Onboarding your user

Before your first call to the account information services API, your user (the PSU) must authorize you to access their personal data.

1. Register Consent

1.1. Your application initiates the flow by creating a Consent with the POST Consent endpoint and then starting the authorization by making a GET /oauth2/authorize request.

The following character set is accepted in request fields:

a b c d e f g h i j k l m n o p q r s t u v w x y z


0 1 2 3 4 5 6 7 8 9

/ - ? : ( ) . , ' +


A request containing any character outside this set is rejected.


We support the Detailed Consent Model according to the Berlin Group standard, with the following consent access types accepted:

    • Accounts - with a non-empty array of account references (at least 1 IBAN provided);
    • Balances - with a non-empty array of account references (at least 1 IBAN provided);
    • Transactions - with a non-empty array of account references (at least 1 IBAN provided);

1.2. Authentication can be performed on the web portal as well as in the mobile application (Android/iOS), depending on the customer's preference. The bank authenticates the PSU and establishes whether the PSU grants or denies your access request. The bank performs Strong Customer Authentication (SCA) for the client as required by the RTS.

Note: The app2app flow is available for the AIS flow (APIs v1.3.2).

1.3. Assuming the PSU grants access, the bank server redirects the user's browser back to your application using the redirect URI provided during your application registration. The redirect carries an authorization code.

Note: For the app2app flow to work, both applications (the TPP app and the bank's authentication app) must be installed on the same device.

1.4. Your application requests an access token from the bank server's token endpoint by including the authorization code received in the previous step. The authorization code exchange is carried out by making a POST /oauth2/token request.

1.5. The bank server authenticates your application, validates the authorization code and checks that the redirect URI received matches the URI used to redirect your application in step 1.3. If everything is valid, the bank server responds with an access token and a refresh token. The issued refresh token expires after 90 days, after which the client has to complete a new authorization.
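Steps 1.1 to 1.5 as an added Python example. This is not the bank's SDK and not code from this page: it builds the consent body, the authorize URL, the redirect check and the token request offline, without sending anything. Assumptions, also marked in the code: the OAuth 2.0 parameter names are the standard ones from RFC 6749; the consent body uses Berlin Group NextGenPSD2 field names (access, recurringIndicator, validUntil, frequencyPerDay, combinedServiceIndicator); the consent is referenced from the authorize request through a placeholder scope value, which the bank's own documentation has to confirm; and letters are compared case-insensitively against the accepted character set so that uppercase IBANs pass.

```python
# Added example (not the bank's own SDK or code from this page): consent
# creation and authorization-code exchange for steps 1.1-1.5, built offline.
# Assumptions: RFC 6749 parameter names; Berlin Group consent field names;
# the consent reference in "scope" is a placeholder; the accepted character
# set is matched case-insensitively so uppercase IBANs pass.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Character set accepted by the API, as listed on the page.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789/-?:().,'+")


def check_charset(value: str) -> bool:
    """True when every character of value (compared lower-case) is accepted."""
    return all(ch in ALLOWED for ch in value.lower())


def build_consent(ibans, access_types=("accounts", "balances", "transactions"),
                  valid_until="2025-12-31", frequency_per_day=4):
    """Step 1.1 body for POST Consent: detailed model, every access type
    lists at least one IBAN. Rejects what the bank would reject up front."""
    if not ibans:
        raise ValueError("detailed consent needs at least one IBAN per access type")
    for iban in ibans:
        if not check_charset(iban):
            raise ValueError(f"{iban!r} contains characters outside the accepted set")
    refs = [{"iban": iban} for iban in ibans]
    return {
        "access": {t: list(refs) for t in access_types},
        "recurringIndicator": True,
        "validUntil": valid_until,
        "frequencyPerDay": frequency_per_day,
        "combinedServiceIndicator": False,
    }


def build_authorize_url(base_url, client_id, redirect_uri, consent_id):
    """Step 1.1: URL the PSU is sent to for GET /oauth2/authorize.
    Returns (url, state). Persist state in the PSU's session and check it on
    the redirect; without that check an attacker can splice in their own code."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": f"AIS:{consent_id}",   # assumption: how the consent is referenced
        "state": state,
    }
    return f"{base_url}/oauth2/authorize?{urlencode(params)}", state


def parse_redirect(redirect_url, expected_state):
    """Step 1.3: extract the authorization code from the redirect back to the
    TPP. The state comparison happens before anything else is trusted."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged redirect")
    if "error" in query:
        raise PermissionError(f"PSU denied or bank error: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 1.4 form body for POST /oauth2/token. redirect_uri must be exactly
    the value sent in the authorize request; the bank compares them (step 1.5)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    # Constructed sample data; nothing is sent over the network.
    consent = build_consent(["LT121000011101001000"])
    url, state = build_authorize_url("https://api.bank.example", "tpp-app",
                                     "https://tpp.example/callback", "consent-123")
    code = parse_redirect(f"https://tpp.example/callback?code=AUTHCODE&state={state}", state)
    print(consent)
    print(url)
    print(build_token_request(code, "tpp-app", "tpp-secret", "https://tpp.example/callback"))
```

The state value is the one part of this exchange the bank cannot check for you: it ties the redirect to the session that started the authorization, so a mismatch must abort the flow rather than fall through to the token request.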

After token revocation

An issued token is revoked when the PSU revokes the Consent given to the TPP, or when its validity period ends (90 days by default for the PSD2 AISP APIs, 24 hours in the Sandbox). In both cases the bank server responds to your API call with HTTP 401 Unauthorized, and you need to run the consent-granting flow again.


2. Get Consent Status

2.1. Your application sends GET /consents/{consentId}/status;

2.2. The bank server validates the access token and returns the consent status;


3. Get Consent Details 

3.1. Your application sends GET /consents/{consentId};

3.2. The bank server validates the access token and returns the consent details;


4. Get Consented Accounts List

4.1. Your application sends a GET /accounts request with a valid access token.

4.2. The bank server validates the access token and returns the list of consented accounts.


5. Get Account Balances 

5.1. To provide your user with balance information about an account, your application sends a GET /accounts/{id}/balance request with a valid access token.

5.2. The bank server validates the access token and returns the account's balances.


6. Get Account Transactions History  

6.1. Your application requests the account transaction history with GET /accounts/{id}/transactions and a valid access token.

6.2. The bank server validates the access token and returns a page of the transaction history report for the respective account.


The transaction history response is paginated when it contains multiple transaction records. Keep the number of records per page (the value of the pageSize request parameter) within reasonable limits: at least 10 records (except on the last page, where fewer may remain) and at most 100 records.


7. Delete Consent 

7.1. Your application sends DELETE /consents/{consentId};

7.2. The bank server validates the access token and returns a response message.


8. Refresh Expired Access Token

When an access token obtained through an authorization code grant expires, your application should obtain a new access token and refresh token by calling POST /oauth2/token with the refresh token (grant_type=refresh_token). For more information see Section 6, Refreshing an Access Token, of the OAuth 2.0 specification (RFC 6749).

If your application cannot obtain an access token with the refresh token, it has to ask the PSU to complete a fresh authorization code grant against the existing consent.
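The token lifecycle of this section together with the HTTP 401 behaviour described under "After token revocation", as an added Python example (not the bank's SDK and not code from this page). The bank is replaced by a constructed in-memory fake that enforces the page's 90-day refresh-token lifetime and consent revocation; the token strings, the simulated response bodies and the use of an invalid_grant error for a failed refresh are assumptions. The client refreshes once on a 401 and otherwise hands the PSU back to the authorization flow, which is the rule the two passages describe.

```python
# Added example (not the bank's SDK or code from this page): 401 handling,
# refresh on expiry, and fallback to a new authorization code grant.
# Assumptions: token strings, response bodies and the invalid_grant error
# of the fake bank below are constructed for the example.
import time
from dataclasses import dataclass

REFRESH_LIFETIME = 90 * 24 * 3600   # refresh token validity from the page: 90 days


class ReauthorizationRequired(Exception):
    """Refresh failed: the PSU must complete a fresh authorization code grant."""


@dataclass
class Tokens:
    access: str
    refresh: str
    refresh_issued_at: float


class FakeBank:
    """Constructed stand-in for the bank server, not the real API."""

    def __init__(self, now=time.time):
        self.now = now
        self.valid_access = set()
        self.refresh_issued = {}      # refresh token -> time it was issued
        self.consent_revoked = False
        self.counter = 0

    def issue(self):
        """Issue an access/refresh pair, as the token endpoint does in step 1.5."""
        self.counter += 1
        t = Tokens(f"at{self.counter}", f"rt{self.counter}", self.now())
        self.valid_access.add(t.access)
        self.refresh_issued[t.refresh] = t.refresh_issued_at
        return t

    def expire_access(self, access):
        self.valid_access.discard(access)

    def get(self, path, access):
        """Any AIS call: 401 when the token is unknown or the consent is revoked."""
        if self.consent_revoked or access not in self.valid_access:
            return 401, {"error": "unauthorized"}
        return 200, {"path": path, "accounts": []}

    def post_token_refresh(self, refresh):
        """POST /oauth2/token with grant_type=refresh_token (single use here)."""
        issued = self.refresh_issued.pop(refresh, None)
        if issued is None or self.consent_revoked or self.now() - issued > REFRESH_LIFETIME:
            return 400, {"error": "invalid_grant"}
        return 200, self.issue()


class AisClient:
    """TPP side: holds the tokens, refreshes once on 401, then gives up."""

    def __init__(self, bank, tokens):
        self.bank = bank
        self.tokens = tokens

    def refresh(self):
        status, body = self.bank.post_token_refresh(self.tokens.refresh)
        if status != 200:
            raise ReauthorizationRequired(body["error"])
        self.tokens = body

    def get(self, path):
        status, body = self.bank.get(path, self.tokens.access)
        if status == 401:
            self.refresh()            # raises ReauthorizationRequired on failure
            status, body = self.bank.get(path, self.tokens.access)
            if status == 401:         # do not loop: a 401 after refresh means re-consent
                raise ReauthorizationRequired("still unauthorized after refresh")
        return body


def scenario():
    """Run the three situations the page describes and report what happened."""
    clock = [0.0]
    bank = FakeBank(now=lambda: clock[0])
    client = AisClient(bank, bank.issue())
    out = {"fresh": client.get("/accounts")["path"]}

    bank.expire_access(client.tokens.access)          # access token expired
    out["after_expiry"] = client.get("/accounts")["path"]
    out["token_after_refresh"] = client.tokens.access  # transparently refreshed

    clock[0] = REFRESH_LIFETIME + 1                     # 90 days have passed
    bank.expire_access(client.tokens.access)
    try:
        client.get("/accounts")
        out["after_90d"] = "ok"
    except ReauthorizationRequired:
        out["after_90d"] = "reauthorize"

    bank2 = FakeBank()
    client2 = AisClient(bank2, bank2.issue())
    bank2.consent_revoked = True                        # PSU revoked the consent
    try:
        client2.get("/accounts")
        out["after_revocation"] = "ok"
    except ReauthorizationRequired:
        out["after_revocation"] = "reauthorize"
    return out


if __name__ == "__main__":
    print(scenario())
```

The single-retry rule matters in production: a client that refreshes in a loop on every 401 will hammer the token endpoint after a consent revocation instead of surfacing the state to the PSU. Store the refresh token with the same care as a credential, since whoever holds it can mint access tokens for the remaining part of the 90 days.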