Common Request Headers

In order to successfully send API requests, TPPs must send a set of HTTP headers that allow the bank to check the request's validity. This includes signing the request with a qualified certificate.

Formulate the required headers for the Soldo API in accordance with these formatting rules:

  • Headers are case-insensitive
  • Each header field name must be separated from its value by a colon
  • Key-value pairs must be in clear-text string format
  • Denote the end of the header section with an empty line (an empty header field)

For a general review of HTTP 1.1 header formatting, see https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html.

The headers listed in the following table marked "mandatory" are required. All others are optional.

Required Headers
| Header | Description/Purpose | POST Requests | GET Requests |
|---|---|---|---|
| Authorization | Passes valid credentials constructed for either the Token Authentication (Basic) or the JWT Authentication (Bearer) authentication scheme. Ex: Use the links above for basic and bearer authentication to see the respective format and examples. | Mandatory | Mandatory |
| customer-initiated | Boolean. Lets the bank know that the API call was explicitly initiated by the PSU. Useful for getting around bank restrictions that impose a 4-times-a-day (i.e., the same 24-hour period) access limit on the same AISP in accordance with RTS regulations. | Optional | Optional |
| request-timeout | Integer. Sets the number of elapsed seconds until the call is aborted with a DEADLINE_EXCEEDED exception because no response was received. | Optional | Optional |
| token-customer-last-logged-time | Time when the PSU last logged in with the TPP. | Optional | Optional |
| token-customer-ip-address | PSU's IP address if the PSU is currently logged in with the TPP. If the customer IP address is supplied (recommended), it is inferred that the PSU is present during the session (i.e., the request is PSU-initiated; adding a "customer-initiated": "true" header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period. Ex: 172.16.254.1 | Optional | Optional |
| token-customer-device-id | Obtained by the TPP from details in the user agent information of the PSU. Ex: 00000000-00000000-01234567-89ABCDEF | Optional | Optional |
| token-customer-user-agent | Specifies the user agent for the PSU. Format: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion. Ex: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0 or Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0. If the PSU is using the TPP's mobile app, make sure the mobile app user-agent string is different from browser-based user-agent strings. | Optional | Optional |
| token-json-error | Boolean. Converts the error response, if any, to JSON format. See Changing Error Responses to JSON Format. | Optional | Optional |
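
The following is an added example, not part of the Soldo documentation: one way a TPP client could assemble these headers so that PSU presence is asserted only when a PSU IP address is actually available, and so that values copied from the PSU's browser cannot introduce extra header lines. The header names come from the table above; the function names, the sample values and the "true" serialisation of token-json-error are assumptions.

```python
import ipaddress


def _safe(name, value):
    """Return value as a clear-text string, refusing CR/LF/NUL, which would
    let a caller-supplied value start a new header line."""
    text = str(value)
    if any(ch in text for ch in "\r\n\0") or not text.strip():
        raise ValueError(f"invalid value for header {name!r}")
    return text.strip()


def build_headers(authorization, psu_ip=None, device_id=None,
                  user_agent=None, request_timeout=None, json_errors=False):
    """Assemble request headers; PSU presence is asserted only with a PSU IP."""
    headers = {"Authorization": _safe("Authorization", authorization)}
    if psu_ip is not None:
        # ip_address() raises ValueError for anything that is not a literal IP.
        headers["token-customer-ip-address"] = str(ipaddress.ip_address(psu_ip))
        headers["customer-initiated"] = "true"
    if device_id is not None:
        headers["token-customer-device-id"] = _safe("token-customer-device-id", device_id)
    if user_agent is not None:
        headers["token-customer-user-agent"] = _safe("token-customer-user-agent", user_agent)
    if request_timeout is not None:
        if (isinstance(request_timeout, bool) or not isinstance(request_timeout, int)
                or request_timeout <= 0):
            raise ValueError("request-timeout must be a positive integer (seconds)")
        headers["request-timeout"] = str(request_timeout)
    if json_errors:
        headers["token-json-error"] = "true"  # assumed serialisation
    return headers


def treated_as_tpp_initiated(headers):
    """Mirror the AIS rule above: no PSU IP means the call is TPP-initiated.
    Header names are compared case-insensitively."""
    return "token-customer-ip-address" not in {name.lower() for name in headers}


if __name__ == "__main__":
    # Constructed sample values; the credential is a placeholder.
    attended = build_headers("Bearer <placeholder-jwt>", psu_ip="172.16.254.1",
                             request_timeout=30)
    unattended = build_headers("Bearer <placeholder-jwt>")
    print(attended, treated_as_tpp_initiated(attended))
    print(unattended, treated_as_tpp_initiated(unattended))
```

An unattended (batch) call built this way carries neither token-customer-ip-address nor customer-initiated, so it is counted against the TPP-initiated access limit rather than being misreported as PSU-initiated.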