Add-on

No. If you already have an internal solution to manage consent, you can use it and provide an integration with the Open Finance Add-on in order to use our Authorization Server.

Can I use the Open Finance solution in hybrid environments?

No. For now, Open Finance is available only for the SaaS model.

When I activate the Add-on, do all incoming requests go through the Open Finance Authorization Server?

No. For an incoming connection to go through the Open Finance authorization mechanism, the API that receives the request must be deployed to an environment associated with an Open Finance inbound address (host). It’s through the inbound address that we identify whether a connection is for Open Finance and route the call to the correct authorization mechanism. See more about the creation of an inbound address for Open Finance.

Does the Authorization Server handle the end users' data transmitted between Open Finance institutions?

No. End users' data is stored in the databases of the Financial Institutions and is never handled by Sensedia. When the institutions connect to each other using our Authorization Server, we validate the access tokens and authorization scopes but never access the databases. The client is in charge of the exchange of information and lets us know whether the sharing was successful.

What requirements do I need to meet to be able to contract the Open Finance solution?

Firstly, your version of Sensedia API Platform should be 4.5.0.0 or higher (if you are using an earlier version, you will need to request an update).
In addition, mTLS certificates must be provided.

  • For Sandbox:

    • root-ca and issuer-ca from the Sandbox PKI;

    • Server Certificate;

    • Transport Certificate (type brcac, also known as Client Certificate);

    • Signature Certificate (type brseal).

  • For Production:

    • Certification Authorities authorized to issue signing certificates for Open Finance

      • root-ca and issuer-ca of the Certification Authority that generated the signing certificate;

    • Server Certificate;

    • Transport Certificate (type brcac, also known as Client Certificate);

    • Signature Certificate (type brseal).
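
A pre-flight check for the certificate bundle listed above, as an added example that is not part of the Sensedia documentation: it confirms that the Server, Transport and Signature certificates chain to the supplied issuer-ca and root-ca and are not close to expiry. The file names (`root-ca.pem`, `issuer-ca.pem`, `server.pem`, `transport.pem`, `signature.pem`), the PEM encoding and the 30-day default are assumptions.

```shell
#!/usr/bin/env bash
# Added example: file names and the 30-day threshold are assumptions, not Sensedia's.

# check_bundle DIR [MIN_DAYS]
# Returns 0 when every leaf certificate chains to root-ca via issuer-ca and
# remains valid for at least MIN_DAYS more days; returns 1 otherwise.
check_bundle() {
  local dir=$1 min_days=${2:-30} rc=0 f leaf crt
  local root="$dir/root-ca.pem" issuer="$dir/issuer-ca.pem"

  for f in "$root" "$issuer"; do
    [ -r "$f" ] || { echo "MISSING $f"; return 1; }
  done

  # The issuer-ca itself must be signed by the root-ca.
  openssl verify -CAfile "$root" "$issuer" >/dev/null 2>&1 \
    || { echo "FAIL issuer-ca: does not chain to root-ca"; rc=1; }

  for leaf in server transport signature; do
    crt="$dir/$leaf.pem"
    if [ ! -r "$crt" ]; then
      echo "MISSING $crt"; rc=1; continue
    fi
    # Chain: leaf -> issuer-ca (untrusted intermediate) -> root-ca (trust anchor).
    if ! openssl verify -CAfile "$root" -untrusted "$issuer" "$crt" >/dev/null 2>&1; then
      echo "FAIL $leaf: not issued under the supplied root-ca/issuer-ca"; rc=1; continue
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
      echo "FAIL $leaf: expires within $min_days days"; rc=1; continue
    fi
    echo "OK   $leaf: $(openssl x509 -in "$crt" -noout -enddate)"
  done
  return $rc
}
```

Run it as `check_bundle ./certs 30` once per environment, since the Sandbox and Production bundles use different root-ca and issuer-ca files.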

You will also need the SoftwareId (contained in the software statement) and the CertificateKeyId.

  • For Sandbox: the central directory provides these values in the certificate generation interface.

  • For Production: you need to check if the certificate authority provides this with BACEN.

Finally, for the Consent Engine you must provide the following addresses, following the examples below:

  • For Sandbox:

    • TLS: https://auth-sandbox-sandbox.clientdomain.com.br

    • mTLS: https://matls-auth-sandbox.clientdomain.com.br

  • For Production:

    • TLS: https://auth-sandbox.clientdomain.com.br

    • mTLS: https://matls-auth.clientdomain.com.br

  • URL for deploying Open Finance regulatory APIs in api-gateway.

  • URL of the end-user login that has access to the Bank/Fintech.

  • Internal Resources URL.

  • Internal Data Permission, Finalities and Deadlines URL (the URL must be unique for the three services).
