Retail FAQs

Does Nationwide support a faster re-authentication flow?

Yes, we do.

If the Third Party is requesting to re-authorise the same list of accounts from the initial authorisation, the PSU (NBS Member) will skip the ‘account selection’ step of the Digital journey and be directed back to the Third Party once they have authenticated in our channel.

Do you support CIBA (client initiated back-channel authentication)?

We currently do not offer this functionality, but are looking to include it in the future.

How have we implemented the 90-day access exemption (RTS Article 10)?

We support the authentication exemption, which means that you will be able to set up enduring access to 90 days' worth of balances and transactions data via a single authentication of the customer (PSD2 RTS Article 10).

  • When authentication is completed, you will be able to access all account information the customer has agreed to share during the initial session (1 hour duration), including up to 15 months of transactions data for Personal Current Accounts, and up to 90 days of transactions data for Credit Cards.
  • Subsequent requests for Balance and Transaction data no more than 90 days old will not need to be reauthenticated until the authorisation has expired.
  • Where requests are made for account information other than Balances or Transactions, or for data more than 90 days old, a reauthentication is required. We will return a 401 (Unauthenticated/Unauthorised) HTTP code to inform you when this scenario occurs.

How can I get a summary of your technical documentation, including future APIs?

A summary of our technical documentation can be found on our Implementation Guide.

Below you can find a table of all future live APIs and their deployment dates.

API | Version | Live Date
GET /accounts/{AccountID}/statements | v3.1 | November
GET /accounts/{AccountID}/statements/{StatementId}/file | v3.1 | November
GET /accounts/{AccountID}/party | v3.1 | November

What URL can I use to access your Sandbox APIs via my application?

As well as using our Developer Portal UI to access our Sandbox, you can also call our APIs directly from your application by using the URL below, followed by the endpoint that you wish to call.

https://api.obtpp.nationwideinterfaces.io

The only exception to this is if you are calling our GET /.well-known endpoint, where you will need to use the URL below.

https://apionline.obtpp.nationwideinterfaces.io/open-banking/.well-known/openid-configuration

What do your Member authorisation journeys look like?

If you want to take a look at our Member authorisation journeys, you can find these on our Implementation Guide.

What is your API call limit when a Member is not present?

If we receive more than four requests for data where the Member is not present from a third party within a 24-hour period, we will process requests on the understanding that the third party (AISP) has obtained consent from our Member to request data more frequently.

How does functionality in the Sandbox differ from your live environment?

  • In live, we support version 1.1 of the PIS endpoints but these are not available in our Sandbox.
  • We also offer AIS version 1.1 and 2 in live but only offer version 3 in the Sandbox.
  • Open Data APIs are available to everyone in our production environment, hence they are not part of our Sandbox.
  • Here in our Sandbox environment, we have provided a number of test accounts covering a multitude of scenarios that can be used to fully test your application. In live, you will be using Members' real data.
  • We are providing a simulated Customer Auth UI where authorisations will be consented to, by default, as there is no Member present in this journey.
  • To test out expiration of a consent, you will need to wait for the test account’s authorisation to expire.
  • To test revocation of a consent, you will need to create an authorisation on a test account and then delete it by calling the DELETE endpoint for that consent. You can then come back and call your chosen test account to cover this scenario.

Having trouble hitting the OAuth or GET /authorize endpoints?

If you double URL encode, your calls to both the OAuth and GET /authorize endpoints will fail.
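
A pre-flight check for the double-encoding failure described above, as an added example that is not Nationwide's own code. The authorize URL, client ID, redirect URI and state are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, quote, unquote_plus, urlencode, urlsplit

# Constructed placeholder values; substitute your own registration details.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"  # hypothetical endpoint
PARAMS = {
    "response_type": "code id_token",
    "client_id": "example-client-id",
    "redirect_uri": "https://tpp.example.invalid/callback?src=ob",
    "scope": "openid accounts",
    "state": "af0ifjsldkj",
}


def build_authorize_url(base, params):
    """Correct form: hand raw values to urlencode so each is encoded exactly once."""
    return base + "?" + urlencode(params, quote_via=quote)


def build_double_encoded(base, params):
    """The bug: values are quoted by hand, then urlencode escapes every '%' again."""
    pre_quoted = {name: quote(value, safe="") for name, value in params.items()}
    return base + "?" + urlencode(pre_quoted, quote_via=quote)


def diagnose(url, intended):
    """Compare what the server will decode against the values you meant to send."""
    sent = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    report = {}
    for name, want in intended.items():
        got = sent.get(name)  # parse_qsl has already decoded one level
        if got == want:
            report[name] = "ok"
        elif got is not None and unquote_plus(got) == want:
            # A second decode was needed to recover the value: encoded twice.
            report[name] = "double-encoded"
        else:
            report[name] = "mismatch"
    return report


if __name__ == "__main__":
    for label, builder in (("single", build_authorize_url),
                           ("double", build_double_encoded)):
        url = builder(AUTHORIZE_URL, PARAMS)
        print(label, diagnose(url, PARAMS))
```

Values made only of unreserved characters, such as the client ID here, look identical under both builders, so the check reports them as ok even when the bug is present.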

Which signing algorithm can I use?

From 13 March, we will only accept requests signed with the PS256 signing algorithm in both the live and Sandbox services.

Our payloads and ID Tokens will be signed using PS256.