How to integrate LUXHUB One 

LUXHUB One provides a unified interface to access the PSD2 APIs of multiple providers, establishing a common data model, security profiles and authorization flows to overcome the complexities caused by differing implementation standards.

Therefore, as a consumer of LUXHUB One, you are able to seamlessly integrate the APIs of various PSD2 providers and thus provide easy access to PSD2 account information and payment initiation services to your customers.

LUXHUB One is available to PSD2-regulated providers, including:

• PSD2-licenced TPPs, who have been registered as a Payment Initiation Service Provider (PISP) and/or Account Servicing Payment Service Providers (ASPSP) with their National Competent Authority (NCA or Regulator), and
  
  
• Financial regulated entities, such as banks, Payment institutions (PI) and Electronic Money institutions (EMI)

Your onboarding as a new consumer of LUXHUB One involves certain technical and business steps, which are required in order to ensure a smooth and compliant start:

Step 1: Signing an agreement with LUXHUB

Step 2: Initial technical setup

Step 3: Onboarding with API providers of your choice

Step 4: Testing in Sandbox environment

Step 5: Go live

Step 1: Signing an agreement with LUXHUB

This step comes after the usual sales procedure that ensures that you are aware of all the functionalities and capabilities of LUXHUB One, as well of all the necessary steps involved in becoming a consumer; potential fallacies; roles and responsibilities of each party; project management items and pricing of the service. The contract will formalize all of these aspects, so they can be agreed upon by each party and include various annexes related to the technical procedures to follow during the onboarding and normal operation during the product life cycle.

If you did not yet start with this process, feel free to get in touch with the LUXHUB sales team.

Step 2: Initial technical set up 

This step involves granting you access to the LUXHUB One API endpoints, based on the contractual relationship established during the previous step. This step is mostly technical and involves setting up a secured access (MTLS setup and Oauth 2 credentials) to consume the API  in Sandbox environment. You will need to follow a process described below to complete this step:

1. Create a user on the LUXHUB developer portal. You must use "Organization Developer" registration option using the registration code provided to you by LUXHUB or request a registration code in case you do not have one.
2. Sign in and create an application.
3. Assign LUXHUB One API in Sandbox to your application.
4. Download MTLS certificate, MTLS key,  signing certificate and signing key. Please keep in mind that the page should not be refresh between downloading the signing key and certificate because a new pair will be refreshed on every page refresh.
5. Create Oauth 2 credentials by editing the application and navigating to “Authentication” tab where you can generate your credentials.
   On that point you will be requested to upload the MTLS certificate you just downloaded in a previous step and to fulfil the authorized redirect URLs that will be used as callback URL.
   Once your credentials are created, you will be able to get your client id and secret. 

Step 3: Onboarding with API providers of your choice

As part of the Sales process, you will need to outline the providers whose PSD2 services you are interested in consuming. 

LUXHUB One covers all major banks and other PSD2 providers in Luxembourg, in addition to several Belgian and French banks.

The LUXHUB One delivery team will be in charge of registering you, as a TPP, with each of these providers. This process might be automatic with some providers, or manual for others. Also, as part of this process, the LUXHUB delivery team will need to register you as a consumer of the provider's API (first in the Sandbox environment and then in Production).

It is important to note that the majority of providers require  real eIDAS certificates, even in Sandbox mode. On the other side, there are providers who will allow the registration of TPPs in Sandbox mode without eIDAS certificates. While this is possible and supported, it is recommended to use real certificates.

Your eIDAS certificates (QWAC and QSEALC) will be used to identify LUXHUB One towards the API providers of your choice.  

LUXHUB recommends issuing a new pair of eIDAS certificates dedicated to consuming LUXHUB One API. The process of obtaining new eIDAS certificates is described below:

1. In order to avoid sharing private keys, LUXHUB delivery team will create CSR requests for each consumer certificate that it needs to have for its operation, i.e. QWAC and QSEALC. These CSRs will be created with the required eIDAS profile and data in order to identify you for the purpose of PSD2 API usage. Private keys always remain with LUXHUB. To initiate CSR creation please create a ticket in the Service Desk.
2. LUXHUB sends you the CSRs.

3. Send the CSR to the Qualified Trusted Service Provider (QTSP) of your choice with all required forms signed in your name.  You should also request test certificates from the QTSP if available.

4. You get, from the QTSP, eIDAS certificates based on the CSR LUXHUB provided.

5. You provide the certificates  to LUXHUB. 

6. You maintain full control over the certificate (you can revoke it, etc.); you also have the responsibility to manage certificate renewal or revocation (by restarting the aforementioned process).

7. LUXHUB configures these certificates in the system and uses them to identify you towards the API providers in the context of the PSD2 framework.

The certificates you will provide cannot be used in any way for a different consumer registration (other than LUXHUB One consumer)- even for testing/Sandbox purposes.

You will be able to change the list of providers that you are interested in after the onboarding, however onboarding of new providers will be considered outside of your initial setup and hence might be subject to additional setup fees.

Step 4: Testing in Sandbox environment

Once you are registered with the respective providers and your access is set up, you are ready to begin using the LUXHUB One API. The access will start in Sandbox mode, i.e. accessing providers' PSD2 sandboxes, and, when you decide that you are satisfied with the level of testing of your application, it can be migrated to Production.

It is important to note that all considerations above related to your onboarding are environment specific, i.e. there is no necessary link between the onboarding of the consumer in the Sandbox and Production environments. As such, none of the artifacts required for onboarding should be considered a priori shared between environments.

Please refer to the next tabs to learn how to use LUXHUB One API.

 Step 5: Go live

Once you are ready to go live, LUXHUB One delivery team will assist you in promoting your application to production.

Prior to going live it will be important to ensure that

1. The registration with providers in Production environment is complete.
2. You created a production application in Developer portal and assigned LUXHUB One production API.
3. You created a service request ticket via the Service desk to obtain the MTLS certificate required to connect to LUXHUB One in production.
4. You setup Oauth 2 credentials.

It is recommended to perform a few tests in Production prior to opening up your application to your users.

Once all is setup, you are ready to enjoy the full power of LUXHUB API!