When interacting with the Lunar APIs, several security mechanisms are in place to ensure integrity and authenticity.
Mutual TLS
Communication between a Third Party Provider (TPP) and Lunar is secured by a mutual TLS (mTLS) connection. The certificate must be a valid QWAC certificate issued by a Qualified Trust Service Provider (QTSP).
You need a QWAC certificate issued by a QTSP. A list of trusted certificate providers can be found in the Trusted List Browser by CEF Digital. Lunar trusts all root certificates from the Trusted List and follows updates to the list daily.
TLS version
We only accept TLS v1.3 and TLS v1.2 on Lunar Open Banking APIs. Make sure to use clients that support these versions.
On macOS you can use brew to install curl built against OpenSSL:

brew install curl-openssl

OpenID configuration
When requesting access to a Payment Service User (PSU), a decoupled OpenID Connect flow is initiated.
The OpenID configuration details are hosted in a .well-known resource, which can be retrieved with an HTTP GET request:
curl \
--silent \
https://auth.openbanking.prod.lunar.app/.well-known/openid-configuration

OAuth2 client credentials
Apart from the required mTLS connection, all interactions between a TPP and Lunar are authenticated with OAuth2 client credentials issued during registration. These credentials consist of a client id and a client secret and must be used when starting any of the OAuth2 grant types. See Register for more details on registration.
Request IDs
All APIs require an X-Request-ID HTTP header which uniquely identifies the request and is used as an idempotency key.
The value must be a valid UUID (RFC-4122), for example:
X-Request-ID: 550e8400-e29b-41d4-a716-446655440000

If you issue two identical requests with the same request ID, you will receive the same result. This is useful for safely retrying requests after network failures or timeouts.
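The TLS requirements above and the idempotent X-Request-ID behaviour, as an added Python example (not Lunar's client code): it builds a client TLS context that presents the QWAC and refuses anything below TLS 1.2, validates the header value as an RFC 4122 UUID, and retries a timed-out request with the same request ID against a constructed stand-in for the API. The certificate and key paths, the `send` callable and the `FakeLunar` stand-in are assumptions, not Lunar's interfaces.

```python
import ssl
import uuid
from typing import Callable, Dict

def make_mtls_context(cert_path: str, key_path: str) -> ssl.SSLContext:
    """Client-side context: present the QWAC (assumed PEM paths) for mTLS and
    refuse anything below TLS 1.2, since only 1.2 and 1.3 are accepted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx

def valid_request_id(value: str) -> bool:
    """True only for a canonical hyphenated RFC 4122 UUID, as X-Request-ID requires."""
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return str(parsed) == value.lower() and parsed.variant == uuid.RFC_4122

class Timeout(Exception):
    pass  # the response never arrived; the server may or may not have acted

def send_with_retry(send: Callable[[Dict[str, str]], dict], attempts: int = 3) -> dict:
    """Send via `send(headers)`; on Timeout retry with the SAME X-Request-ID,
    so a duplicate delivery yields the stored result instead of a second operation."""
    headers = {"X-Request-ID": str(uuid.uuid4())}   # generated once, reused on every retry
    for attempt in range(1, attempts + 1):
        try:
            return send(headers)
        except Timeout:
            if attempt == attempts:
                raise
    raise ValueError("attempts must be >= 1")

class FakeLunar:
    """Constructed stand-in for the API: one result per request ID; the first reply is lost."""
    def __init__(self) -> None:
        self.results: Dict[str, dict] = {}
        self.calls = 0
    def __call__(self, headers: Dict[str, str]) -> dict:
        self.calls += 1
        rid = headers.get("X-Request-ID", "")
        if not valid_request_id(rid):
            return {"status": 400, "error": "X-Request-ID must be a UUID"}
        first_time = rid not in self.results
        self.results.setdefault(rid, {"status": 201, "payment": f"pay-{len(self.results) + 1}"})
        if first_time and self.calls == 1:
            raise Timeout()        # operation recorded server-side, reply lost in transit
        return self.results[rid]
```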
Lost credentials
If you lose your OAuth2 client credentials (clientId and clientSecret), they cannot be recovered. The clientSecret is only returned once during registration and is never stored in a retrievable format.
To regain access, you will need to re-register as a TPP using the same eIDAS certificate. This will generate a new set of credentials.