Sandbox Encryption Keys

Corporate Sandbox Encryption


API Security at HSBC

HSBC maintains a secure connection to its Corporate APIs through multiple layers of security:

  • Transport Level Security - to secure the connection
  • Client Credentials or Signed JSON Web Token - to identify and authenticate
  • Message Level Encryption - to secure the communication and authorise the exchange

To provide a representative test environment, the Corporate Sandbox supports PGP encryption and the exchange of public and private keys via the sandbox project workflow.


Sandbox encryption keys

During the sandbox project creation workflow, a set of sandbox PGP encryption keys is dynamically created and the key exchange procedure takes place automatically. This removes any manual setup by the HSBC admin team, so you can begin using our sandbox immediately.

To access the sandbox PGP encryption keys, first create a sandbox project using the create project workflow from the Dev Hub. Further details here: Sandbox Project - User Guide.

After creating a sandbox project for your chosen APIs, you can download the sandbox PGP keys with the Download Keys button. The download provides the files used in the sandbox message encryption process:

  1. On the Credential and Keys pane, click on the Download Keys button.
  2. A zip file containing the HSBC public key and the client's private and public keys is presented.
  3. Save the file to a secure location for use in the message encryption process.

Files provided include:

| File | Description |
|---|---|
| hsbc-public.key | Use the HSBC Public Key to encrypt the request sent to the Corporate API Sandbox. |
| client-private.key | For Treasury APIs: use the Client Private key to sign the request sent to the Treasury API Sandbox and decrypt the response received from the Treasury API Sandbox. For Trade Finance APIs: sign the JSON Web Token using the Client Private key and send it to the Trade Finance API Sandbox, and decrypt the response received from the Trade Finance API Sandbox. |
| client-public.key | The Corporate API sandbox will use this key to encrypt the response message before sending. This file is included for reference purposes only. |
| client-pgp-keys.info | This file contains the default passphrase for the key files. |
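
The file roles above, exercised with GnuPG for the Treasury-style flow (sign with client-private.key, encrypt to hsbc-public.key, decrypt the response with client-private.key). This is an added example, not HSBC's code: the function names, the `passphrase.txt` file holding the passphrase copied from client-pgp-keys.info, and the combining of signature and encryption in one OpenPGP message are assumptions, and the keys it generates are constructed stand-ins so it runs offline.

```bash
#!/usr/bin/env bash
# Added example, not HSBC code. File names match the key zip; passphrase.txt,
# the function names and every key generated here are constructed assumptions.
set -euo pipefail
G() { gpg --batch --quiet --yes --pinentry-mode loopback "$@"; }

make_standin_keys() {  # $1 = dir; constructed substitute for the downloaded zip
  local d=$1 bank=$1/bank-home gen=$1/gen-home pf=$1/passphrase.txt
  mkdir -p -m 700 "$bank" "$gen"
  printf 'constructed-passphrase' > "$pf"  # real value is in client-pgp-keys.info
  G --homedir "$bank" --passphrase '' --quick-generate-key 'Stand-in Bank' default default never
  G --homedir "$gen" --passphrase-file "$pf" --quick-generate-key 'Stand-in Client' default default never
  G --homedir "$bank" --armor --export > "$d/hsbc-public.key"
  G --homedir "$gen" --armor --export > "$d/client-public.key"
  G --homedir "$gen" --passphrase-file "$pf" --armor --export-secret-keys > "$d/client-private.key"
}

client_keyring() {  # $1 = key dir; imports client-private.key, prints keyring path
  local h; h=$(mktemp -d)
  G --homedir "$h" --passphrase-file "$1/passphrase.txt" --import "$1/client-private.key"
  echo "$h"
}

# Request: sign with the client private key, encrypt to the HSBC public key.
protect_request() {  # $1 = keyring, $2 = key dir, $3 = plaintext file, $4 = output
  G --homedir "$1" --passphrase-file "$2/passphrase.txt" --armor --sign --encrypt \
    --recipient-file "$2/hsbc-public.key" --output "$4" "$3"
}

# Response: decrypt with the client private key; plaintext goes to stdout.
open_response() {  # $1 = keyring, $2 = key dir, $3 = ciphertext file
  G --homedir "$1" --passphrase-file "$2/passphrase.txt" --decrypt "$3"
}

roundtrip_demo() {  # returns 0 when both directions work on the constructed keys
  local d ring='' bank rc=0; d=$(mktemp -d); bank=$d/bank-home
  make_standin_keys "$d" && ring=$(client_keyring "$d") &&
    printf '{"amount":"10.00"}' > "$d/req.json" &&
    protect_request "$ring" "$d" "$d/req.json" "$d/req.asc" &&
    G --homedir "$bank" --import "$d/client-public.key" &&  # sandbox stand-in from here
    G --homedir "$bank" --status-fd 3 --decrypt "$d/req.asc" 3> "$d/status" > "$d/req.out" &&
    grep -q GOODSIG "$d/status" && cmp -s "$d/req.json" "$d/req.out" &&
    printf '{"status":"ok"}' | G --homedir "$bank" --armor --encrypt \
      --recipient-file "$d/client-public.key" > "$d/resp.asc" &&
    [ "$(open_response "$ring" "$d" "$d/resp.asc")" = '{"status":"ok"}' ] || rc=1
  rm -rf "$d" ${ring:+"$ring"}; return "$rc"   # remove key material either way
}

if [ "${1:-}" = demo ]; then roundtrip_demo && echo "round trip OK"; fi
```

Run it with `demo` as the first argument to exercise both directions. With the real zip, skip `make_standin_keys` and pass the directory holding the extracted files as the key directory.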

Knowledge article: API Security at HSBC

Knowledge article: Sandbox toolkit

 
