Skip to content


Please note

The RSS API feature has been temporarily discontinued by the SERMI organisation. For more information, please see our changelog

This page contains information for RSSs generating chain authorisation requests via the RSS API. For information about the authorisation process, please see Chain authorisation.


CAB invitation

Before a chain authorisation request can be generated on behalf of an RSSE, they must first have registered with the CAB and created their certificate in the Digidentity app. For more information about the invitation and registration process, please see: Test Accounts.

RSS Onboarding

RSS onboarding can begin in Digidentity's pre-production environment as soon as a mutual NDA has been signed between the RSS and Digidentity.

Once this is complete, an internal request will be made to our Implementation team to provide your OAuth client credentials (client_id, client_secret, API key, and scope). These will be sent securely via email to the RSS's elected technical contact.

Employee UIDs

In order to generate a chain authorisation request, the RSS must first obtain UIDs for the RSSE (CABUID, RSSUID, and RSSEUID). There are two methods the RSS can use to retrieve these UIDs:

Employee certificate

After receiving CAB authorisation and creating a certificate, RSSEs can share their UIDs by tapping the 'Need help with this service?' link in the Digidentity app (click here for a video guide).

Once the RSSE has been authorised by a CAB, the UIDs they have been assigned will not change, so the values shared should not require updating.

Login portal

If the RSS has a large number of employees, or wishes to automate the process of retrieving employee UIDs, they may choose to implement a login portal in the same method as a VM (more information here).

Once logged in, the RSSE's UIDs will be returned in the user_info response as follows:

    "sub": "e2x0a6mp-37l0-42ps-94ef-u69755438d3o",
    "cabuid": "EXA/NL/1234/1EXA2MP34LE5",
    "rsseuid": "NL/EXAMPLECAB/9876543210D"

Please note

The RSS will not require any UIDs from the IOE to create a chain authorisation request. Once a request has been created on behalf of an RSSE, it can be accepted by any IOE.

API specification

Once the RSSE's UIDs have been retrieved, a chain authorisation request can be created via our RSS API (documented in our full API specification at