Access restricted endpoints

To be able to access the, you must possess a Qualified Website Authentication Certificate (QWAC) and a Qualified Electronic Seal Certificates (QSEAL) certificate delivered by a Qualified Trust Service Provider as required by the PSD2.


During your registration, you will be asked to provide both your QWAC and QSEAL certificates.

Mutual TLS Authentication

All API calls done through require mutual TLS authentication using your QWAC certificate.

During the TLS handshake, you will be presented with Shine's own QWAC certificate.
Our QWAC certificate has been delivered by CertEurope and the root certificate can be found here

HTTP Signature

The request must be signed with your QSEAL certificate according to the draft specification

As of today, our responses, however, are not signed.

What’s Next