https://auth1.openbanking.zopa.com/.well-known/openid-configuration
https://auth1.openbanking.zopa.com/
We currently only support redirect via a deeplink to the Zopa mobile app - this deeplink is different depending on the type of consents (AIS or PIS) and needs to be constructed as follows:
zopa://consent-access-request?client_id={{ the client ID }}&response_type=code&scope=openid%20accounts&request={{the JWT token}}
zopa://open-banking/pis-single-payment-consent?client_id={{ the client ID }}&response_type=code&scope=openid%20payments&request={{the JWT token}}
We do not currently support Dynamic Client Registration.
Please contact our Open Banking support team to be onboarded.
Contact email: openbanking-support@zopa.com
We will also retain your contact details so that you can be informed in the event of any outages or changes to our API specification, as well as to contact you regarding any technical issues. We recommend using a team email address over an individual contact.
As defined further in the Zopa Open Banking API Specification
PS256
code id_token
PS256
PS256
private_key_jwt
, tls_client_auth
For private_key_jwt - the
aud
claim is the url of the token endpoint as specified in OIDC client authentication.
The request object used in OIDC flows the aud claim is the issuer url from the Zopa ASPSP .wellknown endpoint:
https://auth1.openbanking.zopa.com/.well-known/openid-configuration
- though please see above for details of our authorisation URLs which require TPPs to construct deeplinks.
Note: Our Sandbox API also offers less strict profiles to assist with integration testing.
We support the use of OBWAC and OBSeal on our production and sandbox environments. TPPs can use their QWACs and QSeals to onboard to the OBL directory and generate these certificates.
We support the use of QWACs, but this is not our recommended approach. TPPs facing issues onboarding with QWACs should contact our support desk. Please attach a pem file of the certificate to your support ticket.
We support the use of QSeals that have been attached to your software statement in the OB Directory.
Our refresh tokens last one year, after this TPPs will need to generate a new consent in order to get a new refresh token.