Dynamic Client Registration


Last updated: Aug 25th, 1:54am

The UK Open Banking regulations and the Financial Conduct Authority (FCA) require Account Servicing Payment Service Providers (ASPSPs), such as PayPal, to provide secure API access to regulated Third-Party Providers (TPPs). The Dynamic Client Registration (DCR) specification is a key part of this regulatory framework and serves as the standard method for creating OAuth clients in the Open Banking ecosystem.

DCR enables TPPs to register their applications programmatically with PayPal through an automated, secure process and obtain OAuth client credentials to access Open Banking APIs. This process replaces manual onboarding and ensures only authorized, certified TPPs can interact with sensitive financial data. It also ensures compliance with regulatory and security requirements.

This document describes how TPPs can programmatically register their applications with PayPal using DCR.

Key terms

Financial Conduct Authority (FCA): The UK regulatory authority responsible for authorizing TPPs, supervising ASPSPs, and enforcing compliance with Open Banking rules.

Mutual TLS (mTLS): A communication protocol in which both the client and the server authenticate each other using digital certificates before data exchange.

Open Banking Website Authentication Certificate (OBWAC): A digital certificate issued by the Open Banking Directory, which is managed by the Open Banking Implementation Entity (OBIE). TPPs use OBWAC for securing web-based authentication and authorization flows in UK Open Banking. This verifies that redirects to TPP websites are secure and trusted.

Software Statement Assertion (SSA): A digitally signed JSON Web Token (JWT) issued by the Open Banking Directory. It contains details about the TPP’s identity and its application, represented as claims within the JWT payload.

Prerequisites

Before registering the TPP application with PayPal, TPPs must obtain the following from OBIE:

  • OBWAC
  • SSA

Onboard your application

Register your application to obtain the OAuth client credentials. After application registration, you can retrieve your application registration details to verify the registration.

All API requests to PayPal must use the mTLS connection established with your OBWAC certificate.

Register your application

To register your application:

  1. Prepare the registration request:
    1. Pass the OBWAC in the pp_client_cert header parameter.
    2. Include the signed JWT in the request body. This JWT must contain your SSA and the required claims. For more information about the JWT metadata, see Request JWT metadata.
  2. Send a POST request to the /v1/oauth2/applications endpoint.

PayPal verifies your request and registers the application if all claims are valid.

On successful registration, PayPal returns a 201 Created response along with the client_id and client_secret generated for the application. TPPs use these API credentials to securely access PayPal’s Open Banking APIs for Account Information Services (AIS) and Payment Initiation Services (PIS).

Sample request

curl -X POST https://openbanking-uk.paypal.com/v1/oauth2/applications \
-H 'Content-Type: application/jwt' \
-H 'Accept: application/json' \
-H 'pp_client_cert: <OBWAC-CERTIFICATE>' \
-d 'eyJraWQiOiJraWQzIiwidHlwIjoiSldUIiwiYWxnIjoiUFMyNTYifQ.<JWT-PAYLOAD>.GuM4XdUIPQP8srimJ_lC4F9SAF-PMsS0fA3ROTeF-Bltn-6_-k_zxsrBlrv5Ht6G8v0pNC6Y249cyH76vMW3f30KE3Y6wGJoZrts6ojOH6nHmfoin5-_gNkiTnyNNsfNRoq6LMu2bxyy3FH0fDPWNJ13k9WmlJX3ACRmkXI0QDJTIfKBbOdHwfxR0sRe0L72vDeaDmjDGUON9RNI_H6Pud1dp43gxEtHL1YdXawwyWqe0NUccJvqHvnFhv0-Nh-nd3duXJ42zz5O8thnVdY2zYb81C1n2FEFEsxs7BwTcEUdHDFku_ffVWFMBzA3VLT-oxIW8yxSvXtbMIXem84I1g'

Request JWT metadata

Claim name

Description

iss
Required, string

Identifier for the TPP. It must match the software_id in the SSA.

iat
Required, integer

Time at which the request was issued by TPP (seconds since epoch).

exp
Required, integer

Expiry time for the request (seconds since epoch).

aud
string

Audience for the request (PayPal API endpoint).

jti
string

Unique identifier for the JWT.

software_statement
Required, JWS

Signed JWT issued by Open Banking Directory.

redirect_uris
Required, array

Registered URIs the TPP will use to interact with the ASPSP.

grant_types
Required, array

JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token.

Possible values:

  • client_credentials
  • authorization_code
  • refresh_token

token_endpoint_auth_method
Required, string

Authentication method for token endpoint preferred by the TPP.

Possible value: client_secret_basic

scope
array

Scopes requested for the TPP application.

response_types
array

JSON array specifying what the TPP can request to be returned from the ASPSP authorization endpoint.

Possible values:

  • code
  • code id_token

Default value: code id_token

application_type
string

Type of application being registered.

Possible value: web

id_token_signed_response_alg
Conditional, string

Algorithm which the TPP expects to sign the id_token, if it is returned. This field is required if response_types contains code id_token.

Possible values:

  • RS256
  • PS256

request_object_signing_alg
string

Algorithm which the TPP expects to sign the request object, if it is returned.

Possible values:

  • RS256
  • PS256

token_endpoint_auth_signing_alg
string

Algorithm used by the TPP to authenticate with the token endpoint if private_key_jwt or client_secret_jwt is used in token_endpoint_auth_method.

software_id
string

Identifier for the TPP software. It must match the software_id specified in the SSA.

For more information about the claims, see the Data dictionary for DCR.
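
A pre-flight check of the request JWT claims against the table above, as an added example that is not PayPal's code. It decodes the SSA payload without verifying its signature (inspection only); the helper names, the sample values and the exp-after-iat sanity check are assumptions made for illustration.

```python
import base64, json

REQUIRED = ("iss", "iat", "exp", "software_statement", "redirect_uris",
            "grant_types", "token_endpoint_auth_method")
GRANT_TYPES = {"client_credentials", "authorization_code", "refresh_token"}
RESPONSE_TYPES = {"code", "code id_token"}
SIGNING_ALGS = {"RS256", "PS256"}

def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_registration_claims(claims):
    """Return a list of problems; an empty list means the claims fit the table."""
    problems = [f"missing required claim: {c}" for c in REQUIRED if c not in claims]
    if problems:
        return problems
    ssa_id = jwt_payload(claims["software_statement"]).get("software_id")
    rtypes = claims.get("response_types", ["code id_token"])  # documented default
    alg = claims.get("id_token_signed_response_alg")
    checks = [
        (claims["iss"] == ssa_id, "iss does not match software_id in the SSA"),
        (claims.get("software_id", ssa_id) == ssa_id, "software_id does not match the SSA"),
        (claims["exp"] > claims["iat"], "exp is not after iat"),  # added sanity check
        (set(claims["grant_types"]) <= GRANT_TYPES, "unsupported grant_types value"),
        (claims["token_endpoint_auth_method"] == "client_secret_basic", "unsupported auth method"),
        (set(rtypes) <= RESPONSE_TYPES, "unsupported response_types value"),
        ("code id_token" not in rtypes or alg is not None, "id_token_signed_response_alg is required"),
        (alg is None or alg in SIGNING_ALGS, "id_token_signed_response_alg must be RS256 or PS256"),
    ]
    return [msg for ok, msg in checks if not ok]

def fake_ssa(software_id):
    """Constructed, unsigned stand-in for an SSA; real SSAs come from the Directory."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "PS256"}), enc({"software_id": software_id}), "sig"])

NOW = 1_700_000_000  # constructed timestamp (seconds since epoch)
SAMPLE = {  # constructed sample claims, not taken from a real registration
    "iss": "example-software-id", "iat": NOW, "exp": NOW + 300,
    "software_statement": fake_ssa("example-software-id"),
    "redirect_uris": ["https://tpp.example/callback"],
    "grant_types": ["client_credentials", "authorization_code"],
    "token_endpoint_auth_method": "client_secret_basic",
    "response_types": ["code id_token"], "id_token_signed_response_alg": "PS256",
}
```

Run the check on the claim set before signing it, so mismatches such as an iss that differs from the SSA's software_id surface locally rather than as a rejected registration.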

Retrieve your application registration details

TPPs can send a GET request to the /v1/oauth2/applications/<client_id> endpoint to retrieve the details of the registered application.

  • Replace the <client_id> in the path parameter with the client_id received in the response for the POST request.
  • Pass the OBWAC in the pp_client_cert header parameter.
  • Include the access token in the Authorization header parameter as Bearer <ACCESS-TOKEN>. For information about how to get an access_token in exchange for the client_id and client_secret, see Get an access token.

A successful request returns a 200 OK response that contains your registered application details.

Sample request

curl -X GET https://openbanking-uk.paypal.com/v1/oauth2/applications/<client_id> \
-H 'Content-Type: application/jwt' \
-H 'Accept: application/json' \
-H 'pp_client_cert: <OBWAC-CERTIFICATE>' \
-H 'Authorization: Bearer <ACCESS-TOKEN>'