Tokens
Initiate a linking process for a provider. The client application has to handle all the authentication UI in this flow (see <a href="/docs/tpp#tpp-configuration-and-api-keys">Provider authorization_types</a>). During the lifecycle, events will be added to the session which will send <a href="/docs/tpp#callbacks">Callbacks</a> to your application.
Show
Return current state of a token.
CURL
curl -i \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyMjY5LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.FbTdl6iFIA2jMfYOOtspZMmQEY_zVM_rN9J_7nhDWmu3D3UdocorpE96qrwuFPjxJpUSNOlCBmrBb0nfgqqBRu34U9C6syvm6k6vyhHAJl1RF-Tb9hGaZhS9o0R1wwJuJk6nogNr5oQCewxOoro0l2jbsoWpGxpgLO6WMT64Mx-M5fodAM8FdpjqPPdBT0x5xMZtB0w64TpPdE6UxVEOvuDJ6jT-Ivo4O2mY5FsVeDl7dyp-e0rbVSCGglGpVXghepOBULReTCn85ubL_JZpdmz_HtgnazkH3eSWPa7fzf-hVqxg1PWpp3tO8IeI_S7MmSdvl8dt3DkBtYsPcHpymA" \
-H "App-Id: 6mWl9hbxoN3rg_nX4804tw" \
-H "App-Secret: 6FdCub2C2AMQbyaI6KSv4Q" \
-H "Access-Token: 7eb89bd116268f02b5ab5ab6f46a89a65a8476d8c287a84fdceae03724d5511ae445b0342c73fc02681b3fcbbfeb12cf78e9292956b67ea76d20dfff0a1ba7a2" \
-H "Client-Request-Id: 54" \
-X GET "/api/v2/tokens"
Example of request parameters
{"data":{},"exp":1574093211}
Example of response
{"data":{"scopes":["accounts","transactions","kyc","payments","funds_availability","trusted_beneficiaries"],"access_token_expires_at":"2019-11-18T16:04:51.638Z"}}
Request
GET
/api/v2/tokens
Headers
Header | Type | Description |
---|---|---|
Authorization
|
string, required |
JSON Web Token containing payload, signed using RSA256 and application.private_key .
Can raise:
AuthorizationMissing
|
App-Id
|
string, required |
Application’s app_id from connection details tab.
Can raise:
OauthAppNotFound, CertificateNotFound
|
App-Secret
|
string, required |
Application’s app_secret from connection details tab.
|
Access-Token
|
string, required | Token for which we are requesting info. Can raise: TokenMissing, TokenNotFound, TokenRevoked, TokenExpired |
Client-Request-Id
|
string, optional |
Request identifier. If present, it will be returned within meta field in response.
|
Unpacked Request Authorization
Response
Upon successful request, 200 status code will be returned. See ‘Related Errors’ table for other possibilities.
Related Errors
Class | Code | Description |
---|---|---|
TokenMissing | 400 | This request cannot be performed without Access_Token header. |
AuthorizationMissing | 401 | Authorization header is missing. |
TokenNotFound | 401 | Token specified in request does not exist or cannot be retrieved. |
TokenRevoked | 401 | Token specified in request is revoked and cannot be used anymore. |
TokenExpired | 401 | Token specified in request is expired and cannot be used. |
OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
CertificateNotFound | 404 | Certificate has no permissions. |
Remote
Initiate the process of authentication on behalf of PSU. During this process, TPP will receive callbacks with instructions and current status of session. Prior to this, TPP is required to ask PSU for consent. TPP can also set up a custom expiration period for the consent in the field `consent_period_days`, which cannot be greater than 90 days.
CURL
curl -i \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7ImNyZWRlbnRpYWxzIjp7ImF1dGhvcml6YXRpb25fdHlwZSI6IlBTRF9BSVNQIn0sInByb3ZpZGVyX2NvZGUiOiJkZW1vYmFuayIsInJlZGlyZWN0X3VybCI6Imh0dHBzOi8vdXNlci53aWxsLmJlL3JlZGlyZWN0ZWQvaGVyZSIsInNjb3BlcyI6WyJhY2NvdW50cyIsInRyYW5zYWN0aW9ucyIsImt5YyIsInBheW1lbnRzIiwiZnVuZHNfYXZhaWxhYmlsaXR5IiwidHJ1c3RlZF9iZW5lZmljaWFyaWVzIl0sImNvbnNlbnRfcGVyaW9kX2RheXMiOjkwfSwiZXhwIjoxNzM1MzUyMjY5LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.NpCql-7kQ2YW_h7jcyrPYWmOhG6E6Rnp-jsgejxd4j86K0DVL4N0TaFUcE5Wdy1EIzhpxXMs7iXIYqU2t_v4t7H-INCONEy3VtUfPhuDrW0ilDkDDGW4HDiWEw5WVAPw_frv2apXCgDozBtLwAuTq-O-x_9ELxd0KaGraiGeA1d9DN-Pd2YcoS2SfKWcdpxltFt9lxeBKEB-itSGlmzyuq-aWUlVJREPUM-h2xlMnSXFoNWTbXPIwDQzPdCqwniUGzvn929TYjDRiIzhSQy4jgMmXHrxBUxPeRgsKXoY2fIJawa1Ka2Gn5X0e5P_nLebdoSIQriRiRVJV0labjvU7A" \
-H "App-Id: 8PmTDEfMengvyK1SNFkQ4A" \
-H "App-Secret: n4eSP_GK0CLYoeoT8mOQLg" \
-H "Client-Request-Id: 17" \
-X POST "/api/v2/tokens/remote"
Example of request parameters
Example of response
{"data":{"session_secret":"i8wJ74uDGEMjmzjULLWB"}}
Request
POST
/api/v2/tokens/remote
Headers
Header | Type | Description |
---|---|---|
Authorization
|
string, required |
JSON Web Token containing payload, signed using RSA256 and application.private_key .
Can raise:
AuthorizationMissing
|
App-Id
|
string, required |
Application’s app_id from connection details tab.
Can raise:
OauthAppNotFound, CertificateNotFound
|
App-Secret
|
string, required |
Application’s app_secret from connection details tab.
|
Client-Request-Id
|
string, optional |
Request identifier. If present, it will be returned within meta field in response.
|
Unpacked Request Authorization
Response
Upon successful request, 200 status code will be returned. See ‘Related Errors’ table for other possibilities.
Related Errors
Class | Code | Description |
---|---|---|
ScopesInvalid | 400 | Specified scopes don't match with the ones specified in Provider or OAuthApp. More info in error_message |
AccessDenied | 401 | Action you want to perform is not allowed. More in error_message |
AuthorizationMissing | 401 | Authorization header is missing. |
ProviderNotFound | 404 | Provider specified in request does not exist or cannot be retrieved. |
OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
CertificateNotFound | 404 | Certificate has no permissions. |
Revoke
Revoke an already existing and active access token.
CURL
curl -i \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyMjY5LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.FbTdl6iFIA2jMfYOOtspZMmQEY_zVM_rN9J_7nhDWmu3D3UdocorpE96qrwuFPjxJpUSNOlCBmrBb0nfgqqBRu34U9C6syvm6k6vyhHAJl1RF-Tb9hGaZhS9o0R1wwJuJk6nogNr5oQCewxOoro0l2jbsoWpGxpgLO6WMT64Mx-M5fodAM8FdpjqPPdBT0x5xMZtB0w64TpPdE6UxVEOvuDJ6jT-Ivo4O2mY5FsVeDl7dyp-e0rbVSCGglGpVXghepOBULReTCn85ubL_JZpdmz_HtgnazkH3eSWPa7fzf-hVqxg1PWpp3tO8IeI_S7MmSdvl8dt3DkBtYsPcHpymA" \
-H "App-Id: iiniPo3zkfpOgmHrmk0Osg" \
-H "App-Secret: gNebmvKyKAVTxY_fSVe-kQ" \
-H "Access-Token: 874bcafd85e1332e8657cfb68016ed33f52b055adeead1d97fdfd96fc4cb847b957ee63f407d459b80eef76951e967501ca6c0282e4a4e7f838906856720a0bf" \
-H "Client-Request-Id: 17" \
-X DELETE "/api/v2/tokens"
Example of request parameters
{"data":{},"exp":1574093211}
Example of response
{"data":{"revoked":true,"access_token":"yVJ-2246zz-1yRutZstm"}}
Request
DELETE
/api/v2/tokens
Headers
Header | Type | Description |
---|---|---|
Authorization
|
string, required |
JSON Web Token containing payload, signed using RSA256 and application.private_key .
Can raise:
AuthorizationMissing
|
App-Id
|
string, required |
Application’s app_id from connection details tab.
Can raise:
OauthAppNotFound, CertificateNotFound
|
App-Secret
|
string, required |
Application’s app_secret from connection details tab.
|
Access-Token
|
string, required | Token for which we are requesting info. Can raise: TokenMissing, TokenNotFound, TokenRevoked, TokenExpired |
Client-Request-Id
|
string, optional |
Request identifier. If present, it will be returned within meta field in response.
|
Unpacked Request Authorization
Response
Upon successful request, 200 status code will be returned. See ‘Related Errors’ table for other possibilities.
Related Errors
Class | Code | Description |
---|---|---|
TokenMissing | 400 | This request cannot be performed without Access_Token header. |
AuthorizationMissing | 401 | Authorization header is missing. |
TokenNotFound | 401 | Token specified in request does not exist or cannot be retrieved. |
TokenRevoked | 401 | Token specified in request is revoked and cannot be used anymore. |
TokenExpired | 401 | Token specified in request is expired and cannot be used. |
OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
CertificateNotFound | 404 | Certificate has no permissions. |
Sessions
Show
Due to the asynchronous nature of requests, most of responses represent a session_secret. This endpoint could be used to verify the currrent state of newly created sessions.
CURL
curl -i \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyMjY5LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.FbTdl6iFIA2jMfYOOtspZMmQEY_zVM_rN9J_7nhDWmu3D3UdocorpE96qrwuFPjxJpUSNOlCBmrBb0nfgqqBRu34U9C6syvm6k6vyhHAJl1RF-Tb9hGaZhS9o0R1wwJuJk6nogNr5oQCewxOoro0l2jbsoWpGxpgLO6WMT64Mx-M5fodAM8FdpjqPPdBT0x5xMZtB0w64TpPdE6UxVEOvuDJ6jT-Ivo4O2mY5FsVeDl7dyp-e0rbVSCGglGpVXghepOBULReTCn85ubL_JZpdmz_HtgnazkH3eSWPa7fzf-hVqxg1PWpp3tO8IeI_S7MmSdvl8dt3DkBtYsPcHpymA" \
-H "App-Id: lYbM35hScWwT52d6Zxz-Lg" \
-H "App-Secret: ssZn53PTzxSv6kI1nJzlUQ" \
-H "Client-Request-Id: 4565" \
-X GET "/api/v2/sessions/:secret"
Example of request parameters
{"data":{},"exp":1574093210}
Example of response
{"data":{"secret":"BVuveSLQCrA5jBYUyxXe","status":"fetched_kyc","extra":{"scopes":["accounts","transactions","kyc","payments","funds_availability","trusted_beneficiaries"]},"token":{"access_token":"5kHijxm_DEWoP5ncHWcF","expires_at":"2019-11-18T16:04:50.915Z"},"provider_code":"demobank","id":302,"fail_at":"2019-11-18T16:04:50.915Z","success_at":"2019-11-18T16:04:50.915Z","created_at":"2019-11-18T16:04:50.915Z","updated_at":"2019-11-18T16:04:50.915Z","events":[{}],"authorization_details":{"instruction":"Use PIN code from the received SMS.","mfa_fields":[{"code":"sms_pincode","display_name":"SMS-PIN","optional":true,"type":"embedded","nature":"text"}]},"customer_id":983}}
Request
GET
/api/v2/sessions/:secret
Headers
Header | Type | Description |
---|---|---|
Authorization
|
string, required |
JSON Web Token containing payload, signed using RSA256 and application.private_key .
Can raise:
AuthorizationMissing
|
App-Id
|
string, required |
Application’s app_id from connection details tab.
Can raise:
OauthAppNotFound, CertificateNotFound
|
App-Secret
|
string, required |
Application’s app_secret from connection details tab.
|
Client-Request-Id
|
string, optional |
Request identifier. If present, it will be returned within meta field in response.
|
Unpacked Request Authorization
Response
Upon successful request, 200 status code will be returned. See ‘Related Errors’ table for other possibilities.
Related Errors
Class | Code | Description |
---|---|---|
AuthorizationMissing | 401 | Authorization header is missing. |
SessionNotFound | 404 | Session specified in request does not exist or cannot be retrieved. |
OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
CertificateNotFound | 404 | Certificate has no permissions. |
Destroy
Cancel session.
CURL
curl -i \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyMjY5LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.FbTdl6iFIA2jMfYOOtspZMmQEY_zVM_rN9J_7nhDWmu3D3UdocorpE96qrwuFPjxJpUSNOlCBmrBb0nfgqqBRu34U9C6syvm6k6vyhHAJl1RF-Tb9hGaZhS9o0R1wwJuJk6nogNr5oQCewxOoro0l2jbsoWpGxpgLO6WMT64Mx-M5fodAM8FdpjqPPdBT0x5xMZtB0w64TpPdE6UxVEOvuDJ6jT-Ivo4O2mY5FsVeDl7dyp-e0rbVSCGglGpVXghepOBULReTCn85ubL_JZpdmz_HtgnazkH3eSWPa7fzf-hVqxg1PWpp3tO8IeI_S7MmSdvl8dt3DkBtYsPcHpymA" \
-H "App-Id: TnzE5rqosgx9vrox4mU5EA" \
-H "App-Secret: ngYWj5vwwkf-fT1MkB6DBQ" \
-H "Client-Request-Id: 17" \
-X DELETE "/api/v2/sessions/:secret"
Example of request parameters
{"data":{},"exp":1574093210}
Example of response
{"data":{"session_secret":"_PkwuzoztNR3vz2-MzrJ"}}
Request
DELETE
/api/v2/sessions/:secret
Headers
Header | Type | Description |
---|---|---|
Authorization
|
string, required |
JSON Web Token containing payload, signed using RSA256 and application.private_key .
Can raise:
AuthorizationMissing
|
App-Id
|
string, required |
Application’s app_id from connection details tab.
Can raise:
OauthAppNotFound, CertificateNotFound
|
App-Secret
|
string, required |
Application’s app_secret from connection details tab.
|
Client-Request-Id
|
string, optional |
Request identifier. If present, it will be returned within meta field in response.
|
Unpacked Request Authorization
Response
Upon successful request, 200 status code will be returned. See ‘Related Errors’ table for other possibilities.
Related Errors
Class | Code | Description |
---|---|---|
SessionClosed | 400 | Session specified in request is already closed and cannot be modified. |
SessionExpired | 401 | Found session is expired and cannot be processed anymore. |
AuthorizationMissing | 401 | Authorization header is missing. |
SessionNotFound | 404 | Session specified in request does not exist or cannot be retrieved. |
OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
CertificateNotFound | 404 | Certificate has no permissions. |
ActionNotAllowed | 406 | You're not allowed to perform this action. This might be a configuration problem or parameters incompatibility. |
Providers
Index
Returns all ASPSPs which have approved access for your TPP. More information could be found at #requesting-provider-access compartment.
CURL
curl -i \
-H "App-Id: 5L1UlLqFeEjlFlJ4dzJFDw" \
-H "App-Secret: ym7AeWUYxHp0KG4MghAo-g" \
-H "Client-Request-Id: 17" \
-X GET "/api/v2/providers"
Example of request parameters
{"per_page":50,"from_id":1}
Example of response
{"data":[{"id":846,"name":"Example Name","code":"demobank","connector_url":"https://user.will.be/redirected/here","status":"live","scopes":["accounts","transactions","kyc","payments","funds_availability","trusted_beneficiaries"],"created_at":"2019-11-18T16:04:50.725Z","updated_at":"2019-11-18T16:04:50.725Z","authorization_types":[{"code":"sms_pin","display_name":"SMS-PIN","scopes":["accounts","transactions"],"instruction":"Use PIN code from SMS to authorize.","required_fields":[{"code":"req_field","optional":"false","display_name":"Sms_pin","type":"string"}],"mfa_fields":[{"code":"req_field2","optional":"false","display_name":"Password","type":"string"}],"sandbox_credentials":{"required_fields":[{"example":"req_field","code":"req_field"}],"mfa_fields":[{"example":"mfa_field","code":"mfa_field"}]}}]}],"meta":{"next_id":2,"time":"2019-11-18T16:04:50.725Z"}}
Request
GET
/api/v2/providers
Headers
Header | Type | Description |
---|---|---|
App-Id
|
string, required |
Application’s app_id from connection details tab.
Can raise:
OauthAppNotFound, CertificateNotFound
|
App-Secret
|
string, required |
Application’s app_secret from connection details tab.
|
Client-Request-Id
|
string, optional |
Request identifier. If present, it will be returned within meta field in response.
|
Unpacked Request Authorization
Response
Upon successful request, 200 status code will be returned. See ‘Related Errors’ table for other possibilities.
Related Errors
Class | Code | Description |
---|---|---|
OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
CertificateNotFound | 404 | Certificate has no permissions. |