PSD2 Information


FirstBank APIs

Applying to use our APIs

Prior to commencing your application to access and use our APIs, please ensure that you have registered with the FCA as an Account Information Service Provider (AISP) and/or Payment Initiation Service Provider (PISP)

Contact  to express your interest in using our APIs and provide details of your FCA registration.

We will then contact you to progress your application.

What we Provide

In accordance with the Payment Services Directive 2 (PSD2) we provide, access to a Sandbox environment at the current time. The Sandbox provides mocked responses for each of the APIs that we have made available. This will allow you to test that your API calls receive the documented response. The Sandbox is not transactional.

We are working to provide access to the live banking system in line with the PSD2 directive.


After acceptance by the bank to use our APIs, we will create an Application Developer account, provide access to your application key and give you access to our API Catalog in our Developer Portal hosted on Oracle Cloud. , you will be provided with log in credentials to access our Developer API Portal where you can view the API Catalog for the APIs that are relevant to your FCA registration. W The API Catalog provides access to the documentation for each API that we have available. You will receive an email with your username after we have on-boarded you to our API Platform. You can find the application key by viewing ‘My Applications’ in our Developer Portal.


Our APIs are protected by OAuth 2.0 security. We will provide details of the process needed to be followed for security and authentication.

The OAuth Policy attached to our APIs asserts the JSON Web Token (JWT) access token and validates various standard claims as defined in RFC7519. For more information about the JWT specification, see

We require that the JWT token be signed per the JWS Compact Serialization format. See

The JWT must have the following characteristics:

  • JWT must contain an issuer (“iss”) claim.
  • JWT must contain an audience (“aud”) claim.
  • JWT must contain an issued (“iss”) and expiry (“exp”) time.
  • JWT should be digitally signed to ensure the integrity of the message. The expectation is that it should be signed asymetrically.
  • The scope should be defined in the JWT as “scope”. The scope claim is a string with scope claim values separated by spaces.

Using our Developer API Portal

Our Developer API Portal is accessed at:

Enter the username and temporary password as received in the Welcome to Oracle Cloud email. Update with a new password and proceed to our API Developer Portal and log in with your latest credentials.

After logging in you have three main options at the top right of the page:

By default, the API Catalog is displayed showing all the APIs that you have access to.

Click My Applications to show the Applications that have been assigned to your organisation. Typically, there will only be one per organisation.

In the My Applications page click on the Application to drill down to further information. Here you can access:

  • Overview – this is where you obtain the application key value that needs to be passed in the HTTP Header app-key.
  • Subscriptions – shows the Plans that your application can access and also provides the API endpoints for Sandbox and Production
  • Grants – shows who at the bank manages your application
  • Analytics – allows you to show usage analytics for each of the APIs that the application is entitled for.

The APIs page provides a listing of each of the APIs made available to your organisation.

It provides the following for each API after clicking on the API name to drill down:

  • Documentation – this provides detailed information about the API. There is also an option to try out the mock service prior to interacting with the API having implemented the authentication flow described above.
  • Plans – lists the Plan that this API is a member of

The Plans page provides access to:

  • A list of Plans that your organisation is currently entitled to use
  • Drill down from the Plan to list the APIs included in the Plan and whether there are any specific quota restrictions

Calling our APIs

You can find the Sandbox API endpoints for our APIs using the API Catalog in our Developer Portal. To call each API you will need to send a valid OAuth Token in the Authorization HTTP Header and send the application key for your designated application in a custom HTTP Header named app-key to successfully reach the service endpoint.

Our production API endpoints will also be shown in the Developer Portal in line with the PSD2 implementation schedule.

REP020 – Quarterly Statistics on Availability and Performance of Dedicated Interfaces

REP020 SEPT 2023 

REP020_ DEC_2023

REP020_ MAR_2024

REP020_ June_2024