
Getting Started for TPPs (Sandbox) v2.1

Prerequisites

  • You are onboarded to the sandbox Trust Framework. If you are not onboarded onto the sandbox Trust Framework, please see Trust Framework Onboarding.

Postman Collection (Sandbox)

Please fill in the below using an Application (Client) you have created in the Sandbox Trust Framework

Enter your Client Id
Client ID - Use the client_id from your Trust Framework application detail page.
See: Trust Framework client_id
Your Client Id should look like: https://rp.sandbox.directory.openfinance.ae/openid_relying_party/c6fb03a0-e987-49d5-94e2-76cfec02c522
Client Roles
Client Roles - Choose the roles assigned to your app (BDSP for data sharing, BSIP for payments/service initiation).
See: roles reference
Enter your Redirect URI
Redirect URI - Must exactly match a redirect URI registered on your Trust Framework application.
See: redirect URI guidance
Enter your Client Transport Key ID
Transport key ID - The kid from your transport certificate details in the Trust Framework.
See: mTLS certificates
Enter your Client Signing Key ID
Signing key ID - The kid from your signing certificate details in the Trust Framework.
See: finding your key ID (kid)
Upload signing private key (.key)
Accepted: .key, .pem or .txt private key files.
While we request your Signing Private Key here to help you get up and running in the sandbox environment, this is strictly for testing purposes. In production, never share your private keys—they must stay secure within your own environment. Please refer to Secure Management of Keys and Credentials in UAE Open Finance for guidance.
Enter the LFI's Discovery Endpoint
LFI Discovery URL - The .well-known endpoint of the target LFI; model bank URL is prefilled.
See: The .well-known Endpoint
The discovery URI for the model bank is:
https://auth1.altareq1.sandbox.apihub.openfinance.ae/.well-known/openid-configuration
For an LFI's preprod environment it will be:
https://auth1.[LFI CODE].preprod.apihub.openfinance.ae/.well-known/openid-configuration
This Postman collection is for API version v2.1. To download a different version, change the version in the navigation header. See the Postman guide for more details.

Setting Up Postman

1. Install Postman

2. Import the Collection

  • In Postman, click Import (top left).
  • Select the downloaded .json file.
  • The collection will appear in your Collections sidebar.

3. Configure mTLS certificates in Postman

  1. Open Postman settings

    • Click the gear icon (top right) → Settings → Certificates tab.
  2. Navigate to the Certificates tab.

  3. Click Add Certificate:

  4. Add the host of the LFI Discovery URL you input

    • In Host, enter the domain (no protocol), e.g. *.altareq1.sandbox.apihub.openfinance.ae or *.[LFI CODE].preprod.apihub.openfinance.ae
    • Leave port blank (defaults to 443)
  5. Attach your certs

    • CRT file: browse to client_transport.pem.
    • KEY file: browse to client_transport.key.
    • Save the certificate entry.
  6. Test by registering
    • Send a request to the TPP's registration endpoint.
    • If you receive a 204 (No Content)
Postman Registration Request

Note: if you are testing multiple LFIs in sandbox/pre-prod, you may need to change the host in (4).

Your First Open Finance Requests

Step 1 – Prepare the requests for /par

Navigate to the Auth Flow folder within Single Instant Payment and run the three O3 utility requests in order:

  1. Send O3 Util: Prepare Encrypted PII — encrypts the PII payload required for the consent.
  2. Send O3 Util: Prepare Request Object JWT — builds the signed request object for the /par call.
  3. Send O3 Util: Prepare Private Key JWT — creates the client assertion used for authentication.
  1. Send the POST /par request to stage the payment consent.
  2. Click Visualize in the Postman response panel — this renders the response as a clickable redirect link.
  3. Copy the link and open it in a browser to start the authorization redirect to the LFI.
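What a client assertion of the kind produced by "Prepare Private Key JWT" contains, as an added example in Node.js (not the Postman collection's own script). It assumes PS256 signing, a 60-second lifetime and an audience equal to the LFI issuer; the key pair and kid are constructed.

```javascript
// Added example: build a private_key_jwt client assertion (RFC 7523) with Node's crypto.
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function buildClientAssertion({ clientId, audience, kid, privateKey, now = Date.now() }) {
  const iat = Math.floor(now / 1000);
  const header = { alg: 'PS256', typ: 'JWT', kid }; // kid = Signing key ID from the Trust Framework
  const claims = {
    iss: clientId,            // issuer and subject are both the client_id
    sub: clientId,
    aud: audience,            // assumption: the issuer from the LFI discovery document
    jti: crypto.randomUUID(), // unique per assertion, so a captured one cannot be replayed
    iat,
    exp: iat + 60,            // assumption: 60 s lifetime; keep it short
  };
  const signingInput = `${b64url(header)}.${b64url(claims)}`;
  // PS256 (assumed algorithm): RSASSA-PSS with SHA-256 and a 32-byte salt.
  const signature = crypto.sign('sha256', Buffer.from(signingInput), {
    key: privateKey,
    padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
    saltLength: 32,
  });
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Constructed sample: a throwaway key pair generated in memory and a placeholder kid.
const sampleKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleAssertion = buildClientAssertion({
  clientId: 'https://rp.sandbox.directory.openfinance.ae/openid_relying_party/c6fb03a0-e987-49d5-94e2-76cfec02c522',
  audience: 'https://auth1.altareq1.sandbox.apihub.openfinance.ae', // assumed issuer value
  kid: 'constructed-signing-kid',
  privateKey: sampleKeys.privateKey,
});
console.log(sampleAssertion);
```

The signing key is read from memory here only because it is a throwaway; with a real key, pass a handle from your own key store rather than a file you have uploaded anywhere.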

Step 3 – Authenticate and Authorize

  1. Authenticate with the LFI.

Model Bank Credentials (v2.1)

If you are using the Model Bank, the sandbox credentials are:

Username: [email protected]
Password: PIX

  2. Select the account to debit and authorize the payment consent.

Step 4 – Exchange the Authorization Code for a Token

After the LFI redirects back to your redirect_uri, the URL will contain a code query parameter.

  1. Copy the code value from the redirect URL.
  2. Set it as the authorizationCode collection variable in Postman.
  3. Send the token request to exchange the code for an access token.

Step 5 – Initiate the Payment

Navigate to the Payments folder and run the O3 utility requests, then submit the payment:

  1. Send O3 Util: Prepare Encrypted PII — encrypts the payment PII.
  2. Send O3 Util: Prepare Request Object JWT for SIP — builds the signed request object for the payment.
  3. Send POST /payments.

A 201 response confirms the payment was successfully initiated.

Step 6 – Retrieve the Payment ID and Status

  1. Decode the JWT received in the POST /payments response to retrieve the PaymentId and Status. The status will typically start as Pending.
Decoded payment response JWT showing PaymentId and Status
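The decode in Step 6, as an added Node.js example (not part of the Postman collection) that checks the signature before reading PaymentId and Status. It assumes PS256 and that you already hold the LFI's public signing key; the key pair, kid and payload nesting in the sample are constructed.

```javascript
// Added example: verify, then decode, a signed payment response (compact JWS).
const crypto = require('node:crypto');

// PS256 parameters (assumed algorithm): RSASSA-PSS, SHA-256, 32-byte salt.
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Find the first value stored under `key` at any depth, so the example does not
// depend on the exact nesting of the response body.
function findKey(node, key) {
  if (node === null || typeof node !== 'object') return undefined;
  if (Object.prototype.hasOwnProperty.call(node, key)) return node[key];
  for (const child of Object.values(node)) {
    const hit = findKey(child, key);
    if (hit !== undefined) return hit;
  }
  return undefined;
}

function readPaymentResponse(jws, lfiPublicKey) {
  const parts = jws.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = fromB64url(h);
  // Pin the algorithm instead of trusting the header (rejects "none" and HS256).
  if (header.alg !== 'PS256') throw new Error(`unexpected alg: ${header.alg}`);
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: lfiPublicKey, ...PSS }, Buffer.from(s, 'base64url'));
  if (!valid) throw new Error('signature check failed');
  const payload = fromB64url(p);
  return { paymentId: findKey(payload, 'PaymentId'), status: findKey(payload, 'Status') };
}

// Constructed sample: throwaway key pair, placeholder kid, made-up payload nesting.
function makeSample() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = { message: { Data: { PaymentId: 'constructed-payment-id-0001', Status: 'Pending' } } };
  const input = `${enc({ alg: 'PS256', kid: 'constructed-lfi-kid' })}.${enc(body)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, ...PSS });
  return { jws: `${input}.${sig.toString('base64url')}`, publicKey };
}

const sample = makeSample();
console.log(readPaymentResponse(sample.jws, sample.publicKey));
```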