Steps for the Conformance Certification process
The certification process consists of three main parts:
- Completing the tests and publishing the results.
- Paying the certification fee and obtaining a payment code.
- Filling out a form with the certification information, and signing the self-declaration document.
This document goes through these steps in sequence.
1. Completing the tests
The first step is to ensure that your implementation has passed all the conformance tests for the profile you are targeting. Please see the resource-specific page for instructions on how to run the tests that are relevant in your case.
Once you have completed the relevant test plan(s), use the Publish for certification button in the test suite user interface to obtain a zip file which contains your test logs. You will need this zip file when you submit your certification request. If you are certifying for multiple profiles, you will need to obtain one zip file for each profile (using the “Publish for certification” button on each test plan). For example, if you’re certifying for Brazil Open Finance as an OP, you will need to obtain the zip files for both the “BR-OF Adv. OP w/ Private Key, PAR (FAPI-BR v2)” test plan and the “BR-OF Adv. OP DCR (FAPI-BR v2)” test plan.
⚠️ Important information for RP certifications
If you are certifying for RP profiles, then you
- Files should be named consistently using the test name as the file name prefix. For example, the log file for oidcc-client-test-invalid-iss should be named oidcc-client-test-invalid-iss.log or oidcc-client-test-invalid-iss-logs.txt or similar.
- If more than one file needs to be included for a test then they should be named oidcc-client-test-invalid-iss-1.log, oidcc-client-test-invalid-iss-2.log or similar.
- When a test plan contains the same test multiple times, e.g. for a hybrid profile, then the filenames must also contain the response type. For example, for a hybrid test plan, client log files for oidcc-client-test-invalid-iss should be named as follows:
- oidcc-client-test-invalid-iss_code-id_token.log
- oidcc-client-test-invalid-iss_code-token.log
- oidcc-client-test-invalid-iss_code-id_token-token.log
- The client data evidence must demonstrate that your application is detecting the error condition under test. As an example, the log file (or screenshot) for the test fapi1-advanced-final-client-test-invalid-shash must contain an indication that the application detected the invalid s-hash, by providing log files (or screenshots) from your server that show that the error was detected.
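A pre-submission check of evidence file names against the naming rules above; this is an added example, not an OpenID Foundation tool. The function names, the reading of "or similar" as "test name followed by `-` or `.`", and the sample file listing are assumptions made for illustration.

```python
import re

# Response-type tags exactly as they appear in the hybrid file names above.
HYBRID_TAGS = ["code-id_token", "code-token", "code-id_token-token"]
SUFFIX = re.compile(r"[-.]")  # assumption: "-1.log", "-logs.txt", ".log" all count as "similar"

def classify(filename, test_names, tags=()):
    """Return (test, tag) for an evidence file, or None if the name does not fit.

    Candidates are tried longest first, so code-id_token is never matched
    inside code-id_token-token and a short test name never shadows a longer one."""
    for test in sorted(test_names, key=len, reverse=True):
        if not filename.startswith(test):
            continue
        rest = filename[len(test):]
        if not tags:
            if SUFFIX.match(rest):
                return (test, None)
            continue
        for tag in sorted(tags, key=len, reverse=True):
            if rest.startswith("_" + tag) and SUFFIX.match(rest[len(tag) + 1:]):
                return (test, tag)
    return None

def audit(filenames, test_names, tags=()):
    """Return (missing, unrecognised): required (test, tag) pairs with no file,
    and files whose names do not follow the convention."""
    required = {(t, g) for t in test_names for g in (tags or [None])}
    seen, unrecognised = set(), []
    for name in filenames:
        hit = classify(name, test_names, tags)
        if hit:
            seen.add(hit)
        else:
            unrecognised.append(name)
    return sorted(required - seen), unrecognised

# Constructed file listing for a hybrid test plan (not real submission data).
TEST = "oidcc-client-test-invalid-iss"
SAMPLE = [
    TEST + "_code-id_token.log",
    TEST + "_code-id_token-token-1.log",
    TEST + "_code-id_token-token-2.log",
    TEST + ".log",                 # response type missing
    "invalid-iss_code-token.log",  # test-name prefix missing
]

if __name__ == "__main__":
    missing, unrecognised = audit(SAMPLE, [TEST], HYBRID_TAGS)
    print("missing evidence:", missing)
    print("unrecognised files:", unrecognised)
```

For a non-hybrid plan, call `audit` without `tags`; the check covers file naming only and says nothing about whether the log content shows the error being detected.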
2. Obtaining the Payment Code
Every certification profile has a different fee, depending on whether your company is a member of the OpenID Foundation. Before proceeding, check with your company if you would like to become a member of the Foundation to have a seat at the table for discussing and shaping the evolution of open standards.
To start the payment process, go to the Certification Payment page. You do not need to create an account to access this page, but if your company is a member, log in first to enable the member fee.
Entity Name, Version, and Email for Payment Code
The Certification Payment page requires you to enter the Entity Name, Implementer’s Email, and Deployment Name & Version.
The Entity Name and Deployment Name & Version are used to identify your company when we publish your certification on the Certification List page.
The Entity Name can be your company name, a trademark, or whatever makes the most sense for your context. The Deployment Name & Version identifies the actual software version that is being declared conformant.
While the OpenID Foundation does not enforce specific rules for the Entity Name, the Deployment Name & Version is required to identify a specific point in time. A version number is ideal for COTS products, but for SaaS products, it may be appropriate to use the current month and year.
The email address must be valid and monitored, as the Payment Code will be sent to that address.
Certification Profile
The payment process requires you to specify the certification type.
For Brazil and KSA FAPI profiles, select “FAPI”. For emerging open banking initiatives (such as ConnectID, UAE, Colombia, and Chile), select “FAPI2”.
The “IDPs” certification type is for deployments that transmit data, while the “RPs” certification type is for products that federate with those.
Payment Options
There are two payment options: via invoice or PayPal.
If you click “Pay with PayPal”, you will be redirected to PayPal. Once the payment is completed, a payment code will be displayed. Note that PayPal handles the card processing directly, and the exchange rate may vary.
If you click “Request an Invoice”, a payment code will be shown, and a manual process will begin. The OIDF staff will generate an invoice and send it to the implementer’s email address. This may take up to 2 days.
Payment Code
The payment code will be presented after paying via PayPal or requesting an invoice. Save it for later, as it will be required during submission.
3. Submitting the certification request
The remainder of the certification request process consists of filling out a form and then signing a document. Start by going to https://submissions.openid.net/. Fill out the form that you’re presented with. Please refer to the following list for an explanation of what the fields are for:
- Email confirmation to: This is the contact email for the certification request. Information, questions, and more will be sent to this address, so make sure that it’s an actively monitored email address.
- Entity name: The name of the company or developer behind the certification being published. Example: “ProseWare”.
- Deployment Name & Version: All certified software must have a version number. Example: “ProseWare Identity Platform v2.1” or “ProseWare June 2025”.
- Regulatory Regime: The relevant ecosystem, if applicable. Example: “Brazil Open Finance”.
- Payment Code: The payment code you obtained after completing step (2) in the Prerequisites section above. Example: “oidc-pid-47672fa19fc5aa25d7e07a628927cde2”.
- Declaration of Conformance: The information in this section will be used to generate the “Certification of Conformance” document, which will be electronically signed later as part of the submission process.
- Name of the responsible person signing the Declaration of Conformance: The full name of the person who will sign the document.
- Email of the responsible person: The email address of the person who will sign the document. An email with a link to complete the signature will be sent to this address.
- Implementer’s Authorized Contact Information: All published certifications must have an authorized contact person. This section collects information about that person.
- Name: The full name of the authorized contact person.
- Title: The title of the authorized contact person.
- Phone: The phone number of the authorized contact person.
- Email: The email address of the authorized contact person.
- Address: The postal address of the authorized contact person.
- Locality: The locality/region of the authorized contact person.
- Country: The country of the authorized contact person.
- Secondary contact and Implementation details: These sections are optional. Fill them out if applicable in your case.
- Exported Test Results: This is where you attach the ZIP file(s) obtained in step (1) of the prerequisites section. If you are certifying for multiple profiles, please select all the relevant ZIP files in the file selection dialog. For example, if you’re certifying for Brazil Open Finance as an OP, upload the ZIP file for both the “BR-OF Adv. OP w/ Private Key, PAR (FAPI-BR v2)” test plan and the “BR-OF Adv. OP DCR (FAPI-BR v2)” test plan.
Signing the Certification of Conformance document
After submitting the form, the signer will shortly receive an email from DocuSign with the subject “Declaration of Conformance signing”. You will receive one such email per uploaded ZIP file, so in the case of Brazil Open Finance mentioned above, you would receive two emails. Both documents must be signed individually by following the links in the email.
Completing the certification request process
Once all of the above steps have been completed, your submission will be placed in a queue for processing. When the request is approved—or if there are any issues with the submission—you will be contacted using the email address provided in the “Email confirmation to” field.