Definition
The QWAC (Qualified Website Authentication Certificate) is a qualified eIDAS certificate that proves, at the transport level, a TPP's identity to banks.
In practice, it is the certificate that, via mTLS, tells the bank "I really am Bridge, Fintecture or Pennylane, and here is my ACPR authorisation."
QWAC vs QSealC: transport vs application
Two complementary certificates:
- QWAC — security at the transport level (TLS): authenticates the TPP when the mTLS connection is established, then is no longer used.
- QSealC — security at the application level: signs each HTTP request individually, with a signature that survives intermediaries and serves as legal proof.
A TPP needs both: the QWAC to connect, the QSealC to sign what it sends.
What a QWAC contains (PSD2-specific)
Beyond the classic X.509 fields, a PSD2 QWAC carries extensions:
- NCAName + NCAId: the national authorising authority (e.g. "FR-ACPR").
- AuthorisationNumber: the TPP's authorisation number.
- PSD2 Roles: the authorised roles (PSP_AS, PSP_PI, PSP_AI, PSP_IC).
On each mTLS call, the ASPSP inspects these fields: a TPP that calls an AIS endpoint without the PSP_AI role is rejected.
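As an added illustration (not code from the original page, nor from any issuer or bank), here is what that ASPSP-side inspection looks like in Go with only the standard library's encoding/asn1: it decodes the PSD2 QcStatement out of the certificate's qcStatements extension and gates an AIS endpoint on the PSP_AI role. The OIDs and the statement layout are those of ETSI TS 119 495 as I know them; the function names and the sample extension value are my own constructed test data, not a real QWAC.

```go
package main

import "encoding/asn1"
import "errors"

// OIDs from ETSI TS 119 495: the PSD2 QcStatement and the PSP_AI role (PSP_AS/PI/AI/IC are arcs 1..4).
var oidPSD2QcType = asn1.ObjectIdentifier{0, 4, 0, 19495, 2}
var OidRolePSPAI = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 3}

// ASN.1 shapes, reduced to the fields the page lists: roles, NCAName, NCAId.
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}
type RoleOfPSP struct {
	OID  asn1.ObjectIdentifier
	Name string `asn1:"utf8"`
}
type PSD2QcType struct {
	Roles   []RoleOfPSP
	NCAName string `asn1:"utf8"`
	NCAId   string `asn1:"utf8"`
}

// ParsePSD2 decodes ext.Value of the cert.Extensions entry whose Id is qcStatements (1.3.6.1.5.5.7.1.3).
func ParsePSD2(qcStatementsValue []byte) (*PSD2QcType, error) {
	var stmts []qcStatement
	if _, err := asn1.Unmarshal(qcStatementsValue, &stmts); err != nil {
		return nil, err
	}
	for _, s := range stmts {
		if p := new(PSD2QcType); s.ID.Equal(oidPSD2QcType) {
			_, err := asn1.Unmarshal(s.Info.FullBytes, p)
			return p, err
		}
	}
	return nil, errors.New("no PSD2 QcStatement: not a PSD2 QWAC")
}

// HasRole is the per-endpoint gate (an AIS endpoint requires OidRolePSPAI); match the OID, not the free-text name.
func HasRole(p *PSD2QcType, role asn1.ObjectIdentifier) bool {
	for _, r := range p.Roles {
		if r.OID.Equal(role) {
			return true
		}
	}
	return false
}

// SampleQcStatements is a constructed extension value for an FR-ACPR QWAC holding PSP_AI only (test data).
func SampleQcStatements() []byte {
	info, _ := asn1.Marshal(PSD2QcType{[]RoleOfPSP{{OidRolePSPAI, "PSP_AI"}}, "FR-ACPR", "FR-ACPR"})
	val, _ := asn1.Marshal([]qcStatement{{ID: oidPSD2QcType, Info: asn1.RawValue{FullBytes: info}}})
	return val
}
```

A TPP presenting this sample on a PIS endpoint would be refused, because PSP_PI (arc 2) is absent even though the certificate is otherwise valid.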
What a QWAC does not do
- Does not sign requests at the application level (the QSealC's role).
- Does not survive the TLS layer: a proxy that terminates TLS loses the QWAC.
- Is not reusable across environments: one QWAC per environment (sandbox, pre-prod, prod).
- Does not exempt from SCA: it authenticates the TPP, not the PSU.
Within the PSD2 ecosystem
The QWAC is the first filter on the ASPSP side: before even looking at the request, the bank verifies via mTLS that it is talking to an authorised and identified player. Without a valid QWAC, no request gets through.
Real-world examples
- Issuers in France: Certigna (DhiMyOtis) and Certinomis (La Poste / Docaposte), the most used for ACPR compliance.
- Issuers in Europe: D-Trust (very common among DACH banks), Buypass (Norway), InfoCert (Italy) for the Berlin Group market.
- Typical error: placing the QWAC behind a load balancer or a WAF that terminates TLS loses the mTLS authentication — the fix is TLS passthrough all the way to the backend.
- Rotation: a QWAC lasts 1 to 2 years; automating rotation (via the TSP's API) avoids an outage on a Sunday night.
- Cost: €300 to €1,500/year per certificate, which can quickly add up for a multi-TPP white-label platform.