PSD2 · PSD3 · PSR · FIDA VERSION 5 push + pull · European Union Flag

The gatekeeper
between your regulated APIs and the world.

We provide the authoritative trust anchor between your regulated APIs and the TPP ecosystem. Our service engine automates the complex verification of eIDAS certificates and regulatory roles, giving you the real-time clarity needed to grant or deny access — instantly.

New in v5 — stop polling.
Subscribe once and we push every status change directly to your stack, signed and verifiable. Push vs pull ↓

Request trial → Read the docs
Qualified TSPs
--
Jurisdictions
31
OB flavours
12+
Open Trust anchors
100%
POST api.tppvalidation.com/v5/validate [for all jurisdictions] ● TLS 1.3 · mTLS
Drop .pem / .cer / .crt here, or paste PEM
Upload file Run demo cycle
Verdict →
Awaiting handshake…
§ 01How it works

Automated Audits with Event-Driven Callbacks.

01 — Inbound

eIDAS Introspection

Forward any QWAC or QSealC PEM for instant chain-of-trust verification. We validate QTSP signatures and extract all PSD2 attributes in a single atomic pass.

INPUTX.509 + PSD2 ext.
02 — Verify

Chain & Revocation

Full-path validation against EU Trust Lists with OCSP and CRL fallback. Zero-cache policy: every check uses live-refreshed anchors (updated hourly).

SOURCESTSL · OCSP · CRL
03 — Confirm

Regulatory Standing

Real-time mapping of licenses and cross-border permissions. We bridge the gap between national registers to confirm an entity's standing in your target markets.

REGISTERSEBA · FCA · NCA
04 — Gate

Deterministic Enforcement

Cryptographically signed results with hash-chained provenance. Traceable to source records and tamper-evident—providing immutable grounds for your enforcement.

OUTPUTStatus · Auhtorizations · Grounds
v5 · the gate that calls you back

Two modes. Same answer. One contract.

Pull was the standard. Push is the answer. We've rebuilt the layer between.

PULL/v5/validate · per request

You ask, we answer.

Submit incoming certificates to ourendpoint and apply your own compliance ruleset on our responses. Simple, synchronous, works today.

BANK — POST /v5/validate → TPPVALIDATION
BANK ← 200 OK · ALLOWED — TPPVALIDATION 
{
 "organizationIdentifier": "PSDFR-ACPR-16828",
 "serialNumber": "107134684502035741319485938482960176000",
 "timestamp": 1776614411000
}
  • 200 OK / 422 ERR
  • Reject Reason(s)
  • Median 78 ms end-to-end
  • Every call re-hits latest anchors
  • No state on your side
  • Auditable Responses
PUSHv5 · subscribe once

We tell you, the moment something changes.

Simply add a Webhook URL with your initial Certificate request. We then POST a signed event to your webhook immediately when anything changes.

TPPVALIDATION — POST /webhooks/tpp → BANK 
{
  "event_type": "cert.status_changed",
  "data": {
    "issuer_hash": "773ddc302ea5b96b",
    "serial": "6145605090800385797785912406225945772",
    "entity_name": "Plaid, B.V.",
    "old_status": "valid",
    "new_status": "invalid",
    "reason": "certificateExpired",
    "checked_at": "2026-04-19T19:58:51.243Z"
  }
}
  • 0 ms at request time — the update is already in your system
  • Events: cert.revoked · cert.role_changed · cert.expired · cert.passport_dropped
  • HMAC-signed with a rotating key · defensible in audit
Most customers run both: pull on first handshake, push thereafter. We reconcile the two into one audit trail.
0ms p95
End-to-end verdict
0%
Reproducible · Audit-ready
0%
Uptime — trailing 12 months
<0s
Webhook delivery after status change
§ 02Compliance

Built for what is. Ready for what comes. The day it comes

PSD2Directive 2015/2366
Every AISP, PISP and CBPII interaction across 31 EU/EEA jurisdictions. We validate Article 34 attributes — authorization number, PSD2 role, NCA — against live EBA and national registers on every request. Because a cert issued 18 months ago doesn't prove the license is still active today.
● Active
PSD3Proposal 2023/367
PSD3 folds EMIs into payment institutions as a sub-category. Thousands of re-authorized entities, new role combinations, updated capital thresholds. Our validation schema is already parameterized per regime — flip the version header, get the PSD3 verdict. No code change on your side, no waiting for your vendor to catch up.
◌ Ready
PSRRegulation (EU) TBD
The PSR harmonises conduct rules across the union — same API access requirements, same fraud reporting, same liability. But your stack was built for 27 national flavours of PSD2. We run the single harmonised ruleset, returning one consistent verdict regardless of which member state the TPP is passporting from. Swap the header, swap regimes.
◌ Ready
FIDAFinancial Data Access
Beyond payments: mortgages, pensions, investments. FIDA makes you a data holder for every authorized FISP — continuously, in real time. With no single EU-wide register for FISP authorization across schemes, jurisdictions and permissions, you need a trusted layer that does the lookup on every call. That's us. Signed verdict, cached briefly, refreshed the moment anything changes.
◌ Ready
eIDAS 2.0Regulation (EU) 2024/1183
EUDI Wallet trust anchors, qualified attestations, cross-border identity. eIDAS 2.0 isn't replacing QWACs — it's extending the trust framework around them. We refresh every EU/EEA trust list every 15 minutes, verify the LOTL integrity on every pull, and surface the underlying QTSP chain so your compliance team can audit any verdict back to its regulatory source.
● Active
§ 03Agent-ready

Machine-readable. Agent-callable. Embedded Auditing.

ai.tppvalidation.com/mcp

Native MCP Server

Plug our validation tools directly into Claude, Cursor or any MCP-capable agent. Every verdict is a tool call, every check a structured resource.

tools/list → validate_tpp, lookup_provider, check_revocation tools/call · validate_tpp ALLOW · AISP + PISP · DE · session 0x8f2c
ai.tppvalidation.com/slack

Slack /commands

A slash command away from a verdict. Paste a cert, mention a provider, get a signed response in-channel with full audit link.

@lena /validate · PEM SE,FR,DK ✓ ALLOW · ATLAS BANK AISP · AISP + PISP
cert valid · OCSP valid · jurisdiction SE,FR,DK audit · verdict 0x8f2c.jwt
ai.tppvalidation.com/teams

Microsoft Teams Bot

Adaptive Card responses, SSO through your tenant, and Graph-integrated audit trails. For the compliance team that lives in Teams.

Compliance channel @TPP find OAKRIDGE CAPITAL ✓ ALLOW · FRN 789245
AISP + PISP + CBPII · GB
[ Open verdict ] [ Replay ] shared to Compliance · 14:02 UTC
§ 04Deploy anywhere

Our repo. Any tenant. Your sovereignty.

SaaS · Managed

Hosted by us

Multi-region EU endpoint on multiple large cloud vendors. Fastest path to production, zero ops.

Latency · Uptime · Updates · Support — all on by us. Try it out Now →
Private · Azure Marketplace

Your Azure tenant

Deploy into your own subscription. Data sovereignty, funded by existing MACC credits.

For institutions with Azure enterprise agreements. Discuss Azure deployment →
Source · One-time

Own the code

Buy the source, run it behind your gateway. Optional maintenance contract.

Air-gapped environments, full code audit rights. Inquire about source licensing →
§ 05Pricing

Priced like infrastructure, not like a SaaS.

Explorer
Free/ forever

Free forever for developers and testers — send a cert, get a verdict, ship with confidence.

  • Rate limited validations
  • All 31 EU/EEA jurisdictions
  • Any eIDAS certificate type
  • Web UI for ad-hoc checks
  • Self-Service Pre-flight
  • Community documentation
Validate Now →
Production
€5/ hour × 24×30 / × 24×365×discount

The price of a coffee, the diligence of a full compliance team — always on, always current, always signed.

  • Unlimited validations · webhook subscriptions
  • Signed push events on every status change
  • On-demand audit log · access 24/7
  • Multi-cloud active-active · 99.99% target SLA
  • P95 latency < 200 ms
  • Dedicated technical contact
  • Contract-free monthly · discounted annual
Request trial →
Institution
Custom/ contract

The gravity of institutional compliance, the agility of modern infrastructure — your policy, logs and now code.

  • Everything in Production
  • On-prem deployment or private VPC
  • Custom audit log retention (up to 7Y)
  • Source code access via private GitHub
  • 24/7 incident support · dedicated Slack
  • Relying party architecture · no customer data stored
  • Custom MSA, DPA, contract terms
Request Technical Briefing →
§ 06API

One gate. Two doors. Same answer.

VALIDATEpull · synchronous

Request validation. Receive verdict. Enforce it.

POST the raw PEM to /v5/validate. Scope the verdict to specific jurisdictions with?cc=se,fr,.. Get deterministic, auditable JSON back.

POST /v5/validate?cc=DE,FR,NL HTTP/1.1
Host: api.tppvalidation.com
Authorization: Bearer <token>
Content-Type: text/plain

-----BEGIN CERTIFICATE-----
MIIGkTCCBHmgAwIBAgIUEh...
-----END CERTIFICATE-----
HTTP/3 200 OK
Content-Type: application/json
X-TPP-Passports: DE=PSP_PI,PSP_AI;FR=PSP_PI,PSP_AI;NL=PSP_PI,PSP_AI
X-TPP-Identifier: a8f2c9d1...
X-TPP-Entity: PSP

{
  "result": {
    "serialNumber": "107134684502035741319485938482960176000",
    "organizationIdentifier": "PSDFR-ACPR-16828",
    "timestamp": 1776614411000
  },
  "webhookRegistered": false
}
  • 200 OK — entity authorized · active passporting in X-TPP-Passports
  • 422 Denied — structured response + reject reasons in X-TPP-Reason
  • Now Accepts raw PEM or JSON — to fit existing pipelines 🙌
Gateway integration
Implementation for 

          

          

            Review before deploying
            Copy
          

        


        

          
          Former /v4 now deprecated, to be RETIRED 💔 EOY.
        

      


      
      

        
WEBHOOKpush · event-driven

        
Call us once. We monitor. We call back.

        
Add a webhook_url to any /v5/validate call. We POST signed events when status changes. No polling required. POST the same PEM again — for a heartbeat. ❤️


        
POST /v5/validate?cc=DE HTTP/3
Host: api.tppvalidation.com
Authorization: Bearer <token>
Content-Type: application/json

{
  "pem": "-----BEGIN CERTIFICATE-----\n...",
  "webhook_url": "https://bank.eu/hooks/tpp"
}


        
# Your endpoint receives:
POST /hooks/tpp HTTP/1.1
Content-Type: application/json
X-Webhook-Signature: t=1776756250,v1=50666a0d107f69bd914017e55e2250d40ce69875...
X-Webhook-Event-Id: 01KPQESF7DNJW5JAZ2PTC5GRKV
X-Webhook-Delivery-Id: 1d7b77e4-7c00-4dce-ba36-ab39a9de09f9
User-Agent: tpp-validator-webhooks/5.0

{
  "event_id": "01KPQESF7DNJW5JAZ2PTC5GRKV",
  "event_type": "cert.status_changed",
  "created_at": "2026-04-21T07:24:03.693Z",
  "data": {
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134684502035741319485938482960176000",
    "entity_name": "Plaid, B.V.",
    "old_status": "valid",
    "new_status": "invalid",
    "reason": "certificateRevoked",
    "checked_at": "2026-04-21T07:24:03.611Z"
  }
}


        
    
          
  • WHcert.status_changed · webhook.subscription_*(register/update/delete)
    • 
          
  • HMAC-SHA256 signed hmac(secret, "{t}.{body}") with Header t=…,v1=…
    • 
          
  • Idempotent dedupe on event_id (ULID) · Retry on non-2xx · DLQ after 5 fails
    • 
        


        
        

          

            
            Webhook verification
          

          

            

              Verify signature in
              
            

            

          

          

            Review before deploying
            Copy
          

        

        

          
          PRO TIP: Run both, pull on first handshake, push thereafter. 🚀
        

      

    


    
    

      

        
LIFECYCLEmanage subscriptions

        
Your subscription, your rules.

        
Every webhook subscription emits its own lifecycle event. You always know whether your endpoint is live, whether a URL change landed, and when an unsubscribe takes effect — confirmed by a signed callback, not a silent KV write.

      


      


        
        

          
CREATEor heartbeat

          
POST a cert with a webhook_url. First time registers the subscription. Same URL again = heartbeat ping that confirms your endpoint still works end-to-end.

          
{
  "event_type": "webhook.subscription_created",
  "data": {
    "webhook_url": "https://bank.eu/hooks/tpp",
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134...",
    "entity_name": "Plaid, B.V."
  }
}

        


        
        

          
UPDATEchange URL

          
POST the same cert with a different webhook_url. We swap the destination atomically and deliver one confirmation event to the new URL with the previous one in the payload.

          
{
  "event_type": "webhook.subscription_updated",
  "data": {
    "webhook_url": "https://bank.eu/hooks/tpp-v2",
    "previous_webhook_url": "https://bank.eu/hooks/tpp",
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134..."
  }
}

        


        
        

          
DELETEunsubscribe

          
Send DELETE /v5/subscriptions/{issuer_hash}/{serial} with your bearer token. We remove the subscription and deliver one final goodbye event to the URL that was registered.

          
{
  "event_type": "webhook.subscription_deleted",
  "data": {
    "webhook_url": "https://bank.eu/hooks/tpp-v2",
    "issuer_hash": "34b00ae80ada1f90",
    "serial": "107134..."
  }
}

        


      


      

        
        List all your active subscriptions: GET /v5/subscriptions — returns lastDeliveredAt and lastDeliveryStatus per entry.
      

    


  

  






  

    
Every regulated API
deserves someone that calls you back.

    
    

      
      
      
      
    

    
    
  
















  
Preferences 

  

    Theme
    

      
      
    

  

  

    Density
    

      
      
      
    

  

  

    Motion