The PSD2 specification mandates that a Third Party Provider (TPP) should possess a valid certificate issued by a valid issuer. This is called as an EIDAS certificate which allows OFX to verify that the TPP is a valid entity within the European financial eco-system. The EIDAS certificate adds enhanced security to entities exchanging financial data.

For more information, please visit here.

There are two types of EIDAS certificates.

  1. QWAC (Qualified Certificate for Website Authentication)

    QWAC is an enhanced TLS level web certificate which is used to encrypt the communication between TPP and API.

  2. QSEALC (Qualified Certificate for Electronic Seal)

    QSEALC is also an enhanced SSL certificate which is used to sign the payload for data modifying API calls. For example if a TPP posts data, it can be signed by its QSEALC private key and send the signed digest in a header value. This signed digest can be verified at the API level using the TPP provided QSEALC public key.

    There are many certificate issuers where a valid QWAC and QSEALC can be purchased.


During the API implementation OFX has added support to verify the QWAC certificate of the TPP, QSEALC is currently not supported.

  1. During the on-boarding of the TPP to use OFX’s API’s, it must provide a valid QWAC certificate which OFX will store in its system.
  2. In each API call (other than authentication), OFX expects the QWAC certificate to be sent in a header as a base64 encoded value.
  3. The name of the header must be ‘ssl-client-cert’
  4. In each API call (other than authentication) OFX validates the provided QWAC certificate in the request against the certificate provided during TPP on-boarding
  5. If an incorrect QWAC certificate is provided, the API call will be forbidden.

In addition to the above, OFX does perform a validity check of QWAC certificate of any TPP during on-boarding and periodically.

Who does this apply to?

The PSD2 specification mandates that any TPP registered in the EU must have a valid EIDAS QWAC certificate before consuming any API’s exposed by ASPSP’s registered in the EU including OFX (UKForex).