PSD2 Compliance | Berlin Group API Documentation

Access to Environments

Ikano Bank AB Poland

Status Live
Certificate Production
Provider code ikano-pl-prod
Launch date 10 September 2021

Ikano Poland Sandbox BG

Status Sandbox
Certificate Test/Production
Provider code ikano_poland_sandbox_bg_xf
Creation date 24 March 2020
Test credentials (Oauth)

CARD Number

Copy to clipboard


Copy to clipboard

Change log

Timestamp Change/note
23 Dec 2021 The CBC-mode cipher encryption will be disabled on PSD2 APIs and the following cipher suites will no longer be supported since 3rd February 2022:
Please find below the list of supported ciphers and make sure you support any of the below to keep the connection with the PSD2 APIs:
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
In case you need any assistance on the above please contact us at:


Term Definition
Authorisation The XS2A API will allow an ASPSP to implement OAuth2 as a support for the authorisation of the PSU towards the TPP for the payment initiation and/or account information service. In this case, the TPP will be the client, the PSU the resource owner and the ASPSP will be the resource server in the abstract OAuth2 model.
Consent A range of rules on security, providing access to accounts, and enabling traceability and the mitigation of fraud risks.
Provider Represents the ASPSP. A bank or financial institution that offer payment accounts with online access.
TPP A third party provider application.
Customer A bank account holder. The end-user of payment services.
AISP Account Information Service Provider. A Client application that allows a Customer to list account and holder information.
Session Any activity that is forwarded by Salt Edge PSD2 Compliance on behalf of a Customer.
Scopes A set of permissions granted to a TPP application.
SCA Strong Customer Authentication using Salt Edge Authenticator.


The process of TPP registration is made via an API request to TPP Register endpoint. In order to access Provider Sandbox you need to use eIDAS QSEAL test certificate.

Access to production environment is allowed only with production QSEAL certificates. It is possible to add a QSEAL or QWAC certificate via API request to TPP Certficate endpoint.

After adding a certificate, the registered TPP will have assigned a set of scopes based on the provided certificate.

I.e. AISP certificate will result in account, transactions, kyc scopes, while a PISP certificate will result in payments, funds_availability scopes. The available scopes can be seen when creating an TPP Application.

API Endpoints

The table below describes the list of all API endpoints available at Salt Edge PSD2 Compliance Solution. The endpoints are based on NextGenPSD2 Framework version 1.3.6. also known as BerlinGroup Standard. BerlinGroup endpoints are name-spaced after selected provider_code. Ex: for Ikano Bank AB Poland, the endpoints will start with /ikano-pl-prod/api...

Endpoint Verb Purpose
/v1/accounts/refresh POST This endpoint is responsible for starting the process of refreshing account information data on Salt Edge PSD2 Compliance Solution side. Due to asynchronous nature of this action, TPP has to poll the status of this process using Accounts RefreshStatus endpoint.
/v1/accounts/refresh/status GET This endpoint is responsible for returning the current status of fetching account information process.
/v1/aspsps/product_templates GET Used by TPP for obtaining the list of payment products which support NextGenPSD2 standard.
/v1/card-accounts/:account_id/balances GET Reads balance data from a given card account addressed by account-id.
/v1/card-accounts GET Reads a list of card accounts with additional information, e.g. balance information. It is assumed that a consent of the PSU to this access is already given and stored on Salt Edge Compliance system. The addressed list of card accounts depends on the PSU ID and the stored consent addressed by consentId.
/v1/card-accounts/:account_id GET Reads details about a card account. It is assumed that a consent of the PSU to this access is already given and stored on the Salt Edge Compliance system. The addressed details of this account depends on the stored consent addressed by consentId.
/v1/card-accounts/:account_id/transactions GET Read transaction reports or transaction lists of a given card account addressed by account-id.
/v1/consents/:consent_id/authorisations/:authorisation_id GET This method returns the SCA status of a consent initiation's authorisation subresource.
/v1/consents POST This method creates a consent resource, defining access rights to dedicated accounts of a given PSU-ID. These accounts are addressed explicitly in the method as parameters as a core function.
/v1/consents/:consent_id DELETE This method deletes a consent.
/v1/consents/:consent_id GET Returns the content of an account information consent object. This returns the data for the TPP especially in cases, where the consent was directly managed between ASPSP and PSU e.g. in a redirect SCA Approach.
/v1/consents/:consent_id/status GET Read the status of an account information consent resource.
/v1/tpp/certificates POST Used for adding certificate. After action, you will receive a letter of confirmation on your representative email.
/v1/tpp/register POST Used for registration in Salt Edge PSD2 Compliance Dashboard. After registration, you will receive a letter of confirmation on your representative email.

Scopes Definition

Type Description
payments grants TPP right to initiate payment orders on behalf of Customer
accounts grants TPP access to Customer's accounts data
transactions grants TPP access to transactions which belong to Customer's account
funds_availability grants TPP right to check availability of funds under specific account which belongs to Customer

During any request or flow originating either on TPP or Salt Edge PSD2 Compliance side, a number of errors may appear. In order to standardize errors while still giving some degree of freedom in explaining an error callback, parameters should include both error_text and error_code. Error message serves the purpose of communicating the issue to the Customer, whereas error class should be used by TPPs in order to be able to handle various scenarios.

Contents of the error_code are entirely up to the Provider, they may even be localized. However, values sent within error_text parameter should be from the standardized list. This list may and will be extended over time.

Class Code Description
CountryNameInvalid 400 Country doesn't exist or name is in incorect format. Should be in alpha 2 ISO3166 format.
ServiceInvalid 400 Something went wrong on Provider(ASPSP) side.
FormatError 400 Invalid input. More info in error_message
ConsentInvalid 401 The consent was created by this TPP but is not valid for the addressed service/resource.
ConsentUnknown 401 The Consent-ID cannot be matched by the ASPSP relative to the TPP.
CertificateMissing 401 This request cannot be performed without Certificate header.
CertificateInvalid 401 Given certificate is invalid.
SignatureMalformed 401 Given signature is malformed.
SignatureMissing 401 This request cannot be performed without Signature header.
SignatureInvalid 401 Given signature is invalid.
ConsentExpired 401 The consent was created by this TPP but has expired and needs to be renewed.
AccessDenied 403 Action you want to perform is not allowed. More in error_message
ProductInvalid 403 The payment product is not supported by the addressed service/resource.
ResourceUnknown 404 The addressed resource is unknown relative to the TPP.
ProductUnknown 404 The payment product wasn't found.
CancellationInvalid 405 The addressed payment is not cancellable e.g. due to cut off time passed or legal constraints.
AccessExceeded 429 Exceeded the number of requests for this action.