OBWG PSD2 AIS APIs Flow

OBWG PSD2 AIS

OBWG PSD2 AIS APIs

API Name                 API Endpoint                                   API Description
Account Access Consent   POST /account-access-consent                   Creates an account access consent request; the PSU then approves it through the OAuth flow.
Account Consent Delete   DELETE /account-access-consents/{ConsentId}    Deletes the account access consent.
Account Bulk             GET /accounts                                  Returns the list of accounts with their details.
Account Specific         GET /accounts/{AccountId}                      Returns the details of a specific account.
Balance Bulk             GET /balances                                  Returns the balances of all accounts.
Balance Specific         GET /accounts/{AccountId}/balances             Returns the balances of a specific account.
Transactions Bulk        GET /transactions                              Returns the transactions of all accounts.
Transactions Specific    GET /accounts/{AccountId}/transactions         Returns the transactions of a specific account.

Implicit Consent

If GET /bank returns AisConsentType as IMPLICIT, the implicit flow applies.

Step 1: Authorize

  1. The Fintech / TPP redirects the PSU to the PSD2 IO ‘/authorize’ URL with the TPP Redirect URL, Client Id, State and UserId, for authentication and authorization of the PSU. The State should be an unguessable per-session value, because the TPP checks it on the callback.
  2. The PSU's browser is redirected to the PSD2 IO authorize URL.
  3. PSD2 IO redirects the PSU's browser to the ASPSP authorize URL.
  4. The ASPSP redirects the PSU to its login page for authentication.
  5. The PSU authenticates with their credentials on the ASPSP's login page.
  6. Once authenticated, the ASPSP asks the PSU to allow access (authorization).
  7. The PSU allows access.
  8. The ASPSP returns its auth code (B) and state on the callback URL of PSD2 IO; this code is consumed by PSD2 IO and never reaches the TPP.
  9. PSD2 IO returns its own auth code (P) and state on the callback URL of the TPP. The TPP must verify that the returned state matches the one it sent before using the code.

Step 2: Access Token

  1. The Fintech / TPP calls the ‘/token’ API of PSD2 IO with the auth code (P) received on the callback.
  2. PSD2 IO returns the access token to the TPP.

Step 3: Get Accounts/Balances/Transactions

  1. The Fintech / TPP calls the GET ‘/accounts’ API using the access token received.
  2. PSD2 IO returns the response to the TPP.
  3. The TPP shows the response to the PSU on the TPP UI.
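The authorization-code leg of Steps 1 to 3 (build the ‘/authorize’ URL, accept the callback, exchange auth code (P) for a token, call GET ‘/accounts’) as a runnable example added here; it is not PSD2 IO's own client or server code. The host names, the query parameter names on ‘/authorize’, the ‘/token’ request body and the response shapes are assumptions, since the page names only the paths and the parameters; a constructed fake transport stands in for PSD2 IO so the flow runs offline. The same leg is Steps 3 to 5 of the explicit OAuth SCA flow. The point the code makes is the two checks a TPP must perform: the state on the callback must match the session that started the redirect, and a code is single-use, so a replayed code must fail at ‘/token’.

```python
"""Authorization-code leg: /authorize -> callback -> /token -> /accounts.

Added example, not PSD2 IO code. Hosts, parameter names and response
shapes are assumptions; the fake_post/fake_get transport is constructed.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PSD2_IO_BASE = "https://psd2io.example"            # assumed host for /authorize, /token, /accounts
TPP_REDIRECT_URL = "https://tpp.example/callback"  # assumed TPP callback URL


class AuthorizeSession:
    """One PSU authorization attempt. The random `state` binds the callback to this session."""

    def __init__(self, client_id, user_id):
        self.client_id = client_id
        self.user_id = user_id
        self.state = secrets.token_urlsafe(32)   # unguessable, per session

    def authorize_url(self):
        # Step 1.1: Redirect URL, Client Id, State, UserId. Parameter names are assumptions.
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": TPP_REDIRECT_URL,
            "state": self.state,
            "user_id": self.user_id,
        }
        return f"{PSD2_IO_BASE}/authorize?{urlencode(params)}"

    def code_from_callback(self, callback_url):
        """Step 1.9: take auth code (P) from the TPP callback only if `state` matches."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [""])[0]
        if not hmac.compare_digest(state, self.state):
            # A callback with a foreign state could splice an attacker's authorization
            # into this PSU's session (login CSRF); refuse it.
            raise ValueError("state mismatch: callback is not bound to this session")
        code = query.get("code", [""])[0]
        if not code:
            raise ValueError("callback carries no authorization code")
        return code


def exchange_code(http_post, client_id, client_secret, code):
    """Step 2: POST /token with auth code (P); returns the access token."""
    resp = http_post(
        f"{PSD2_IO_BASE}/token",
        data={"grant_type": "authorization_code", "code": code, "redirect_uri": TPP_REDIRECT_URL},
        auth=(client_id, client_secret),
    )
    if "access_token" not in resp:
        raise RuntimeError(f"token endpoint returned no access_token: {resp}")
    return resp["access_token"]


def get_accounts(http_get, access_token):
    """Step 3: GET /accounts with the bearer token."""
    return http_get(f"{PSD2_IO_BASE}/accounts", headers={"Authorization": f"Bearer {access_token}"})


# --- constructed fake PSD2 IO transport so the flow runs offline ------------------
ISSUED_CODES = {"P-code-123": "tok-abc"}   # auth code (P) -> token; code (B) never reaches the TPP
VALID_TOKENS = {"tok-abc"}


def fake_post(url, data, auth):
    if url.endswith("/token") and data["code"] in ISSUED_CODES and data["redirect_uri"] == TPP_REDIRECT_URL:
        return {"access_token": ISSUED_CODES.pop(data["code"]), "token_type": "Bearer"}  # single-use code
    return {"error": "invalid_grant"}


def fake_get(url, headers):
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if url.endswith("/accounts") and token in VALID_TOKENS:
        return {"Data": {"Account": [{"AccountId": "acc-1", "Currency": "GBP"}]}}  # constructed data
    return {"error": "invalid_token"}


def run_flow(session, callback_url, client_secret="s3cret"):
    """Steps 1.9 -> 2 -> 3 end to end against the fake transport; returns the accounts payload."""
    code = session.code_from_callback(callback_url)
    token = exchange_code(fake_post, session.client_id, client_secret, code)
    return get_accounts(fake_get, token)


if __name__ == "__main__":
    s = AuthorizeSession("tpp-client", "psu-42")
    print(s.authorize_url())
    print(run_flow(s, f"{TPP_REDIRECT_URL}?code=P-code-123&state={s.state}"))
```

Running the module prints the authorize URL the PSU would be sent to and the accounts payload obtained after the callback; feeding the same callback a second time fails at the token step, which is the behaviour a TPP should rely on when it sees a duplicated callback.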

Explicit Consent - OAuth SCA

If GET /bank returns AisConsentType as EXPLICIT, the explicit flow applies.

Step 1: Pre-step OAuth

  1. The PSU asks the Fintech / TPP to fetch their accounts from the ASPSP.
  2. Depending on the destination bank, the TPP first obtains an access token through an OAuth authorization_code (A.C.) or client_credentials (C.C.) grant.

Step 2: Account Access Consent Request

  1. The Fintech / TPP sends the account access consent request to PSD2 IO with the A.C. / C.C. access token.
  2. PSD2 IO returns a response containing the ConsentId and the SCA approach (OAuth) to the TPP.

Step 3: Authorize

  1. The Fintech / TPP redirects the PSU to the PSD2 IO ‘/authorize’ URL with the TPP Redirect URL, Client Id, State and UserId, for authentication and authorization of the PSU. The State should be an unguessable per-session value, because the TPP checks it on the callback.
  2. The PSU's browser is redirected to the PSD2 IO authorize URL.
  3. PSD2 IO redirects the PSU's browser to the ASPSP authorize URL.
  4. The ASPSP redirects the PSU to its login page for authentication.
  5. The PSU authenticates with their credentials on the ASPSP's login page.
  6. Once authenticated, the ASPSP asks the PSU to allow access (authorization).
  7. The PSU allows access.
  8. The ASPSP returns its auth code (B) and state on the callback URL of PSD2 IO; this code is consumed by PSD2 IO and never reaches the TPP.
  9. PSD2 IO returns its own auth code (P) and state on the callback URL of the TPP. The TPP must verify that the returned state matches the one it sent before using the code.

Step 4: Access Token

  1. The Fintech / TPP calls the ‘/token’ API of PSD2 IO with the auth code (P) received on the callback.
  2. PSD2 IO returns the access token to the TPP.

Step 5: Get Accounts/Balances/Transactions

  1. The Fintech / TPP calls the GET ‘/accounts’ API using the access token received.
  2. PSD2 IO returns the response to the Fintech / TPP.
  3. The Fintech / TPP shows the response to the PSU on the Fintech / TPP UI.

Explicit Consent - Redirect SCA

Step 1: Pre-step OAuth

  1. The PSU asks the Fintech / TPP to fetch their accounts from the ASPSP.
  2. Depending on the destination bank, the TPP first obtains an access token through an OAuth authorization_code (A.C.) or client_credentials (C.C.) grant.

Step 2: Account Access Consent Request

  1. The Fintech / TPP sends the account access consent request to PSD2 IO with the A.C. / C.C. access token.
  2. PSD2 IO returns a response containing the ConsentId and the SCA approach (here Redirect) to the TPP.

Step 3: Redirect

  1. The Fintech / TPP redirects the PSU to the ‘/redirect’ URL with the Client Id and ConsentId, so the PSU can authenticate and authorise that ConsentId.
  2. The PSU's browser is redirected to the PSD2 IO redirect URL.
  3. PSD2 IO redirects the PSU's browser to the ASPSP redirect URL.
  4. The ASPSP redirects the PSU to its login page for authentication.
  5. The PSU authenticates with their credentials on the ASPSP's login page.
  6. Once authenticated, the ASPSP asks the PSU to allow access (authorization).
  7. The PSU allows access.
  8. The ASPSP returns success along with the ConsentId on the success URL of PSD2 IO.
  9. PSD2 IO returns success along with the ConsentId on the success URL of the TPP. The TPP should treat this success callback as a notification only and confirm the consent status server-side before relying on it.

Step 4: Get Accounts/Balances/Transactions

  1. The Fintech / TPP calls the GET ‘/accounts’ API using the access token received in the pre-step (Step 3 issues no new token).
  2. PSD2 IO returns the response to the Fintech / TPP.
  3. The Fintech / TPP shows the response to the PSU on the Fintech / TPP UI.

Explicit Consent - Embedded SCA

Step 1: Pre-step OAuth

  1. The PSU asks the Fintech / TPP to fetch their accounts from the ASPSP.
  2. Depending on the destination bank, the TPP first obtains an access token through an OAuth authorization_code (A.C.) or client_credentials (C.C.) grant.

Step 2: Account Access Consent Request

  1. The Fintech / TPP sends the account access consent request to PSD2 IO with the A.C. / C.C. access token.
  2. PSD2 IO returns a response containing the ConsentId and the SCA approach (here Embedded) to the Fintech / TPP.

Step 3: Embedded SCA

  1. The Fintech / TPP asks the PSU to answer the challenge returned in the account access consent response (an OTP in this example).
  2. The PSU enters and submits the challenge data, e.g. the OTP.
  3. The Fintech / TPP calls the authorize consent API with the A.C. / C.C. access token and the challenge data (the OTP).
  4. PSD2 IO returns the response to the Fintech / TPP.

Step 4: Get Accounts/Balances/Transactions

  1. The Fintech / TPP calls the GET ‘/accounts’ API using the access token received in the pre-step (Step 3 issues no new token).
  2. PSD2 IO returns the response to the Fintech / TPP.
  3. The Fintech / TPP shows the response to the PSU on the Fintech / TPP UI.

Explicit Consent - Embedded SCA with SCA Method Selection

Step 1: Pre-step OAuth

  1. The PSU asks the Fintech / TPP to fetch their accounts from the ASPSP.
  2. Depending on the destination bank, the TPP first obtains an access token through an OAuth authorization_code (A.C.) or client_credentials (C.C.) grant.

Step 2: Account Access Consent Request

  1. The Fintech / TPP sends the account access consent request to PSD2 IO with the A.C. / C.C. access token.
  2. PSD2 IO returns a response containing the ConsentId, the SCA approach (here Embedded) and the available SCA methods to the Fintech / TPP.

Step 3: Embedded SCA with SCA Method Selection

  1. The Fintech / TPP asks the PSU to select an SCA method from those received in the response.
  2. The PSU selects the SCA method.
  3. The TPP calls the select authentication API with the A.C. / C.C. access token and the selected SCA method.
  4. PSD2 IO returns the response to the TPP.
  5. The Fintech / TPP asks the PSU to answer the challenge returned in the select authentication API response (an OTP in this example).
  6. The PSU enters and submits the challenge data, e.g. the OTP.
  7. The Fintech / TPP calls the authorize consent API with the A.C. / C.C. access token and the challenge data (the OTP).
  8. PSD2 IO returns the response to the Fintech / TPP.

Step 4: Get Accounts/Balances/Transactions

  1. The Fintech / TPP calls the GET ‘/accounts’ API using the access token received in the pre-step (Step 3 issues no new token).
  2. PSD2 IO returns the response to the TPP.
  3. The Fintech / TPP shows the response to the PSU on the Fintech / TPP UI.
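The two embedded flows above, Embedded SCA and Embedded SCA with SCA Method Selection, as one runnable example added here; it is not PSD2 IO's own server or the OBWG reference code. The consent store is a constructed stand-in for the state PSD2 IO / the ASPSP keeps per ConsentId, and the field names (Status, ScaApproach, ScaMethods, ChallengeData), the status values, the retry limit and the way the OTP is "delivered" are all assumptions. What the example shows that the step lists do not is the gating a practitioner should expect and test for: GET ‘/accounts’ is refused until the consent is authorised, a wrong OTP counts against a bounded number of attempts, and a rejected consent cannot be revived with the correct OTP afterwards.

```python
"""Explicit consent with embedded SCA, with and without SCA method selection.

Added example, not PSD2 IO code. ConsentStore is a constructed simulation of the
consent state held per ConsentId; field names, statuses and the attempt limit are
assumptions.
"""
import hmac
import secrets


class ConsentStore:
    MAX_OTP_ATTEMPTS = 3   # assumed lockout threshold

    def __init__(self, sca_methods, delivered_otp):
        self.sca_methods = list(sca_methods)
        self._delivered_otp = delivered_otp   # constructed: a real ASPSP sends the OTP out of band
        self.tokens = set()
        self.consents = {}

    def issue_client_credentials_token(self):
        """Step 1 (pre-step OAuth): only the resulting C.C. token matters here, so the grant is elided."""
        token = secrets.token_urlsafe(16)
        self.tokens.add(token)
        return token

    def _check_token(self, token):
        if token not in self.tokens:
            raise PermissionError("invalid access token")

    def _challenge(self, method):
        return {"Method": method, "Type": "OTP", "Length": len(self._delivered_otp)}

    def create_consent(self, token):
        """Step 2: POST /account-access-consent -> ConsentId plus SCA approach.

        With one SCA method the challenge rides along in this response; with several,
        the PSU must pick one first (Step 3 of the method-selection flow)."""
        self._check_token(token)
        consent_id = "consent-" + secrets.token_hex(4)
        multi = len(self.sca_methods) > 1
        self.consents[consent_id] = {"Status": "AwaitingAuthorisation",
                                     "Method": None if multi else self.sca_methods[0], "Attempts": 0}
        resp = {"ConsentId": consent_id, "Status": "AwaitingAuthorisation", "ScaApproach": "EMBEDDED"}
        if multi:
            resp["ScaMethods"] = list(self.sca_methods)
        else:
            resp["ChallengeData"] = self._challenge(self.sca_methods[0])
        return resp

    def select_authentication(self, token, consent_id, method):
        """Select authentication API: fix the SCA method, return the challenge."""
        self._check_token(token)
        c = self.consents[consent_id]
        if c["Status"] != "AwaitingAuthorisation" or c["Method"] is not None:
            raise ValueError("consent is not awaiting method selection")
        if method not in self.sca_methods:
            raise ValueError("unknown SCA method")
        c["Method"] = method
        return {"ConsentId": consent_id, "ChallengeData": self._challenge(method)}

    def authorize_consent(self, token, consent_id, otp):
        """Authorize consent API: check the OTP with a constant-time compare and a bounded attempt count."""
        self._check_token(token)
        c = self.consents[consent_id]
        if c["Status"] != "AwaitingAuthorisation" or c["Method"] is None:
            raise ValueError("consent is not ready for a challenge response")
        c["Attempts"] += 1
        if hmac.compare_digest(str(otp), self._delivered_otp):
            c["Status"] = "Authorised"
        elif c["Attempts"] >= self.MAX_OTP_ATTEMPTS:
            c["Status"] = "Rejected"   # terminal: the correct OTP no longer helps
        return {"ConsentId": consent_id, "Status": c["Status"]}

    def get_accounts(self, token, consent_id):
        """Step 4: GET /accounts is gated on an authorised consent, not just a valid token."""
        self._check_token(token)
        c = self.consents.get(consent_id)
        if c is None or c["Status"] != "Authorised":
            raise PermissionError("consent not authorised")
        return [{"AccountId": "acc-1", "Currency": "EUR"}]   # constructed data


def run_embedded_flow(store, pick_method, read_otp):
    """TPP side of Steps 1-4; pick_method/read_otp stand in for the PSU's answers on the TPP UI."""
    token = store.issue_client_credentials_token()
    consent = store.create_consent(token)
    consent_id = consent["ConsentId"]
    if "ScaMethods" in consent:                               # method-selection variant
        consent = store.select_authentication(token, consent_id, pick_method(consent["ScaMethods"]))
    result = store.authorize_consent(token, consent_id, read_otp(consent["ChallengeData"]))
    if result["Status"] != "Authorised":
        return result
    return store.get_accounts(token, consent_id)


if __name__ == "__main__":
    store = ConsentStore(["SMS_OTP", "PUSH_OTP"], delivered_otp="123456")
    print(run_embedded_flow(store, pick_method=lambda ms: ms[0], read_otp=lambda ch: "123456"))
```

The module run prints the constructed accounts list after the PSU "picks" SMS_OTP and "enters" the correct OTP; swapping the OTP for a wrong one returns the consent status instead, and after the third wrong attempt the status is Rejected.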

Explicit Consent - Decoupled SCA

Step 1: Pre-step OAuth

  1. The PSU asks the Fintech / TPP to fetch their accounts from the ASPSP.
  2. Depending on the destination bank, the Fintech / TPP first obtains an access token through an OAuth authorization_code (A.C.) or client_credentials (C.C.) grant.

Step 2: Account Access Consent Request

  1. The Fintech / TPP sends the account access consent request to PSD2 IO with the A.C. / C.C. access token.
  2. PSD2 IO returns a response containing the ConsentId and the SCA approach (here Decoupled) to the Fintech / TPP.

Step 3: Provide accounts access consent on ASPSP application

  1. The Fintech / TPP shows the PSU a message asking them to grant the account access consent in the ASPSP application.
  2. The PSU grants the account access consent in the ASPSP application.
  3. PSD2 IO returns success along with the ConsentId on the success URL of the Fintech / TPP.

Step 4: Get Accounts/Balances/Transactions

  1. The Fintech / TPP calls the GET ‘/accounts’ API using the access token received in the pre-step (Step 3 issues no new token).
  2. PSD2 IO returns the response to the TPP.
  3. The Fintech / TPP shows the response to the PSU on the Fintech / TPP UI.

Explicit Consent - Decoupled SCA with Update Identification

Step 1: Pre-step OAuth

  1. The PSU asks the Fintech / TPP to fetch their accounts from the ASPSP.
  2. Depending on the destination bank, the TPP first obtains an access token through an OAuth authorization_code (A.C.) or client_credentials (C.C.) grant.

Step 2: Account Access Consent Request

  1. The Fintech / TPP sends the account access consent request to PSD2 IO with the A.C. / C.C. access token.
  2. PSD2 IO returns a response containing the ConsentId and the SCA approach (here Decoupled) to the TPP.

Step 3: Decoupled SCA with Update Identification

  1. The Fintech / TPP asks the PSU to update their identification data.
  2. The PSU enters their identification data, e.g. PSU-Id.
  3. The Fintech / TPP calls the update identification API with the PSU identification data and the C.C. access token.
  4. PSD2 IO returns the response to the Fintech / TPP.

Step 4: Provide accounts access consent on ASPSP application

  1. The Fintech / TPP shows the PSU a message asking them to grant the account access consent in the ASPSP application.
  2. The PSU grants the account access consent in the ASPSP application.
  3. PSD2 IO returns success along with the ConsentId on the success URL of the Fintech / TPP.

Step 5: Get Accounts/Balances/Transactions

  1. The Fintech / TPP calls the GET ‘/accounts’ API using the access token received in the pre-step (Steps 3 and 4 issue no new token).
  2. PSD2 IO returns the response to the Fintech / TPP.
  3. The TPP shows the response to the PSU on the TPP UI.