Instantor identification in Finland.

Identification documentation

Banks in Finland have requested that Instantor identify itself when it scrapes internet banking.

Instantor decided to add query parameters to the initial request. All parameters are signed, and the signature is added to the request as well. Banks can extract the parameters and verify that they have not been tampered with, which confirms that Instantor is indeed the one sending the request.

Identification example

If we have online banking at, an example identification request would be



The verification procedure comes down to:

  1. Check the URL parameters to see that Instantor is the one trying to log in
  2. Combine the URL parameters into a single value that will be verified
  3. Verify the value using Instantor's public key and the signature

Verification example

This example stores the data in files and then uses openssl to verify it.
Example URL is


Get the Instantor public key
Download the Instantor public key used for signature verification from here

Create a file with the data to verify
Create a contentFile.txt file containing the values of X-AISP-NAME, X-AISP-ORGNUMBER, X-AISP-COUNTRY and X-AISP-TIMESTAMP, separated by semicolons.

File name: contentFile.txt
File content: Instantor AB;556818-2835;Sweden;12312341234

Create a file with the signature
Create a signature.sha256 file containing the value of X-AISP-SIGNATURE.

File name: signature.sha256
File content: ILQVHqWYD1Ct5sm7VeHz7JNPgR3v89H4mleVpV2h2sk7Ryt+X6iDOrCWX5YLYQ/8Ud7Ns7ORpAfkzEamplhbFoyE33LOJvLHKouEVXPqWBNED3yXeJfcPqfpgu2LXi2l588kMqM8LVg25HqaoPS9AfzmbLM4m15lRWUfkqQw3gon55bVoS6DTBOLeqAMQ+4iLHfENlzcqPWtYscCaFmScuakEcPc3vfsIir1fol7Gzc0gzrpcAL3bBi0UWBiUN4b/yyqvzaKE44QllkK5vFWGr8XA66I+UPp515Ma1AcvXBf4tfwyp4oGkxXWgileT3z0moyqu/Ekx41u4xn3VTVcA==

Verify the data
Use the openssl command (Linux), which can be downloaded at

openssl base64 -d -in {path_to_signature.sha256} -out /tmp/temp.sha256

openssl dgst -sha256 -verify {path_to_public_key} -signature /tmp/temp.sha256 {path_to_contentFile.txt}

As a result of the second command you will get:
Verified OK - if the text is valid
Verified Failed - if the text has been changed and is not valid.
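
The three verification steps above as one shell function, shown as an added example that is not Instantor's own code. It assumes the five X-AISP-* values arrive already URL-decoded, pins the name and organisation number from this page's example as the expected identity, and uses a throwaway RSA key pair (constructed here, not Instantor's) for the demonstration.

```shell
#!/bin/sh
# Added example, not Instantor's code. Assumes the web framework has already
# URL-decoded the five X-AISP-* query parameters of the incoming request.
EXPECTED_NAME='Instantor AB'       # identity values from this page's example
EXPECTED_ORGNUMBER='556818-2835'

# aisp_verify NAME ORGNUMBER COUNTRY TIMESTAMP SIGNATURE_B64 PUBKEY_PEM
# Exit status: 0 = verified, 1 = rejected, 2 = usage or setup error.
aisp_verify() {
    [ "$#" -eq 6 ] || return 2
    # Step 1: the request must claim to come from Instantor at all.
    [ "$1" = "$EXPECTED_NAME" ] && [ "$2" = "$EXPECTED_ORGNUMBER" ] || return 1
    av_dir=$(mktemp -d) || return 2
    # Step 2: join with semicolons. printf '%s' adds no trailing newline; a
    # newline appended by an editor or by echo changes the signed bytes.
    printf '%s;%s;%s;%s' "$1" "$2" "$3" "$4" > "$av_dir/content"
    av_rc=1
    # Step 3: decode the one-line base64 signature (-A), then verify with the
    # same "openssl dgst" call as in the text. Decide on the exit status.
    if printf '%s' "$5" | openssl base64 -d -A > "$av_dir/sig" 2>/dev/null &&
       [ -s "$av_dir/sig" ] &&
       openssl dgst -sha256 -verify "$6" -signature "$av_dir/sig" \
           "$av_dir/content" >/dev/null 2>&1; then
        av_rc=0
    fi
    rm -rf "$av_dir"
    return "$av_rc"
}

# Constructed fixture: a throwaway RSA key pair in directory $1 stands in for
# Instantor's key pair. Prints a base64 signature over the string $2.
aisp_sample_sign() {
    [ -f "$1/priv.pem" ] || {
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/priv.pem" 2>/dev/null &&
        openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
    } || return 2
    printf '%s' "$2" | openssl dgst -sha256 -sign "$1/priv.pem" | openssl base64 -A
}

# Demo on constructed data: one intact request, one with a changed timestamp.
demo_dir=$(mktemp -d)
demo_sig=$(aisp_sample_sign "$demo_dir" 'Instantor AB;556818-2835;Sweden;12312341234')
aisp_verify 'Instantor AB' 556818-2835 Sweden 12312341234 "$demo_sig" \
    "$demo_dir/pub.pem" && echo "signed request: accepted"
aisp_verify 'Instantor AB' 556818-2835 Sweden 99999999999 "$demo_sig" \
    "$demo_dir/pub.pem" || echo "tampered timestamp: rejected"
rm -rf "$demo_dir"
```

The signature covers X-AISP-TIMESTAMP, so a verifier can also compare that value against its own clock; the timestamp format is not given on this page.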