On May 31st, planned maintenance for the PSD2 and Business Account APIs took place between 01:00 and 06:00 AM. During this period, the APIs could have been temporarily unavailable.
Find more information about the public SSL/TLS Certificate update below.
In this section, we provide information on the availability of our environments.
| Operational | Production |
| Operational | Sandbox |
| Operational | Development |
In this section, we provide information on availability per API. We show our availability with the following terms: Operational, Outage, or Maintenance.
| Operational | Payment Initiation (PSD2) |
| Operational | Account Information (PSD2) |
| Operational | Confirmation Availability Funds (PSD2) |
| Operational | Business Account Insight |
| Operational | Business Account Insight - Batch Transaction Details |
| Operational | Business Account Payment |
| Operational | Business Account Payment - Instant |
| Operational | Business Account Notification |
| Operational | IBAN-Name Check |
| Operational | Pay by Invoice |
| Operational | FX Trade |
| Operational | Tikkie |
| Operational | Tikkie Cashback |
| Operational | Consumer Investments Instrument |
| Operational | Investment Asset Report |
| Operational | BUUT - Payment Initiation (PSD2) |
| Operational | BUUT - Account Information (PSD2) |
Go to this report for PSD2 API availability per month (Dutch only).
This notice applies to developer portal users who use a public SSL/TLS certificate for client authentication (mutual TLS) when connecting to the ABN AMRO APIs. Please find information below on what is changing, the deadlines, and what you need to do. For questions, contact support.
What is changing?
Public CAs will stop including Client Authentication (id-kp-clientAuth) in the Extended Key Usage (EKU) of newly issued public SSL/TLS certificates. This change is driven by browser and root program security requirements (led by Google Chrome). Public SSL/TLS certificates previously included both Server Authentication and Client Authentication EKUs. Client Authentication is now being phased out for public certificates.
Which certificates are affected?
Only newly issued, renewed, or reissued public SSL/TLS certificates (DV, OV, EV). Existing certificates remain valid until expiry.
What is the timeline?
Below you can find the timelines for DigiCert and Sectigo CAs. Both have a soft and hard deadline.
Soft deadline
After the soft deadline, the Client Authentication EKU is no longer included by default. It may still be available if explicitly requested (CA-dependent).
Hard deadline
After the hard deadline, the Client Authentication EKU will no longer be issued at all. Public certificates can no longer be used for client authentication.
Deadlines (DigiCert and Sectigo):
DigiCert
Soft deadline: 1st of October 2025
Hard deadline: 1st of March 2027
Sectigo
Soft deadline: 14th of October 2025
Hard deadline: 10th of February 2027
Note: If you use another CA, check their published timelines.
What do you need to do?
If you use mutual TLS with our APIs, please check the applicable timelines. Until your CA's hard deadline, renew or request new public SSL/TLS certificates with the Client Authentication EKU. This may require an explicit request to your CA. How to include the Client Authentication EKU depends on your CA, for example:
Some CAs keep including it by default until their hard deadline.
Some CAs provide an option (for example, a checkbox) to include it.
Some CAs require a support ticket.
Some CAs require a special account or software package to request the certificate with the Client Authentication EKU.
If you are unsure, check with your CA.
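To confirm that a renewed or reissued certificate still carries the Client Authentication EKU, the following added example (not ABN AMRO code) inspects a PEM certificate with the OpenSSL CLI. The function names, return codes and the 90-day renewal window are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not ABN AMRO code): check whether a PEM certificate can still
# be used for mutual TLS. Names, return codes and the 90-day window are this
# example's own assumptions.
#
# check_client_cert <cert.pem> [days]
#   0 = clientAuth EKU present, not expiring within <days>
#   1 = clientAuth EKU present, expires within <days> (renew before the CA's hard deadline)
#   2 = clientAuth not listed in the Extended Key Usage
#   3 = file missing or not a parseable certificate
check_client_cert() {
  local cert="$1" days="${2:-90}" text eku
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 3
  # OpenSSL prints the EKU values on the line after the extension header;
  # id-kp-clientAuth is rendered as "TLS Web Client Authentication".
  eku=$(printf '%s\n' "$text" |
    awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }')
  echo "EKU:      ${eku:-<none>}"
  echo "Expires:  $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
  case "$eku" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "Result:   clientAuth missing, not usable for mutual TLS"; return 2 ;;
  esac
  if ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
    echo "Result:   clientAuth present, but expires within $days days"; return 1
  fi
  echo "Result:   clientAuth present"
}

# Constructed sample input: a throwaway self-signed certificate (and key).
# make_sample_cert <out.pem> <days> <eku-list>
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=constructed-sample" -days "$2" \
    -addext "extendedKeyUsage=$3" >/dev/null 2>&1
}
```

Run `check_client_cert` against the certificate you present for mutual TLS after every renewal or reissue, since a CA may drop the EKU by default once its soft deadline has passed.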
How will we provide access to our APIs in the future?
Public SSL/TLS certificates will no longer be usable for client authentication. Client authentication will require a separate, non‑publicly trusted certificate type.
We are implementing alternatives to maintain secure TLS connections. The approach may vary per API product; check the API product requirements page on the developer portal for updates.
More information
Check the requirements for your specific API Product and for any questions, contact support.
Security is a top priority for ABN AMRO. To ensure secure banking for our customers, we are continuously improving our systems and processes to maintain their reliability. However, if you notice anything, we would appreciate it if you would report it to us. Please report any vulnerabilities, bugs, or errors regarding APIs by contacting us via support. If you want to help proactively, view our HackerOne page to see how you can help by becoming a bug hunter.