LUXHUB & PSD2
PSD2 is the EU Directive 2015/2366 on payment services in the internal market, published in the Official Journal on 23 December 2015. Its objective is to open access to bank systems to TPP in order to further enhance consumer protection and convenience, to improve the security of payment services and to promote innovation and competition.
PSD2 enables third-party providers without a banking license to provide account information and payment initiation services to their customers. Banks, as account servicing payment service providers, are obliged to enable third party ‘account information service providers' (AISPs) and 'payment initiation service providers' (PISPs) to access the payment account data they hold on customers, if customers consent to it. The regulation requires banks to offer at least one access interface (dedicated API or customer interface in online bank) enabling secure communication with third parties. The interface should also enable third parties to identify themselves and allow them to rely on the authentication procedures that banks provide to their customers.
PSD2 was complemented with Regulatory Technical Standards and several related official texts:
LUXHUB's Developer Portal allows third-party providers to access the PSD2 APIs of many banks. TPP can access API public documentation, browse API Catalog, register on the portal, manage their profile, create and manage applications, monitor API usage and ask for support via LUXHUB's Service Desk.
You don't need a contract to use the Developer Portal nor to consume the PSD2 APIs. However, you need to accept our Terms and Conditions during the registration process.
The PSD2 regulation leaves open the details of the APIs that third parties will use to connect with ASPSPs. Therefore, some initiatives comprising banks, associations and PSP from across the EU, defined common API standards.
The banks exposing their APIs through LUXHUB support Berlin Group or STET. Check out our Providers Catalog to see which standard is supported by each ASPSP.
AIS: Account Information Services
AISP: Account Information Service Provider
ASPSP: Account Servicing Payment Service Provider providing and maintaining a payment account for a PSU
CBPII: Card-based Payment Instrument Issuer (formerly PIISP: Payment Instrument Issuer Service Provider)
NCA: National Competent Authority
PIS: Payment Initiation Services
PISP: Payment Initiation Service Provider
PSD2: Directive (EU) 2015/2366 on payment services in the internal market
PSP: Payment Service Provider
PSU: Payment Service User
RTS: Commission Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication
SCA: Strong Customer Authentication
TPP: Third-Party Provider, i.e. AISP, PISP and CBPII
In accordance with Article 30(5) of the RTS, access to the portal is available to authorised third-party providers and payment services providers that have applied for the relevant authorization. See Article 1 of PSD2 for the definition of payment service providers. As part of their existing authorization, Credit institutions that act in their capacity as a third-party provider (whether as an AISP, a PISP and/or a CBPII) can also register to the portal.
To find your company's Registration number, you can consult your National Competent Authority's register:
CZ - Česká národní banka
DK - Finanstilsynet
EE - Finantsinspektsioon
ES - Banco de España
FI - Finanssivalvonta
GR - Trapeza tis Ellados
HU - Magyar Nemzeti Bank
IS - Fjármálaeftirlitið
IT - Banca d'Italia
LT - Lietuvos Bankas
NO - Finanstilsynet
PT - Banco de Portugal
SE - Finansinspektionen
SI - Banka Slovenije
In accordance with Article 30(5) of the RTS, access to the testing facility (so-called sandbox) is available to authorised third-party providers and payment services providers that have applied for the relevant authorization. See Article 1 of PSD2 for the definition of payment service providers. As part of their existing authorization, Credit institutions that act in their capacity as a third-party provider (whether as an AISP, a PISP and/or a CBPII) can also register to the portal.
In sandbox, you don't need passporting rights to access PSD2 APIs. However in production, if you want to provide AIS/PIS activities outside of your home Member State, you need to make a passport application. More information available here.
According to Article 36(5)(b) RTS, we limit the AISP’s access to payment account data without the PSU being directly involved to four times a day.
You can find the URLs to be used on the details page of the selected API. Authorization URLs are documented in the security section.
Yes, sample requests are documented in the technical details section of each API.
Please have a look at the specification of the APIs to learn which credentials are supported in the sandbox of the API you are interested in.
Authorized third-party providers can access production.
As soon as production APIs are available (published state), you will need an eIDAS certificate to access them. You can request one from a Qualified Trust Service Provider once you've received your TPP authorization.
As soon as production APIs are available (published state), you will find the URLs to be used on the details page of the selected API.
Calls to our APIs are encrypted based on TLS. Client authentication is done using eIDAS QWAC certificates and data integrity and non-repudiation is achieved using eIDAS QSeal certificates. The authorization mechanism is based on OAuth 2.0.
OAuth 2.0 is the industry-standard protocol for authorization. For more details, please see the OAuth 2.0 RFC.
To get your OAuth Client_id and Client_secret, go to Applications, select the application you created, click on Edit and go to the Authentication Tab.
You need two types of certificates: QWAC for client-Authentication in MA-TLS and QSeal to use with http signature. To use PSD2 APIs in sandbox, you can use your eIDAS certificate or download mock certificates from our portal. Once the production APIs are available, only valid eIDAS certificates will be accepted.
To request a registration code, you will have to provide us some information to let us verify your identity and make sure that your company is entitled to get access to the portal. The approval process delay will depend on the quality of the information provided. We will send you a registration code once the verifications are completed. The expected response time is between 1-2 Business Days. Our Service Desk is available from Monday to Friday during Business Working Hours (from 8:00 am to 6:00 pm CET).
If you are having login or registration issues, please use our Contact Form to explain your problem. We will respond to your request as soon as possible.
When you register to LUXHUB's Developer Portal, you receive an email with a verification link. You need to click on the link and follow the instructions to activate your account. It might happen that the email gets caught in a spam filter. Please ensure you add support[@]luxhub.com in your safe sender list.
In case you haven't received a verification email or you let your verification link expire, please contact us via the Contact Form and we will send you a new link to the email address you provided during registration.
In case you forgot your password, please click on the Forgot password link in the Sign In screen.
Registering on LUXHUB’s Developer Portal and testing the Sandbox PSD2 APIs is free of charge.
My account & organization
You have to sign in to the portal to be able to change your password. Hover over the profile icon, click on My Profile and select Edit Profile. Then, click on Change Password.
Within LUXHUB's Developer Portal, an organization is a group of registered users belonging to the same company. Each member of an organization can share applications with other members, modify application names, view monitoring results of the shared applications and access application security credentials.
You may want to invite other members from your organization to collaborate on your application. You can share the application with them and define their access level. To that end:
1. Click on the application you want to share and select Edit application > Sharing.
2. To share the application with a user, click on Add user.
3. Select the user(s) you want to share the application with, and click on Apply.
4. By default, the users are only able to view the application, not to edit it. To change the access rights of an user, toggle the View and Edit buttons next to the user's name as needed.
5. To remove the access to the application from a user, click on Remove next to the user's name.
The API Catalog is available in the APIS menu of the Developer Portal. The APIs in the catalog are organized by Provider. You can search for the APIs in the catalog using the Provider name, API name, description, version, state, etc.
To view the details of an API, click on the API you are interested in. The API details page displays the basic details of the API such as its name, version, state, environment, host, base path and available methods.
To have a closer look at a method, click on the method to expand it. You can view, for example, the request parameters, the response format or the model schema.
You have to be registered on the portal to be able to download the REST API Swagger files :
- Just locate the API you are interested in;
- Click on the View the API button;
- A Download Swagger button is available on the top left corner of the page.
If you want to use APIs, you need to register an application - this will include an application name, redirect URLs and other meta-data to manage your OAuth credentials.
Once you have created and activated your account, you will be able to access the Applications menu to create and manage applications:
1. Click on Create application.
2. Enter the details for your application.
3. Select the APIs you want to assign to the application.
4. Click on Save application.
The API responds to requests with different HTTP status codes depending on the result from the request. Error responses might also include an error message in the body to assist in resolving the problem. You can find a complete list of the HTTP Status Code for every methods in the API documentation.
Registering on LUXHUB's Developer Portal and testing the Sandbox PSD2 APIs is free of charge.
However some of the APIs are not free of charge and would require a contract to be signed. Details can be found at each API level, in the Overview section.
You can use the graphical real-time charts on the Monitoring page to monitor how your applications use APIs exposed in the Developer Portal. You can view the usage metrics for applications or the API methods your applications use.
If you are registered in the portal, you can open a ticket via the Service Desk to submit your inquiry. We will get back to you shortly.
To reach LUXHUB's Service Desk, you need to have an account on LUXHUB's Developer Portal. Go to Support and click on Service Desk, then log in with your portal credentials.
Our Service Desk is available from Monday to Friday during Business Working Hours (from 8:00 am to 6:00 pm CET).