Registering your Application

TPPs dynamically register their applications with LFIs by submitting a registration request to the LFI's registration_endpoint, which is discovered via the .well-known endpoint. The request is sent over mutual TLS, using the TPP application's transport certificate and corresponding private key to establish a secure and trusted connection.

01 Prerequisites

What you need before registering

Before registering with an Authorisation Server, ensure the following requirements are met:

  • Onboarded Organisation in the Trust Framework — your organisation must be successfully registered and approved within the Trust Framework.
  • Registered Application — the application must be created within the Trust Framework and assigned the appropriate roles required for the intended use case.
  • Valid Transport Certificate — an active transport certificate must be issued and registered in the Trust Framework to enable secure mTLS communication with the Authorisation Server.
  • Selected Authorisation Server — you must identify the Authorisation Server you intend to register with by using API Discovery to locate and select the appropriate endpoint.

Roles are locked in at registration

The roles assigned to your application (BSIP, BDSP, ISP) determine what it is permitted to do with the LFI. Once registered, editing the application's roles in the Trust Framework has no effect — the registered roles are fixed. If the roles later need to change, you must disable the application, create a new one with the correct roles, and register it again.

02 Retrieving the registration_endpoint

Discover the URL via .well-known

Once you have identified the Authorisation Server you want to register with, you can locate its registration endpoint via the .well-known OpenID configuration.

In the JSON returned from the .well-known endpoint, look for:

.well-known excerpt (JSON)
"registration_endpoint": "https://rs1.[LFICode].apihub.openfinance.ae/tpp-registration"

This is the endpoint your TPP will use to register the application.

03 API Sequence Flow

End-to-end TPP registration

[Sequence diagram: TPP Registration API Flow]

04 POST /tpp-registration

Submitting the registration request

POST /tpp-registration

Example request

curl (bash)
curl '<registration_endpoint>' \
  --request POST \
  --header 'Content-Type: application/json' \
  --cert path/to/your-cert.pem \
  --key path/to/your-key.key \
  --data '{}'

This endpoint uses mutual TLS (mTLS) with transport-level certificates. Make sure you pass both:

  • --cert — path to your transport client certificate (.pem)
  • --key — path to your transport private key (.key)

Once the registration is successful, you will receive a 204 No Content response. This indicates that your application is registered with the server.
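
The discovery and registration steps above as one Python client, added here as an illustration (it is not code from the Open Finance documentation). The LFI code `lfi-example`, the function names and the certificate paths are assumptions, and the sample .well-known document is constructed.

```python
import http.client
import json
import ssl
from urllib.parse import urlsplit

# Constructed sample .well-known response; "lfi-example" stands in for [LFICode].
SAMPLE_DISCOVERY = json.dumps({
    "registration_endpoint":
        "https://rs1.lfi-example.apihub.openfinance.ae/tpp-registration",
})


def registration_endpoint(discovery_json: str) -> str:
    """Return registration_endpoint from a .well-known document, HTTPS only."""
    doc = json.loads(discovery_json)
    url = doc.get("registration_endpoint") if isinstance(doc, dict) else None
    if not isinstance(url, str) or not url:
        raise ValueError("discovery document has no registration_endpoint")
    parts = urlsplit(url)
    # The client certificate is presented to this host, so never accept plain HTTP.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS registration_endpoint: {url!r}")
    return url


def register(url: str, cert_path: str, key_path: str) -> bool:
    """POST to the registration endpoint over mTLS; True only on 204 No Content."""
    # Assumption: the LFI's server certificate chains to the system trust store.
    ctx = ssl.create_default_context()  # verifies server certificate and hostname
    # The private key is only read locally for the TLS handshake; it is never sent.
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(
        parts.hostname, parts.port or 443, context=ctx, timeout=30)
    try:
        conn.request("POST", parts.path or "/", body="{}",
                     headers={"Content-Type": "application/json"})
        response = conn.getresponse()
        response.read()  # 204 carries no body; drain anything an error returns
        return response.status == 204
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call register() with
    # your own certificate and key paths to perform the real request.
    print(registration_endpoint(SAMPLE_DISCOVERY))
```

A `True` result from `register()` only means the request was accepted; the LFI must still activate the registration before API calls succeed.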

Your Client ID is not returned here

POST /tpp-registration returns no body. Your ClientId is the UUID assigned to your application when it was created in the Trust Framework Directory — it is not issued by this endpoint. Find it on the application detail page: Organisation → Applications → select your application. See Creating an Application for a screenshot.

You will need this value as client_id, iss, and sub in all Client Assertions and Request JWTs.

05 Activation

Registration alone does not grant access

Registration does not automatically grant access. Once a TPP submits a registration request to an LFI, the LFI must activate the TPP, the associated Client, and the Software Statement before the TPP can communicate with the LFI.

Model bank

Registration with the model bank is activated automatically — no manual approval is required. For all other LFIs, activation must be performed by the LFI via their Admin Portal before the TPP can make API calls.

For guidance on how an LFI activates a TPP's registration request via their Admin Portal, please review the TPP Management & Activation page.