Overview

The B2B CSC (Cloud Signature Consortium) API provides a synchronous implementation of the CSC v2.1 specification tailored for remote BankID B2B merchant certificate signing.

It enables clients to request digital signatures over precomputed hash values using signing credentials associated with their OIDC client.

Features

  • Remote signing of one or more Base64-encoded hash values, returning PKCS#1 signatures.
  • Returns OCSP validation data for the leaf certificate to support signature validation.
  • Exposes service metadata, supported methods, hash/signature algorithms, and OAuth2 authorization details via the info endpoint.

Key Endpoints

  • POST /v0/b2b/csc/v2/info and GET /v0/b2b/csc/v2/info — Service information: metadata, supported methods, algorithms, and optional OAuth2 server details.
  • POST /v0/b2b/csc/v2/credentials/list — Returns credential IDs associated with the OIDC client (optionally certificate chain and printable certificate info).
  • POST /v0/b2b/csc/v2/signatures/signHash — Creates PKCS#1 signatures for one or more provided hashes; includes OCSP data for the signing certificate.

Authentication & Authorization

  • Uses BearerAuth with OAuth2 + DPoP and scope esign/b2b. Client credentials and authorization code flows may be supported, depending on service configuration. No authentication parameters are required in request bodies.

Signature and Validation Details

  • Signatures: PKCS#1 on
  • OCSP: Returned as BasicOCSPResponse (not the full OCSPResponse structure). Some libraries expect the full structure; if yours does, wrap the returned value in an OCSPResponse before passing it on.
  • Hash algorithms and signature OIDs: Reported via the info endpoint to ensure clients select supported options.
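
The wrapping mentioned in the OCSP bullet above, as an added example that is not part of this API's documentation or code: it builds a full RFC 6960 OCSPResponse around BasicOCSPResponse DER bytes. The function names are hypothetical, and the input is assumed to be already decoded from its transport encoding to raw DER.

```python
# Added example: wrap a DER BasicOCSPResponse in a full OCSPResponse (RFC 6960).
# Function names are hypothetical; the input is assumed to be raw DER bytes.

# DER encoding of OID 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic).
ID_PKIX_OCSP_BASIC = bytes.fromhex("06092b0601050507300101")


def der_len(n: int) -> bytes:
    """Encode a DER definite length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def declared_size(der: bytes) -> int:
    """Total element size (header + content) declared by the DER header."""
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def wrap_basic_ocsp(basic_der: bytes) -> bytes:
    """Return OCSPResponse DER containing the given BasicOCSPResponse.

    Only the envelope is added: responseStatus is set to successful(0),
    which describes the responder's reply, not the certificate status.
    The signed BasicOCSPResponse bytes are embedded unchanged.
    """
    if len(basic_der) < 2 or basic_der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE (BasicOCSPResponse)")
    if declared_size(basic_der) != len(basic_der):
        raise ValueError("truncated input or trailing bytes")
    # ResponseBytes ::= SEQUENCE { responseType OID, response OCTET STRING }
    response_bytes = tlv(0x30, ID_PKIX_OCSP_BASIC + tlv(0x04, basic_der))
    # OCSPResponse ::= SEQUENCE { ENUMERATED status, [0] EXPLICIT ResponseBytes }
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, response_bytes))
```

The wrapper does not verify anything; the responder signature and the certificate status inside the BasicOCSPResponse still have to be checked by the validation library that consumes the result.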

Behavior & Limits

  • All methods are synchronous.
  • Multi-signing: multiple hashes can be signed in a single request.

Environments

  • Public testing: https://api.preprod.esign-stoetest.cloud
  • Production: https://api.esign-stoe.cloud

Typical Flow

  1. Call info to discover supported algorithms and methods.
  2. Validate chosen hash algorithm OID and signature OID against the info response.
  3. Use credentials/list to obtain credential IDs and, if needed, retrieve certificate chain and info.
  4. Call signatures/signHash to produce PKCS#1 signatures over your precomputed hash values.
  5. Verify signatures, using returned OCSP data to confirm certificate status.

When to Use This API

  • Building signing outputs other than SDO (e.g., CAdES, XAdES, PAdES).
  • Needing direct access to PKCS#1 signatures and OCSP data for custom signature formats.

For the full OpenAPI specification, see the B2B BankID CSC OpenAPI documentation.