OBWG PSD2 FC
OBWG PSD2 FC APIs
API Name | API Endpoint | API Description |
Fund Confirmation Consent | POST /funds-confirmation-consents | Creates a fund confirmation consent |
Get Fund Confirmation Consent | GET /funds-confirmation-consents/{ConsentId} | Get fund confirmation consent details |
Revoke Fund Confirmation Consent | DELETE /funds-confirmation-consents/{ConsentId} | Revoke fund confirmation consent |
Fund Confirmations | POST /funds-confirmations | Fund confirmation |
Implicit Consent
If GET /bank returns AisConsentType as IMPLICIT, then the implicit flow is applicable.
Step 1: Authorize
- Fintech / TPP will redirect PSU to PSD2 IO ‘/authorize’ URL with Fintech / TPP Redirect URL, Client Id, State, UserId for authentication and authorization of PSU.
- PSU will get redirected to PSD2 IO authorize URL through browser.
- PSD2 IO will redirect PSU to ASPSP authorize URL through browser.
- ASPSP will redirect PSU to login page for authentication.
- PSU has to authenticate with his credentials on ASPSP’s login page.
- Once authenticated, ASPSP will ask to allow access for authorization.
- PSU will allow access.
- ASPSP will return auth code (B) & state on the callback URL of PSD2 IO.
- PSD2 IO will return auth code (P) & state on the callback URL of Fintech / TPP.
Step 2: Access Token
- Fintech / TPP will call the ‘/token’ API of PSD2 IO with auth code (P) received on callback.
- PSD2 IO will return the access token to Fintech / TPP.
Step 3: Get Fund Confirmation
- Fintech / TPP will call get fund confirmation API using the access token received.
- PSD2 IO will give the response to TPP.
- TPP will show the response to PSU on TPP UI.
Explicit Consent - OAuth SCA
If GET /bank returns AisConsentType as EXPLICIT, then the explicit flow is applicable.
Step 1: Pre-step OAuth
- PSU will request for confirmation of fund.
- Depending on the destination bank, TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) / client_credentials (C.C.) access token.
Step 2: Fund Confirmation Consent
- Fintech / TPP will send the fund confirmation consent request with A.C/C.C. access token to PSD2 IO.
- PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.
Step 3: Authorize
- Fintech / TPP will redirect PSU to ‘/authorize’ URL with TPP Redirect URL, Client Id, State, UserId & ConsentId in JWT to authenticate the request id from PSU.
- PSU will get redirected to PSD2 IO authorize URL through browser.
- PSD2 IO will redirect PSU to ASPSP authorize URL through browser.
- ASPSP will redirect PSU to login page for authentication.
- PSU has to authenticate with his credentials on ASPSP’s login page.
- Once authenticated, ASPSP will ask to allow access for authorization.
- PSU will allow access.
- ASPSP will return auth code (B) & state on the callback URL of PSD2 IO.
- PSD2 IO will return auth code (P) & state on the callback URL of Fintech / TPP.
Step 4: Access Token
- Fintech / TPP will call the ‘/token’ API of PSD2 IO with auth code (P) received on callback.
- PSD2 IO will return the access token to Fintech / TPP.
Step 5: Fund Confirmation
- Fintech / TPP will call fund confirmation API using the access token received.
- PSD2 IO will give the response to Fintech / TPP.
- Fintech / TPP will show the response to PSU on Fintech / TPP UI.
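
The Authorize steps above (Implicit Step 1 and Explicit OAuth SCA Step 3) rely on the TPP checking the State returned on its callback before exchanging auth code (P) at ‘/token’. The following is an added example, not PSD2 IO code, of that TPP-side check; the host, the query parameter names (`client_id`, `redirect_uri`, `state`, `user_id`, `code`) and the 300-second lifetime are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://psd2-io.example/authorize"  # placeholder host
STATE_TTL_SECONDS = 300  # assumed lifetime of a pending authorization


class PendingAuthorizations:
    """TPP-side store binding each PSU session to the State it sent."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # session_id -> (state, consent_id, expires_at)

    def start(self, session_id, client_id, redirect_url, user_id, consent_id=None):
        """Return the /authorize URL the PSU is redirected to."""
        state = secrets.token_urlsafe(32)  # unguessable, fresh per request
        expires_at = self._now() + STATE_TTL_SECONDS
        self._pending[session_id] = (state, consent_id, expires_at)
        # Query parameter names are assumptions, not taken from PSD2 IO.
        params = {"client_id": client_id, "redirect_uri": redirect_url,
                  "state": state, "user_id": user_id}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def finish(self, session_id, callback_url):
        """Validate the callback; return (auth_code, consent_id) or raise."""
        entry = self._pending.pop(session_id, None)  # single use: replay fails
        if entry is None:
            raise ValueError("no pending authorization for this session")
        state, consent_id, expires_at = entry
        query = parse_qs(urlparse(callback_url).query)
        returned_state = query.get("state", [""])[0]
        auth_code = query.get("code", [""])[0]
        if self._now() > expires_at:
            raise ValueError("authorization request expired")
        if not hmac.compare_digest(state.encode(), returned_state.encode()):
            raise ValueError("state mismatch")
        if not auth_code:
            raise ValueError("callback carries no auth code")
        return auth_code, consent_id
```

Only the auth code returned by `finish` is sent to ‘/token’; in the explicit flow the ConsentId stays bound to the session on the server, so the later fund confirmation call uses the consent that session created.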
Explicit Consent - Redirect SCA
Step 1: Pre-step OAuth
- PSU will request for confirmation of fund.
- Depending on the destination bank, TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) / client_credentials (C.C.) access token.
Step 2: Fund Confirmation Consent
- Fintech / TPP will send the fund confirmation consent request with Fintech / TPP success URL, A.C./C.C. access token to PSD2 IO.
- PSD2 IO will return response containing ConsentId, Redirect SCA approach to Fintech / TPP.
Step 3: Redirect
- Fintech / TPP will redirect PSU to ‘/redirect’ URL with Client Id, ConsentId to authenticate the ConsentId from PSU.
- PSU will get redirected to PSD2 IO redirect URL through browser.
- PSD2 IO will redirect PSU to ASPSP redirect URL through browser.
- ASPSP will redirect PSU to login page for authentication.
- PSU has to authenticate with his credentials on ASPSP’s login page.
- Once authenticated, ASPSP will ask to allow access for authorization.
- PSU will allow access.
- ASPSP will return success along with ConsentId on the success URL of PSD2 IO.
- PSD2 IO will return success along with ConsentId on the success URL of Fintech / TPP.
Step 4: Fund Confirmation
- Fintech / TPP will call fund confirmation API using the A.C./C.C. access token received.
- PSD2 IO will give the response to Fintech / TPP.
- Fintech / TPP will show the response to PSU on TPP UI.
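
In the Redirect SCA flow the success URL is reached through the PSU's browser, so the ConsentId arriving there should be matched against the consent the session created and confirmed over the back channel with GET /funds-confirmation-consents/{ConsentId} before Step 4. The following is an added example, not PSD2 IO code; the `Status` field, the `Authorised` value and the sample consents are assumptions constructed for illustration.

```python
import hmac

# Constructed sample data standing in for the consent lookup response.
CONSTRUCTED_CONSENTS = {
    "fc-001": {"ConsentId": "fc-001", "Status": "Authorised"},
    "fc-002": {"ConsentId": "fc-002", "Status": "AwaitingAuthorisation"},
}


def fake_get_consent(consent_id):
    """Stand-in for GET /funds-confirmation-consents/{ConsentId}."""
    return CONSTRUCTED_CONSENTS[consent_id]


class ConsentTracker:
    """Remembers which ConsentId each PSU session created in Step 2."""

    def __init__(self, get_consent):
        self._get_consent = get_consent  # back-channel lookup, injected
        self._by_session = {}

    def created(self, session_id, consent_id):
        self._by_session[session_id] = consent_id

    def on_success_redirect(self, session_id, returned_consent_id):
        """Return the ConsentId to use for fund confirmation, or raise."""
        expected = self._by_session.get(session_id)
        if expected is None:
            raise PermissionError("session has no pending consent")
        # The browser-supplied value must match what this session created.
        if not hmac.compare_digest(expected.encode(), returned_consent_id.encode()):
            raise PermissionError("ConsentId does not belong to this session")
        # Do not trust the redirect alone: confirm the state server to server.
        status = self._get_consent(expected).get("Status")
        if status != "Authorised":
            raise PermissionError(f"consent not authorised (status={status!r})")
        return expected
```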
Explicit Consent - Embedded SCA
Step 1: Pre-step OAuth
- PSU will request for confirmation of fund.
- Depending on the destination bank, TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) / client_credentials (C.C.) access token.
Step 2: Fund Confirmation Consent
- Fintech / TPP will send the payment request with A.C / C.C. access token to PSD2 IO.
- PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.
Step 3: Embedded SCA
- Fintech / TPP will ask PSU to provide the answer to the challenge received in the payment create response. OTP is used here as an example.
- PSU will enter and submit the challenge data, e.g. OTP.
- Fintech / TPP will call authorize fund confirmation API with the A.C./C.C. access token, challenge data e.g. OTP.
- PSD2 IO will give the response to Fintech / TPP.
Step 4: Fund Confirmation
- Fintech / TPP will call fund confirmation API using the A.C./C.C. access token received.
- PSD2 IO will give the response to Fintech / TPP.
- Fintech / TPP will show the response to PSU on Fintech / TPP UI.
Explicit Consent - Embedded SCA with SCA Method Selection
Step 1: Pre-step OAuth
- PSU will request for confirmation of fund.
- Depending on the destination bank, TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) / client_credentials (C.C.) access token.
Step 2: Fund Confirmation Consent
- Fintech / TPP will send the payment request with A.C / C.C. access token to PSD2 IO.
- PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.
Step 3: Embedded SCA with SCA Method Selection
- Fintech / TPP will ask PSU to select SCA method out of those received in the response.
- PSU will select the SCA method.
- Fintech / TPP will call select authentication API using the A.C./C.C. access token and selected SCA method.
- PSD2 IO will give the response to TPP.
- Fintech / TPP will ask PSU to provide the answer to the challenge received in the select authentication API response. OTP is used here as an example.
- PSU will enter and submit the challenge data, e.g. OTP.
- Fintech / TPP will call authorize payment API with the A.C./C.C. access token, challenge data e.g. OTP.
- PSD2 IO will give the response to Fintech / TPP.
Step 4: Fund Confirmation
- Fintech / TPP will call fund confirmation API using the A.C./C.C. access token.
- PSD2 IO will give the response to Fintech / TPP.
- Fintech / TPP will show the response to PSU on Fintech / TPP UI.
Explicit Consent - Decoupled SCA
Step 1: Pre-step OAuth
- PSU will request for confirmation of fund.
- Depending on the destination bank, TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) / client_credentials (C.C.) access token.
Step 2: Fund Confirmation Consent
- Fintech / TPP will send the fund confirmation consent request with A.C / C.C. access token to PSD2 IO.
- PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.
Step 3: Authorize payment on ASPSP application
- Fintech / TPP will show the message to PSU to authorize the payment on ASPSP application.
- PSU will authorize the payment on the ASPSP application.
- PSD2 IO will return success along with ConsentId on the success URL of Fintech / TPP.
Step 4: Fund Confirmation
- Fintech / TPP will call fund confirmation API using the A.C./C.C access token received.
- PSD2 IO will give the response to TPP.
- Fintech / TPP will show the response to PSU on Fintech / TPP UI.
Explicit Consent - Decoupled SCA with Update Identification
Step 1: Pre-step OAuth
- PSU will request to make a payment.
- Depending on the destination bank, TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) / client_credentials (C.C.) access token.
Step 2: Fund Confirmation Consent
- Fintech / TPP will send the fund confirmation consent request with A.C / C.C. access token to PSD2 IO.
- PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.
Step 3: Decoupled SCA with Update Identification
- TPP will ask PSU to update his identification data.
- PSU will enter his identification data e.g. PSU-Id.
- Fintech / TPP will call update identification API with the PSU identification data, C.C. access token.
- PSD2 IO will give the response to Fintech / TPP.
Step 4: Authorize fund confirmation on ASPSP application
- Fintech / TPP will show the message to PSU to authorize the payment on ASPSP application.
- PSU will authorize the payment on the ASPSP application.
- PSD2 IO will return success along with ConsentId on the success URL of Fintech / TPP.
Step 5: Fund Confirmation
- Fintech / TPP will call fund confirmation API using the A.C./C.C access token received.
- PSD2 IO will give the response to Fintech / TPP.
- Fintech / TPP will show the response to PSU on TPP UI.