All API endpoints are protected using mutual TLS and require a valid eIDAS certificate, which are issued by one of the approved Trust Centers. In Germany, these test certificates are issued, among others, by the Bundesdruckerei.The certificate is being validated and the given TPP roles (AIS, PIS or PIIS) are extracted. If the certificate is invalid or lacks the required permissions level for the given request, the API will respond with a 403 error.