Open Banking API: Updates to OpenID config file, account subtype, and DCR scopes

Breaking changes

On 23rd March 2026, we will update our Open Banking API to include changes to:

• OpenID configuration file and its issuer value
• AccountSubType values returned when retrieving accounts
• Application DCR endpoints and their scope parameter

Although these changes are minor, they may still impact your application. Please review them carefully and adjust your implementation if required.

OpenID configuration file​

On 23 March 2026, the issuer value in the OpenID configuration file will be updated from https://oba.revolut.com to https://oba-auth.revolut.com to correctly reflect the changes to subdomains announced on 4 March 2025.

After the change, we will continue to support both values (https://oba.revolut.com and https://oba-auth.revolut.com), and either will be accepted in the aud parameter of JWTs attached to your requests. However, we strongly recommend that you update your solution promptly to use the new value to reflect the issuer present in the openid-configuration file and prevent potential disruptions in the future.

Note

This change affects only the issuer value inside the file. It does not affect the URL where the file is hosted. The configuration file will remain available at https://oba.revolut.com/openid-configuration.

AccountSubType for Credit Card accounts​

When you retrieve an account or all accounts, the AccountSubType value for Credit Card accounts is currently returned as Loan. From 23 March 2026, it will change to CreditCard to reflect this subtype more accurately.

Application scopes for DCR endpoints​

Dynamic Client Registration (DCR) endpoints are endpoints that you use to manage your applications. When you use this API to register or update an application, you provide the scope as part of the base64URL-encoded payload of the JWT included as the request body. This parameter is then explicitly returned in the response to those endpoints, along other application details. It's also returned when you use this API to retrieve application details.

Currently, the form of this scope parameter varies across these endpoints. For some endpoints, it takes the form of an array, for example: ["openid", "accounts", "payments"]. For others, it's a space-separated string, for example: "openid accounts payments".

From 23 March 2026, the scope parameter will be unified across endpoints. This means that the following changes will apply:

• Requests: The scope parameter included in the JWT payload must be provided as a space-separated string. For example, openid accounts payments. The affected endpoints are:

  • Register an application: POST /register
  • Update an application: PUT /register/{ClientId}

• Responses: The scope parameter will be returned as a space-separated string. For example, openid accounts payments. The affected endpoints are:

  • Register an application: POST /register^*
  • Update an application: PUT /register/{ClientId}
  • Get an application: GET /register/{ClientId}

^*Already implemented

Note

The API documentation has also been updated to reflect the upcoming changes.