Ozone

Open Finance Malaysia Developer Portal

Section 1: Before You Begin - Prerequisites

Before you can interact with the PayNet Open Finance Platform (OFP) API, you need to ensure you have the necessary credentials, certificates, and tools in place. This section outlines everything required to get started.


Overview

As a Data Consumer (DC), you'll be communicating with the OFP through a secure, standards-based OpenID Connect (OIDC) and OAuth 2.0 implementation. This requires several types of cryptographic material and configurations.


Prerequisites for OIDC Client Registration

To access the PayNet OFP, you need to obtain and configure the following items. The table below clarifies which party is responsible for providing each component in production and sandbox environments:

1. Client Registration

  • Your organization must be registered as a Data Consumer (DC) with the OFP
  • You will receive two identifiers:
    • dc_id (Data Consumer ID): Your legal/organizational identifier issued by PayNet. This represents your company or entity in the ecosystem.
    • client_id (OIDC Client ID): The technical identifier for your application. Used in OIDC protocol flows and API requests.
  • You must provide and register a redirect_uri with PayNet during setup
    • This is the URL in your application where users will be returned after granting consent
    • Must be HTTPS in production, can be HTTP (localhost) in sandbox
    • Must be accessible from user browsers (e.g., https://your-app.com/oauth/callback)
  • Store credentials securely; you'll use them throughout API communication

2. Transport Layer Security (TLS)

  • Client Transport Certificate & Key: Used for mTLS (mutual TLS) authentication
    • Certificate in PEM format (.pem or .crt)
    • Private key in PEM format (.key or .pem)
    • Used to establish secure connections to the OFP endpoints
    • Verifies your client's identity at the network layer

3. Message Signing

  • Signing Certificate & Key: Used to digitally sign requests (JWS - JSON Web Signature)
    • Certificate in PEM format (.pem or .crt)
    • Private key in PEM format (.key or .pem)
    • Ensures API requests cannot be tampered with in transit
    • Required for signing PAR (Pushed Authorization Request) and other sensitive operations

4. Message Encryption

  • Encryption Key Pair: Used to decrypt encrypted responses (JWE - JSON Web Encryption)
    • Private key kept securely with your application
    • OFP uses your public key to encrypt sensitive response data
    • Your application uses your private key to decrypt

5. JWKS (JSON Web Key Set)

  • All public keys (transport certificate, signing certificate, encryption public key) must be hosted on a publicly accessible JWKS endpoint
  • The JWKS endpoint URL is registered with OFP during client setup
  • OFP uses this to verify your request signatures and encrypt responses destined for you
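The five prerequisites above can be checked before any request is sent. The following preflight script is an added example, not PayNet's code or the portal's tooling; the file names, the sandbox JWKS URL and the placeholder PEM bodies are constructed for illustration.

```python
"""Preflight check for the OFP Data Consumer prerequisites (added example)."""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse

# Accepted first lines for the PEM material described in sections 2-4.
PEM_HEADERS = {
    "cert": ("-----BEGIN CERTIFICATE-----",),
    "key": ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
            "-----BEGIN EC PRIVATE KEY-----"),
}

@dataclass
class DcConfig:
    env: str            # "sandbox" or "production"
    dc_id: str          # legal/organizational identifier from PayNet
    client_id: str      # OIDC client identifier for the application
    redirect_uri: str
    jwks_uri: str
    transport_cert: Path; transport_key: Path
    signing_cert: Path; signing_key: Path
    encryption_key: Path

def check_redirect_uri(uri: str, env: str) -> list[str]:
    """HTTPS is always accepted; plain HTTP only for localhost in sandbox."""
    u = urlparse(uri)
    if u.scheme == "https" and u.netloc:
        return []
    if env == "sandbox" and u.scheme == "http" and u.hostname in ("localhost", "127.0.0.1"):
        return []
    return [f"redirect_uri {uri!r} is not allowed in {env}"]

def check_pem(path: Path, kind: str) -> list[str]:
    """Confirm the file exists and carries a PEM header of the expected kind."""
    if not path.is_file():
        return [f"{path}: missing"]
    first = path.read_text().lstrip().split("\n", 1)[0]
    return [] if first in PEM_HEADERS[kind] else [f"{path}: not a PEM {kind}"]

def preflight(cfg: DcConfig) -> list[str]:
    problems = [] if cfg.dc_id and cfg.client_id else ["dc_id and client_id are both required"]
    problems += check_redirect_uri(cfg.redirect_uri, cfg.env)
    if urlparse(cfg.jwks_uri).scheme != "https":
        problems.append("jwks_uri must be a publicly reachable HTTPS URL")
    for path, kind in [(cfg.transport_cert, "cert"), (cfg.transport_key, "key"),
                       (cfg.signing_cert, "cert"), (cfg.signing_key, "key"),
                       (cfg.encryption_key, "key")]:
        problems += check_pem(path, kind)
    return problems

def demo() -> list[str]:
    """Constructed sample: placeholder PEMs in a temp dir, encryption key deliberately absent."""
    d = Path(tempfile.mkdtemp())
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    for name, body in {"transport.crt": cert, "transport.key": key,
                       "signing.crt": cert, "signing.key": key}.items():
        (d / name).write_text(body)
    cfg = DcConfig("sandbox", "DC-EXAMPLE", "client-example", "http://localhost:8080/oauth/callback",
                   "https://jwks.example.invalid/dc.json", d / "transport.crt", d / "transport.key",
                   d / "signing.crt", d / "signing.key", d / "encryption.key")
    return preflight(cfg)  # reports only the missing encryption key
```

Running `demo()` reports the single missing encryption key; pointing `DcConfig` at real files and a production redirect_uri turns it into a checklist you can run in CI.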

Sandbox Environment Setup

For development and testing, PayNet provides a fully managed sandbox environment that simplifies the setup process.

What PayNet Provides

When you register for sandbox access, PayNet will supply:

  1. Pre-configured JWKS

    • A JWKS endpoint hosted by PayNet containing all your public keys
    • No need to host your own JWKS initially
    • Simplifies development environment setup
  2. Complete Key Material

    • Client transport certificate & key files
    • Signing certificate & key files
    • Encryption key pair files
  3. Postman Collection

    • Pre-built Postman collection with all OFP endpoints
    • Environment-specific variables pre-configured
  4. Postman Environment

    • Pre-configured environment file for sandbox that can be used with Postman

Obtaining Sandbox Credentials

Contact PayNet's Developer Support to request:

  • Access to the sandbox environment
  • Your client_id
  • Certificate files (in a secure manner)
  • Postman collection and environment exports

Setting Up Postman for Sandbox Testing

Postman is the recommended starting point for testing the OFP API. Follow these steps to get up and running.

Step 1: Import the Postman Collection

  1. Open Postman (download from postman.com if you haven't already)
  2. Click the Import button (top-left corner)
  3. Select File tab
  4. Choose the .json collection file provided by PayNet
  5. Click Import
  6. You should now see the PayNet OFP API collection in your left sidebar with organized folders for each API section

Step 2: Import the Postman Environment

  1. Open Postman
  2. Click the Import button (top-left corner, same as you did for the collection)
  3. Select File tab
  4. Choose the .json environment file provided by PayNet
  5. Click Import
  6. The environment is now available; select it from the Environment dropdown (top-right) to activate it

Step 3: Configure Transport Certificates (mTLS)

Transport certificates enable secure mutual authentication between your client and the OFP.

For Postman:

  1. Open Settings

    • Click the Settings icon (⚙️) in the top-right corner
    • Select Certificates tab
  2. Add Client Certificate

    • Click Add Certificate
    • In the Host field, enter the OFP domain (e.g., *.sandbox.paynetopenfinance.my)
    • Under CRT file, browse and select your transport certificate (.pem)
    • Under KEY file, browse and select your transport private key (.key or .pem)
    • Leave Passphrase empty (unless your key is encrypted)
    • Click Add

Next Steps

Once you've completed these prerequisites, proceed to:




© 2026 Open Finance Malaysia Developer Portal. All rights reserved.