Get Started

Receive Data

Securely get customer-permissioned data:

- Add applications
- See all available data providers
- Authenticate with their authorisation servers
- Discover published APIs for you to integrate with in a standardized way

Prerequisites

- Your organisation is onboarded within the ecosystem/federation and active.
- Your organisation has a domain and a role assigned by the trust framework participants.

Add Application

To enable your software application to become a part of the trust framework and request resources from data providers, you need to register it within the centralized directory first.

1. Navigate to your organisation.
2. Select Applications > New Application to open up the Connect's wizard.

A software statement is a JSON Web Token (JWT, RFC7519) containing metadata about the client software: your application. It is included in the client registration request to the data provider's authorisation servers and must be signed using JSON Web Signature (JWS). For more information on how to set up applications, see the Add and Manage Applications article.

3. Select Next and fill in the details of your application.

| Field name | Required | Field description | Example |
| --- | --- | --- | --- |
| Client Name | Yes | It is recommended to use the brand name that the customers are familiar with. This is the name of your software application a user sees while providing their consent to share data. | Raidiam |
| Client URI | Yes | Website or root URI from the resource. | https://raidiam.com/info.html |
| Policy URI | Yes | Must be a defined text sequence that represents a single unique policy URI. | https://raidiam.com/policy.html |
| Logo URI | Yes | Brand logo URI. | https://raidiam.com/logo.svg |
| Terms of Service URI | No | Must be a text string that represents the unique URI for ToS. | https://raidiam.com/tos.html |
| Application and Technical Redirects | Yes | Must be a text string that represents a unique URI for application and redirects. This is the URI where the user is redirected back after they provide their consent. You can provide one or more URIs that will be registered at the authorisation server. | https://raidiam.com/cb1 https://raidiam.com/cb2 |
| Description | No | A text description of your application. | Raidiam your service solution |
| Version | Yes | Version of your application. Must be defined by a numeric value, an integer, or a floating point number. | 1.2 |

4. Select Save and Next.

At this point, your application is created and you can either proceed further with the wizard (recommended) or finalize working on the next steps later on. Note, however, that you are not able to get back to the wizard itself to configure the same application again.

Select Roles

Add application roles. The number of roles and which roles are available depend on the roles assigned to your organisation by the trust framework participants. If you see no roles available within the wizard, you can skip this step and assign them manually later on.

It is considered a good practice not to assign all available roles to client applications, but only the ones the client application needs. For example, if you are going to call the Connect's APIs in the future, create a separate client application for that need and assign the appropriate role to that end.

Request Transport Certificate

In this step, you create public and private keys and a certificate signing request (CSR) to request a transport certificate. This certificate can be used in mutual TLS (mTLS) communication between the data providers' and data receivers' technical resources. Such certificates, which both participants can trust, empower your technical assets, such as your client application, to establish a secure connection with the data provider's authorization server and resource server, enabling them to engage in TLS handshakes and keep the connection secure during the data exchange.

1. Select Transport certificate type and continue.
2. Execute the provided CSR generation command in your terminal. The CSR is generated and saved within the same directory you execute the command in.

Sample CSR generation command:

```shell
openssl req -new -newkey rsa:2048 \
  -out bf2ccc5e-406a-45a1-bef1-39333c239c2d_transport.csr \
  -keyout transport.key \
  -subj "/C=UK/O=Raidiam/OU=79b34d52-125b-4e5a-8b69-db93e737aa78/CN=bf2ccc5e-406a-45a1-bef1-39333c239c2d" \
  -sha256
```

3. Upload the generated CSR file.

Find Data Providers and Authorisation Servers

Once your application is set up, you need to integrate it with data providers and their authorisation servers in order to get an access token. Such a token enables your application to authenticate itself while accessing the data provider's data APIs (resource server).

Open Data Ecosystems

If your framework is an open data ecosystem, client applications can utilize the Participants API to receive a JSON document containing a list of all participants and their authorization servers.

Other Ecosystems

To get a list of authorisation servers registered within the framework, you can utilize the following APIs:

- Get all organisations: lists all organisations the user is authorised to retrieve.
- Get all authorisation servers for given organisation: lists all authorisation servers registered within an organisation along with their configuration.
- Get authorisation server by identifier: returns a selected authorisation server along with its configuration.

```mermaid
sequenceDiagram
    autonumber
    participant TPP as Data Receiver (Client Application)
    participant DAS as Raidiam Authorisation Server
    participant DAPI as Raidiam Connect's APIs
    TPP->>DAS: /token
    Note over TPP,DAS: grant_type=client_credentials<br/>OAuth 2.0 tls_client_auth for authentication<br/>scope directory:software<br/>client_id=$client_id
    DAS->>DAS: Validate certificate
    DAS->>TPP: Access token
    TPP->>DAPI: Retrieve authorisation servers
    Note over TPP,DAPI: The request contains the received access token
    DAPI->>TPP: Authorisation servers
```

1. Get an access token (read only). Use the OAuth client credentials flow as the grant type and `tls_client_auth` as the client authentication method. Request the `directory:software` access token scope.
2. Raidiam Connect's authorisation server validates the certificate as part of the `tls_client_auth` client authentication process.
3. If validation is successful, the server returns an access token you can use to call Raidiam's APIs and retrieve information about the authorisation servers and their configuration.
4. Retrieve authorisation servers using one of the APIs listed above. Include the access token you got in step #1 to authenticate your client application's request.
5. The platform returns a list of authorisation servers and their configuration.

Register Client Application at Authorisation Server

Depending on the type of registration framework used within the framework (Dynamic Client Registration (DCR), OpenID Federation, or Raidiam's simple registration endpoint), you may need to register your client application at the authorisation servers if DCR is used as the framework.

OpenID Federation and Raidiam's Simple Registration Endpoint

If OpenID Federation or Raidiam's FedLite is used, there is no need to register the client application, as it simply initiates a request to the server's OAuth /authorisation or /par (pushed authorisation request) endpoint, setting the `client_id` (client identifier) to the organisation's (entity) identifier.

Within both frameworks, the responsibility for maintaining an up-to-date list of active applications lies on the data providers' side.

Register Application Using OAuth DCR

While getting a list of authorisation servers during the process described in the Find Data Providers and Authorisation Servers section, you receive the configuration of an authorisation server registered within the trust framework. Such configuration contains useful information you can use in the future.

Sample authorisation server configuration in Raidiam Connect:

```json
{
  "authorisationserverid": "east-credit-union-as",
  "autoregistrationnotificationwebhook": "https://east-credit-union.com/app/webhooks/",
  "autoregistrationsupported": false,
  "createdat": "2024-05-04T09:42:00+00:00",
  "customerfriendlydescription": "East Credit Union Authorisation Server",
  "customerfriendlylogouri": "https://east-credit-union.com/logo.svg",
  "customerfriendlyname": "East Credit Union",
  "deprecateddate": "2025-01-30",
  "developerportaluri": "https://east-credit-union.com/app/devs/",
  "federationendpoint": "https://east-credit-union.com/app/federation/",
  "federationid": "string",
  "issuer": "https://east-credit-union.com",
  "notificationwebhook": "https://example.com",
  "notificationwebhookaddeddate": "2025-01-30",
  "notificationwebhookstatus": "pending",
  "openiddiscoverydocument": "https://east-credit-union.com/app/api/.well-known/",
  "organisationid": "east-credit-union",
  "parentauthorisationserverid": "east-credit-union-as",
  "payloadsigningcertlocationuri": "https://east-credit-union.com/app/jwksuri/",
  "retirementdate": "2025-12-30",
  "supersededbyauthorisationserverid": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
  "supportsciba": false,
  "supportsdcr": true,
  "supportsredirect": true,
  "termsofserviceuri": "https://east-credit-union.com/tos/"
}
```

Most importantly, the configuration of a server in Raidiam Connect includes the `openiddiscoverydocument` URI, which you can use to pull a detailed configuration of the authorisation server itself, including the dynamic client registration endpoint.

For an example of the OpenID discovery document, reference the Raidiam authorisation server's /.well-known endpoint. It contains the `"registration_endpoint": "https://auth.sandbox.raidiam.io/reg"` DCR endpoint, where dynamic client registration requests can be posted.

```mermaid
sequenceDiagram
    autonumber
    participant TPP as Data Receiver (Client Application)
    participant DAS as Raidiam Authorisation Server
    participant DAPI as Raidiam Connect's APIs
    participant JWKS as Raidiam JWKS
    participant DPAS as Data Provider's Authorisation Server
    TPP->>DPAS: /.well-known
    Note over TPP,DPAS: Retrieve OpenID configuration
    DPAS->>TPP: JSON OpenID discovery document
    TPP->>TPP: Extract desired metadata
    TPP->>DAS: /token
    Note over TPP,DAS: grant_type=client_credentials<br/>OAuth 2.0 tls_client_auth for authentication<br/>scope directory:software<br/>client_id=$client_id
    DAS->>DAS: Validate certificate
    DAS->>TPP: Access token
    TPP->>DAPI: Retrieve software statement assertion (SSA)
    Note over TPP,DAPI: The request contains the token the client received from Raidiam's authorisation server
    DAPI->>TPP: SSA JWT
    TPP->>DPAS: POST /register
    Note over TPP,DPAS: The client requests dynamic client registration at the authorisation server
    Note over TPP,DPAS: The request contains the SSA JWT as value of the `software_statement` request parameter
    DPAS->>JWKS: Retrieve key set
    JWKS->>DPAS: Return key set
    DPAS->>DPAS: Validate SSA in the client's DCR request
    DPAS->>DPAS: Validate client's DCR request
    DPAS->>TPP: Return client configuration
```

1. Utilize the OpenID discovery endpoint (/.well-known) to discover the authorisation server's configuration.
2. The data provider's authorisation server returns a JSON OpenID discovery document containing its configuration.
3. Extract the desired metadata, particularly the dynamic client registration URI.
4. Get an access token (read only). Use the OAuth client credentials flow as the grant type and `tls_client_auth` as the client authentication method. Request the `directory:software` access token scope.
5. Raidiam Connect's authorisation server validates the certificate as part of the `tls_client_auth` client authentication process.
6. If validation is successful, the server returns an access token you can use to call Raidiam's APIs and retrieve information about the authorisation servers and their configuration.
7. Retrieve the software statement assertion (SSA) from Raidiam using the Get software statement assertion for given softwareStatementId API. Utilize the access token you got from Raidiam Connect's authorisation server to authenticate your request.
8. The platform returns a JSON Web Token containing the software statement assertion.
9. Request dynamic client registration at the authorisation server's DCR API. Provide the details of your client along with the SSA JWT as the value of the `software_statement` request parameter. See the example below:

```http
POST /register HTTP/1.1
Host: auth.east-credit-union.com
Content-Type: application/json

{
  "application_type": "web",
  "grant_types": [
    "client_credentials",
    "authorization_code",
    "refresh_token",
    "implicit"
  ],
  "id_token_signed_response_alg": "PS256",
  "require_auth_time": false,
  "response_types": [
    "code id_token",
    "id_token"
  ],
  "software_statement": "<SSA JWT returned by Raidiam Connect>",
  "subject_type": "public",
  "token_endpoint_auth_method": "private_key_jwt",
  "request_object_signing_alg": "PS256",
  "require_signed_request_object": true,
  "require_pushed_authorization_requests": false,
  "tls_client_certificate_bound_access_tokens": true,
  "client_id": "acnbhjzbvd6ku3kvbasll",
  "client_name": "Sample Fintech App",
  "client_uri": "https://www.sample-fintech-app.com/",
  "request_object_encryption_alg": "RSA-OAEP",
  "request_object_encryption_enc": "A256GCM",
  "jwks_uri": "https://keystore.directory.openbankingbrasil.org.br/b961c4eb-509d-4edf-afeb-35642b38185d/25556d5a-b9dd-4e27-aa1a-cce732fe74de/application.jwks",
  "redirect_uris": [
    "https://www.sample-fintech-app.com/app/"
  ],
  "webhook_uris": [
    "https://www.sample-fintech-app.com/app/webhooks/"
  ]
}
```

10. The data provider's authorisation server requests the key set from Raidiam Connect's JWKS URI.
11. Raidiam Connect returns the key set.
12. The returned key set is used to validate the software statement assertion provided by your client.
13. The DCR request is validated by the data provider's authorisation server.
14. The authorisation server returns the configuration of your dynamically registered client.

Discover Published APIs

Discover the data provider's APIs in order to integrate with them.

The API discovery process can differ between open data ecosystems, where the Participants API returns a list of organisations and all their technical resources, and other ecosystems or federations, where the data about an organisation can be accessed only through Connect's data APIs.

Open Data Ecosystems

If your framework is an open data ecosystem, client applications can utilize the Participants API to receive a JSON document containing a list of all participants and their technical resources, including the published APIs.

```json
{
  "authorisationserverid": "c8f0bf49-4744-4933-8960-7add6e590841",
  "autoregistrationnotificationwebhook": null,
  "autoregistrationsupported": true,
  "createdat": "2021-06-03T12:25:26Z",
  "customerfriendlydescription": "Mock Bank by Raidiam",
  "customerfriendlylogouri": "https://cdn.raidiam.io/directory-ui/brand/obbrazil/0.2.0.112/favicon.svg",
  "customerfriendlyname": "Mock Bank",
  "deprecateddate": null,
  "developerportaluri": "https://mockbank.com/dev",
  "federationendpoint": null,
  "federationid": null,
  "issuer": "https://auth.mockbank.poc.raidiam.io",
  "notificationwebhook": null,
  "notificationwebhookaddeddate": null,
  "notificationwebhookstatus": null,
  "openiddiscoverydocument": "https://auth.mockbank.poc.raidiam.io/.well-known/openid-configuration",
  "organisationid": "74e929d9-33b6-4d85-8ba7-c146c867a817",
  "parentauthorisationserverid": null,
  "payloadsigningcertlocationuri": "https://mockbank.com/payload.pem",
  "retirementdate": null,
  "supersededbyauthorisationserverid": null,
  "supportsciba": false,
  "supportsdcr": false,
  "supportsredirect": true,
  "termsofserviceuri": "https://mockbank.com/tos",
  "apiresources": [
    {
      "apiresourceid": "7aea412d-40e4-4f79-a9b2-84b18a699be6",
      "apiversion": "1",
      "familycomplete": false,
      "apicertificationuri": null,
      "certificationstatus": null,
      "certificationstartdate": null,
      "certificationexpirationdate": null,
      "apifamilytype": "consents",
      "apidiscoveryendpoints": []
    },
    {
      "apiresourceid": "441f5d3d-385e-4b06-8a34-5b7c4dfcb125",
      "apiversion": "1",
      "familycomplete": true,
      "apicertificationuri": null,
      "certificationstatus": null,
      "certificationstartdate": null,
      "certificationexpirationdate": null,
      "apifamilytype": "accounts",
      "apidiscoveryendpoints": [
        { "apidiscoveryid": "fb1a47cd-0620-4a91-b3a9-c5bffb38bd2d", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/accounts/v1/accounts" },
        { "apidiscoveryid": "2191da36-e03c-4802-a44a-66a56a48516e", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/accounts/v1/accounts/{accountid}" },
        { "apidiscoveryid": "1940e9f0-0aea-4164-8f02-f5a1bc72e87d", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/accounts/v1/accounts/{accountid}/transactions" },
        { "apidiscoveryid": "3f29155c-dad9-4818-87b6-059606157558", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/accounts/v1/accounts/{accountid}/balances" },
        { "apidiscoveryid": "636f8f95-f5f0-42c1-84d3-2c4d85ea7bc3", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/accounts/v1/accounts/{accountid}/transactions-current" },
        { "apidiscoveryid": "bb7f64f0-675d-4d23-a8c7-ffad45e7dbc0", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/accounts/v1/accounts/{accountid}/overdraft-limits" }
      ]
    },
    {
      "apiresourceid": "c60a1787-20dd-4a0a-9a2d-3fcf4819ded8",
      "apiversion": "1",
      "familycomplete": true,
      "apicertificationuri": null,
      "certificationstatus": null,
      "certificationstartdate": null,
      "certificationexpirationdate": null,
      "apifamilytype": "credit-cards-accounts",
      "apidiscoveryendpoints": [
        { "apidiscoveryid": "0c0eb910-4fd4-4298-976d-0540e00833de", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/credit-cards-accounts/v1/accounts" },
        { "apidiscoveryid": "58d0de32-a118-41a6-9fa1-b07fe3656bf7", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/credit-cards-accounts/v1/accounts/{creditcardaccountid}" },
        { "apidiscoveryid": "72afda1a-7955-4f2d-9bc6-4884d1adfc41", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/credit-cards-accounts/v1/accounts/{creditcardaccountid}/limits" },
        { "apidiscoveryid": "5a321b7e-4ca3-4103-8ba1-d3fd416f1b76", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/credit-cards-accounts/v1/accounts/{creditcardaccountid}/transactions" },
        { "apidiscoveryid": "f97d1ee9-696e-482d-b56e-2899fb464606", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/credit-cards-accounts/v1/accounts/{creditcardaccountid}/transactions-current" },
        { "apidiscoveryid": "2e8bcf54-27ea-4e46-a49b-5215c5cf1a5c", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/credit-cards-accounts/v1/accounts/{creditcardaccountid}/bills/{billid}/transactions" },
        { "apidiscoveryid": "7d7dd9ac-2a8f-40da-8b1f-624884a55f54", "apiendpoint": "https://matls-api.mockbank.poc.raidiam.io/open-banking/credit-cards-accounts/v1/accounts/{creditcardaccountid}/bills" }
      ]
    }
  ]
}
```

Within the JSON payload above, you can see the `apiresources` object, which is a list of all the APIs and their endpoints you can integrate with.

Other Ecosystems

In order to get information about the published APIs for an organisation, utilize the Connect APIs below. Since all APIs published within Connect are tied to an authorisation server, you need to first check all authorisation servers added for an organisation and then check the published APIs.

- Get all organisations: lists all organisations the user is authorised to retrieve.
- Get all authorisation servers for given organisation: lists all authorisation servers registered within an organisation along with their configuration.
- Get authorisation server by identifier: returns a selected authorisation server along with its configuration.
- Get all API resources published for authorisation server.

```mermaid
sequenceDiagram
    autonumber
    participant TPP as Data Receiver (Client Application)
    participant DAS as Raidiam Authorisation Server
    participant DAPI as Raidiam Connect's APIs
    TPP->>DAS: /token
    Note over TPP,DAS: grant_type=client_credentials<br/>OAuth 2.0 tls_client_auth for authentication<br/>scope directory:software<br/>client_id=$client_id
    DAS->>DAS: Validate certificate
    DAS->>TPP: Access token
    TPP->>DAPI: Retrieve authorisation servers
    Note over TPP,DAPI: The request contains the received access token
    DAPI->>TPP: Authorisation servers
```

1. Get an access token (read only). Use the OAuth client credentials flow as the grant type and `tls_client_auth` as the client authentication method. Request the `directory:software` access token scope.
2. Raidiam Connect's authorisation server validates the certificate as part of the `tls_client_auth` client authentication process.
3. If validation is successful, the server returns an access token you can use to call Raidiam's APIs and retrieve information about the authorisation servers and their configuration.
4. Retrieve authorisation servers using one of the APIs listed above. Include the access token you got in step #1 to authenticate your client application's request.
5. Retrieve a list of all API resources published for an authorisation server once you have its authorisation server identifier.

Integrate with Data Provider's APIs

Utilize OAuth and any OAuth library you want to integrate with the data provider's APIs.

Depending on your needs and the configuration of the data provider's authorisation servers, you need to utilize OAuth & OIDC grant types (flows) to get an access token: a proof your application is what it states it is. You can check which grant types are allowed by checking the server's OIDC discovery endpoint (/.well-known). To check where to get the endpoint's URL, go back to the Receive Data section.

Allowed grant types may include, but are not limited to:

- Authorization code flow, for scenarios where there is a user that needs to be authenticated and provide their consent for third-party access to their resources
- Client credentials flow, for machine-to-machine scenarios
- And more

Establish Secure Connection

While accessing any of the data provider's APIs, utilize a transport certificate for establishing a secure connection using mTLS. To see how to get one, go back to the Receive Data section.

Using your transport certificate naturally implies the authorisation server will use theirs as well to establish a secure connection. Validate certificates for production scenarios.

Authenticate at Data Provider's Authorisation Server

To access non-public APIs published by any data provider, you need to authenticate your client application at the data provider's authorisation servers. Depending on the server's and your client application's configuration, it happens using:

- `tls_client_auth` client authentication
- `private_key_jwt` client authentication (described in the RFC7521 Assertion Framework specification and the RFC7523 JWT Profile for Client Authentication specification)

Using the authorisation server's OIDC discovery endpoint (/.well-known), get the /token endpoint URL. Once you have this, request the security tokens you need (access tokens, refresh tokens, or ID tokens).

Next Steps

- Organisations
- Applications
- Certificates
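Before posting a DCR request, a data receiver can cross-check the directory entry for an authorisation server against the discovery document that entry points to. The following is an added example, not Raidiam's code: the discovery document values, the dates and the helpers `vetAuthorisationServer` and `buildDcrRequest` are constructed for illustration, and directory keys are matched case-insensitively as an assumption.

```javascript
// Constructed sample data modelled on the configuration shown on this page.
const directoryEntry = {
  authorisationserverid: 'east-credit-union-as',
  issuer: 'https://east-credit-union.com',
  openiddiscoverydocument: 'https://east-credit-union.com/app/api/.well-known/',
  supportsdcr: true,
  retirementdate: '2025-12-30',
};
const discoveryDoc = {
  issuer: 'https://east-credit-union.com',
  token_endpoint: 'https://east-credit-union.com/token',
  registration_endpoint: 'https://east-credit-union.com/reg',
  grant_types_supported: ['client_credentials', 'authorization_code', 'refresh_token'],
  token_endpoint_auth_methods_supported: ['tls_client_auth', 'private_key_jwt'],
};
// Client authentication methods named on this page, in order of preference here.
const STRONG_AUTH = ['tls_client_auth', 'private_key_jwt'];

// Lower-case the keys of a directory record so lookups do not depend on key casing.
function lowerKeys(record) {
  return Object.fromEntries(Object.entries(record).map(([k, v]) => [k.toLowerCase(), v]));
}

function isHttps(value) {
  try {
    return new URL(value).protocol === 'https:';
  } catch {
    return false;
  }
}

// Cross-check one directory entry against the discovery document fetched from it.
// `today` is an ISO date (YYYY-MM-DD); ISO dates compare correctly as strings.
function vetAuthorisationServer(entry, discovery, today) {
  const as = lowerKeys(entry);
  const problems = [];
  if (as.supportsdcr !== true) problems.push('DCR not advertised in directory');
  if (as.retirementdate && as.retirementdate <= today) problems.push('server retired');
  if (!isHttps(as.openiddiscoverydocument)) problems.push('discovery URI not https');
  // The issuer in the discovery document must equal the issuer the directory vouches for.
  if (discovery.issuer !== as.issuer) problems.push('issuer mismatch');
  for (const name of ['token_endpoint', 'registration_endpoint']) {
    if (!isHttps(discovery[name])) problems.push(`${name} missing or not https`);
  }
  const offered = discovery.token_endpoint_auth_methods_supported || [];
  if (!STRONG_AUTH.some((m) => offered.includes(m))) problems.push('no strong client auth');
  return { ok: problems.length === 0, problems };
}

// Build a DCR request body limited to what the server says it supports.
function buildDcrRequest(discovery, wantedGrants, redirectUris, ssaJwt) {
  const grants = new Set(discovery.grant_types_supported || []);
  const offered = discovery.token_endpoint_auth_methods_supported || [];
  return {
    grant_types: wantedGrants.filter((g) => grants.has(g)),
    redirect_uris: redirectUris.filter(isHttps),
    token_endpoint_auth_method: STRONG_AUTH.find((m) => offered.includes(m)) || null,
    software_statement: ssaJwt,
  };
}
```

Only call `buildDcrRequest` for a server whose `vetAuthorisationServer` result has `ok: true`; the `problems` list is meant for logging.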
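Steps 10 to 12 of the DCR flow (key set retrieval and SSA validation), sketched as an added example that is not the data provider's or Raidiam's implementation. The key pair, the `kid`, the PS256 signing algorithm for the SSA, the five-minute freshness window and the claims `iat`, `software_id` and `software_redirect_uris` are assumptions constructed for the demonstration; the page does not list the SSA's claims.

```javascript
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (text) => Buffer.from(text, 'base64url');
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };

// Constructed stand-in for the directory's signing key and its published key set.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'constructed-kid-1' }] };

// Stand-in for the directory issuing an SSA (PS256, JWS compact serialisation).
function issueSsa(claims, key, kid) {
  const header = { alg: 'PS256', typ: 'JWT', kid };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(input), { key, ...PSS });
  return `${input}.${b64u(signature)}`;
}

// Validate an SSA against a key set; returns the claims or throws.
function verifySsa(ssa, keySet, nowSeconds, maxAgeSeconds = 300) {
  const parts = ssa.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = JSON.parse(fromB64u(parts[0]).toString('utf8'));
  // Pin the algorithm; the token must not be able to select "none" or an HMAC alg.
  if (header.alg !== 'PS256') throw new Error(`unexpected alg ${header.alg}`);
  const jwk = (keySet.keys || []).find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('no matching key in key set');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, { key, ...PSS }, fromB64u(parts[2]))) {
    throw new Error('signature check failed');
  }
  // Claims are read only after the signature has been verified.
  const claims = JSON.parse(fromB64u(parts[1]).toString('utf8'));
  const age = nowSeconds - claims.iat;
  if (typeof claims.iat !== 'number' || age > maxAgeSeconds || age < -60) {
    throw new Error('SSA is stale or issued in the future');
  }
  return claims;
}

// Return the redirect URIs in a DCR request that the verified SSA does not vouch for.
function unvouchedRedirectUris(dcrRequest, claims) {
  const allowed = new Set(claims.software_redirect_uris || []);
  return (dcrRequest.redirect_uris || []).filter((uri) => !allowed.has(uri));
}
```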