
Getting Started for TPPs (Sandbox)

A guided walkthrough that takes you from a freshly onboarded sandbox application to a successful end-to-end payment, using the Postman collection and the included O3 sandbox utilities.

01 Prerequisites

Before you start

02 Postman Collection (Sandbox)

Generate a personalised Postman script

Fill in the values below using an Application (Client) you have created in the Sandbox Trust Framework.

Client ID — use the client_id from your Trust Framework application detail page. See: Trust Framework client_id

Looks like: https://rp.sandbox.directory.openfinance.ae/openid_relying_party/c6fb03a0-…

Client roles — pick the roles assigned to your app (BDSP for data sharing, BSIP for payments / service initiation). See: roles reference

Redirect URI — must exactly match a redirect URI registered on your Trust Framework application. See: redirect URI guidance

Transport key ID — the kid from your transport certificate details in the Trust Framework. See: mTLS certificates

Signing key ID — the kid from your signing certificate details in the Trust Framework. See: finding your key ID (kid)

Signing private key

Accepted: .key, .pem or .txt private key files.

While we accept your signing private key here to bootstrap sandbox testing, this is for testing only. In production, never share private keys — they must stay inside your environment. See Secure Management of Keys and Credentials.

LFI Discovery URL — the .well-known endpoint of the target LFI; the model bank URL is prefilled. See: The .well-known Endpoint

Model bank: https://auth1.altareq1.sandbox.apihub.openfinance.ae/.well-known/openid-configuration
Pre-prod: https://auth1.[LFI CODE].preprod.apihub.openfinance.ae/.well-known/openid-configuration

This collection is for API version v2.1. Switch versions via the navigation header. See the Postman guide for details.
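
The signing private key note above says production keys must stay inside your environment. This added example (not part of the O3 utilities or the Postman collection) signs a private_key_jwt client assertion locally in Node.js. The PS256 algorithm, the RFC 7523 claim set, the audience value and the placeholder client_id and kid are assumptions to confirm against the LFI's discovery document.

```javascript
// Added example (Node.js 16+): sign a client assertion with a locally held key.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const PSS = {
  padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
  saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST,
};

// Claims follow RFC 7523 (iss = sub = client_id). PS256 is an assumption:
// check token_endpoint_auth_signing_alg_values_supported in the discovery doc.
function buildClientAssertion({ clientId, audience, kid, privateKey, now = Date.now() }) {
  const iat = Math.floor(now / 1000);
  const header = { alg: 'PS256', typ: 'JWT', kid };
  const claims = {
    iss: clientId,
    sub: clientId,
    aud: audience,
    jti: crypto.randomUUID(), // unique per assertion so a replay can be rejected
    iat,
    exp: iat + 60,            // short lifetime limits the value of a leaked assertion
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), { key: privateKey, ...PSS });
  return `${signingInput}.${b64url(signature)}`;
}

// Receiver-side check: returns the claims only if the signature verifies.
function verifyClientAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, ...PSS }, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString('utf8')) : null;
}

// Throwaway key pair generated for this demo; a real signing key is loaded
// from your own key store and never leaves your environment.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const assertion = buildClientAssertion({
  clientId: 'https://rp.example/openid_relying_party/PLACEHOLDER', // placeholder
  audience: 'https://auth.lfi.example',                            // placeholder issuer
  kid: 'PLACEHOLDER-signing-kid',                                  // placeholder kid
  privateKey,
});
console.log(verifyClientAssertion(assertion, publicKey));
```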

03 Setting Up Postman

Install, import, and configure mTLS

  1. Install Postman

    Download Postman from postman.com/downloads. Launch Postman and sign in (or create a free account).

  2. Import the collection

    • In Postman, click Import (top left).
    • Select the downloaded .json file.
    • The collection will appear in your Collections sidebar.
  3. Configure mTLS certificates in Postman

    • Open Postman settings: gear icon (top right) → Settings → Certificates tab.
    • Click Add Certificate.
    • Enter the host of the LFI Discovery URL, e.g. *.altareq1.sandbox.apihub.openfinance.ae or *.[LFI CODE].preprod.apihub.openfinance.ae. Leave port blank (defaults to 443).
    • Attach CRT: client_transport.pem.
    • Attach KEY: client_transport.key.
    • Save the certificate entry.

    Test by registering

    Send a request to the TPP's registration endpoint. A 204 (No Content) response confirms the certificate is correctly attached.

    Postman Registration Request

    Note: if you are testing multiple LFIs in sandbox/pre-prod you may need to change the host in the Add Certificate step.

04 Your First Open Finance Requests

An end-to-end Single Instant Payment in the sandbox

  1. Prepare the requests for /par

    Navigate to the Auth Flow folder within Single Instant Payment and run the three O3 utility requests in order:

    1. Send O3 Util: Prepare Encrypted PII — encrypts the PII payload required for the consent.
    2. Send O3 Util: Prepare Request Object JWT — builds the signed request object for the /par call.
    3. Send O3 Util: Prepare Private Key JWT — creates the client assertion used for authentication.
  2. Stage the consent and redirect to the LFI

    1. Send the POST /par request to stage the payment consent.
    2. Click Visualize in the Postman response panel — this renders the response as a clickable redirect link.
    3. Copy the link and open it in a browser to start the authorization redirect to the LFI.
  3. Authenticate and authorize

    1. Authenticate with the LFI.

    Model Bank Credentials (v2.1)

    If you are using the Model Bank, the sandbox credentials are:

    Username: [email protected]
    Password: PIX

    2. Select the account to debit and authorize the payment consent.
  4. Exchange the authorization code for a token

    After the LFI redirects back to your redirect_uri, the URL will contain a code query parameter.

    1. Copy the code value from the redirect URL.
    2. Set it as the authorizationCode collection variable in Postman.
    3. Send the token request to exchange the code for an access token.
  5. Initiate the payment

    Navigate to the Payments folder and run the O3 utility requests, then submit the payment:

    1. Send O3 Util: Prepare Encrypted PII — encrypts the payment PII.
    2. Send O3 Util: Prepare Request Object JWT for SIP — builds the signed request object for the payment.
    3. Send POST /payments.

    A 201 response confirms the payment was successfully initiated.

  6. Retrieve the Payment ID and status

    Decode the JWT received in the POST /payments response to retrieve the PaymentId and Status. The status will typically start as Pending.

    Decoded payment response JWT showing PaymentId and Status
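
The decode in step 6 can be done offline rather than by pasting the token into a web tool. This added example (not part of the Postman collection) decodes a compact JWT in Node.js and pulls out PaymentId and Status; the nesting of those fields in the payload and the sample token are constructed assumptions, and decoding does not verify the signature.

```javascript
// Added example (Node.js 16+): read PaymentId and Status from a response JWT.
// This only decodes the claims; it does NOT verify the LFI's signature.

function decodeJwtPart(part) {
  return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
}

function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected a 3-part compact JWS, got ${parts.length} part(s)`);
  }
  return { header: decodeJwtPart(parts[0]), payload: decodeJwtPart(parts[1]) };
}

// Depth-first search: where the payment body sits inside the payload is an
// assumption here, so look the field up by name instead of by fixed path.
function findKey(node, key) {
  if (node === null || typeof node !== 'object') return undefined;
  if (Object.prototype.hasOwnProperty.call(node, key)) return node[key];
  for (const child of Object.values(node)) {
    const hit = findKey(child, key);
    if (hit !== undefined) return hit;
  }
  return undefined;
}

function paymentSummary(token) {
  const { header, payload } = decodeJwt(token);
  return {
    alg: header.alg,
    kid: header.kid,
    paymentId: findKey(payload, 'PaymentId'),
    status: findKey(payload, 'Status'),
  };
}

// Constructed sample token (placeholder values, dummy signature segment).
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleJwt = [
  enc({ alg: 'PS256', kid: 'example-kid' }),
  enc({ iss: 'https://lfi.example', message: { Data: { PaymentId: 'example-payment-id', Status: 'Pending' } } }),
  enc('signature-placeholder'),
].join('.');

console.log(paymentSummary(sampleJwt));
```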