Welcome to the PSD2 API of Bank Alpinum. These pages dedicated to PSD2 help you take the first steps to access bank accounts through our API. The API provides access to accounts that are enabled for online access by a valid e-banking contract. For those accounts the API offers three services.
All three services can be used by licensed TPPs (Third Party Provider) possessing the specific certificate. Each service offered by a TPP needs to be instructed by the PSU (Payment System User).
These instructions are called consents. In order to establish a valid consent a consent request is created by the TPP. Once that consent is approved by the PSU the consent is valid and can be used to retrieve account information from the banking system. The following scheme shows the process for creating and validating a consent.
Our XS2A API follows the specifications of the Berlin Group.
As of 30.09.2020 the test option (hereinafter referred to as "Sandbox") is available for all payment initiation, account information and payment service providers.
Access to sandbox:
The test interface ("XS2A Sandbox") provides pure test data with random IBAN and random amounts.
Access to production:
To gain access to the sandbox or production environment, a TPP must have a valid QWAC (Qualified Website Authentication Certificate). The certificate must be issued by one of the following certificate authorities:
A-Trust (Austria), D-Trust (DE), CertEurope (FR), InfoCert (IT), BVTrust (DE)
Please use that certificate to access both the sandbox and the production environment.
An example API call in CURL would look like:
To gain access to account information, the TPP first sends a consent request to the bank. Before the request is forwarded to the PSD2 interfaces, the certificate of the TPP is checked for validity. If the certificate is valid the consent is created in the consent management system of the bank. Before that consent can be used for account information requests, the consent must be authorized by the PSU (Payment System User). To initiate this flow, the TPP receives a link in the response of the consent creation request. This link will be forwarded to the PSU. Afterwards, the PSU logs on to the bank's access identity system with his e-banking account, password, and a second factor (Short Message or CrontoSign). A consent user interface will be shown, and the PSU can confirm or deny the consent. After successful consent validation, the TPP can request the required account information using the validated consent-id.
In the sandbox environment the following contract (PSUID) can be used to validate a consent and to go through the whole consent flow:
The SCA (strong customer authentication) process will be executed in 4 steps:
1. Open the SCA redirect link from the consent response body. The login screen of the e-banking system will appear.
2. Enter the PSUID (VT9999999) and password.
3. Enter the token from the received short message. After valid input, the consent user interface will be shown.
4. Approve or deny the consent or payment initiation. Afterward you will be forwarded to the TPP application.
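The TPP side of the consent flow described above, as an added example (not code from Bank Alpinum): it builds the consent request, checks the SCA redirect link before it is forwarded to the PSU, and uses the consent only once its status is "valid". Field and header names follow the Berlin Group NextGenPSD2 conventions; the host names, callback URI, IBAN and consent id are assumed placeholders.

```python
import json
import uuid
from urllib.parse import urlsplit

# Assumed placeholders (not from the page): hosts, callback URI, IBAN, consent id.
ALLOWED_SCA_HOSTS = {"ebanking.bank.example"}
SAMPLE_IBAN = "CH0000000000000000000"  # constructed, not a real account

def build_consent_request(psu_id, iban, valid_until):
    """Headers and JSON body for POST /v1/consents (sent with the QWAC as TLS client cert)."""
    headers = {
        "Content-Type": "application/json",
        "X-Request-ID": str(uuid.uuid4()),  # fresh per request, for tracing
        "PSU-ID": psu_id,
        "TPP-Redirect-URI": "https://tpp.example/callback",
    }
    accounts = [{"iban": iban}]
    body = {
        "access": {"accounts": accounts, "balances": accounts, "transactions": accounts},
        "recurringIndicator": True,
        "validUntil": valid_until,
        "frequencyPerDay": 4,
        "combinedServiceIndicator": False,
    }
    return headers, json.dumps(body)

def parse_consent_response(raw):
    """Return (consentId, scaRedirect link); reject non-HTTPS or unexpected hosts."""
    doc = json.loads(raw)
    href = doc["_links"]["scaRedirect"]["href"]
    url = urlsplit(href)
    if url.scheme != "https" or url.hostname not in ALLOWED_SCA_HOSTS:
        raise ValueError(f"unexpected SCA redirect target: {href}")
    return doc["consentId"], href

def consent_usable(status_raw):
    """Account requests are allowed only after PSU approval (consentStatus 'valid')."""
    return json.loads(status_raw).get("consentStatus") == "valid"

# Constructed sample response to the consent creation request.
SAMPLE_CREATED = json.dumps({
    "consentStatus": "received", "consentId": "constructed-consent-id-123",
    "_links": {"scaRedirect": {"href": "https://ebanking.bank.example/sca?id=123"}}})

if __name__ == "__main__":
    headers, body = build_consent_request("VT9999999", SAMPLE_IBAN, "2030-12-31")
    consent_id, link = parse_consent_response(SAMPLE_CREATED)
    print("forward to PSU:", link, "| usable yet:", consent_usable(SAMPLE_CREATED))
    print("usable after approval:", consent_usable('{"consentStatus": "valid"}'))
```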
In case of technical issues, please send an email to the indicated contact.
In the event of a failure, the emergency mechanism pursuant to Article 33 (4) DelVO (EU) 2018/389 shall come into effect: In the event of an unforeseen unavailability or a system failure of the XS2A interface pursuant to Article 33 (1) DelVO (EU) 2018/389, the use of the online banking access provided for our customer under the URL https://xs2a-fallback.bankalpinum.com/authen/login is permitted.
For identification purposes, the respective certificate must be sent with each request, which is also used when requesting the XS2A interface. This does not change the behavior of online banking; the same web pages are delivered.
We refer to the general conditions mentioned in Article 33 (5) DelVO (EU) 2018/389. The information required in Article 33 (5) e) DelVO (EU) 2018/389 should be sent to the e-mail addresses mentioned in section "contact".
The API documentation for PSD2 with all endpoints can be found here:
Open API Documentation
A TPP requires an appropriate certificate to execute a request. These certificates cannot be stored in the documentation environment. For this reason, requests must be sent from a local program (e.g., CURL), including the certificates. However, the CURL statements can be generated via the API documentation.
Please contact us. We can extend the list of trusted Certificate Authorities.
Currently the payment type SEPA CREDIT TRANSFER in currencies EUR and CHF is supported. More currencies could be added to the list of available currencies. The API currently supports single payments.
There are two types of consent:
Consent for Account information to retrieve account balance and account transactions
Consent for Funds Coverage Check. To do a fund coverage check, the TPP needs to establish a consent for FCS and have the PSU approve it.
The initiation of a single payment always requires the approval of this payment. The PSU approves it by logging in with the PSUID, a password, and the second factor. After that, the payment details are displayed, and the PSU can accept or deny the initiation of the payment. Because of this process, no advance consent is necessary for payments.
Payment initiations can be performed. However, payments will not be processed and the status will remain "PDNG" (pending).
A fund coverage request (FCS) for a given account will only be executed correctly if the currency for the requested amount is the same as the account currency.
The onboarding for the production environment is an automatic process. It is performed based on your client certificate and will take place with the first production request.
If the payment service user is supposed to execute the authorization process on the smartphone, the authentication method mTan (Short message) should be set on the e-banking contract. By delivering the message as a short message, the PSU can transfer the code directly to the login form.
Please see contact details in tab "Contact". We will try to get back to you as soon as possible.
For general questions about the PSD2 services and payment services offered by Bank Alpinum, please get in contact via email to:
For technical questions about the PSD2 API, please get in contact via email to:
The regulatory required reports show the availability and response times of the PSD2 services.
After the end of each quarter the reports are produced and published on this page.
The columns in the file have the following meaning:
Changes for Service PSD2 planned or done:
Maintenance release deployed, with the documentation of endpoints updated.
PSD2 API with Finnova Integration. Ready to use by TPP.
PSD2 API with a sandbox environment for integration and testing purposes.