On this page
No Headings
Last updated: June 25, 2026
The UK Open Banking regulations and the Financial Conduct Authority (FCA) require Account Servicing Payment Service Providers (ASPSPs), such as PayPal, to provide secure API access to regulated Third-Party Providers (TPPs). The Dynamic Client Registration (DCR) specification is a key part of this regulatory framework and serves as the standard method for creating OAuth clients in the Open Banking ecosystem.
Note: While the Payment Services Directive (PSD2) does not mandate the use of DCR, it allows the ASPSPs to use DCR for onboarding TPP applications.
DCR enables TPPs to register their applications programmatically with PayPal through an automated, secure process and obtain OAuth client credentials to access Open Banking APIs. This process replaces manual onboarding and ensures only authorized, certified TPPs can interact with sensitive financial data. It also ensures compliance with regulatory and security requirements.
This document describes how TPPs can programmatically register their applications with PayPal using DCR.
Note: TPPs can also manually register their applications with PayPal.
Financial Conduct Authority (FCA): The UK regulatory authority responsible for authorizing TPPs, supervising ASPSPs, and enforcing compliance with Open Banking rules.
Mutual TLS (mTLS): A communication protocol in which both the client and the server authenticate each other using digital certificates before data exchange.
Open Banking Website Authentication Certificate (OBWAC): A digital certificate issued by the Open Banking Directory, which is managed by the Open Banking Implementation Entity (OBIE). TPPs use OBWAC for securing web-based authentication and authorization flows in UK Open Banking. This verifies that redirects to TPP websites are secure and trusted.
Software Statement Assertion (SSA): A digitally signed JSON Web Token (JWT) issued by the Open Banking Directory. It contains details about the TPP's identity and its application, represented as claims within the JWT payload.
Before registering the TPP application with PayPal, TPPs must obtain the following from OBIE:
Register your application to obtain the OAuth client credentials. After application registration, you can retrieve your application registration details to verify the registration.
All API requests to PayPal must use the mTLS connection established with your OBWAC certificate.
To register your application:
Prepare the registration request:
1. Pass the OBWAC in the pp_client_cert header parameter.
2. Include the signed JWT in the request body. This JWT must contain your SSA and the required claims. For more information about the JWT metadata, see Request JWT metadata.
Send a POST request to the /v1/oauth2/applications endpoint.
PayPal verifies your request and registers the application if all claims are valid.
On successful registration, a success response 201 created is returned along with the client_id and client_secret generated for the application. TPPs use these API credentials to securely access PayPal's Open Banking APIs for Account Information Services (AIS) and Payment Initiation Services (PIS).
Important: client_id and client_secret will be provided only once as part of the POST response. TPPs must securely store these credentials. If credentials are lost, TPPs must submit a new POST request to create a new application registration.
curl -X POST https://openbanking-uk.paypal.com/v1/oauth2/applications \
-H 'Content-Type: application/jwt' \
-H 'Accept: application/json' \
-d 'pp_client_cert: <OBWAC-CERTIFICATE>' \
-d 'eyJraWQiOiJraWQzIiwidHlwIjoiSldUIiwiYWxnIjoiUFMyNTYifQ.eyJhdWQiOiJodHRwczovL3d3dy5hcGkucGF5cGFsLmNvbS92MS9vYXV0aDIvYXBwbGljYXRpb25zIiwic29mdHdhcmVfaWQiOiI3VzhkUXM4M1NCRlpGUXpDRXE0ZWJJMTIzMzMzIiwic29mdHdhcmVfc3RhdGVtZW50IjoiZXlKcmFXUWlPaUpyYVdReklpd2lkSGx3SWpvaVNsZFVJaXdpWVd4bklqb2lVRk15TlRZaWZRLmV5SnpiMlowZDJGeVpWOXRiMlJsSWpvaVZHVnpkQ0lzSW05eVoxOXFkMnR6WDJWdVpIQnZhVzUwSWpvaWFIUjBjSE02THk5MFpTMWtZM0l1Y1dFdWNHRjVjR0ZzTG1OdmJUbzRORFF6TDNZeEwybGtaVzUwYVhSNUwzUmxjM1F2YW5kMEwycDNhM01pTENKemIyWjBkMkZ5WlY5eVpXUnBjbVZqZEY5MWNtbHpJanBiSW1oMGRIQnpPaTh2ZDNkM0xtRmlZM1JsYzNRdVkyOXRMMkZ3YVM5Mk1TOWpjbVZrWlc1MGFXRnNjeTkwYUdseVpDMXdZWEowZVM5allXeHNZbUZqYXlKZExDSnpiMlowZDJGeVpWOWpiR2xsYm5SZmJtRnRaU0k2SW5WcklHOXdaVzRnWW1GdWEybHVaeUIwWlhOMElISmxZV1FnYzI5bWRIZGhjbVVnTVNJc0ltOXlaMTl6ZEdGMGRYTWlPaUpCWTNScGRtVWlMQ0pwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUJNZEdRaUxDSnpiMlowZDJGeVpWOTBiM05mZFhKcElqb2lhSFIwY0hNNkx5OTNkM2N1Y0dGNWNHRnNMbU52YlM5MWF5OTNaV0poY0hCekwyMXdjQzkxWVM5c1pXZGhiR2gxWWkxbWRXeHNJaXdpYzI5bWRIZGhjbVZmY0c5c2FXTjVYM1Z5YVNJNkltaDBkSEJ6T2k4dmQzZDNMbkJoZVhCaGJDNWpiMjB2ZFdzdmQyVmlZWEJ3Y3k5dGNIQXZkV0V2YkdWbllXeG9kV0l0Wm5Wc2JDSXNJbk52Wm5SM1lYSmxYMmxrSWpvaU4xYzRaRkZ6T0ROVFFrWmFSbEY2UTBWeE5HVmlTVEV5TXpNek15SXNJbk52Wm5SM1lYSmxYMlZ1ZG1seWIyNXRaVzUwSWpvaWMyRnVaR0p2ZUNJc0luTnZablIzWVhKbFgzWmxjbk5wYjI0aU9pSXhMakVpTENKbGVIQWlPakUzTlRRME5UVXhOeklzSW05eVoxOXVZVzFsSWpvaVZHVnpkQ0JWU3lCTVZFUWlMQ0pwWVhRaU9qRTNOVFEwTlRRNE56SXNJbXAwYVNJNkltRm1ZbVkxTUdNeUxURXlOell0TkRoaFppMDRObUk0TFRNNU5HSmtOVEEzTURjeE9DSXNJbk52Wm5SM1lYSmxYMk5zYVdWdWRGOWtaWE5qY21sd2RHbHZiaUk2SW5WcklHOXdaVzRnWW1GdWEybHVaeUIwWlhOMElISmxZV1FnYzI5bWRIZGhjbVVnTVNJc0luTnZablIzWVhKbFgycDNhM05mWlc1a2NHOXBiblFpT2lKb2RIUndjem92TDNSbExXUmpjaTV4WVM1d1lYbHdZV3d1WTI5dE9qZzBORE12ZGpFdmFXUmxiblJwZEhrdmRHVnpkQzlxZDNRdmFuZHJjeUlzSW5OdlpuUjNZWEpsWDJOc2FXVnVkRjkxY21raU9pSm9kSFJ3Y3pvdkwzZDNkeTVoWW1NdVkyOXRMMk5zYVdWdWRIVnlhVEVpTENKemIyWjBkMkZ5WlY5dmJsOWlaV2hoYkdaZmIyWmZiM0puSWpvaVZHbHVNVEl6SWl3aWMyOW1kSGRoY21WZmJHOW5iMTkxY21raU9pSm9kSFJ3Y3pvdkwzZDNkeTV3WVhsd1lXd3hNaTVqYjIwdmRXc3ZkMlZpWVhCd2N5OXRjSEF2Ykc5bmJ5MWpaVzUwWlhJaUxDSnZjbWRmYVdRaU9pSXhNak0wTURBeFNGRlJkRkJCUVZnaUxDSnpiMlowZDJGeVpWOXFkMnR6WDNKbGRtOXJaV1JmWlc1a2NHOXBiblFpT2lKb2RIUndjem92TDJ0bGVYTjBiM0psTG05d1pXNWlZVzVyYVc1bkxtOXlaeTUxYXk4d01ERTFPREF3TURBeFNGRlJkRkJCUVZndmNtVjJiMnRsWkM4M1Z6aGtVWE00TTFOQ1JscEdVWHBEUlhFMFpXSkpMbXAzYTNNaUxDSnpiMlowZDJGeVpWOXliMnhsY3lJNld5SkJTVk5RSWl3aVVFbFRVQ0pkTENKdmNtZGZhbmRyYzE5eVpYWnZhMlZrWDJWdVpIQnZhVzUwSWpvaWFIUjBjSE02THk5clpYbHpkRzl5WlM1dmNHVnVZbUZ1YTJsdVp5NXZjbWN1ZFdzdk1EQXhOVGd3TURBd01VaFJVWFJRUVVGWUwzSmxkbTlyWldRdk1EQXhOVGd3TURBd01VaFJVWFJRUVVGWUxtcDNhM01pTENKdmNtZGhibWx6WVhScGIyNWZZMjl0Y0dWMFpXNTBYMkYxZEdodmNtbDBlVjlqYkdGcGJYTWlPbnNpWVhWMGFHOXlhWE5oZEdsdmJuTWlPbHQ3SW0xbGJXSmxjbDl6ZEdGMFpTSTZJa2RDSWl3aWNtOXNaWE1pT2xzaVVFbFRVQ0lzSWtGSlUxQWlYWDBzZXlKdFpXMWlaWEpmYzNSaGRHVWlPaUpKVWlJc0luSnZiR1Z6SWpwYklsQkpVMUFpWFgxZExDSnlaV2RwYzNSeVlYUnBiMjVmYVdRaU9pSTVPVFEzT1RBaUxDSmhkWFJvYjNKcGRIbGZhV1FpT2lKR1EwRkhRbElpTENKemRHRjBkWE1pT2lKQlkzUnBkbVVpZlgwLldybVdVZ0RGOUxRZDFDaEsxMGJkTXEybFlzUzhPYXh3ZU5oRTdCZV8yLXRkcEphVkZyeGtYMHJ2RVJIMDkyOXRxbTVVQ3o5VktaMng3U3lPYUxyWlNCTkQzeWxvU0o1OUR5WjhoVGZQLXBvbmxFNVhlUnN0UFloQXUxOW9iaE5xdWdYM21ObVlhRTdDQng2THVzQnpvWUsySVZVV21VWUdfbktGS0V3Z2huTlMyNnB3djgwcUE4X0N0UUFtUWJhQTZSbTFQQTI4Z1YxbkRxQlRWX0dURnBuY0MyV0V6TVhBYzVLcVFHRlFYeDhxekEzS3RsbUgyQjkzdzNhVXd1LXlTd1VvRmNVb1BlNDRxdmpIbUZUZHd1Y0RSc1Y4RzRjbnZzWXNpQjExbjdCM0hpakdHdGY2djZtSXJEbVNvSmhLOFVQZXY5VE53SklZNFpma1JTRENxQSIsImdyYW50X3R5cGVzIjpbImNsaWVudF9jcmVkZW50aWFscyIsImF1dGhvcml6YXRpb25fY29kZSIsInJlZnJlc2hfdG9rZW4iXSwiYXBwbGljYXRpb25fdHlwZSI6IndlYiIsImlzcyI6IjdXOGRRczgzU0JGWkZRekNFcTRlYkkxMjMzMzMiLCJyZWRpcmVjdF91cmlzIjpbImh0dHBzOi8vd3d3LmFiY3Rlc3QuY29tL2FwaS92MS9jcmVkZW50aWFscy90aGlyZC1wYXJ0eS9jYWxsYmFjayJdLCJleHAiOjE3NTQ0NTUxNzcsImlhdCI6MTc1NDQ1NDg3NywianRpIjoiZGZhODAxMTYtZDZkMS00NDNiLTliZDQtMzgxODc5ZTIyNTI0IiwidG9rZW5fZW5kcG9pbnRfYXV0aF9tZXRob2QiOiJjbGllbnRfc2VjcmV0X2Jhc2ljIiwicmVzcG9uc2VfdHlwZXMiOlsiY29kZSJdfQ.GuM4XdUIPQP8srimJ_lC4F9SAF-PMsS0fA3ROTeF-Bltn-6_-k_zxsrBlrv5Ht6G8v0pNC6Y249cyH76vMW3f30KE3Y6wGJoZrts6ojOH6nHmfoin5-_gNkiTnyNNsfNRoq6LMu2bxyy3FH0fDPWNJ13k9WmlJX3ACRmkXI0QDJTIfKBbOdHwfxR0sRe0L72vDeaDmjDGUON9RNI_H6Pud1dp43gxEtHL1YdXawwyWqe0NUccJvqHvnFhv0-Nh-nd3duXJ42zz5O8thnVdY2zYb81C1n2FEFEsxs7BwTcEUdHDFku_ffVWFMBzA3VLT-oxIW8yxSvXtbMIXem84I1g'| Claim name | Description |
|---|---|
issRequired, string | Identifier for the TPP. It must match the software_id in the SSA. |
iatRequired, integer | Time at which the request was issued by TPP (seconds since epoch). |
expRequired, integer | Expiry time for the request (seconds since epoch). |
audstring | Audience for the request (PayPal API endpoint). |
jtistring | Unique identifier for the JWT. |
software_statementRequired, JWS | Signed JWT issued by Open Banking Directory. |
redirect_urisRequired, array | Registered URIs the TPP will use to interact with the ASPSP. |
grant_typesRequired, array | JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token. Possible values:
|
token_endpoint_auth_methodRequired, string | Authentication method for token endpoint preferred by the TPP. Possible value: client_secret_basic |
scopearray | Scopes requested for the TPP application. |
response_typesarray | JSON array specifying what the TPP can request to be returned from the ASPSP authorization endpoint. Possible values:
code id_token |
application_typestring | Type of application being registered. Possible value: web |
id_token_signed_response_algConditional, string | Algorithm which the TPP expects to sign the id_token, if it is returned. This field is required if response_types contains code id_token.Possible values:
|
request_object_signing_algstring | Algorithm which the TPP expects to sign the request object, if it is returned. Possible values:
|
token_endpoint_auth_signing_algstring | Algorithm used by the TPP to authenticate with the token endpoint if private_key_jwt or client_secret_jwt is used in token_endpoint_auth_method. |
software_idstring | Identifier for the TPP software. It must match the software_id specified in SSA. |
For more information about the claims, see the Data dictionary for DCR.
TPPs can send a GET request to /v1/oauth2/applications/<client_id> endpoint to retrieve the details about the registered application.
<client_id> in the path parameter with the client_id received in the response for the POST request.pp_client_cert header parameter.Authorization header parameter as Bearer <ACCESS-TOKEN>. For information about how to get an access_token in exchange for the client_id and client_secret, see Get an access token.A successful request returns a 200 OK response that contains your registered application details.
curl -X GET https://openbanking-uk.paypal.com/v1/oauth2/applications/<client_id> \
-H 'Accept: application/json' \
-d 'pp_client_cert: <OBWAC-CERTIFICATE>' \
-H 'Authorization: Bearer <ACCESS-TOKEN>'