1. Introduction

The API Hub Sandbox contains one or more ‘Model LFIs’, where each Model LFI has:

1. A fully functioning set of API resources (e.g. Authorization Server, Resource Server, etc) aligned to the published Standards which will behave exactly the same as an LFI’s production APIs in the API Hub.

2. Synthetic sample data for a number of fictitious Users (e.g. user names and passwords, accounts, transactions, etc).

This API Hub Sandbox therefore acts as a testing environment for TPPs, so that they can a) test their applications prior to being licensed and/or without accessing any real customer accounts and b) demonstrate their conformance to the Open Finance Standards as set out in the Certification Framework.

The API Hub Sandbox also acts as a reference implementation for LFIs so that they can compare their own API integration with the API Hub, thereby speeding up such integration activity.

2. Pre-Requisites

Developers must firstly make themselves familiar with all aspects of the Standards.

In order to access the API Hub Sandbox, developers must be on-boarded onto the Open Finance Trust Framework (OFTF) Sandbox and have the ability to create Applications under the OFTF Sandbox.

Once onboarded, this allows developers to create the following artefacts within the OFTF Sandbox in order to simulate a TPP application:

1. Client ID

2. Client Transport Certificate

3. Signing Key

4. Signing Key ID (KID)

Detailed information about how to create the OFTF artefacts is covered in the Trust Framework User Documentation.

3. Setting up Postman

The API Hub Sandbox does not in itself have a GUI.

While developers can connect their own TPP applications directly to the API Hub Sandbox (because it behaves exactly the same as an LFI’s production endpoints in the API Hub), the starting point is to use Postman to connect and test out all of the APIs.

Once downloaded and installed on a developer’s PC, the following instructions should be followed to setup Postman.

1. Download the latest Postman Collection (see section 4 below)

2. Download the latest Postman Environment File (see section 4 below)

3. Import the Postman Collection and Environment File into Postman
   

   

4. Configure the OFTF Transport Certificates in Postman

   1. Go to Settings > Certificates > Add Certificate

   2. Enter the Host URL as below (please note this example is for Al Tareq Model LFI 1, and over time we may create additional Model LFIs)

   3. Import the Transport Certificate (CRT file) from the OFTF Sandbox, see section 2 above

   4. Import your Transport Key (KEY file) the Private Key which will have stored locally
      

      

5. Set the following general Postman settings

   1. Go to Settings > General

   2. Set SSL certificate verification: OFF

   3. Set Automatically follow redirects: ON
      

      

      

6. Load the altareq-sandbox environment file, which contains the server host definitions. Make sure you use the correct (latest) evironment.
   

   

7. Edit the altareq-sandbox environment to add the _clientId, kid_local, and pem_local as follows:

   1. _clientId - the Client ID of your application from the OFTF Sandbox

      

      Insert the Client ID value from the OFTF Sandbox into the Postman _clientid variable of the altareq-sandbox environment

      

   2. kid_local - the Key Id (KID) of the OFP UAE CLIENT SIGNING certificate created for your application from the OFTF Sandbox

      

      The KID is then inserted into the kid_local field of the altaraq-sandbox environment

      

   3. pem_local - the Private Key of your Signing Certificate.
      This is the OFTF Signing Certificate Private Key that you created when you created the Signing Certificate CSR.
      The Signing Ley needs to be represented as a single line to be included in the Postman environment.
      To acheive this in MacOS and Linux, the tr (translate) command can be used as follows, which removes the newline characters.

      tr -d '\n' <  98863a9e-ae4f-4593-a894-714cbbc91ffb-opf_uae_client_signing.key >  single-line-opf_uae_client_signing.key

The single line Client Key can then be copied and pasted from the file into the postman environment as the pem-local variable:

4. Latest Postman Files

The latest Postman files can be downloaded here

• Postman Collection

• Environment File

The above Postman Collection currently supports the following API endpoints:

Bank Data Sharing

• GET/account-access-consents

• GET/account-access-consents/{ConsentId}

• PATCH/account-access-consents/{ConsentId}

• GET/accounts

• GET/accounts/{AccountId}

• GET/accounts/{AccountId}/balances

• GET/accounts/{AccountId}/beneficiaries

• GET/accounts/{AccountId}/direct-debits

• GET/accounts/{AccountId}/product

• GET/accounts/{AccountId}/scheduled-payments

• GET/accounts/{AccountId}/standing-orders

• GET/accounts/{AccountId}/transactions

• GET/accounts/{AccountId}/parties

• GET/parties

Bank Service Initiation (Single Instant Payment)

• GET/payment-consents

• GET/payment-consents/{ConsentId}

• PATCH/payment-consents/{ConsentId}

• POST/payments

• GET/payments

• GET/payments/{PaymentId}

Bank Service Initiation (Single Future Dated Payment)

• GET/payment-consents

• GET/payment-consents/{ConsentId}

• PATCH/payment-consents/{ConsentId}

• POST/payments

• GET/payments

• GET/payments/{PaymentId}

Insurance Data

• GET/insurance-consents

• GET/insurance-consents/{ConsentId}

• PATCH/insurance-consents/{ConsentId}

5. Using the Postman Collection

Once your Postman Environment has been updated, you’re ready to run the Postman Collection against the API Hub Sandbox.

The Postman Collection contains a number of steps in order, which will walk you through each of the API flows in the API Standards.

The Authorization Flow currently supports a single test User (username: mits, password: mits)