Q:
Can I update an eIDAS QSealC certificate myself?
A:
Yes, you can perform the eIDAS QSealC certificate update yourself in our:
by logging in with your organisation owner's email and referring to:
How to use the 'Edit App' function and update your eIDAS certificate
We recommend replacing your existing certificate during non-business hours, as the update takes a maximum of 5 minutes (downtime). After that, API calls will be approved using the new certificate.
Note: make sure you upload your eIDAS QSealC certificate into the proper field under eIDAS Certificate given to PSD2 license holders (marked yellow on the picture below):

Q:
Does Nordea currently use Mutual TLS (mTLS) for PSD2 APIs? If yes, is mTLS achieved through QSealC certificate or else?
A:
We currently do not support mTLS by QWAC or other means for PSD2 APIs. We use TLS as described in the API Market specification for the encryption and support eIDAS QSealC certificates for the signatures.
API Market (Sandbox Developer Portal)
Q:
Do we lose access to connected accounts when certificates are changed? If we connect an account using certificate A and start using certificate B, will we still be able to retrieve data from the accounts connected with certificate A using the new certificate B?
A:
The Client Application is connected to one eIDAS certificate at a time (certificate A). Certificate A can be replaced by eIDAS certificate B at any time via our Production Portal without losing access to accounts for customers with active consents and duration to the Client Application. Certificate A is removed by this action and certificate B will be active instead.
Q:
Does your APIs support multiple production applications with different certificates for a single Third Party Provider? Our intention is to continue using our existing application with certificate A, while simultaneously creating another application with certificates B to connect accounts with.
A:
Yes, our technical setup supports multiple production Applications with different/same certificates for a single Third Party Provider. It is recommended/practiced to keep the number of Client Applications at the lowest necessary number for editing and maintenance reasons (changes/updates).
Q:
While following your instructions:
How to use the 'Edit App' function and update your eIDAS certificate
We encountered this issue:
"eIDAS validation failed as the eIDAS Certificate is malformed, expired or invalid for other reason. Please, check the certificate and try again."
when trying to perform the certificate rotation by uploading the new eIDAS QSealC certificate in Production Portal. We tried several options to upload the cert: base64 encoded, the x5c-value from the jwks-endpoint and the decoded cert without the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, but something is wrong. Can you tell me what?
A:
Make sure to provide an accurate eIDAS Public certificate key issued by the QTSP including the valid roles and for the relevant TPP. Refer to (Role validation in eIDAS certificate section):
What is a Software Statement Assertion (SSA) required for onboarding?
Note: If you still need our assistance, please share your eIDAS Public certificate key in text format for us to analyse your upload.
Q:
After a seemingly successful certificate upload, we get:
Response
{
"group_header": {
"message_identification": "212f2bd2c6471234",
"creation_date_time": "2024-01-31T07:22:46.04803484Z",
"http_code": 401
},
"error": {
"request": {
"url": "/personal/v5/authorize"
},
"failures": [
{
"code": "error.signature.invalid",
"description": "Signature is invalid."
}
]
}
}
What can be the issue?
A:
Verify if you precisely followed our instructions:
How to use the 'Edit App' function and update your eIDAS certificate
and pasted the certificate in a proper field - under eIDAS Certificate given to PSD2 license holders (marked yellow on the picture below):

Q:
Will an access token be invalidated when we change/update the certificate for a customer who is using the premium Instant Reporting API?
A:
The certificate exchange will not affect any token.
Q:
After the certificate update we are getting the following error response:
{"group_header":{"message_identification":"0efc30595c171234","creation_date_time":"2023-10-10T08:04:53.608458603Z","http_code":401},"error":{"request":{"url":"/business/v5/authorize"},"failures":[{"code":"error.certificate.invalid","description":"Certificate has expired or it has been revoked."}]}}
when calling:
What can be the root cause? Our certificate is valid.
A:
Try to update the certificate according to:
How to use the 'Edit App' function and update your eIDAS certificate
without the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines.
Q:
Can you recommend some place where to buy QSealC certificate?
A:
Refer to:
How do I get access to live PSD2 data?
Q:
What will be the Application and Organisation names in Production Portal after performing PSD2 onboarding:
Compliance (PSD2) API Products Onboarding
A:
The Application and Organisation names are created based on the details of eIDAS certificate - CN (Common Name) field within the certificate details (Details->Subject):
Note: When you've already onboarded at least one application and have access to our Production Portal, you can also create an app and add PSD2 subscriptions directly from Production Portal. If you are creating or changing a Title/name for a PSD2 application that is using the eIDAS Certificate Subject / Common name in the certificate, then the new name will be exposed to the PSU in the Authentication process redirect flow. To ensure that your application always exposes the eIDAS certificate Subject / Common name, you have to manually add the correct common name of the eIDAS certificate into the Title field when creating or editing the App name.
Creating an App and requesting for PSD2 subscription in Production Developer Portal - quick guide
You can easily find your Organisation by logging in to our Production Portal and selecting your Organisation (from the drop down menu) and choosing the App. Refer to:
How to view your organisation, invite additional users and change organisation ownership
Q:
Does updating a certificate in Production Portal mean the certificate is rotated for all markets (FI, SE, DK, NO) and for Personal and Business segments?
A:
The eIDAS certificate is connected to a given Client ID (application identifier), hence all existing PSD2 API subscriptions that are connected to a given Client ID will remain intact and cover the Nordic countries (FI, SE, DK, NO) for both Personal APIs and Business APIs after performing the onboarding by:
Compliance (PSD2) API Products Onboarding
Q:
After successful PSD2 onboarding and the first request towards:
we encounter the following error:
"httpCode": "401",
"httpMessage": "Unauthorized",
"moreInformation": "Invalid client id or secret."
What can be the reason?
A:
Make sure that Client ID (API Key) and Client Secret (API Secret) values and formats (with or without hyphens) are exactly the same as in our Production Portal for a given application. Refer to:
Q:
When we last updated our certificates, we created a new app to avoid downtime and put the certificate's expiration year in the app name to tell the apps apart, but we realize now that it is shown briefly on the redirect page. We want to change the app name to just the name of our service. How should we proceed?
A:
In this specific case we recommend adjusting the app name (Title field in Production Portal) to the Common Name in the certificate, which is defined as CN (Subject field) in the eIDAS certificate:
See also:
Creating an App and requesting for PSD2 subscription in Production Developer Portal - quick guide
How to use the ‘Create new App’ function
Q:
Is it possible to do the onboarding twice with the same entity (i.e., maintain two separate registrations on your platform)?
A:
Yes, in this case two different organizations will be created. You will have one account with two organizations and by switching between those you can manage two different apps.
Note: If two different emails are used for onboarding, two different accounts will be created - even with the same data (except email). Also, the same email can be used to perform two onboardings - in this case two organizations (even with the same name) within the same account will be created and you will be able to switch between them.
Q:
We tried to subscribe to PSD2 Accounts and Payments API but our subscriptions were denied. Could it be due to having only PSP_IC role (in Qualified Certificate Statements) in our certificate?
A:
You need to have PSP_AI/PSP_AS and PSP_PI roles in your certificate.
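The roles above live in the certificate's qcStatements extension (OID 1.3.6.1.5.5.7.1.3), inside the PSD2 QcStatement defined by ETSI TS 119 495. The following checker is an added example, not Nordea's code or tooling: it parses the DER value of that extension with the standard library only, lists the PSP roles, and reports what is still missing. The mapping of PSP_AI/PSP_AS to the Accounts API and PSP_PI to the Payments API is an assumption drawn from the answer above, and sample_qc_statements builds a constructed sample rather than reading a real QTSP certificate.

```python
def _oid(dotted):                                          # dotted OID -> DER OBJECT IDENTIFIER body
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:                                     # base-128 arcs with continuation bits
        body += [((v >> (7 * i)) & 0x7F) | (0x80 if i else 0)
                 for i in range(max(0, (v.bit_length() - 1) // 7), -1, -1)]
    return bytes(body)

PSD2_QC_STATEMENT = _oid("0.4.0.19495.2")                  # id-etsi-psd2-qcStatement (ETSI TS 119 495)
ROLE_NAMES = {_oid("0.4.0.19495.1.1"): "PSP_AS", _oid("0.4.0.19495.1.2"): "PSP_PI",
              _oid("0.4.0.19495.1.3"): "PSP_AI", _oid("0.4.0.19495.1.4"): "PSP_IC"}

def _children(der):                                        # DER SEQUENCE body -> [(tag, body), ...]
    pos, items = 0, []
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        if pos + length > len(der):
            raise ValueError("DER length runs past the end of the data")
        items.append((tag, der[pos:pos + length]))
        pos += length
    return items

def psd2_roles(qc_statements_der):
    """PSP role names in the PSD2 QcStatement of a qcStatements extension value; ValueError if malformed."""
    roles = set()
    try:
        for _, stmt in _children(_children(qc_statements_der)[0][1]):   # SEQUENCE OF QCStatement
            sid, *info = _children(stmt)                   # statementId OID, optional statementInfo
            if sid == (0x06, PSD2_QC_STATEMENT):
                for _, role in _children(_children(info[0][1])[0][1]):   # PSD2QcType.rolesOfPSP
                    roles.add(ROLE_NAMES.get(_children(role)[0][1], "unknown"))
    except (IndexError, ValueError) as exc:
        raise ValueError("malformed qcStatements extension") from exc
    return roles

def missing_roles(roles):   # assumption: Accounts API needs PSP_AI or PSP_AS, Payments API needs PSP_PI
    needed = [] if roles & {"PSP_AI", "PSP_AS"} else ["PSP_AI/PSP_AS"]
    return needed + ([] if "PSP_PI" in roles else ["PSP_PI"])

def _tlv(tag, body):                                       # DER TLV with short-form length (sample only)
    return bytes([tag, len(body)]) + body

def sample_qc_statements(role_oids):                       # constructed sample, not a real QTSP certificate
    roles = b"".join(_tlv(0x30, _tlv(0x06, _oid(o)) + _tlv(0x0C, ROLE_NAMES[_oid(o)].encode()))
                     for o in role_oids)
    psd2 = _tlv(0x30, _tlv(0x30, roles) + _tlv(0x0C, b"Example NCA") + _tlv(0x0C, b"XX-EXAMPLE"))
    return _tlv(0x30, _tlv(0x30, _tlv(0x06, PSD2_QC_STATEMENT) + psd2))
```

A certificate carrying only PSP_IC, as in the question above, yields both Accounts and Payments roles as missing; a truncated extension value raises ValueError rather than silently reporting no roles.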
Q:
After successful onboarding all our requests fail with:
{"httpCode":"401","httpMessage":"Unauthorized","moreInformation":"Invalid client id or secret."}
How can we reset API Secret in Production Portal?
A:
Please follow our detailed instructions:
Q:
We see that requesting Production Access via:
Compliance (PSD2) API Products Onboarding
requires a Software Statement JSON Web Token (JWT). How should we proceed? We already have eIDAS QSealC certificate and a redirect URI ready.
A:
As we don't provide tools for generating a Software Statement Assertion (SSA), please follow our article on how to create it yourself: What is a Software Statement Assertion (SSA) required for onboarding?
Q:
We successfully completed the production onboarding and our application was automatically created. How can we retrieve its Client ID (API Key) and Client Secret (API Secret)?
A:
Please follow these instructions on how to manage it:
Q:
Do I need a different login and password to access:
than to:
API Market (Sandbox Developer Portal)
A:
To log in to our Production Developer Portal you need to use a developer organisation owner e-mail you've provided while performing:
Compliance (PSD2) API Products Onboarding
Please refer to:
Q:
After the eIDAS certificate update, we did not make any changes to our signature creation process. Could this be the reason for the following error: "code":"error.signature.invalid", "description":"Signature is invalid."?
{"group_header":{"message_identification":"23f85e8a2df21681","creation_date_time":"2025-11-06T14:45:39.901724267Z","http_code":401},"error":{"request":{"url":"/personal/v5/authorize"},"failures":[{"code":"error.signature.invalid","description":"Signature is invalid."}]}}
A:
Please refer to: Signature Creation: FAQ
Q:
We are currently working on obtaining a certificate signed by a CA (Certificate Authority) provider for our integration with corporate PSD2 Nordea Open Banking APIs. The CA provider we are considering is DigiCert. We would like to confirm whether Nordea maintains a list of approved or preferred CA providers and whether DigiCert is amongst them.
A:
Please see: How do I get access to live PSD2 data?
Q:
Which signature algorithms do you support for eIDAS certificates?
A:
We support eIDAS certificates using RSA-SHA256 signature algorithms. Please see also:
What is a Software Statement Assertion (SSA) required for onboarding?
Note: Nordea follows IETF RFC7591 and RFC7519 standards and recommendations for RS256 signatures in SSA validations and PSD2 APIs. These widely adopted standards have long been used by EU TPPs.
Q:
Is it supported to have separate applications per market - one for Finland and another for Denmark, each with its own QSealC certificate? Or does Nordea recommend a single application with one QSealC certificate for all Nordic markets?
A:
We recommend a single application with eIDAS QSealC certificate to cover all Nordic markets.
Q:
Is proof of TPP authorization/passporting needed for each country (e.g., FI Finanssivalvonta + DK Finanstilsynet) before enabling live API access, or does a single EU-wide AISP/PISP authorization cover all Nordic markets on your platform?
A:
A single EU-wide AISP/PISP authorization is sufficient to access all Nordic markets.
Q:
Do you accept Advanced Electronic Seal (AdESeal) for PSD2 API signing, or do you require Qualified Electronic Seal (QSealC)?
A:
A valid Qualified Electronic Seal (QSealC) certificate is required. AdESeal certificates are not supported.
Q:
Does requiring a valid QSealC mean the private key must be kept non-extractable in a secure device (e.g., HSM/QSCD), or is a file-based setup allowed?
A:
Nordea does not mandate that the private key be stored on a secure device or that it be non-extractable. Clients can select their own secure storage methods, including file-based configurations.