If you're using your Open Banking certificate, use the software statement signed by Open Banking. You can obtain this statement from the Open Banking Directory.
You will need it when you create the JWT later.
If you're using your eIDAS certificate, you must use a self-signed software statement. You will need this software statement when you create the JWT later.
To generate the self-signed software statement, base64url-encode two JSON objects, the SSA header and the SSA payload, and join them with a dot, followed by a trailing dot. The format is the same as that of a JWT but with no signature.
You can use the following webpage to encode the body and header of your SSA: https://www.base64encode.org/. Tick the Perform URL safe encoding box to ensure it is base64url encoded.
Ensure that the software statement meets the following format. You can also check the included examples.
SSA header | Type | Description | Required |
---|---|---|---|
alg | string | Use none as the only value to indicate a self-signed software statement. | Yes |
SSA header:
{
  "alg": "none"
}
Base-64 encoded SSA header:
ewogICJhbGciOiAibm9uZSIKfQ
SSA payload | Type | Description | Required |
---|---|---|---|
org_jwks_endpoint | URI | The JWKs endpoint. It must contain a signing key (QSealC) that matches the kid provided in the JWT header of the registration request. | Yes |
org_name | string | Legal Entity Identifier or other known organisation name. It will be shown in the UI when the user interacts with a consent for this application. | Mandatory if software_client_name is not provided. |
software_client_name | string | The name of the application. It will be shown in the UI when the user interacts with a consent for this application. | Mandatory if org_name is not provided. |
software_on_behalf_of_org | string | A reference to a fourth party organisation if the registering TPP is acting on behalf of another (shown in the UI when the user authorises a consent for this application). | No |
software_redirect_uris | URI | The list of allowed redirect URIs, which must contain the same URLs as provided in the JWT redirect_uris later in step 4: Create a JWT. | Yes |
When both org_name and software_client_name are provided, software_client_name will be used as the application name.
This name, together with the value in software_on_behalf_of_org, will be visible to the PSU when authorising consents or when handling existing consent permissions.
SSA payload:
{
  "org_name": "TPP Company Ltd.",
  "software_client_name": "Accounting Pro",
  "org_jwks_endpoint": "https://example.com/jwks",
  "software_on_behalf_of_org": "John Doe Co.",
  "software_redirect_uris": [
    "https://example.com/my_oauth_redirect"
  ]
}
Base-64 encoded SSA payload:
ewogICJvcmdfbmFtZSI6ICJUUFAgQ29tcGFueSBMdGQiLAogICJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6ICJBY2NvdW50aW5nIFBybyIsCiAgIm9yZ19qd2tzX2VuZHBvaW50IjogImh0dHBzOi8vZXhhbXBsZS5jb20vandrcyIsCiAgInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiAiSm9obiBEb2UgQ28iLAogICJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjogWwogICAgImh0dHBzOi8vZXhhbXBsZS5jb20vbXlfb2F1dGhfcmVkaXJlY3QiCiAgXQp9
Resulting self-signed software statement:
ewogICJhbGciOiAibm9uZSIKfQ.ewogICJvcmdfbmFtZSI6ICJUUFAgQ29tcGFueSBMdGQiLAogICJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6ICJBY2NvdW50aW5nIFBybyIsCiAgIm9yZ19qd2tzX2VuZHBvaW50IjogImh0dHBzOi8vZXhhbXBsZS5jb20vandrcyIsCiAgInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiAiSm9obiBEb2UgQ28iLAogICJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjogWwogICAgImh0dHBzOi8vZXhhbXBsZS5jb20vbXlfb2F1dGhfcmVkaXJlY3QiCiAgXQp9.
The signature of the self-signed software statement is an empty string (there is no string after the second dot).
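The steps above can also be done locally instead of on an encoding website. The following is an added example, not code from the original page or the bank: it checks the payload against the field rules in the table, builds the statement, and decodes one back. The function names are hypothetical, and it serialises the JSON compactly, so the encoded strings differ from the pretty-printed examples above while decoding to the same objects.

```python
import base64
import json


def b64url(obj: dict) -> str:
    """Serialise a JSON object and base64url-encode it without '=' padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_payload(payload: dict, jwt_redirect_uris: list) -> None:
    """Apply the rules from the SSA payload table; raise ValueError on a violation."""
    for field in ("org_jwks_endpoint", "software_redirect_uris"):
        if not payload.get(field):
            raise ValueError(f"missing required field: {field}")
    if not payload.get("org_name") and not payload.get("software_client_name"):
        raise ValueError("provide org_name or software_client_name")
    # The SSA list must contain the same URLs as redirect_uris in the registration JWT.
    if set(payload["software_redirect_uris"]) != set(jwt_redirect_uris):
        raise ValueError("software_redirect_uris must match the JWT redirect_uris")


def build_self_signed_ssa(payload: dict, jwt_redirect_uris: list) -> str:
    """Return header.payload. with an empty signature part after the second dot."""
    validate_payload(payload, jwt_redirect_uris)
    return f'{b64url({"alg": "none"})}.{b64url(payload)}.'


def decode_ssa(ssa: str):
    """Decode a self-signed SSA; reject a non-empty signature or a header other than alg none."""
    header_b64, payload_b64, signature = ssa.split(".")
    if signature != "":
        raise ValueError("a self-signed SSA has an empty signature part")

    def decode(part: str) -> dict:
        # Restore the padding that base64url encoding strips.
        return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

    header = decode(header_b64)
    if header != {"alg": "none"}:
        raise ValueError("header must be exactly {\"alg\": \"none\"}")
    return header, decode(payload_b64)
```

Running `decode_ssa` on a statement before submitting it confirms the exact values that were encoded, including the names the PSU will see.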