Hi - I've already logged this on the HSBC developer support site but they are ignoring it.
I'm not clear what the kid parameter of the JWT header should be. Usually it would be the key ID of the public signing certificate as per the JWK URI, but in the case of HSBC the certs / keys are not stored on the OB Sandbox Directory hence not listed on the JWK URI.
An alternative option is to use the OBWAC and OBSEAL keys / certs provided by the OB Sandbox Directory, but that returns a 401 error response.
So I've tested two different approaches with two different (failed) outcomes:
Scenario 1) Use WAC / SEAL created on HSBC Dev Portal, and assign kid = 'abc' (random value). This returns a JSON response (attached) which is possibly telling me how the request JWT should be structured? I've double checked my JWT against this structure and as far as I can tell they do match.
Scenario 2) Use WAC / SEAL created on OB Sandbox Dir, and assign kid = 'KZhULq6ARb0QFM0jWmFjKF-8ZPc' as per JWK URI. This creates the 401 error response.
I've attached the JWT and keys / certs for both scenarios, along with responses and WAC / SEALs.
Any help greatly appreciated.
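A local check for the `kid` question above, added as an example that is not part of the original post: it reads the `kid` from a JWT header and reports whether a JWKS document publishes a signing key under that ID. The JWKS contents, key IDs, and helper names are constructed for illustration, and the check says nothing about what any particular bank's API requires.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_kid(jwt_compact: str, jwks: dict) -> str:
    """Report whether the JWT header's kid resolves to a signing key in the JWKS."""
    parts = jwt_compact.split(".")
    if len(parts) != 3:
        return "malformed: expected header.payload.signature"
    header = json.loads(b64url_decode(parts[0]))
    kid = header.get("kid")
    if kid is None:
        return "no kid in header"
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        return f"kid {kid!r} not published in JWKS"
    key = matches[0]
    if key.get("use", "sig") != "sig":
        return f"kid {kid!r} found but use={key['use']!r}, not a signing key"
    if "alg" in key and key["alg"] != header.get("alg"):
        return f"kid {kid!r} found but alg mismatch"
    return f"kid {kid!r} resolves to a signing key"


# Constructed sample data: key IDs and values are placeholders, not real keys.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "sample-seal-kid", "use": "sig", "alg": "PS256", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "sample-enc-kid", "use": "enc", "n": "AQAB", "e": "AQAB"},
]}


def make_unsigned_jwt(kid: str, alg: str = "PS256") -> str:
    """Build a JWT-shaped string with a dummy signature, for header checks only."""
    header = b64url_encode(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": "constructed-client"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-signature')}"


if __name__ == "__main__":
    for kid in ("sample-seal-kid", "sample-enc-kid", "abc"):
        print(check_kid(make_unsigned_jwt(kid), SAMPLE_JWKS))
```

To use it against a real setup, replace `SAMPLE_JWKS` with the JSON fetched from the relevant JWK URI and pass the actual request JWT to `check_kid`.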