Introduction
Access to Environments
Allpay Production
Status | Live |
Certificate | Production |
URL | https://priora.saltedge.com |
Provider code | allpay_production |
Launch date | 22 June 2022 |
Allpay Sandbox
Status | Sandbox |
Certificate | Test/Production |
URL | https://priora.saltedge.com |
Provider code | allpay_sandbox |
Creation date | 25 March 2021 |
Test credentials (Oauth)
Username
Password
Token
Changelog
Timestamp | Change/note |
---|---|
12 Apr 2023 |
Following the FCA recommendation under PS21/19, this dedicated interface enables the SCA exemption under SCA-RTS Article 10A for AISPs.
This feature allows the AISPs to create a consent longer than 90-days, not limited. AISPs must reconfirm customer consent under Article 36(6) of the SCA-RTS, and must not access information without the customer actively requesting it unless the customer has reconfirmed the consent within the previous 90 days.
When a customer fails to reconfirm consent on the AISP side after 90 days, AISP must stop accessing the customer’s account information.
In case you need any assistance on the above please contact us at: compliance@saltedge.com |
23 Dec 2021 |
The CBC-mode cipher encryption will be disabled on PSD2 APIs and the following cipher suites will no longer be supported since 3rd February 2022:
|
Definitions
Term | Definition |
API | Application Programming interface. A set of definitions, protocols, and tools that can be used to create applications, interact with other applications, and exchange data. |
Provider | Represents the ASPSP. A bank or financial institution that offer payment accounts with online access. |
ASPSP | Account Servicing Payment Service Provider. Payment service provider providing and maintaining a payment account for a payer. |
TPP | An entity authorised to access accounts on behalf of customers but that does not operate those accounts themselves. TPPs include PISPs, AISPs, and PIISPs. |
PSU | Payment Service User. Natural or legal person making use of a payment service as a payee, payer or both. |
AISP | Account Information Service Provider. Provides account information services as an online service with consolidated information on one or more payment accounts held by a payment service user with one or more payment service provider(s). |
PISP | Payment Initiation Service Provider. Provides an online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider. |
PIISP | Payment Issuer Instrument Service Provider. Provides information about the funds availability of payment transactions based on the payment cards. The related services supplied can be identified as CAF/FCS (Confirmation on the Availability of Funds Service). |
SCA | Strong Customer Authentication. Authentication based on the use of two or more elements designed in such a way as to protect the confidentiality of the authentication data. |
XS2A | Access to Account. The provision of secure access to accounts operated by ASPSPs using APIs. |
eIDAS | Electronic Identification, Authentication and trust Services. A set of standards for electronic identification and trust services for electronic transactions in the European Single Market. |
QSEAL | Qualified Electronic Seal Certificate is a qualified digital certificate under the trust services defined in the eIDAS Regulation. |
PSD2 | The Second Revised Payment Services Directive. The directive of the European Parliament and of the Council of the European Union which requires financial institutions within the European Economic Area to provide access to their customers' accounts (XS2A), to Third Party Providers to provide account information and payment initiation services. |
Registration
The process of TPP registration is made via an API request to TPP Register endpoint. In order to access Provider Sandbox you need to use OBSEAL test certificate.
After adding a certificate, the registered TPP will have assigned a set of scopes based on the provided certificate.
I.e. AISP certificate will result in account, transactions, kyc scopes, while a PISP certificate will result in payments, funds_availability scopes. The available scopes can be seen when creating an TPP Application.
API Endpoints
The table below describes the list of all API endpoints available at Salt Edge PSD2 Compliance Solution. The endpoints are based on NextGenPSD2 Framework version 1.3.6. also known as BerlinGroup Standard. BerlinGroup endpoints are name-spaced after selected provider_code. Ex: for Allpay Production, the endpoints will start with /allpay_production/api...
Endpoint | Verb | Purpose |
---|---|---|
/v1/accounts/refresh | POST | This endpoint is responsible for starting the process of refreshing account information data on Salt Edge PSD2 Compliance Solution side. Due to asynchronous nature of this action, TPP has to poll the status of this process using Accounts RefreshStatus endpoint. |
/v1/accounts/refresh/status | GET | This endpoint is responsible for returning the current status of fetching account information process. |
/v1/aspsps/product_templates | GET | Used by TPP for obtaining the list of payment products which support NextGenPSD2 standard. |
/v1/card-accounts/:account_id/balances | GET | Reads balance data from a given card account addressed by account-id. |
/v1/card-accounts | GET | Reads a list of card accounts with additional information, e.g. balance information. It is assumed that a consent of the PSU to this access is already given. The addressed list of card accounts depends on the PSU ID and the stored consent addressed by consentId. |
/v1/card-accounts/:account_id | GET | Reads details about a card account. It is assumed that a consent of the PSU to this access is already given. The addressed details of this account depends on the stored consent addressed by consentId. |
/v1/card-accounts/:account_id/transactions | GET | Read transaction reports or transaction lists of a given card account addressed by account-id. |
/v1/consents/:consent_id/authorisations/:authorisation_id | GET | This method returns the SCA status of a consent initiation's authorisation subresource. |
/v1/consents | POST | This method creates a consent resource, defining access rights to dedicated accounts of a given PSU-ID. These accounts are addressed explicitly in the method as parameters as a core function. |
/v1/consents/:consent_id | DELETE | This method deletes a consent. |
/v1/consents/:consent_id | GET | Returns the content of an account information consent object. This returns the data for the TPP especially in cases, where the consent was directly managed between ASPSP and PSU e.g. in a redirect SCA Approach. |
/v1/consents/:consent_id/status | GET | Read the status of an account information consent resource. |
/v1/funds-confirmations | POST | Checks whether a specific amount is available at point of time of the request on an account addressed by IBAN or other available identifiers. |
/v1/payments/:payment_product/:payment_id/authorisations/:authorisation_id | GET | This method returns the SCA status of a consent initiation's authorisation subresource. |
/v1/payments/:payment_product | POST | This method is used to instruct Salt Edge PSD2 Compliance Solution to initialize the payment creation. |
/v1/payments/:payment_product/:payment_id | GET | This method returns payment data. |
/v1/payments/:payment_product/:payment_id/status | GET | This method returns payment status. |
Scopes Definition
Type | Description |
---|---|
payments | grants TPP right to initiate payment orders on behalf of Customer |
accounts | grants TPP access to Customer's accounts data |
transactions | grants TPP access to transactions which belong to Customer's account |
funds_availability | grants TPP right to check availability of funds under specific account which belongs to Customer |
All Errors
During any request or flow originating either on TPP or Salt Edge PSD2 Compliance side, a number of errors may appear. In order to standardize errors while still giving some degree of freedom in explaining an error callback, parameters should include both error_text and error_code. Error message serves the purpose of communicating the issue to the Customer, whereas error class should be used by TPPs in order to be able to handle various scenarios.
Contents of the error_code are entirely up to the Provider, they may even be localized. However, values sent within error_text parameter should be from the standardized list. This list may and will be extended over time.
Class | Code | Description |
---|---|---|
BadRequest | 400 | Given value is invalid. |
CountryNameInvalid | 400 | Country doesn't exist or is invalid. Expected alpha 2 ISO3166 format. |
ServiceInvalid | 400 | Something went wrong on Provider(ASPSP) side. |
FormatError | 400 | Invalid input. More info in error_message |
ConsentInvalid | 401 | The consent was created by this TPP but is not valid for the addressed service/resource. |
ConsentUnknown | 401 | The Consent-ID cannot be matched by the ASPSP relative to the TPP. |
CertificateMissing | 401 | This request cannot be performed without Certificate header. |
CertificateInvalid | 401 | Given certificate is invalid. |
SignatureMalformed | 401 | Given signature is malformed. |
SignatureMissing | 401 | This request cannot be performed without Signature header. |
SignatureInvalid | 401 | Given signature is invalid. |
ConsentExpired | 401 | The consent was created by this TPP but has expired and needs to be renewed. |
AccessDenied | 403 | Action you want to perform is not allowed. More in error_message |
ProductInvalid | 403 | The payment product is not supported by the addressed service/resource. |
ResourceUnknown | 404 | The addressed resource is unknown relative to the TPP. |
ProductUnknown | 404 | The payment product wasn't found. |
CancellationInvalid | 405 | The addressed payment is not cancellable e.g. due to cut off time passed or legal constraints. |
AccessExceeded | 429 | Exceeded the number of requests for this action. |