Welcome to Woohoo Pay

Open Banking PSD2

PSD2 – Open Banking for Third Party Providers

The second EU Payment Services Directive (PSD2) introduces some changes to payment services within the European Union. The objective of PSD2 is to create a more uniform, transparent and open EU payment market and bring innovation, competition and security to all the market players.

If you are a third-party service provider seeking access to N26 PSD2 interfaces, you must be licensed by a national regulatory authority. In Germany, this is the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) in Bonn. You’ll also need a qualified certificate (QWAC). Such certificates can be obtained from Qualified Trusted Service Providers (QTSP


Our dedicated interface is the REST API which conforms to Dublin Group Implementation Guidelines version 1.3.6

Authorisation protocol: oAuth 2.0

Note: A valid QWAC Certificate is required to access the Dublin Group API. The official list of QTSP is available on the European Commission eIDAS Trusted List. For the Woohoo Pay PSD2 Dedicated Interface API, the QWAC Certificate must be issued from a production certificate authority.

Woohoo Pay PSD2 – Sandbox – Dublin Group – API Documentation

Contingency Mechanism 

As part of its legal obligations under PSD2, Woohoo Pay has implemented a contingency mechanism, which provides the following:

  1. Reliable identification of a TPP via possession of a valid Qualified Website Authentication Certificate (QWAC);
  2. Secure and authorised access to an account

TPPs may access our contingency mechanism via the following URLs:

Access to the above URL and establishing the TLS connection requires implementation of a qualified certificate.

Please find the detailed technical documentation for the fallback interface below:

AISP Fallback Documentation

PISP Fallback Documentation

TPPs may contact Woohoo Pay by using this form


The reports below compare the availability and performance of our PSD2 dedicated interface with the Woohoo Pay user interface:

Q3 2019 / Q4 2019 Q1 2020 / Q2 2020 / Q3 2020 / Q4 2020

  • Feb 3, 2021 token.io interface (deprecated from Nov 4, 2020) will be fully disabled from Mar 1st, 2021
  • Nov 4, 2020 The N26 PSD2 PISP Open Banking API has been released (Dublin Group 1.3.6 conformity). Token.io interface is deprecated.
  • Oct 22, 2020 We’ve just released the brand-new version of our PSD2 AISP Open Banking API, compliant with the Dublin Group 1.3.6 specification.

PSD2 – Secure Open Banking


What is PSD2?


Payment Services Directive 2 (“PSD2”) is a revised European directive allowing you to access your account information and initiate payments through regulated third-party providers in a safe and secure manner. This means that you can permit regulated Third Party Providers to access your account information through a dedicated interface:

  • You can enable an Account Information Service (AIS) to pull together data from different bank accounts you may have, and then aggregate and manage their details in the same place through certified third-party providers.
  • You can securely pay at the checkout of any website that offers Payment Initiation Services (PIS).

The data exchange is handled in the background via our partner – Token.io.


How does it work?


If you begin using a third-party payment service like an Account Information Service or a Payment Initiation Service, you’ll be redirected to your Woohoo Pay app via Token.io to confirm the access request.

In our Privacy Policy  we inform you about the purposes, involved parties and legal bases of the necessary data processing involved to fulfil our obligations as part of the revised European Payment Services Directive.




Why can’t I link any Third Party Provider to my account?

If a third party provider has not integrated with our dedicated interface, the third party provider will need to integrate with our dedicated interface via our partner Token.io.

How can I revoke an individual access permission I have granted to a third party provider?

You need to contact the respective Third Party Provider and revoke the access permission directly with them. 

*applies to all countries in the EEA.