PSD2 · PSD3 · PSR · FIDA VERSION 5 push + pull · European Union Flag

The gatekeeper
between your regulated APIs and the world.

We provide the authoritative trust anchor between your regulated APIs and the TPP ecosystem. Our engine automates the complex verification of eIDAS certificates and regulatory roles, giving you the real-time clarity needed to grant or deny access — instantly.

New in v5 — subscribe once and we push signed webhook events the moment a certificate is revoked, a role is withdrawn, or a passport is dropped. Push vs pull ↓

Request trial → Read the docs
Qualified TSPs
48
Jurisdictions
31
p95 latency
78ms
Uptime · 12mo
99.99%
POST api.tppvalidation.com/v5 [for all jurisdictions] ● TLS 1.3 · mTLS
Drop .pem / .cer / .crt here, or paste PEM
Upload file Run demo cycle
Verdict →
Awaiting handshake…
§ 01How it works

Four checks per request. Then we keep watching.

01 — Inbound

eIDAS Introspection

Forward any QWAC or QSealC PEM for instant chain-of-trust verification. We validate QTSP signatures and extract all PSD2 attributes in a single atomic pass.

INPUTX.509 + PSD2 ext.
02 — Verify

Chain & revocation

Full-path validation against EU Trust Lists with OCSP and CRL fallback. Zero-cache policy: every check uses live-refreshed anchors (updated hourly).

SOURCESTSL · OCSP · CRL
03 — Confirm

Regulatory standing

Real-time mapping of licenses and cross-border permissions. We bridge the gap between national registers to confirm an entity's standing in your target markets.

REGISTERSEBA · FCA · 30 more
04 — Gate

Deterministic Logic

Cryptographically signed results with hash-chained provenance. Traceable to source records and tamper-evident—providing immutable grounds for your enforcement.

OUTPUTStatus · Auhtorizations · Grounds
v5 · the gate that calls you back

Two modes. Same verdict. One contract.

We have asked us the same thing for years: "why not push, rather than pull" So we built it.

PULLv4/v5 · per request

You ask, we answer.

Submit incoming certificates to ourendpoint and apply your own compliance ruleset on our responses. Simple, synchronous, works today.

BANK — POST /v5 → TPPVALIDATION
BANK ← 200 OK · ALLOWED — TPPVALIDATION 
{
 "organizationIdentifier": "PSDFR-ACPR-16828",
 "serialNumber": "107134684502035741319485938482960176000",
 "timestamp": 1776614411000
}
  • 200 OK / 422 ERR
  • Reject Reason(s)
  • Median 78 ms end-to-end
  • Every call re-hits latest anchors
  • No state on your side
  • Auditable Responses
PUSHv5 · subscribe once

We tell you, the moment something changes.

Simply add a Webhook URL with your initial Certificate request. We then POST a signed event to your webhook immediately when anything changes.

TPPVALIDATION — POST /webhooks/tpp → BANK 
{
  "event_type": "cert.status_changed",
  "data": {
    "issuer_hash": "773ddc302ea5b96b",
    "serial": "6145605090800385797785912406225945772",
    "entity_name": "Plaid, B.V.",
    "old_status": "valid",
    "new_status": "invalid",
    "reason": "certificateExpired",
    "checked_at": "2026-04-19T19:58:51.243Z"
  }
}
  • 0 ms at request time — the update is already in your system
  • Events: cert.revoked · cert.role_changed · cert.expired · cert.passport_dropped
  • HMAC-signed with a rotating key · defensible in audit
Most customers run both: pull on first handshake, push thereafter. We reconcile the two into one audit trail.
0ms p95
End-to-end verdict
0M / mo
Validations processed
0%
Uptime — trailing 12 months
0+
API "Standards" supported
§ 02Compliance

Built for what is, ready for what is next.

PSD2Directive 2015/2366
Every AISP, PISP and CBPII interaction across 27 EU states and the EEA — role checks, passporting and article-compliant verdicts.
● Active
PSD3Proposal 2023/367
Strong Customer Authentication evolves, new liability split, consolidated licensing. Our schema already tracks the draft attributes.
◌ Ready
PSRRegulation (EU) TBD
Harmonises conduct rules across the union. Validation rules are versioned per regime — flip a header, get the right verdict.
◌ Ready
FIDAFinancial Data Access
Beyond payments — mortgages, pensions, investments. Data-holder and data-user roles, permission dashboards, FISP registration.
◌ Ready
eIDAS 2.0Regulation (EU) 2024/1183
EUDI wallet trust anchors, qualified attestations, cross-border identity. Our trust lists refresh every 15 minutes.
● Active
§ 03Agentic AI

Validation, where your team already works.

ai.tppvalidation.com/mcp

Native MCP endpoint

Plug our validation tools directly into Claude, Cursor or any MCP-capable agent. Every verdict is a tool call, every check a structured resource.

tools/list → validate_tpp, lookup_provider, check_revocation tools/call · validate_tpp ALLOW · AISP + PISP · DE · session 0x8f2c
ai.tppvalidation.com/slack

Slack commands

A slash command away from a verdict. Paste a cert, mention a provider, get a signed response in-channel with full audit link.

@lena /validate · PEM SE,FR,DK ✓ ALLOW · ATLAS BANK AISP · AISP + PISP
cert valid · OCSP valid · jurisdiction SE,FR,DK audit · verdict 0x8f2c.jwt
ai.tppvalidation.com/teams

Microsoft Teams

Adaptive Card responses, SSO through your tenant, and Graph-integrated audit trails. For the compliance team that lives in Teams.

Compliance channel @TPP find OAKRIDGE CAPITAL ✓ ALLOW · FRN 789245
AISP + PISP + CBPII · GB
[ Open verdict ] [ Replay ] shared to Compliance · 14:02 UTC
§ 04Deploy anywhere

Our repo. Any tenant. Your sovereignty.

SaaS · Managed

Hosted by us

Multi-region EU endpoint on Cloudflare + Azure. Fastest path to production, zero ops.

Private · Azure Marketplace

Your Azure tenant

Deploy into your own subscription. Data sovereignty, funded by existing MACC credits.

Source · One-time

Own the code

Buy the source, run it behind your gateway. Optional maintenance contract.

§ 05Pricing

Priced like infrastructure, not like a SaaS.

Explorer
Free/ forever

Everything you need to test validation during integration and CI.

  • Rate limited validations
  • All EU + UK registers
  • Test eIDAS certificates
  • Webhook sandbox · dry-run events
  • Chat support
  • Self-Service Pre-flight
Validate Now →
Production
€5/ hour

Secures your regulated APIs 24/7/365. Scales from first flows to peak traffic.

  • Note Rate Limitations
  • Webhook events · Classic Req/Res
  • HMAC-signed audit trail
  • 99.99% SLA · Multi-cloud
  • Personal technical contact
  • Annual plans · Contract free monthlys
Request trial →
Institution
Custom/ annual

Dedicated environment, private trust anchors, deployment beside your core.

  • On-prem or private VPC
  • Private webhook delivery mesh
  • GitHub Repository access
  • Custom policy DSL
  • None exclusive, none competitive license
  • Custom contract terms
Request Technical Briefing →
§ 06Endpoints

Quick Setup. Simple Customization. GO!

CONTROL AND MANAGE DIRECTLY WITHIN YOUR CURRENT CONTROL PLANE

Simple Integration by "low-code" gateway integration + hmac event notifications.

We abstract the regulatory plumbing so your engineers write business logic, not X.509 parsers.

POST/v4Submit PEM
POST/v5Submit PEM + opt WH_URL
GET/audit/{id}/{hash}View Audit Log
GETPOST/v5/mcpAgentic Tool-call
POST/v5/slackSlack Cmd (Available in Slack Store)
POST/v5/teamsTeams Bot (Available in Azure Marketplace)
Full OpenAPI spec →
Claude config assistant
Let me write the implementation for 

        

        

          Example configuration — review before deploying
          Copy
        

      

    

  







  

    
Every regulated API
deserves someone that calls you back.

    
    

      
      
      
    

    
    
  











  
Preferences 

  

    Theme
    

      
      
    

  

  

    Density
    

      
      
      
    

  

  

    Motion