How are Open Banking Key Ids (
kid) Generated? (1 mins read).
Sharing insight into how Open Banking has generated their
kids for use with JWTs.
I work on Open Banking APIs for a UK credit card provider.
A large reason I see that the data isn't made directly available to the customer is because if the customer were to accidentally leak / lose their own data, the provider (HSBC, Barclays etc) would be liable, not you. That means lots of hefty fines.
You'd also likely be touching some PCI data, so you'd need to be cleared / set up to handle that safely (or having some way to filter it before you received it).
Also, it requires a fair bit of extra setup and the use of certificate-based authentication (MTLS + signing request objects) means that as it currently sits you'd be need one of those, which aren't cheap as they're all EV certs.
Its a shame, because the customer should get their data. But you may be able to work with intermediaries that may provide an interface for that data, who can do the hard work for you, ie https://www.openwrks.com/
Recommended read: The Future of Monzo - What Does Open Banking Mean for Monzo? https://youtu.be/t_oAsDWYjM8