On 10 July 2025, we will update our Open Banking API to the FAPI 1.0 Advanced standard, enhancing data security. This means that all TPPs using our Open Banking APIs will need to implement several changes.
The changes will apply to all consent authorisation flows and endpoints. This will affect both existing and new consents.
New requirements for request JWTs
Starting from 10 July 2025, any request JSON Web Token used for consent authorisation must contain the nbf (not before), exp (expiration time) and aud (audience) claims:
- The nbf claim must be a Unix timestamp, in seconds, before which the JWT is not valid.
- The exp claim must be a Unix timestamp, in seconds, after which the JWT is no longer valid. Additionally, this value must be no more than 60 minutes later than the value of nbf.
- The aud claim must contain the URI of the intended service. In this case, depending on your environment, this should be:
  - Production: https://oba-auth.revolut.com
  - Sandbox: https://sandbox-oba-auth.revolut.com
Read more about the JWT payload parameters.
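As an added example (not Revolut's code), here is a pre-flight check in Python that a TPP could run on the claims of a request JWT before sending it, applying the three rules above. The function names, the now parameter and the millisecond heuristic are assumptions made for this illustration, and the check reads the payload without verifying the signature.

```python
import base64
import json
import time

# Audience URIs listed on this page, keyed by environment.
AUDIENCE = {
    "production": "https://oba-auth.revolut.com",
    "sandbox": "https://sandbox-oba-auth.revolut.com",
}
MAX_WINDOW = 60 * 60  # exp may be at most 60 minutes after nbf

def decode_payload(token):
    """Read the claims of a compact JWT. The signature is NOT verified."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_request_claims(claims, env, now=None):
    """Return the problems found; an empty list means the claims pass."""
    now = time.time() if now is None else now
    problems = [f"missing {c}" for c in ("nbf", "exp", "aud") if c not in claims]
    times = {}
    for name in [n for n in ("nbf", "exp") if n in claims]:
        value = claims[name]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name} is not a number")
        elif value > 10**11:  # heuristic (assumption): a millisecond timestamp
            problems.append(f"{name} looks like milliseconds, not seconds")
        else:
            times[name] = value
    if len(times) == 2:
        if times["exp"] <= times["nbf"]:
            problems.append("exp is not after nbf")
        elif times["exp"] - times["nbf"] > MAX_WINDOW:
            problems.append("exp is more than 60 minutes after nbf")
        if not times["nbf"] <= now < times["exp"]:
            problems.append("token is not valid at the current time")
    aud = claims.get("aud", [])
    # RFC 7519 allows aud to be one string or an array of strings.
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if "aud" in claims and AUDIENCE[env] not in auds:
        problems.append(f"aud does not contain {AUDIENCE[env]}")
    return problems

def make_sample_token(claims):
    """Constructed sample: unsigned token with a placeholder signature."""
    parts = [json.dumps(p).encode() for p in ({"typ": "JWT"}, claims)]
    encoded = [base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts]
    return ".".join(encoded + ["placeholder-signature"])
```

Running it against a token built for one environment with the other environment's name catches the aud mismatch, and passing timestamps taken from a millisecond clock is reported separately from the 60-minute rule.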
New subdomains and mandatory mTLS
From 10 July 2025, we will enforce mutual TLS (mTLS) on all our Open Banking API endpoints. This also means new subdomains for most Open Banking API endpoints.
To ensure a smooth transition, we will introduce a deprecation period from 10 March 2025 till 10 July 2025. Within this period, all TPPs must implement changes and start using the new subdomains:
- For Production: oba.revolut.com -> oba-auth.revolut.com.
- For Sandbox: sandbox-oba.revolut.com -> sandbox-oba-auth.revolut.com.
The subdomains oba-auth.revolut.com and sandbox-oba-auth.revolut.com are already used for the /token and /register endpoints.
These endpoints will remain unaffected by this change, as they are already mTLS-secured.
After the deprecation period, the old subdomains, oba.revolut.com and sandbox-oba.revolut.com, will stop working, and all requests made to these URLs will fail.