For a third-party provider (TPP) client application to access the SMBC Group production APIs, the client application needs specific information to interact with the server such as OAuth 2.0 client credentials. This service enables the TPP to manage the lifecycle of the client application including obtaining the client credentials, refreshing the client secret and updating the redirect URIs. The two relevant specifications are:
All operations require the TPP to authenticate as follows:
Furthermore, all operations that change the state of a client registration must be signed - specifically the three operations POST, PUT and DELETE - using the same digital signature algorithm that we adopt for the payments and signing baskets services. Please refer to the sandbox digital signature utility for more details on the signing algorithm and how to test your digital signatures. Note that you will require a Qualified Certificate for Electronic Seals (QSEAL) signing certificate from a QTSP for this purpose. The following must be included in the signing string when creating the digital signature:
(request-target)
- This is the request URI including any request parameters of the production endpoint, e.g., "POST /client/v1/register"date
- The current date-time when the request is generated in the format defined in RFC 7231digest
- SHA-256 hash of the request message payload