PSD2 Sandbox

A registered TPP organisation may use a test calls in a sandbox environment to test its integration on fixed, mock data. Sandbox calls should be used for integration testing instead of real data.

Sandbox calls are driven by the API plan assigned to the application (individual API). If the assigned plan is "Sandbox" then all calls are handled in the sandbox. By default every new registration is assigned Sandbox API plan  and can be later changed to production plans by requesting API Plan change. This behaviour ensures that new applications are tested against safe sandbox data first.

These sandboxed calls behaved the same way as regular PSD2 APIs with the following key differences.

  • The OAuth does not require a real bank customer login. Instead the authorization code is issued immediately after calling https://api.moneta.cz/oauth2/auth  with proper parameters.
  • All PSD2 OpenBanking APIs respond with dummy, fixed responses. These responses have a proper response format for a valid API call, but they do not react to malformed requests by an error message.
  • All OAuth tokens obtained though a sandbox OAuth calls may only be used in the Sandbox environment. Similarly OAuth tokens issued in live API environment will not function in the sandbox.

In order to use the sandbox the TPP organisation must pass the organisation registration, register an application in the portal and also register the client certificate. All these registrations can be shared between the sandbox and real environment, i.e. the application and/or certificate registered for the sandbox will work later in real production. Similarly the application or certificates registered in the live API branch will work for sandbox calls.

Note well: make sure that all your APIs in the PSD2 package have the same API Plan - either Sandbox or any suitable production plan. Sandbox OAuth tokens have different scopes from "non-sandbox"  and because all APIs are in one group, mixing API Plans results in access denied on many places.

Below is a full list of available sandboxed API endpoints

Authorization

  • https://api.moneta.cz/oauth2/auth - OAuth authorization code request.
  • https://apiauth.moneta.cz/oauth2/token - OAuth token issue request API
  • https://apiauth.moneta.cz/oauth2/register - TPP certificate registration API endpoint

OpenBanking API

  • https://apiauth.moneta.cz/api/* - The actual OpenBanking API tree for making account and trasaction requests. For a full list of API endpoints under the sandbox, refer to the PSD2 OpenBanking API documentation.