Skip to main content

API Platform

Important : Security Policy update !

What is changing ?

Users connecting to the below URLs should now trust the following certificate authorities : Entrust Certification Authority - L1J and  Entrust Root Certification Authority - EC1

  • https://api-mtls.cib.bnpparibas.com
  • https://api.cib.bnpparibas.com

Trusting the new authorities means adding both certificates to your application's truststore.

Why ?

Certificates are delivered by the new authorities based on the latest security baselines :

  • Extended Validation (EV) Certificates (trusted by all modern browsers)
  • ECSDA algorithm for encryption instead of RSA

How to test  ?

You can already test the new certificates by calling the test environements commonly called sandbox. In order to get the full testing url of your API, you can check with your BNP API contact. Or simply try calling the following sandbox APIs from your application. The result should be code 200.

  • https://api-mtls.sandbox.cib.bnpparibas.com/healthcheck
  • https://api.sandbox.cib.bnpparibas.com/healthcheck

When ?

You can already trust the new certificates at any time. The previsional date for the production switch is in the first table below.

 

Access points to send traffic to BNPP CIB apis

BNPP CIB API platform is available at the following access points:

Customers and partners accessing BNPP CIB APIs

UrlsServer CertificateCertificate Authority (CA)Expires
https://api-mtls.sandbox.cib.bnpparibas.comCRT Format

intermediate

Root

September 02, 2025
https://api-mtls.cib.bnpparibas.comCRT Format - To be Installed on November 2nd (previsonal date)
P7B Format 

New Certificate Authorities !
intermediate

Root

September 05, 2025
https://api.sandbox.cib.bnpparibas.comCRT Format

intermediate

Root

September 02, 2025
https://api.cib.bnpparibas.comCRT Format - To be Installed on November 2nd (previsonal date)
P7B Format

New Certificate Authorities !
intermediate

Root

September 05, 2025

EU TPP accessing PSD2 APIs with a QWAC issued by a QTSP

UrlsServer CertificateExpires
https://psd2.api.cib.bnpparibas.comCRT Format, P7B FormatMarch 22, 2026
https://api-mtls.sandbox.cib.bnpparibas.comsame as first section above 

UK TPP accessing PSD2 API with an OBWAC issued by OBIE

UrlsServer CertificateExpires
https://ob-uk.api.cib.bnpparibas.comCRT FormatP7B FormatJuly 30, 2023
https://api-mtls.sandbox.cib.bnpparibas.comsame as first section above 

 

Traffic from BNPP CIB API Platform (JWT)

BNPP CIB API Platform is generating traffic for third-parties with signed JWT. Each third-party receiving JWT must check
1) it has been signed by CIB API Platform using the public key bellow,
2) the JWT did not expire,
3) the audience contains their URL.

  • traffic from staging
    • API Platform public key: CRT Format (expire February 07, 2024)
  • traffic from sandbox
    • API Platform public key: CRT Format (expire February 07, 2024)
  • traffic from production
    • API Platform public key: CRT Format (expire February 07, 2024)

 

Traffic from BNPP CIB API Platform (MTLS)

Alternatively, mTLS can be used in some scenarios when BNPP CIB API Platform authenticate to a third-party API using a client certificate. The client certificates used are:

About us

BNP Paribas CIB is a leading global financial services firm, offering you solutions in capital markets, securities services, advisory, finance and treasury

 

group2