, this update addresses various issues within insurance APIs, currency validation, and file payments. Resolved defects include those in CBUAE APIs and payment consent flows.

However, there are some known issues, please see below.

4.1 Enhancements

Creditor Account on Consent Screen:
The creditor account details are now prominently displayed on the payment consent screen.
Payment Consent Permissions:
Specific permissions have been added to the payment consent response schema, enhancing access control.
AIS APIs with PIS Consent Support:
The AIS APIs have been updated to include support for Payment Initiation Service (PIS) consents.
Event Notification Report:
We have introduced event notification reporting to improve tracking and management.
Cbuae Insurance APIs:
The insurance APIs have been refactored, and the cbuae-api-spec-insurance.yaml specification has been updated.
New Payment Schema Enhancements:
Schema issues in the file have been resolved, and combined payments have been optimised for better compatibility.
Standardisation Error Messages:
Standardised error messages for Data Sharing, Payment Initiation.
Insurance Module:
- Updated insurance schema paths for efficient data loading.
- Corrected hardcoded paths in the mock server configuration for CBUAE.
- Added the previously missing Dynamic Client Registration (DCR) configurations.
- Streamlined the data load process for non-insurance RS scenarios.
- Revised LFI notification paths for CBUAE insurance.
- The change logs for the cbuae-api-spec-insurance provide essential updates and modifications.

4.2 Fixes

PAR Parameter Error:
Fixed issue where excluding optional parameters "nonce" and "aud" from the PAR creation request body caused an error.
Transaction Permission Misbehaviour:
Resolved issue where granting "ReadTransactionsDebits" permission caused credit transactions to appear in the response.
Consent Variation:
Addressed issue where payments were processed successfully even with varying values during consent creation.
PII Mismatch in Payment Initiation:
Fixed issue allowing payment initiation when Personally Identifiable Information (PII) in the consent request differed from the PII provided during payment initiation.
Admin Portal Roles Issue:
Corrected display issue where roles appeared as "undefined" for the "Ozone API Test 1 TPP" on the admin portal.
IsSingleAuthorisation Patch Error:
Fixed error occurring when patching the consent with IsSingleAuthorisation: false.
PATCH Consent Status Error:
Resolved error triggered when setting the consent status to "Suspended" via the PATCH /consent API.
Invalid Optional Header Values:
Addressed issue where the endpoint processed requests with invalid values for optional headers.
Links Object Format:
Corrected the format of the "Related" field in the Links object for the "Get Payment Consents" endpoint.
Path-to-RegExp Vulnerability:
Mitigated a ReDoS vulnerability found in the path-to-regexp library.

4.3 Known Issues

Error Propagation:
The system does not currently process or honor errors sent by the LFI.
PAR Request Support:
The system only supports the creditor object within PII data for PAR requests (Consent creation).
Insurance Augmentation API:
The insurance augmentation API has been enabled.
Consent Revocation:
After consent revocation, the Data Sharing and Service Initiation API responses do not return the correct error codes to the TPP.
Regulatory Error Codes:
Some regulatory-specific error codes may be missing in certain scenarios.
Insurance Permissions Display:
Permissions related to insurance are not displayed in the Heimdall UI.
Confirmation of Payee POST /discovery:
The response for this endpoint will return an empty payload with status code 204. This is the expected behavior as LFI data has not been mapped.

4.4 Next Release

The next release will include the resolution of all known issues.