Before You Start

Before you start, complete a few basic tasks in the following steps:

  1. Register your organization
  2. Invite your developers
  3. Register your application

Step 1. Register your organization

To register your organization, navigate to . First, register yourself as your organization administrator by filling in your first name, last name, email address, username and password, and by accepting the End User License Agreement. Then register your organization by filling in its name and description. Clicking the Register Now button sends your registration to the bank.

After receiving your registration, the bank sends a confirmation email to your email address with a link to log in to the Developer Portal. Your registration is complete after you click the confirmation link and log in successfully.

If you log in without a successful confirmation, the Developer Portal shows the following error message: 'Your account has been disabled'.

Organization Name

The Accounts API and Payments API require that your organization name matches the name in the Financial Services Register provided by the National Bank of Slovakia and in the client certificate.

Password policy

You need a password to log in to the Developer Portal. The portal defines password policy settings that control the complexity and lifetime of passwords. Your password should comply with the following rules:

 

Minimum password length | 9
Minimum number of capitals | 1
Minimum number of special characters | 1
Minimum number of lower case letters | 1
Maximum number of non-repeating characters | 3
Minimum number of numerical values | 1
Password History size | 3
Password Expiry age | 730 days
Password Expiry Warning | 14, 3, 1 days

 

Step 2. Invite your developers

As an organization administrator you can invite developers from your organization to join. To invite new developers, navigate to the Dashboard/Organization page and then to the Invitations menu item on the left. Click the Invite New Users button to start inviting developers. After filling in the list of developers' emails, click the Send Invitation(s) button to send the invitations to the bank. Each developer on your invitation list receives a confirmation email with a registration link to the Developer Portal. You can check the current status of your developers' onboarding on the Dashboard/Organization page under the Developers menu item.

Step 3. Register your application

Your application should be registered on the Developer Portal before your first API call is made. Navigate to the Dashboard/Applications page. To add your new application, click the Add Application button and fill in the Application Information, API Management information and Authorization information. To register your new application, click the Save button. After receiving your request, the Developer Portal generates an API Key, e.g. l7xx528bd862138c4e9bab60cfb5d4d85df8, to identify your application. Your subscribed APIs have the Sandbox plan.

 

To secure communication, an application secret is also generated, e.g. Key Secret 3d5e2ac607ff4f5aa6c5132e1f0f0159. Please keep your secret key safe. If your application secret is compromised, you can request a new secret by clicking the Request a New Shared Secret button.

Callback URL

The Callback URL is used by the bank authorization server to return responses containing authorization credentials to the application via your customer's user-agent. The bank authorization server requires all applications to register one or more redirection endpoints before using the authorization endpoint, and requires the application to provide the complete redirection URI. The redirection endpoint is described in Section 3.1.2, Redirection Endpoint, of the OAuth 2.0 protocol.

Scope

For the OAuth 2.0 Authorization Code Grant, the supported scopes are:

  • AISP in the Accounts APIs
  • payments in the Payments APIs

For the OAuth 2.0 Client Credentials Grant, the supported scopes are:

  • PISP in the Payments APIs

Type

The OAuth 2.0 protocol defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to maintain the confidentiality of their client credentials), in Section 2.1, Client Types. Please choose the option which best suits your application architecture.

Promote application to Live

To promote your application to the Live environment, navigate to the Dashboard/Applications page and edit your application. In the API Management tab you can request a change of plan to Live.

In the Live environment, the Accounts API and Payments API require Two-Way SSL communication. First, send an email with your client certificate attached to developer@tatrabanka.sk with the following body: "As from we are sending our certificate to activate secure communication with Tatra banka for TLS purposes.". The sender email address should match your organization administrator's email. To authenticate you as a client, the API accepts two client certificate types:

  • Extended Validation certificate
  • eIDAS-based site authentication certificate

Extended Validation certificate

An EV SSL Certificate must contain the required fields described on the CA/Browser Forum website.

Certificate Authorities list


Certificate Authority | Certificate Policy Object Identifier
Actalis | 1.3.159.1.17.1
AffirmTrust | 1.3.6.1.4.1.34697.2.1, 1.3.6.1.4.1.34697.2.2, 1.3.6.1.4.1.34697.2.3, 1.3.6.1.4.1.34697.2.4
A-Trust | 1.2.40.0.17.1.22
Buypass | 2.16.578.1.26.1.3.3
Camerfirma | 1.3.6.1.4.1.17326.10.14.2.1.2, 1.3.6.1.4.1.17326.10.8.12.1.2
Comodo Group | 1.3.6.1.4.1.6449.1.2.1.5.1
DigiCert | 2.16.840.1.114412.2.1, 2.16.840.1.114412.1.3.0.2
DigiNotar (defunct) | 2.16.528.1.1001.1.1.1.12.6.1.1.1
E-Tugra | 2.16.792.3.0.4.1.1.4
Entrust | 2.16.840.1.114028.10.1.2
ETSI | 0.4.0.2042.1.4, 0.4.0.2042.1.5
Firmaprofesional | 1.3.6.1.4.1.13177.10.1.3.10
GeoTrust | 1.3.6.1.4.1.14370.1.6
GlobalSign | 1.3.6.1.4.1.4146.1.1
Go Daddy | 2.16.840.1.114413.1.7.23.3
Izenpe | 1.3.6.1.4.1.14777.6.1.1
Kamu Sertifikasyon Merkezi | 2.16.792.1.2.1.1.5.7.1.9
Logius PKIoverheid | 2.16.528.1.1003.1.2.7
Network Solutions | 1.3.6.1.4.1.782.1.2.1.8.1
OpenTrust/DocuSign France | 1.3.6.1.4.1.22234.2.5.2.3.1
QuoVadis | 1.3.6.1.4.1.8024.0.2.100.1.2
SECOM Trust Systems | 1.2.392.200091.100.721.1
Starfield Technologies | 2.16.840.1.114414.1.7.23.3
StartCom Certification Authority | 1.3.6.1.4.1.23223.2, 1.3.6.1.4.1.23223.1.1.1
Swisscom | 2.16.756.1.83.21.0
SwissSign | 2.16.756.1.89.1.2.1.1
T-Systems | 1.3.6.1.4.1.7879.13.24.1
Thawte | 2.16.840.1.113733.1.7.48.1
Trustwave* | 2.16.840.1.114404.1.1.2.4.1
Symantec (VeriSign) | 2.16.840.1.113733.1.7.23.6
Verizon Business (formerly Cybertrust) | 1.3.6.1.4.1.6334.1.100.1
Wells Fargo | 2.16.840.1.114171.500.9
WoSign | 1.3.6.1.4.1.36305.2

 

eIDAS-based site authentication certificate

An eIDAS SSL certificate must comply with the requirements of Article 45 of Regulation (EU) No 910/2014. You can find the Certificate Authorities list on the Slovak National Security Authority website and the EU Trust Service website.

Two-Way SSL (Mutual Authentication)

For secure communication between your application and the bank server, TLS version 1.2+ is required in the Sandbox and Live environments. For TLS 1.2 protocol details see RFC 5246. For further requirements on secure communication see Chapter 4.2 Securing communication in the Slovak banking API standard ver. 1.0 document on the Slovak Banking API Standard page.

The Accounts API and Payments API require communication with clients to be secured by the Two-Way SSL method in the Live environment. In this method, the client and server authenticate and validate each other's identities. The authentication message exchange between client and server is called an SSL handshake, and it includes the following steps:

  1. A client requests access to a protected resource.
  2. The server presents its certificate to the client.
  3. The client verifies the server's certificate.
  4. If successful, the client sends its certificate to the server.
  5. The server verifies the client’s credentials.
  6. If successful, the server grants access to the protected resource requested by the client.

To establish a Two-Way SSL connection, you must have the following:

  • private key
  • client certificate
  • certificate authority root certificate
  • certificate authority intermediate certificates
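
A pre-flight check of the four items above before the certificate is sent to the bank, added here as an example and not taken from the bank's documentation. It assumes the openssl command-line tool, PEM files under names of your choosing, and that the Certificate Policy Object Identifier from the EV list above is what you expect to find in your own certificate.

```shell
#!/bin/sh
# Added example: offline pre-flight checks on Two-Way SSL client material.
# File names are supplied by the caller; nothing here contacts the bank.

# The private key must belong to the client certificate (same public key).
key_matches_cert() {  # key_matches_cert client.key client.pem
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# The certificate must chain to the root (through any intermediates) and be
# acceptable for TLS client authentication.
chain_verifies() {  # chain_verifies client.pem root.pem [intermediates.pem]
    if [ -n "${3:-}" ]; then
        openssl verify -purpose sslclient -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# The certificate must carry the expected Certificate Policy OID. The match is
# on the whole line, so an OID that is only a prefix of another does not pass.
has_policy_oid() {  # has_policy_oid client.pem 2.16.840.1.114412.2.1
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "Policy: $2"
}

# Run all three checks and report the first failure.
preflight() {  # preflight client.key client.pem root.pem intermediates.pem oid
    key_matches_cert "$1" "$2" || { echo "FAIL: private key does not match certificate"; return 1; }
    chain_verifies "$2" "$3" "$4" || { echo "FAIL: chain does not verify for client authentication"; return 1; }
    has_policy_oid "$2" "$5" || { echo "FAIL: policy OID $5 not in certificate"; return 1; }
    echo "OK"
}

# Pass an empty string for intermediates.pem when the root issued the certificate.
if [ "$#" -eq 5 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh client.key client.pem root.pem intermediates.pem <policy OID>`; the script name is an assumption.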