Skip to main content

Dynamic Client Registration Service SMBC Group v1.0.1

About this service

For a third-party provider (TPP) client application to access the SMBC Group production APIs, the client application needs specific information to interact with the server such as OAuth 2.0 client credentials. This service enables the TPP to manage the lifecycle of the client application including obtaining the client credentials, refreshing the client secret and updating the redirect URIs. The two relevant specifications are:

    Authentication

    All operations require the TPP to authenticate as follows:

    • The client credentials for the dynamic client registration service. For production access, you should create a dedicated application on the developer portal for the sole purpose of managing the lifecycle of your production client application using the production dynamic client registration service. This is to distinguish from the sandbox dynamic client registration service that enables you to test your registration process and tooling.
    • The Qualified Website Authentication Certificates (QWACs) TLS certificate to establish a mutually authenticated TLS connection. The QWAC certificate must be issued by a Qualified Trust Service Provider (QTSP).

    Digital signature

    Furthermore, all operations that change the state of a client registration must be signed - specifically the three operations POST, PUT and DELETE - using the same digital signature algorithm that we adopt for the payments and signing baskets services. Please refer to the sandbox digital signature utility for more details on the signing algorithm and how to test your digital signatures. Note that you will require a Qualified Certificate for Electronic Seals (QSEAL) signing certificate from a QTSP for this purpose. The following must be included in the signing string when creating the digital signature:

    • (request-target) - This is the request URI including any request parameters of the production endpoint, e.g., "POST /client/v1/register"
    • date - The current date-time when the request is generated in the format defined in RFC 7231
    • digest - SHA-256 hash of the request message payload

    Need help?

    Check our FAQs for common queries, otherwise please get in touch with our API support team to discuss your on-boarding.