About

The Open Finance Data Sandbox is a client-side static explorer that lets a TPP-perspective user load synthetic UAE customer personas and read every UAE Open Finance Bank Data Sharing payload they would receive, with mandatory / optional / conditional field treatment derived live from the published v2.1 OpenAPI spec.

It is contributed and maintained as part of the OpenFinance-OS Commons. Synthetic by construction — no real customer data, no anonymised data, no institution-specific operational detail. The Median LFI profile is a Commons-curated ecosystem assumption, not endorsed by Nebras or CBUAE, and is recalibrated quarterly as cross-LFI public evidence accumulates.

Source on GitHub · v1.0.0 release notes · Changelog · Contributing

What this sandbox is for

Underwriters, risk modellers, AML analysts and product managers stress-testing affordability / fraud / decisioning logic against worst-case (Sparse) and best-case (Rich) field-population shapes.
Fintech founders and pre-licence applicants assessing UAE OF feasibility before raising the next round.
SDK and tooling authors who want a deterministic test corpus they can pin and rerun in CI.
LFI compliance officers self-verifying their bank's emissions against the v2.1 spec.
Educators and journalists who want a citable, stable example of what a real OF payload looks like.

What this sandbox is not

Not a production decisioning system. It never runs a real credit decision, payment, or any other operation against live data.
Not a TPP runtime. It does not call the Al Tareq API Hub. It synthesises data from the spec; it does not consume real payloads.
Not a faithful simulation of any specific LFI. The Median populate-rate is a Commons-curated assumption from publicly available evidence.

Methodology — populate-rate bands

Every optional field in the v2.1 spec carries one of five bands. These are the qualitative vocabulary; the numeric calibration that drives the Median LFI generator is the engineering contract pinned in the source.

Band	Meaning	Median populate (v1)
Universal	Populated by all LFIs in practice.	1.0
Common	Populated by most LFIs.	0.7
Variable	Populated by some LFIs.	0.4
Rare	Only premium-product or mature-integration LFIs.	0.1
Unknown	No cross-LFI evidence yet.	0.0

Bands are revised quarterly as public evidence accumulates from the live API Hub and ecosystem reporting. The revision history is published on /changelog with a one-paragraph note explaining what changed and why.

Citation guidance

If you are referencing this sandbox in an article, blog post, slide deck, paper or LMS module:

Stable persona-level URLs. Every share-URL encodes (persona, lfi, seed) and reproduces the same payload bundle deterministically across machines. URLs are stable across deployments — pin tested at every build.
Embed mode. A chrome-less variant lives at /embed?persona=&lfi=&endpoint=&seed=&height= for iframe consumption. oEmbed metadata published.
TPP showcase journeys. If you are wiring sandbox personas into a TPP demo journey (sales deck, investor pitch, regulator demo, internal QA), see the integration guide for the four plug points (iframe, npm, PyPI, raw HTTPS).
Cite the spec, not the sandbox. The sandbox is the show-don't-tell complement; the authoritative source is the upstream UAE Open Finance Standards v2.1 OpenAPI spec at the pinned SHA.
Always describe the data as synthetic. The footer watermark is on every export and embed; please carry it through to the citation.

Stewardship

The sandbox is committed to a 24-month minimum maintenance window from public launch. Maintenance includes quarterly populate-rate band recalibration, spec-pin updates within 30 days of any upstream Nebras v2.x release on the ozone branch, bug-fix triage within 14 days of an issue report, and quarterly persona-library reviews.

If the maintainer can no longer continue, the sandbox will be offered to OF-OS Commons stewards for take-over with full repository access and 90 days of consultative support. The artefact will never go un-maintained without an explicit, public end-of-life notice on this page providing at least 90 days' warning.

Spec source & version pin

Standards baseline: UAE Open Finance v2.1 (Account Information API)
OpenAPI version: —
Upstream repo: —
Pinned SHA: —
Retrieved: —
Endpoints in scope: —
Total fields: —
Mandatory fields: —

Reporting issues & contributing

Every field card carries a Report an issue link that opens a pre-filled GitHub issue with the full reproduction context (persona, LFI, seed, pinned SHA, field path). Issues are triaged within 14 days.

Community persona contributions (PR-style) open in v2 alongside a contributing guide and SME review process. v1 and v1.5 remain maintainer-curated.

Privacy & analytics

The sandbox emits anonymous usage analytics to PostHog so the maintainer can see which personas, endpoints and integration plug-points actually get used. The full event list is exhaustive — these seven names are the only events the bundle will ever send, and the property keys they carry are likewise restricted:

Event	Fires when	Properties
`persona_load`	Page mount, persona switch, domain switch	`persona_id`, `domain`, `lfi`, `custom`
`lfi_switch`	LFI selector or compare-partner change	`from`, `to`
`endpoint_nav`	Navigator endpoint click	`endpoint`, `domain`
`field_click`	Field-name click in a payload table	`status`, `endpoint`
`raw_json_toggle`	Rendered ↔ Raw JSON toggle	`mode`
`export`	JSON / CSV / tarball download	`format`
`share`	Permalink, embed, npm, PyPI or curl snippet copy	`kind`

What is never captured: no IP address, no URL or referrer, no user agent or device fingerprint, no cookies, no localStorage, no field values, no search input, no persona identity beyond the seven persona slugs, no transaction values, no cross-session identifier. The PostHog SDK is initialised with autocapture: false, capture_pageview: false, disable_session_recording: true, persistence: 'memory', and a property blacklist covering every auto-property the SDK might otherwise attach. Each page reload generates a fresh random distinct-ID so PostHog cannot reconstruct a visitor across sessions.

The contract is enforced at build time: tests/analytics-allowlist.test.mjs fails CI on any non-allowlisted event, non-allowlisted property key, or PII-shaped key name; a Playwright contract (tests/e2e/analytics.spec.mjs) additionally asserts the SDK init options, the captured payload shape, and the absence of cookies and localStorage. To opt out entirely, any standard tracker-blocker (uBlock Origin, Brave Shields, Pi-hole) blocks the SDK without affecting the rest of the page.

Licensing

Code: MIT.
Synthetic data & fixtures: CC0 — public domain.
Vendored OpenAPI YAML: inherits the upstream Nebras-Open-Finance/api-specs licence; the maintainer verifies compatibility at every pin-SHA bump.