Getting Started and Technical Guides

Onboarding

1. Explore our APIs

Browse the available PSD2 APIs to understand what they offer and which ones support your use case. Documentation includes example requests, responses and prerequisites so you can quickly determine what to integrate.

2. Sign up and test in our sandbox

Create your developer account and register your application. During registration you receive a Client ID and Client Secret that allow you to authenticate. With these credentials you can access the sandbox which provides simulated data for experimentation, functionality testing and end to end integration checks.

3. Request production access

After completing your integration in the sandbox you can request access to the production environment. Your request goes through compliance and security checks. Once approved you receive the credentials required for the live APIs.

4. Launch your product

With production access granted your application can interact with real customer data and initiate transactions with the user’s explicit consent. You can now deliver your solution to end users with full confidence and PSD2 compliance.

Environments & OAuth2

Use dedicated authority and API base URLs for Sandbox and Production. Obtain TPP access tokens via the client_credentials grant for scopes psd2:ais, psd2:pis and psd2:piis.

Authentication & Consent

PPC EMI uses OAuth2 with client credentials and authorisation code with PKCE.

Client credentials are used for backend operations such as consent creation.

Authorisation code with PKCE is used for PSU-facing flows where the PSU authenticates and provides consent.

Sandbox behaviour

Synthetic accounts, balances and transactions only.

No real payments.

Push approvals to the mobile app are disabled; PSU approvals are simulated on the consent screen.

PIS payments in Sandbox always follow the PDNG → ACCC pattern.

Payment cancellations always return CANC.

PIIS confirmations always return fundsAvailable: true.

Signing PSD2 HTTP requests (HTTP Signatures)

Use your QSealC certificate to sign selected headers (request-target, Digest, X-Request-ID, created or X-Date).

Include Signature and TPP-Signature-Certificate headers so PPC EMI can validate the certificate chain, digest and signature before processing the request.

Error handling & problem details

All APIs return standard HTTP status codes with application/problem+json payloads.

Log the status, X-Request-ID, error code, message and timestamp.

Sandbox IP Allowlisting

If your systems restrict outbound traffic, ensure that the PPC E-Money Services Sandbox endpoints are allowlisted. The Sandbox environment uses dedicated URLs and may be hosted on separate IP ranges from Production. Requests from IPs that are not allowlisted will be blocked.
 A full list of Sandbox IP addresses is available upon request during onboarding and will be published in the Sandbox configuration section of the Developer Portal.

Common Sandbox Response Patterns and Errors

The Sandbox uses synthetic accounts, balances and transactions only. It does not process real payments, but it reproduces PSD2 headers, error formats and typical validation rules.
 To ensure predictable testing, the following behaviours and errors may occur:

Invalid or expired token returns 401

Missing required headers, including X-Request-ID, returns 400

Invalid signature or missing HTTP Signature headers returns 403

Unsupported or malformed PSU context headers returns 400

Unknown account identifiers return 404

PIS payment execution always follows PDNG to ACCC

Payment cancellation always returns CANC

Funds confirmation PIIS always returns fundsAvailable set to true

These responses allow you to validate your error handling before moving to Production.

Sandbox vs Production Behaviour

The Sandbox mirrors the structure of the Production APIs but contains important differences to ensure safe testing:

No real payments are executed.

All account data, balances and transactions are synthetic.

Mobile push approvals are disabled; PSU approvals are simulated on the consent screen.

SCA timings, user authentication steps and payment execution times do not reflect Production.

PIIS confirmations always return a positive value.

Do not use Sandbox behaviour to estimate real settlement times, SCA flows or Production performance.

Troubleshooting Checklist Before Contacting Support

To reduce investigation time and avoid unnecessary support tickets, verify the following for every PSD2 request:

You are using the correct environment URLs Sandbox or Production.

Your access token includes the correct scope psd2:ais or psd2:pis or psd2:piis.

Your X-Request-ID header is present, unique and properly formatted.

For APIs that require HTTP Signatures, include Signature and TPP-Signature-Certificate headers and ensure the digest and certificate chain are valid.

Your request uses TLS 1.2 or higher.

Your redirect URIs and PSU return URLs match the values registered during onboarding.

You are not attempting to access Production with Sandbox credentials or vice versa.

Your organisation and PSD2 permissions are correctly configured in the Developer Portal.

Capturing this information will significantly speed up support response times.

Additional Notes for a Complete Integration

Always store the X-Request-ID you send and the one returned in the response; mismatches help trace issues across systems.

When testing payments, use synthetic IBANs defined in the Sandbox documentation.

When handling consent flows, validate that your application supports full redirect + PKCE logic as required by PPC EMI.

For periodic or bulk payment scenarios, ensure that you understand how Sandbox simulates statuses and execution windows.

All error responses follow the application/problem+json format described in the Getting Started section.

Profile & Subscriptions

My profile: view and update your full name, email address and organisation.

Security: change your password to keep your account secure.

Close account: request account closure if you no longer need access; this revokes subscriptions and removes Sandbox access.

My subscriptions: view and manage Sandbox and Production subscriptions, including product name, environment, subscription name and status. Use the subscription detail view to show or regenerate keys. Keep subscription keys secret and never commit them to public repositories.

Glossary highlights

PSD2, TPP (AISP, PISP, PIISP), ASPSP, consent, access token, refresh token, Sandbox environment.