TPP Validation — The gatekeeper between your regulated APIs and the world.

§ 01How it works

Four checks per request. Then we keep watching.

01 — Inbound

eIDAS Introspection

Forward any QWAC or QSealC PEM for instant chain-of-trust verification. We validate QTSP signatures and extract all PSD2 attributes in a single atomic pass.

INPUTX.509 + PSD2 ext.

02 — Verify

Chain & revocation

Full-path validation against EU Trust Lists with OCSP and CRL fallback. Zero-cache policy: every check uses live-refreshed anchors (updated hourly).

SOURCESTSL · OCSP · CRL

03 — Confirm

Regulatory standing

Real-time mapping of licenses and cross-border permissions. We bridge the gap between national registers to confirm an entity's standing in your target markets.

REGISTERSEBA · FCA · 30 more

04 — Gate

Deterministic Logic

Cryptographically signed results with hash-chained provenance. Traceable to source records and tamper-evident—providing immutable grounds for your enforcement.

OUTPUTStatus · Auhtorizations · Grounds

v5 · the gate that calls you back

Two modes. Same verdict. One contract.

We have asked us the same thing for years: "why not push, rather than pull" So we built it.

PULL/v5/validate · per request

You ask, we answer.

Submit incoming certificates to ourendpoint and apply your own compliance ruleset on our responses. Simple, synchronous, works today.

BANK — POST /v5/validate → TPPVALIDATION

BANK ← 200 OK · ALLOWED — TPPVALIDATION

{
 "organizationIdentifier": "PSDFR-ACPR-16828",
 "serialNumber": "107134684502035741319485938482960176000",
 "timestamp": 1776614411000
}

200 OK / 422 ERR
Reject Reason(s)
Median 78 ms end-to-end
Every call re-hits latest anchors
No state on your side
Auditable Responses

PUSHv5 · subscribe once

We tell you, the moment something changes.

Simply add a Webhook URL with your initial Certificate request. We then POST a signed event to your webhook immediately when anything changes.

TPPVALIDATION — POST /webhooks/tpp → BANK

{
  "event_type": "cert.status_changed",
  "data": {
    "issuer_hash": "773ddc302ea5b96b",
    "serial": "6145605090800385797785912406225945772",
    "entity_name": "Plaid, B.V.",
    "old_status": "valid",
    "new_status": "invalid",
    "reason": "certificateExpired",
    "checked_at": "2026-04-19T19:58:51.243Z"
  }
}

0 ms at request time — the update is already in your system
Events: cert.revoked · cert.role_changed · cert.expired · cert.passport_dropped
HMAC-signed with a rotating key · defensible in audit

Most customers run both: pull on first handshake, push thereafter. We reconcile the two into one audit trail.

0ms p95

End-to-end verdict

0%

Reproducible · Audit-ready

0%

Uptime — trailing 12 months

<0s

Webhook delivery after status change

§ 02Compliance

Built for what is. Ready for what comes.

PSD2Directive 2015/2366

Every AISP, PISP and CBPII interaction across 27 EU states and the EEA — role checks, passporting and article-compliant verdicts.

● Active

PSD3Proposal 2023/367

Strong Customer Authentication evolves, new liability split, consolidated licensing. Our schema already tracks the draft attributes.

◌ Ready

PSRRegulation (EU) TBD

Harmonises conduct rules across the union. Validation rules are versioned per regime — flip a header, get the right verdict.

◌ Ready

FIDAFinancial Data Access

Beyond payments — mortgages, pensions, investments. Data-holder and data-user roles, permission dashboards, FISP registration.

◌ Ready

eIDAS 2.0Regulation (EU) 2024/1183

EUDI wallet trust anchors, qualified attestations, cross-border identity. Our trust lists refresh every 15 minutes.

● Active

§ 03Agentic AI

Validation, where your team already works.

MCP

ai.tppvalidation.com/mcp

Native MCP endpoint

Plug our validation tools directly into Claude, Cursor or any MCP-capable agent. Every verdict is a tool call, every check a structured resource.

tools/list → validate_tpp, lookup_provider, check_revocation tools/call · validate_tpp ALLOW · AISP + PISP · DE · session 0x8f2c

ai.tppvalidation.com/slack

Slack commands

A slash command away from a verdict. Paste a cert, mention a provider, get a signed response in-channel with full audit link.

@lena /validate · PEM SE,FR,DK ✓ ALLOW · ATLAS BANK AISP · AISP + PISP
cert valid · OCSP valid · jurisdiction SE,FR,DK audit · verdict 0x8f2c.jwt

ai.tppvalidation.com/teams

Microsoft Teams

Adaptive Card responses, SSO through your tenant, and Graph-integrated audit trails. For the compliance team that lives in Teams.

Compliance channel @TPP find OAKRIDGE CAPITAL ✓ ALLOW · FRN 789245
AISP + PISP + CBPII · GB
[ Open verdict ] [ Replay ] shared to Compliance · 14:02 UTC

§ 04Deploy anywhere

Our repo. Any tenant. Your sovereignty.

SaaS · Managed

Hosted by us

Multi-region EU endpoint on Cloudflare + Azure. Fastest path to production, zero ops.

Private · Azure Marketplace

Your Azure tenant

Deploy into your own subscription. Data sovereignty, funded by existing MACC credits.

Source · One-time

Own the code

Buy the source, run it behind your gateway. Optional maintenance contract.

§ 05Pricing

Priced like infrastructure, not like a SaaS.

Explorer

Free/ forever

Free forever for developers and testers — send a cert, get a verdict, ship with confidence.

Rate limited validations
All 31 EU/EEA jurisdictions
Any eIDAS certificate type
Web UI for ad-hoc checks
Self-Service Pre-flight
Community documentation

Validate Now →

Production

€5/ hour × 24×30 or × 24×365×discount

The price of a coffee, the diligence of a full compliance team — always on, always current, always signed.

Unlimited validations · webhook subscriptions
Signed push events on every status change
On-demand audit log · download anytime
Multi-cloud active-active · 99.99% target SLA
P95 latency < 200 ms
Dedicated technical contact
Contract-free monthly · discounted annual

Request trial →

Institution

Custom/ annual

The gravity of institutional compliance, the agility of modern infrastructure — your policy, logs and now code.

Everything in Production
On-prem deployment or private VPC
Custom audit log retention (up to 7Y)
Source code access via private GitHub
24/7 incident support · dedicated Slack
Relying party architecture · no customer data stored
Custom MSA, DPA, contract terms

Request Technical Briefing →

§ 06API

One gate. Two doors. Same answer.

VALIDATEpull · synchronous

You ask. We verify.

POST the raw PEM to /v5/validate with an Authorization header and optional ?cc= country filter. Deterministic, auditable JSON back.

POST /v5/validate?cc=DE,FR,NL HTTP/3
Host: api.tppvalidation.com
Authorization: Bearer <token>
Content-Type: text/plain

-----BEGIN CERTIFICATE-----
MIIGkTCCBHmgAwIBAgIUEh...
-----END CERTIFICATE-----

HTTP/3 200 OK
Content-Type: application/json
X-TPP-Passports: DE=PSP_PI,PSP_AI;FR=PSP_PI,PSP_AI;NL=PSP_PI,PSP_AI
X-TPP-Identifier: a8f2c9d1...
X-TPP-Entity: PSP

{
  "result": {
    "serialNumber": "107134684502035741319485938482960176000",
    "organizationIdentifier": "PSDFR-ACPR-16828",
    "timestamp": 1776614411000
  },
  "webhookRegistered": false
}

200 valid — entity authorized for all requested jurisdictions
422 denied — same structured res + reject reasons in X-TPP-Reason
Active passports returned in X-TPP-Passports header
Now Accepts raw PEM or JSON — to fit existing pipelines

Gateway integration

Implementation for ▾

Review before deploying Copy

Former /v4 now deprecated, to be EOL EOY.

WEBHOOKpush · event-driven

We verify. You're told.

Add a webhook_url to any /v5/validate call and we POST signed events to your endpoint whenever that certificate's status changes.

POST /v5/validate?cc=DE HTTP/3
Host: api.tppvalidation.com
Authorization: Bearer <token>
Content-Type: application/json

{
  "pem": "-----BEGIN CERTIFICATE-----\n...",
  "webhook_url": "https://bank.eu/hooks/tpp"
}

# Your endpoint receives:
POST /hooks/tpp HTTP/3
Content-Type: application/json
X-Webhook-Signature: t=1776756250,v1=50666a0d107f69bd914017e55e2250d40ce69875...
X-Webhook-Event-Id: 01KPQESF7DNJW5JAZ2PTC5GRKV
X-Webhook-Delivery-Id: 1d7b77e4-7c00-4dce-ba36-ab39a9de09f9
User-Agent: tpp-validator-webhooks/5.0

{
  "event_id": "01KPQESF7DNJW5JAZ2PTC5GRKV",
  "event_type": "cert.status_changed",
  "created_at": "2026-04-21T07:24:03.693Z",
  "data": {
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134684502035741319485938482960176000",
    "entity_name": "Plaid, B.V.",
    "old_status": "valid",
    "new_status": "invalid",
    "reason": "certificateRevoked",
    "checked_at": "2026-04-21T07:24:03.611Z"
  }
}

Events: cert.status_changed · webhook.subscription_created · .updated · .deleted
HMAC-SHA256: hmac(secret, "{t}.{body}") — header format t=…,v1=…
Dedupe on event_id (ULID) · retry on non-2xx · DLQ after 5 fails

Webhook verification

Verify signature in ▾

Review before deploying Copy

PRO TIP: Run both, pull on first handshake, push thereafter.

LIFECYCLEmanage subscriptions

Your subscription, your rules.

Every webhook subscription emits its own lifecycle event. You always know whether your endpoint is live, whether a URL change landed, and when an unsubscribe takes effect — confirmed by a signed callback, not a silent KV write.

CREATEor heartbeat

POST a cert with a webhook_url. First time registers the subscription. Same URL again = heartbeat ping that confirms your endpoint still works end-to-end.

{
  "event_type": "webhook.subscription_created",
  "data": {
    "webhook_url": "https://bank.eu/hooks/tpp",
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134...",
    "entity_name": "Plaid, B.V."
  }
}

UPDATEchange URL

POST the same cert with a different webhook_url. We swap the destination atomically and deliver one confirmation event to the new URL with the previous one in the payload.

{
  "event_type": "webhook.subscription_updated",
  "data": {
    "webhook_url": "https://bank.eu/hooks/tpp-v2",
    "previous_webhook_url": "https://bank.eu/hooks/tpp",
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134..."
  }
}

DELETEunsubscribe

Send DELETE /v5/subscriptions/{issuer_hash}/{serial} with your bearer token. We remove the subscription and deliver one final goodbye event to the URL that was registered.

{
  "event_type": "webhook.subscription_deleted",
  "data": {
    "webhook_url": "https://bank.eu/hooks/tpp-v2",
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134..."
  }
}

List all your active subscriptions: GET /v5/subscriptions — returns lastDeliveredAt and lastDeliveryStatus per entry.

The gatekeeper
between your regulated APIs and the world.

Four checks per request. Then we keep watching.

eIDAS Introspection

Chain & revocation

Regulatory standing

Deterministic Logic

Two modes. Same verdict. One contract.

You ask, we answer.

We tell you, the moment something changes.

Built for what is. Ready for what comes.

Validation, where your team already works.

Native MCP endpoint

Slack commands

Microsoft Teams

Our repo. Any tenant. Your sovereignty.

Hosted by us

Your Azure tenant

Own the code

Priced like infrastructure, not like a SaaS.

One gate. Two doors. Same answer.

You ask. We verify.

We verify. You're told.

Your subscription, your rules.

Every regulated API
deserves someone that calls you back.

Preferences ✕

Four checks per request. Then we keep watching.

eIDAS Introspection

Chain & revocation

Regulatory standing

Deterministic Logic

Two modes. Same verdict. One contract.

You ask, we answer.

We tell you, the moment something changes.

Built for what is. Ready for what comes.

Validation, where your team already works.

Native MCP endpoint

Slack commands

Microsoft Teams

Our repo. Any tenant. Your sovereignty.

Hosted by us

Your Azure tenant

Own the code

Priced like infrastructure, not like a SaaS.

One gate. Two doors. Same answer.

You ask. We verify.

We verify. You're told.

Your subscription, your rules.

Every regulated APIdeserves someone that calls you back.

Preferences ✕

Every regulated API
deserves someone that calls you back.