Flow

Onboarding your user

Before your first call to the confirmation of funds services API, your user (the PSU, payment service user) must authorize you to access their personal data.

1. Register Consent

1.1. Your application initiates the flow by creating a consent with the POST Consent endpoint and then sending the PSU's browser to the bank's GET /oauth2/authorize endpoint to authorize that consent.

The following character set is accepted:

a b c d e f g h i j k l m n o p q r s t u v w x y z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

0 1 2 3 4 5 6 7 8 9

/ - ? : ( ) . , ' +

Space

A request that contains any other (special) character is rejected.

A confirmation of funds consent can be created for exactly one IBAN.
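Because a request with a disallowed character or a malformed account reference is simply rejected, it is worth checking the consent body on your side before sending it. The following is an added example, not the bank's own code: it enforces the character set listed above on every string field of the request, requires exactly one account reference, and runs the ISO 13616 mod-97 check on the IBAN. The field layout (`account.iban` plus arbitrary other string fields) is an assumption.

```python
"""Client-side checks for a confirmation-of-funds consent request.

Added example, not the bank's code. The body layout (account.iban and any
other string fields) is assumed; the character set is the one the page lists.
"""
import re

# Exactly the characters the page accepts: letters, digits, / - ? : ( ) . , ' + and space.
ALLOWED = re.compile(r"^[A-Za-z0-9/\-?:().,'+ ]*$")
# Country code, two check digits, 11 to 30 alphanumerics (BBAN length varies by country).
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def text_allowed(value: str) -> bool:
    """True if value uses only the permitted character set."""
    return bool(ALLOWED.match(value))


def iban_valid(iban: str) -> bool:
    """Syntactic IBAN check: layout plus the ISO 13616 mod-97 checksum."""
    compact = iban.replace(" ", "").upper()
    if not IBAN_RE.match(compact):
        return False
    # Move the first four characters to the end, map letters to 10..35, then mod 97 must be 1.
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def _walk(node, path="body"):
    """Yield (path, value) for every leaf in a nested dict/list structure."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{path}[{i}]")
    else:
        yield path, node


def validate_consent_request(body: dict) -> list:
    """Return the list of problems; an empty list means the request can be sent."""
    problems = []
    account = body.get("account")
    # The page allows exactly one IBAN per consent: no list of accounts, no missing account.
    if not isinstance(account, dict):
        problems.append("consent must reference exactly one account object")
    else:
        iban = account.get("iban", "")
        if not iban_valid(iban):
            problems.append(f"invalid IBAN: {iban!r}")
    for path, value in _walk(body):
        if isinstance(value, str) and not text_allowed(value):
            problems.append(f"disallowed character in {path}: {value!r}")
    return problems


# Constructed sample bodies (the IBAN is the well-known GB example value).
GOOD_BODY = {"account": {"iban": "GB82WEST12345698765432"},
             "cardInformation": "Debit card ending 4242 (O'Brien + Co)"}
BAD_BODY = {"account": [{"iban": "GB82WEST12345698765432"}, {"iban": "GB82WEST12345698765433"}],
            "cardInformation": "Kärnten & Co"}
```

The mod-97 check catches transposed or mistyped digits before the bank does, which saves a round trip and an error response; it does not tell you the account exists or that the PSU owns it, which is what the SCA step establishes.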

1.2. The bank authenticates the PSU, performs strong customer authentication (SCA) as required by the RTS, and establishes whether the PSU grants or denies your access request.

1.3. Assuming the PSU grants access, the bank server redirects the user's browser back to your application using the redirection URI provided during your application registration. The redirection URI includes an authorization code.

1.4. Your application requests an access token from the bank server's token endpoint by including the authorization code received in the previous step. The authorization code exchange is carried out by making a POST /oauth2/token request.

1.5. The bank server authenticates your application, validates the authorization code and ensures that the redirection URI received matches the URI used to redirect back to your application in step 1.3. If everything is valid, the bank server responds with an access token and a refresh token. When the issued refresh token expires, the client has to complete a new authorization. In Sandbox the refresh token is valid for 24 hours.

After token revocation

An issued token is revoked when the PSU revokes the consent given to the TPP. In that case the bank server responds with HTTP 401 Unauthorized to your API call.
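Steps 1.1 to 1.5 and the revocation case, as an added example with a constructed stand-in for the bank (this is not the bank's code). The stub does what the page describes: GET /oauth2/authorize sends the browser back with a code once the PSU has granted access, and POST /oauth2/token authenticates the client, accepts each code once, and requires the same redirect_uri that was used in step 1.3. On the client side the example also generates and checks an OAuth 2.0 `state` value so a callback cannot be replayed into another user's session. The base URL, client credentials and the `consent_id` and `state` parameter names are assumptions.

```python
"""Steps 1.1 to 1.5 as one exchange, with a constructed stand-in for the bank.

Added example, not the bank's own code. Base URL, client credentials and the
consent_id/state parameter names are assumptions.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BANK = "https://sandbox.bank.example"               # assumed base URL
REDIRECT_URI = "https://tpp.example/callback"       # registered at onboarding (assumed)
CLIENT_ID, CLIENT_SECRET = "tpp-app", "tpp-secret"  # constructed credentials


def query_of(url: str) -> dict:
    """Flatten a URL's query string into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class StubBank:
    """Constructed stand-in for the bank's authorize and token endpoints."""

    def __init__(self):
        self._codes = {}       # code -> (client_id, redirect_uri, consent_id)
        self._tokens = {}      # access token -> consent_id
        self.revoked = set()   # consents the PSU has withdrawn

    def authorize(self, query: dict, psu_grants: bool) -> str:
        """After SCA (1.2): redirect back with a code, or with an error (1.3)."""
        params = {"state": query["state"]}
        if psu_grants:
            code = secrets.token_urlsafe(16)
            self._codes[code] = (query["client_id"], query["redirect_uri"], query["consent_id"])
            params["code"] = code
        else:
            params["error"] = "access_denied"
        return query["redirect_uri"] + "?" + urlencode(params)

    def token(self, form: dict, client_id: str, client_secret: str):
        """POST /oauth2/token (1.5): client auth, single-use code, redirect_uri must match."""
        if (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
            return 401, {"error": "invalid_client"}
        bound = self._codes.pop(form.get("code"), None)   # pop: a code is usable once
        if bound is None or bound[0] != client_id or bound[1] != form.get("redirect_uri"):
            return 400, {"error": "invalid_grant"}
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._tokens[access] = bound[2]
        return 200, {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def api_call(self, access_token: str) -> int:
        """Any later API call: 401 once the PSU has revoked the consent."""
        consent = self._tokens.get(access_token)
        return 401 if consent is None or consent in self.revoked else 200


def build_authorize_url(consent_id: str):
    """1.1: where to send the PSU's browser, plus the state your app must remember."""
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    query = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "consent_id": consent_id, "state": state}
    return BANK + "/oauth2/authorize?" + urlencode(query), state


def parse_callback(url: str, expected_state: str) -> str:
    """1.3: take the code from the redirect; reject a wrong state or a denial."""
    q = query_of(url)
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback is not bound to our session")
    if "error" in q:
        raise PermissionError(q["error"])
    return q["code"]


def exchange_code(bank: StubBank, code: str, redirect_uri: str = REDIRECT_URI) -> dict:
    """1.4: POST /oauth2/token with the code and the same redirect_uri as in 1.1."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    status, body = bank.token(form, CLIENT_ID, CLIENT_SECRET)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body['error']}")
    return body


def run_flow(bank: StubBank, consent_id: str, psu_grants: bool = True) -> dict:
    """Drive 1.1 to 1.5 end to end and return the issued tokens."""
    url, state = build_authorize_url(consent_id)
    callback = bank.authorize(query_of(url), psu_grants)
    return exchange_code(bank, parse_callback(callback, state))
```

The two checks that matter for security are the server's redirect_uri comparison in `token` (a stolen code cannot be redeemed through a different callback) and the client's `state` comparison in `parse_callback` (an attacker cannot inject their own code into your user's session). Keep the state in the server-side session, never in a cookie the browser can forge.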

 

2. Get Consent Status

2.1. Your application calls GET /consents/{consentId}/status;

2.2. The bank server validates the access token and returns the consent status;

 

3. Get Consent Details 

3.1. Your application calls GET /consents/{consentId};

3.2. The bank server validates the access token and returns the consent details;

 

4. POST Confirmation of funds

4.1. Your application sends a POST /funds-confirmation request with a valid access token.

4.2. The bank server validates the access token and the transaction details. If all data in the request are correct, the bank answers with fundsAvailable true (sufficient balance) or false (insufficient balance):

If instructedAmount <= balance, the response is 200 OK with "fundsAvailable": true.
If instructedAmount > balance, the response is 200 OK with "fundsAvailable": false.

 

5. Delete Consent 

5.1. Your application calls DELETE /consents/{consentId};

5.2. The bank server validates the access token and returns a response message.

 

6. Refresh Expired Access Token

When an access token obtained through an authorization code grant expires, your application should request a new access token and refresh token by calling POST /oauth2/token with the refresh token. For more information see Section 6, Refreshing an Access Token, of the OAuth 2.0 specification (RFC 6749).

If your application fails to obtain an access token using the refresh token, it has to send the PSU through a fresh authorization code grant using the existing consent.