Common Request Headers

In order to successfully send API requests, TPPs must send a set of HTTP headers that allow the bank to check the request's validity. This includes signing the request with a qualified certificate.

Formulate the required headers for the Token API in accordance with these formatting rules:

  • Header names are case-insensitive
  • Each header field's name and value must be separated by a colon
  • Key-value pairs must be in clear-text string format
  • Denote the end of the header section with an empty field header

For a general review of HTTP 1.1 header formatting, see

The headers listed in the following table marked "mandatory" are required. All others are optional.

Required Headers

| Header | Description/Purpose | POST Requests | GET |
|---|---|---|---|
| customer-initiated | Boolean. Lets the bank know that the API call was explicitly initiated by the PSU (Payment Services User: an individual person or legal business entity making use of an Open Banking service as a payee, payer or both). Useful for avoiding bank restrictions that impose a 4-times-a-day (i.e., within the same 24-hour period) access limit on the same AISP (Account Information Service Provider: a TPP authorised to access consumer or business account data from the account holder's financial institutions with the account holder's explicit consent) in accordance with RTS regulations (Regulatory Technical Standard: detailed specifications to achieve the strict security requirements for payment service providers in the EU). | Optional | Optional |
| token-customer-last-logged-time | Time when the PSU last logged in with the TPP. | Optional | Optional |
| token-customer-ip-address | PSU's IP address if the PSU is currently logged in with the TPP. If the customer IP address (IPv4 addresses are represented in dot-decimal notation, consisting of four decimal numbers, each ranging from 0 to 255, separated by dots) is supplied (recommended), it is inferred that the PSU is present during the session (i.e., the request is PSU-initiated; adding a "customer-initiated": "true" header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period. | Optional | Optional |
| token-customer-device-id | Unique identifier generated on the client side. Ex: 00000000-00000000-01234567-89ABCDEF | Optional | Optional |
| token-customer-user-agent | Specifies the user agent for the PSU. Format: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion. Ex: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0 and Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0. If the PSU is using the TPP's mobile app, make sure the mobile app user-agent string is different from browser-based user-agent strings. | Optional | Optional |
| token-json-error | Boolean. Converts the error response, if any, to JSON format. See Changing Error Responses to JSON Format. | Optional | Optional |
| Authorization | Passes valid credentials constructed for either Token Authentication (Basic) or JWT Authentication (Bearer) authentication schemes. Ex: Use the links above for basic and bearer authentication to see the respective format and examples. | Mandatory | Mandatory |
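The following sketch shows how a TPP backend might assemble these headers and keep track of the TPP-initiated AIS limit described in the table. It is an added example, not Token's own code. The function and class names are hypothetical, and treating the 24-hour period as a rolling window and accepting IPv6 addresses are assumptions.

```python
import ipaddress
import time
from collections import deque

TPP_INITIATED_LIMIT = 4          # per the table: 4 TPP-initiated access attempts
WINDOW_SECONDS = 24 * 60 * 60    # within a 24-hour period (rolling window assumed)


def _clean(name, value):
    """Reject CR/LF so a PSU-supplied value cannot inject extra header lines."""
    value = str(value)
    if "\r" in value or "\n" in value:
        raise ValueError(f"illegal line break in {name}")
    return value


def build_headers(authorization, psu_ip=None, device_id=None, user_agent=None):
    """Return request headers; PSU headers are sent only when the PSU is present."""
    headers = {"Authorization": _clean("Authorization", authorization)}
    if psu_ip is not None:
        # Raises ValueError on malformed input. The page describes IPv4
        # dot-decimal notation; accepting IPv6 as well is an assumption.
        headers["token-customer-ip-address"] = str(ipaddress.ip_address(psu_ip))
        headers["customer-initiated"] = "true"   # makes PSU presence explicit
    if device_id is not None:
        headers["token-customer-device-id"] = _clean("device id", device_id)
    if user_agent is not None:
        headers["token-customer-user-agent"] = _clean("user agent", user_agent)
    return headers


class TppInitiatedBudget:
    """Client-side count of TPP-initiated AIS calls in a rolling 24-hour window."""

    def __init__(self):
        self._sent = deque()

    def allow(self, headers, now=None):
        now = time.time() if now is None else now
        if "token-customer-ip-address" in headers:
            return True                      # PSU present: not counted
        while self._sent and now - self._sent[0] >= WINDOW_SECONDS:
            self._sent.popleft()             # drop attempts older than 24 hours
        if len(self._sent) >= TPP_INITIATED_LIMIT:
            return False                     # the bank may refuse a fifth attempt
        self._sent.append(now)
        return True
```

Pass the PSU's IP address only when it comes from the TPP's own live session with that PSU, since supplying it tells the bank the PSU is present.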