# Get the Software Statement Assertion (SSA)

## Open Banking software statement

If you're using your Open Banking certificate, use the software statement signed by Open Banking. 
You can obtain this statement from the [Open Banking Directory](https://www.openbanking.org.uk/providers/directory/). 

You will need it when you create the JWT later.

## Self-signed software statement

If you're using your eIDAS certificate, you must use a self-signed software statement.
You will need this software statement when you create the JWT later.

To generate the self-signed software statement, you need to concatenate two base-64 encoded JSON objects.
The format is the same as that of a JWT but with no signature.

You can use the following webpage to encode the body and header of your SSA: https://www.base64encode.org/.
Tick the **Perform URL safe encoding** box to ensure it is base64url encoded.

Ensure that the software statement meets the following format. You can also check the included examples.

### Header

| SSA header     | Type                                                      | Description                                                                   | Required   |
| -------------- | --------------------------------------------------------- | ----------------------------------------------------------------------------- | ---------- |
| `alg`          | string                                                    | Use `none` as the only value  to indicate a self-signed software statement.   | Yes        |

#### Example

- SSA header:

    ```json
    {
      "alg": "none"
    }
    ```

- Base-64 encoded SSA header:

    ```shell
    ewogICJhbGciOiAibm9uZSIKfQ
    ```

### Payload

| SSA payload                   | Type     | Description                                                                                                                                                                                                                     | Required                                               |
| ----------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
| `org_jwks_endpoint`           | URI      | The JWKs endpoint. It must contain a signing key (QSealC) that matches with the `kid` provided in the JWT header of the registration request.                                                                                   | Yes                                                    |
| `org_name`                    | string   | Legal Entity Identifier or other known organisation name.  It will be shown in the UI when the user interacts with a consent for this application.                                                                              | Mandatory if `software_client_name` is not provided.   |
| `software_client_name`        | string   | The name of the application. It will be shown in the UI when the user interacts with a consent for this application.                                                                                                            | Mandatory if `org_name` is not provided.               |
| `software_on_behalf_of_org`   | string   | A reference to a fourth party organisation if the registering TPP is acting on behalf of another (shown in the UI when the user authorises a consent for this application).                                                     | No                                                     |
| `software_redirect_uris`      | URI      | The list of allowed redirect URIs, which must contain the same URLs as provided in the JWT `redirect_uris` later in [step 4: Create a JWT](/docs/guides/build-banking-apps/register-your-application-using-dcr/create-a-jwt).   | Yes                                                    |

:::note [Application name]
When both `org_name` and `software_client_name` are provided, `software_client_name` will be used as the application name. 

This name, together with the value in `software_on_behalf_of_org`, will be visible to the [PSU](/docs/guides/build-banking-apps/glossary) when authorising consents or when handling existing consent permissions.
:::

#### Example

- SSA payload:

    ```json
    {
      "org_name": "TPP Company Ltd.",
      "software_client_name": "Accounting Pro",
      "org_jwks_endpoint": "https://example.com/jwks",
      "software_on_behalf_of_org": "John Doe Co.",
      "software_redirect_uris": [
        "https://example.com/my_oauth_redirect"
      ]
    }
    ```

- Base-64 encoded SSA payload:

    ```shell
    ewogICJvcmdfbmFtZSI6ICJUUFAgQ29tcGFueSBMdGQiLAogICJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6ICJBY2NvdW50aW5nIFBybyIsCiAgIm9yZ19qd2tzX2VuZHBvaW50IjogImh0dHBzOi8vZXhhbXBsZS5jb20vandrcyIsCiAgInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiAiSm9obiBEb2UgQ28iLAogICJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjogWwogICAgImh0dHBzOi8vZXhhbXBsZS5jb20vbXlfb2F1dGhfcmVkaXJlY3QiCiAgXQp9
    ```

### Full Software Statement

#### Example

Resulting self-signed software statement:

```shell
ewogICJhbGciOiAibm9uZSIKfQ.ewogICJvcmdfbmFtZSI6ICJUUFAgQ29tcGFueSBMdGQiLAogICJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6ICJBY2NvdW50aW5nIFBybyIsCiAgIm9yZ19qd2tzX2VuZHBvaW50IjogImh0dHBzOi8vZXhhbXBsZS5jb20vandrcyIsCiAgInNvZnR3YXJlX29uX2JlaGFsZl9vZl9vcmciOiAiSm9obiBEb2UgQ28iLAogICJzb2Z0d2FyZV9yZWRpcmVjdF91cmlzIjogWwogICAgImh0dHBzOi8vZXhhbXBsZS5jb20vbXlfb2F1dGhfcmVkaXJlY3QiCiAgXQp9.
```

:::note
The signature of the self-signed software statement is an empty string (there is no string after the second dot).
:::