Communication between the TPP and the production API is always secured by a mutually authenticated TLS connection using TLS version 1.2. The TPP initiates this connection, and it must always be established with client (i.e. TPP) authentication.

For this authentication, the TPP has to use a qualified certificate for website authentication (QWAC). This certificate has to be issued by a qualified trust service provider in accordance with the eIDAS regulation, and its content has to comply with the requirements of the EBA-RTS.

The certificate of the TPP has to indicate all the roles the TPP is authorized to use. During the first connection setup, the TPP will be automatically on-boarded and registered (enrolled) in the bank database. However, for security purposes, the bank requires the client certificate to be presented with each request.
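The following sketch, added here as an illustration and not taken from the bank's own code, shows both ends of the connection described above using Python's standard `ssl` module, plus a per-request check that a verified client certificate is still present. The function names, the file-path parameters and the sample certificate dict are assumptions, and TLS 1.2 is treated as the minimum accepted version.

```python
import ssl
import time

ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # assumption: TLS 1.2 is the floor

def api_server_context(qtsp_ca_file=None):
    """API side: the handshake fails unless the client presents a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # client (TPP) authentication is mandatory
    if qtsp_ca_file:  # hypothetical path: CA bundle of the trusted QTSP issuers
        ctx.load_verify_locations(cafile=qtsp_ca_file)
    return ctx

def tpp_client_context(qwac_cert=None, qwac_key=None):
    """TPP side: verify the API's certificate and present the QWAC."""
    ctx = ssl.create_default_context()  # server cert and hostname are verified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if qwac_cert:  # hypothetical paths to the QWAC and its private key (PEM)
        ctx.load_cert_chain(certfile=qwac_cert, keyfile=qwac_key)
    return ctx

def admit_request(tls_version, peer_cert, now=None):
    """Per-request check on SSLSocket.version() and SSLSocket.getpeercert()."""
    if tls_version not in ACCEPTED_VERSIONS:
        return False, "TLS version below 1.2"
    if not peer_cert:  # None or {}: no verified client certificate
        return False, "no client certificate presented"
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(peer_cert["notBefore"]):
        return False, "client certificate not yet valid"
    if now > ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return False, "client certificate expired"
    return True, "ok"

# Constructed sample in the dict format returned by getpeercert(); not a real TPP.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example TPP Ltd"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
```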