Important: Security Policy update!
What is changing?
Users connecting to the URLs below should now trust the following certificate authorities: Entrust Certification Authority - L1J and Entrust Root Certification Authority - EC1
- https://api-mtls.cib.bnpparibas.com
- https://api.cib.bnpparibas.com
Trusting the new authorities means adding both certificates to your application's truststore.
Why?
The new authorities issue certificates based on the latest security baselines:
- Extended Validation (EV) Certificates (trusted by all modern browsers)
- ECDSA algorithm for encryption instead of RSA
How to test?
You can already test the new certificates by calling the test environments, commonly called the sandbox. To get the full testing URL of your API, check with your BNP API contact, or simply try calling the following sandbox APIs from your application. The result should be code 200.
- https://api-mtls.sandbox.cib.bnpparibas.com/healthcheck
- https://api.sandbox.cib.bnpparibas.com/healthcheck
When?
You can already trust the new certificates at any time. The provisional date for the production switch is in the first table below.
Access points to send traffic to BNPP CIB APIs
BNPP CIB API platform is available at the following access points:
Customers and partners accessing BNPP CIB APIs
URLs | Server Certificate | Certificate Authority (CA) | Expires |
https://api-mtls.sandbox.cib.bnpparibas.com | CRT Format | | September 02, 2025 |
https://api-mtls.cib.bnpparibas.com | CRT Format - To be installed on November 2nd (provisional date), P7B Format | New Certificate Authorities! | September 05, 2025 |
https://api.sandbox.cib.bnpparibas.com | CRT Format | | September 02, 2025 |
https://api.cib.bnpparibas.com | CRT Format - To be installed on November 2nd (provisional date), P7B Format | New Certificate Authorities! | September 05, 2025 |
EU TPP accessing PSD2 APIs with a QWAC issued by a QTSP
URLs | Server Certificate | Expires |
https://psd2.api.cib.bnpparibas.com | CRT Format, P7B Format | March 22, 2026 |
https://api-mtls.sandbox.cib.bnpparibas.com | same as first section above |
UK TPP accessing PSD2 API with an OBWAC issued by OBIE
URLs | Server Certificate | Expires |
https://ob-uk.api.cib.bnpparibas.com | CRT Format, P7B Format | July 30, 2023 |
https://api-mtls.sandbox.cib.bnpparibas.com | same as first section above |
Traffic from BNPP CIB API Platform (JWT)
BNPP CIB API Platform sends traffic to third parties with a signed JWT. Each third party receiving a JWT must check that:
1) it has been signed by CIB API Platform using the public key below,
2) the JWT has not expired,
3) the audience contains their URL.
- traffic from staging
  - API Platform public key: CRT Format (expires February 07, 2024)
- traffic from sandbox
  - API Platform public key: CRT Format (expires February 07, 2024)
- traffic from production
  - API Platform public key: CRT Format (expires February 07, 2024)
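The three checks above, written out as an added Python example (not BNPP CIB code), using only the standard library. It assumes the JWT is signed with RS256, which this page does not state, and that the RSA modulus n and exponent e have already been extracted from the CRT file; verify_platform_jwt, my_url and leeway are names chosen for this example.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rs256_ok(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 verification by re-encoding and comparing."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t
    return hmac.compare_digest(em, expected)

def verify_platform_jwt(token, n, e, my_url, now=None, leeway=0):
    """Return the claims if all three checks pass, else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm (assumed RS256): never let the token choose it.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    # 1) signed by the platform key
    if not rs256_ok(f"{h64}.{p64}".encode(), sig, n, e):
        raise ValueError("bad signature")
    # 2) not expired (a missing or non-numeric exp is rejected)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise ValueError("expired")
    # 3) audience contains our URL (aud may be a string or a list)
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud, list) or my_url not in aud:
        raise ValueError("audience mismatch")
    return claims
```

The signature is checked before any claim is read, so an unsigned or tampered payload never influences the expiry or audience decision.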
Traffic from BNPP CIB API Platform (MTLS)
Alternatively, mTLS can be used in some scenarios, in which BNPP CIB API Platform authenticates to a third-party API using a client certificate. The client certificates used are:
- traffic from non prod
  - Client Certificate: api-mtls-global.sandbox.cib.bnpparibas.com.crt
  - Intermediate: Entrust Certification Authority - L1M.crt
  - Root: Entrust Root Certification Authority - G2.crt
- traffic from production
  - Client Certificate: api-mtls-global.cib.bnpparibas.com.crt
  - Intermediate: Entrust Certification Authority - L1M.crt
  - Root: Entrust Root Certification Authority - G2.crt