OAuth Authentication Flow

Show

Return current state of a token.

CURL

curl -i \
 -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyODI2LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.DmvgiZQ1ORPfkhqw_YJQfr2a_ddAo_EnH0WVKxazwdY8TgdYdeE9ODK7bsVW5t6JfBjQwSD6bZoUV0hZE-W3jP_BqXfDrdp-Uyu0L1-ejquluQTC0lfxkQQ1lRSHhyOBt_7Su1rhuez1cjjthHjfz9AvYPJrv3M1-Qz8Ix0BzE8af3WNIhQIF4mn9kD6ZkK8VZBUDlicm_IE-u6wiE0GpwaHDFGvUqeS4vBtH1dcJtU12MlkP5U6rzebkmwOnZcgWkH0gL3NYRVKKYXtT7ffkIbpDOUUFVo1ddV9Ap3NGXJ_bSngvICTvOXvN9Hel1M6xfWVfcdxMNkibkvRezOfMw" \
 -H "App-Id: 6mWl9hbxoN3rg_nX4804tw" \
 -H "App-Secret: 6FdCub2C2AMQbyaI6KSv4Q" \
 -H "Access-Token: 7eb89bd116268f02b5ab5ab6f46a89a65a8476d8c287a84fdceae03724d5511ae445b0342c73fc02681b3fcbbfeb12cf78e9292956b67ea76d20dfff0a1ba7a2" \
 -H "Client-Request-Id: 54" \
 -X GET "/api/v2/tokens"

Example of request parameters

{"data":{},"exp":1574093211}

Example of response

{"data":{"scopes":["accounts","transactions","kyc","payments","funds_availability","trusted_beneficiaries"],"access_token_expires_at":"2019-11-18T16:04:51.638Z"}}
Request

GET /api/v2/tokens

Headers

| Header | Type | Description |
|---|---|---|
| Authorization | string, required | JSON Web Token containing the payload, signed using RS256 and application.private_key. Can raise: AuthorizationMissing |
| App-Id | string, required | Application's app_id from the connection details tab. Can raise: OauthAppNotFound, CertificateNotFound |
| App-Secret | string, required | Application's app_secret from the connection details tab. |
| Access-Token | string, required | Token for which we are requesting info. Can raise: TokenMissing, TokenNotFound, TokenRevoked, TokenExpired |
| Client-Request-Id | string, optional | Request identifier. If present, it will be returned within the meta field of the response. |

Unpacked Request Authorization (JWT payload)

- data (hash, required): Wrapper for the data.
- exp (integer, required): Lifetime of the request as a UTC Unix timestamp; must be greater than the current time.
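
Building and checking the Authorization token described above, as an added example that is not part of the Salt Edge documentation or SDKs: an RS256 JWT over `{"data": ..., "exp": ...}` signed with the application private key, plus the verification a receiving side performs (algorithm pinned to RS256, signature checked against the registered public key, exp greater than the current time). Only the Ruby standard library is used; the 60-second lifetime is an assumption, not a documented value.

```ruby
require "openssl"
require "json"
require "base64"

# JWT header carried by the page's sample tokens: base64url({"alg":"RS256"}) == "eyJhbGciOiJSUzI1NiJ9".
HEADER = { alg: "RS256" }.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Builds the Authorization bearer token: payload {"data": ..., "exp": ...} (exp is a UTC Unix
# timestamp), RS256 (RSASSA-PKCS1-v1_5 with SHA-256) over base64url(header).base64url(payload),
# signed with the application's private key. The 60-second ttl is an assumption.
def sign_request_jwt(private_key, data, now:, ttl: 60)
  payload = { data: data, exp: now + ttl }
  input = "#{b64url(HEADER.to_json)}.#{b64url(payload.to_json)}"
  "#{input}.#{b64url(private_key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# The check a receiving side makes before trusting the claims: alg must be exactly RS256 (the
# token never gets to choose the algorithm), the signature must verify under the registered
# public key, and exp must be greater than the current time, as the page requires.
# Returns the claims hash on success or a symbol naming the failure.
def verify_request_jwt(public_key, token, now:)
  parts = token.split(".")
  return :malformed unless parts.size == 3
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  return :unexpected_alg unless header.is_a?(Hash) && header["alg"] == "RS256"
  signature = Base64.urlsafe_decode64(parts[2])
  signed_input = "#{parts[0]}.#{parts[1]}"
  return :bad_signature unless public_key.verify(OpenSSL::Digest.new("SHA256"), signature, signed_input)
  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  return :malformed unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer) && claims["data"].is_a?(Hash)
  return :expired unless claims["exp"] > now
  claims
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  :malformed
end
```

With `now = 1574093151` and an empty data hash the signed payload is exactly the page's `{"data":{},"exp":1574093211}`.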
Response

Upon a successful request, a 200 status code is returned. See the ‘Related Errors’ table for other possibilities.


Related Errors

| Class | Code | Description |
|---|---|---|
| TokenMissing | 400 | This request cannot be performed without Access_Token header. |
| AuthorizationMissing | 401 | Authorization header is missing. |
| TokenNotFound | 401 | Token specified in request does not exist or cannot be retrieved. |
| TokenRevoked | 401 | Token specified in request is revoked and cannot be used anymore. |
| TokenExpired | 401 | Token specified in request is expired and cannot be used. |
| OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
| CertificateNotFound | 404 | Certificate has no permissions. |

Remote

Initiates the authentication process on behalf of the PSU. During this process, the TPP will receive callbacks with instructions and the current status of the session. Before calling it, the TPP is required to obtain the PSU's consent. The TPP can also set a custom expiration period for the consent in the field `consent_period_days`, which cannot be greater than 90 days.

CURL

curl -i \
 -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7ImNyZWRlbnRpYWxzIjp7ImF1dGhvcml6YXRpb25fdHlwZSI6IlBTRF9BSVNQIn0sInByb3ZpZGVyX2NvZGUiOiJkZW1vYmFuayIsInJlZGlyZWN0X3VybCI6Imh0dHBzOi8vdXNlci53aWxsLmJlL3JlZGlyZWN0ZWQvaGVyZSIsInNjb3BlcyI6WyJhY2NvdW50cyIsInRyYW5zYWN0aW9ucyIsImt5YyIsInBheW1lbnRzIiwiZnVuZHNfYXZhaWxhYmlsaXR5IiwidHJ1c3RlZF9iZW5lZmljaWFyaWVzIl0sImNvbnNlbnRfcGVyaW9kX2RheXMiOjkwfSwiZXhwIjoxNzM1MzUyODI2LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.KFj7eZYLtTtbls580IIIEzzpVBIdBFCdfW-1gcavTYVWFAxZVVkgdU5n_MkStPNkjcSHjySClF61b8l9_1YM6iTr3yi_3a8-4Kq2MHiyTqa4_kV50cTPu008ZdZkIJMOrXs30WPyffWq4r2cKimpsEDkdSMwMQe8Lt4zW7JKHfauBjf-RKXts0aTMhCrPTRYsCa4oVAnvkpoXmXFeYb6ZG8EuQchnzMrWgxx0QRczsT3SoYDvaMG9c6kkXIQov2Hsvn-7A5zyoUN0_Xm78PTC8UkLgkdKkJBN4Tdr2rEWW812f8edn1Cfk7JiegmWDScCmcFOM7aPoWg8cPl_-Szgw" \
 -H "App-Id: 8PmTDEfMengvyK1SNFkQ4A" \
 -H "App-Secret: n4eSP_GK0CLYoeoT8mOQLg" \
 -H "Client-Request-Id: 17" \
 -X POST "/api/v2/tokens/remote"

Example of request parameters

Example of response

{"data":{"session_secret":"i8wJ74uDGEMjmzjULLWB"}}
Request

POST /api/v2/tokens/remote

Headers

| Header | Type | Description |
|---|---|---|
| Authorization | string, required | JSON Web Token containing the payload, signed using RS256 and application.private_key. Can raise: AuthorizationMissing |
| App-Id | string, required | Application's app_id from the connection details tab. Can raise: OauthAppNotFound, CertificateNotFound |
| App-Secret | string, required | Application's app_secret from the connection details tab. |
| Client-Request-Id | string, optional | Request identifier. If present, it will be returned within the meta field of the response. |

Unpacked Request Authorization
Response

Upon a successful request, a 200 status code is returned. See the ‘Related Errors’ table for other possibilities.


Related Errors

| Class | Code | Description |
|---|---|---|
| ScopesInvalid | 400 | Specified scopes don't match with the ones specified in Provider or OAuthApp. More info in error_message |
| AccessDenied | 401 | Action you want to perform is not allowed. More in error_message |
| AuthorizationMissing | 401 | Authorization header is missing. |
| ProviderNotFound | 404 | Provider specified in request does not exist or cannot be retrieved. |
| OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
| CertificateNotFound | 404 | Certificate has no permissions. |
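
The Remote request body itself, as an added example that is not part of the Salt Edge documentation: the page does not list the fields inside the JWT's `data` for this endpoint, so the shape below is what the page's sample Remote token decodes to (credentials.authorization_type, provider_code, redirect_url, scopes, consent_period_days), and the checks reject locally what the page documents the server rejecting, ScopesInvalid for scopes outside the provider's or app's set and a consent period above 90 days. DEMOBANK_SCOPES is taken from the page's Index sample response; requiring an absolute https redirect_url and a minimum of 1 day are my assumptions.

```ruby
require "uri"

MAX_CONSENT_PERIOD_DAYS = 90 # the cap the Remote description states

# Scopes the page's Index sample response lists for provider "demobank".
DEMOBANK_SCOPES = %w[accounts transactions kyc payments funds_availability trusted_beneficiaries].freeze

# Builds the "data" part of the Remote request JWT. Field names follow the page's sample Remote
# token once decoded. Scopes outside the provider's set are what the server reports as
# ScopesInvalid; consent_period_days above 90 is rejected per the endpoint description.
# Assumptions: at least 1 day of consent, and an absolute https redirect_url (the page only
# shows an https example).
def build_remote_data(provider_code:, provider_scopes:, redirect_url:, scopes:, authorization_type:,
                      consent_period_days: MAX_CONSENT_PERIOD_DAYS)
  raise ArgumentError, "scopes must not be empty" if scopes.empty?
  unknown = scopes - provider_scopes
  raise ArgumentError, "ScopesInvalid: not granted for #{provider_code}: #{unknown.join(', ')}" unless unknown.empty?
  unless (1..MAX_CONSENT_PERIOD_DAYS).cover?(consent_period_days)
    raise ArgumentError, "consent_period_days must be between 1 and #{MAX_CONSENT_PERIOD_DAYS}"
  end
  uri = URI.parse(redirect_url)
  raise ArgumentError, "redirect_url must be an absolute https URL" unless uri.is_a?(URI::HTTPS) && uri.host
  {
    "credentials" => { "authorization_type" => authorization_type },
    "provider_code" => provider_code,
    "redirect_url" => redirect_url,
    "scopes" => scopes,
    "consent_period_days" => consent_period_days
  }
end
```

The returned hash is what goes into the `data` field of the Authorization JWT for POST /api/v2/tokens/remote; the server still performs its own checks, these only fail fast before a signed request is sent.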

Revoke

Revoke an already existing and active access token.

CURL

curl -i \
 -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyODI2LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.DmvgiZQ1ORPfkhqw_YJQfr2a_ddAo_EnH0WVKxazwdY8TgdYdeE9ODK7bsVW5t6JfBjQwSD6bZoUV0hZE-W3jP_BqXfDrdp-Uyu0L1-ejquluQTC0lfxkQQ1lRSHhyOBt_7Su1rhuez1cjjthHjfz9AvYPJrv3M1-Qz8Ix0BzE8af3WNIhQIF4mn9kD6ZkK8VZBUDlicm_IE-u6wiE0GpwaHDFGvUqeS4vBtH1dcJtU12MlkP5U6rzebkmwOnZcgWkH0gL3NYRVKKYXtT7ffkIbpDOUUFVo1ddV9Ap3NGXJ_bSngvICTvOXvN9Hel1M6xfWVfcdxMNkibkvRezOfMw" \
 -H "App-Id: iiniPo3zkfpOgmHrmk0Osg" \
 -H "App-Secret: gNebmvKyKAVTxY_fSVe-kQ" \
 -H "Access-Token: 874bcafd85e1332e8657cfb68016ed33f52b055adeead1d97fdfd96fc4cb847b957ee63f407d459b80eef76951e967501ca6c0282e4a4e7f838906856720a0bf" \
 -H "Client-Request-Id: 17" \
 -X DELETE "/api/v2/tokens"

Example of request parameters

{"data":{},"exp":1574093211}

Example of response

{"data":{"revoked":true,"access_token":"yVJ-2246zz-1yRutZstm"}}
Request

DELETE /api/v2/tokens

Headers

| Header | Type | Description |
|---|---|---|
| Authorization | string, required | JSON Web Token containing the payload, signed using RS256 and application.private_key. Can raise: AuthorizationMissing |
| App-Id | string, required | Application's app_id from the connection details tab. Can raise: OauthAppNotFound, CertificateNotFound |
| App-Secret | string, required | Application's app_secret from the connection details tab. |
| Access-Token | string, required | Token for which we are requesting info. Can raise: TokenMissing, TokenNotFound, TokenRevoked, TokenExpired |
| Client-Request-Id | string, optional | Request identifier. If present, it will be returned within the meta field of the response. |

Unpacked Request Authorization (JWT payload)

- data (hash, required): Wrapper for the data.
- exp (integer, required): Lifetime of the request as a UTC Unix timestamp; must be greater than the current time.
Response

Upon a successful request, a 200 status code is returned. See the ‘Related Errors’ table for other possibilities.


Related Errors

| Class | Code | Description |
|---|---|---|
| TokenMissing | 400 | This request cannot be performed without Access_Token header. |
| AuthorizationMissing | 401 | Authorization header is missing. |
| TokenNotFound | 401 | Token specified in request does not exist or cannot be retrieved. |
| TokenRevoked | 401 | Token specified in request is revoked and cannot be used anymore. |
| TokenExpired | 401 | Token specified in request is expired and cannot be used. |
| OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
| CertificateNotFound | 404 | Certificate has no permissions. |

Show

Because requests are processed asynchronously, most responses return only a session_secret. This endpoint can be used to check the current state of a newly created session.

CURL

curl -i \
 -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyODI2LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.DmvgiZQ1ORPfkhqw_YJQfr2a_ddAo_EnH0WVKxazwdY8TgdYdeE9ODK7bsVW5t6JfBjQwSD6bZoUV0hZE-W3jP_BqXfDrdp-Uyu0L1-ejquluQTC0lfxkQQ1lRSHhyOBt_7Su1rhuez1cjjthHjfz9AvYPJrv3M1-Qz8Ix0BzE8af3WNIhQIF4mn9kD6ZkK8VZBUDlicm_IE-u6wiE0GpwaHDFGvUqeS4vBtH1dcJtU12MlkP5U6rzebkmwOnZcgWkH0gL3NYRVKKYXtT7ffkIbpDOUUFVo1ddV9Ap3NGXJ_bSngvICTvOXvN9Hel1M6xfWVfcdxMNkibkvRezOfMw" \
 -H "App-Id: lYbM35hScWwT52d6Zxz-Lg" \
 -H "App-Secret: ssZn53PTzxSv6kI1nJzlUQ" \
 -H "Client-Request-Id: 4565" \
 -X GET "/api/v2/sessions/:secret"

Example of request parameters

{"data":{},"exp":1574093210}

Example of response

{"data":{"secret":"BVuveSLQCrA5jBYUyxXe","status":"fetched_kyc","extra":{"scopes":["accounts","transactions","kyc","payments","funds_availability","trusted_beneficiaries"]},"token":{"access_token":"5kHijxm_DEWoP5ncHWcF","expires_at":"2019-11-18T16:04:50.915Z"},"provider_code":"demobank","id":302,"fail_at":"2019-11-18T16:04:50.915Z","success_at":"2019-11-18T16:04:50.915Z","created_at":"2019-11-18T16:04:50.915Z","updated_at":"2019-11-18T16:04:50.915Z","events":[{}],"authorization_details":{"instruction":"Use PIN code from the received SMS.","mfa_fields":[{"code":"sms_pincode","display_name":"SMS-PIN","optional":true,"type":"embedded","nature":"text"}]},"customer_id":983}}
Request

GET /api/v2/sessions/:secret

Headers

| Header | Type | Description |
|---|---|---|
| Authorization | string, required | JSON Web Token containing the payload, signed using RS256 and application.private_key. Can raise: AuthorizationMissing |
| App-Id | string, required | Application's app_id from the connection details tab. Can raise: OauthAppNotFound, CertificateNotFound |
| App-Secret | string, required | Application's app_secret from the connection details tab. |
| Client-Request-Id | string, optional | Request identifier. If present, it will be returned within the meta field of the response. |

Unpacked Request Authorization (JWT payload)

- data (hash, required): Wrapper for the data.
- exp (integer, required): Lifetime of the request as a UTC Unix timestamp; must be greater than the current time.
- secret (path; string, required): Another session identifier that can be used for session lookup and confirmation. Can raise: SessionNotFound
Response

Upon a successful request, a 200 status code is returned. See the ‘Related Errors’ table for other possibilities.


Related Errors

| Class | Code | Description |
|---|---|---|
| AuthorizationMissing | 401 | Authorization header is missing. |
| SessionNotFound | 404 | Session specified in request does not exist or cannot be retrieved. |
| OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
| CertificateNotFound | 404 | Certificate has no permissions. |

Destroy

Cancel session.

CURL

curl -i \
 -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJkYXRhIjp7fSwiZXhwIjoxNzM1MzUyODI2LCJpc3MiOiJwcmlvcmEuc2FsdGVkZ2UuY29tIn0.DmvgiZQ1ORPfkhqw_YJQfr2a_ddAo_EnH0WVKxazwdY8TgdYdeE9ODK7bsVW5t6JfBjQwSD6bZoUV0hZE-W3jP_BqXfDrdp-Uyu0L1-ejquluQTC0lfxkQQ1lRSHhyOBt_7Su1rhuez1cjjthHjfz9AvYPJrv3M1-Qz8Ix0BzE8af3WNIhQIF4mn9kD6ZkK8VZBUDlicm_IE-u6wiE0GpwaHDFGvUqeS4vBtH1dcJtU12MlkP5U6rzebkmwOnZcgWkH0gL3NYRVKKYXtT7ffkIbpDOUUFVo1ddV9Ap3NGXJ_bSngvICTvOXvN9Hel1M6xfWVfcdxMNkibkvRezOfMw" \
 -H "App-Id: TnzE5rqosgx9vrox4mU5EA" \
 -H "App-Secret: ngYWj5vwwkf-fT1MkB6DBQ" \
 -H "Client-Request-Id: 17" \
 -X DELETE "/api/v2/sessions/:secret"

Example of request parameters

{"data":{},"exp":1574093210}

Example of response

{"data":{"session_secret":"_PkwuzoztNR3vz2-MzrJ"}}
Request

DELETE /api/v2/sessions/:secret

Headers

| Header | Type | Description |
|---|---|---|
| Authorization | string, required | JSON Web Token containing the payload, signed using RS256 and application.private_key. Can raise: AuthorizationMissing |
| App-Id | string, required | Application's app_id from the connection details tab. Can raise: OauthAppNotFound, CertificateNotFound |
| App-Secret | string, required | Application's app_secret from the connection details tab. |
| Client-Request-Id | string, optional | Request identifier. If present, it will be returned within the meta field of the response. |

Unpacked Request Authorization (JWT payload)

- data (hash, required): Wrapper for the data.
- exp (integer, required): Lifetime of the request as a UTC Unix timestamp; must be greater than the current time.
- secret (path; string, required): Session secret. Can raise: SessionNotFound, SessionClosed, SessionExpired, ActionNotAllowed
Response

Upon a successful request, a 200 status code is returned. See the ‘Related Errors’ table for other possibilities.


Related Errors

| Class | Code | Description |
|---|---|---|
| SessionClosed | 400 | Session specified in request is already closed and cannot be modified. |
| SessionExpired | 401 | Found session is expired and cannot be processed anymore. |
| AuthorizationMissing | 401 | Authorization header is missing. |
| SessionNotFound | 404 | Session specified in request does not exist or cannot be retrieved. |
| OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
| CertificateNotFound | 404 | Certificate has no permissions. |
| ActionNotAllowed | 406 | You're not allowed to perform this action. This might be a configuration problem or parameters incompatibility. |

Index

Returns all ASPSPs that have approved access for your TPP. More information can be found in the #requesting-provider-access section.

CURL

curl -i \
 -H "App-Id: 5L1UlLqFeEjlFlJ4dzJFDw" \
 -H "App-Secret: ym7AeWUYxHp0KG4MghAo-g" \
 -H "Client-Request-Id: 17" \
 -X GET "/api/v2/providers"

Example of request parameters

{"per_page":50,"from_id":1}

Example of response

{"data":[{"id":846,"name":"Example Name","code":"demobank","connector_url":"https://user.will.be/redirected/here","status":"live","scopes":["accounts","transactions","kyc","payments","funds_availability","trusted_beneficiaries"],"created_at":"2019-11-18T16:04:50.725Z","updated_at":"2019-11-18T16:04:50.725Z","authorization_types":[{"code":"sms_pin","display_name":"SMS-PIN","scopes":["accounts","transactions"],"instruction":"Use PIN code from SMS to authorize.","required_fields":[{"code":"req_field","optional":"false","display_name":"Sms_pin","type":"string"}],"mfa_fields":[{"code":"req_field2","optional":"false","display_name":"Password","type":"string"}],"sandbox_credentials":{"required_fields":[{"example":"req_field","code":"req_field"}],"mfa_fields":[{"example":"mfa_field","code":"mfa_field"}]}}]}],"meta":{"next_id":2,"time":"2019-11-18T16:04:50.725Z"}}
Request

GET /api/v2/providers

Headers

| Header | Type | Description |
|---|---|---|
| App-Id | string, required | Application's app_id from the connection details tab. Can raise: OauthAppNotFound, CertificateNotFound |
| App-Secret | string, required | Application's app_secret from the connection details tab. |
| Client-Request-Id | string, optional | Request identifier. If present, it will be returned within the meta field of the response. |

Unpacked Request Authorization

- per_page (integer, optional): Number of providers to return per request (at most that many). Values in range: 1 to 1000. Default value: 20.
- from_id (integer, optional): Return providers starting from a specific id. Values greater than: 0. Default value: 0.
Response

Upon a successful request, a 200 status code is returned. See the ‘Related Errors’ table for other possibilities.


Related Errors

| Class | Code | Description |
|---|---|---|
| OauthAppNotFound | 404 | OAuth Application specified in request does not exist or cannot be retrieved. |
| CertificateNotFound | 404 | Certificate has no permissions. |