OBWG PSD2 FC APIs flow


OBWG PSD2 FC APIs

| API Name | API Endpoint | API Description |
| --- | --- | --- |
| Fund Confirmation Consent | POST /funds-confirmation-consents | Creates a fund confirmation consent |
| Get Fund Confirmation Consent | GET /funds-confirmation-consents/{ConsentId} | Get fund confirmation consent details |
| Revoke Fund Confirmation Consent | DELETE /funds-confirmation-consents/{ConsentId} | Revoke fund confirmation consent |
| Fund Confirmations | POST /funds-confirmations | Fund confirmation |

Implicit Consent

If GET /bank returns AisConsentType as IMPLICIT, the implicit flow applies.

Step 1: Authorize

  1. Fintech / TPP will redirect PSU to the PSD2 IO ‘/authorize’ URL with the Fintech / TPP Redirect URL, Client Id, State and UserId for authentication and authorization of the PSU.
  2. PSU will get redirected to PSD2 IO authorize URL through browser.
  3. PSD2 IO will redirect PSU to ASPSP authorize URL through browser.
  4. ASPSP will redirect PSU to login page for authentication.
  5. PSU has to authenticate with his credentials on ASPSP’s login page.
  6. Once authenticated, ASPSP will ask to allow access for authorization.
  7. PSU will allow access.
  8. ASPSP will return auth code (B) & state on the callback URL of PSD2 IO.
  9. PSD2 IO will return auth code (P) & state on the callback URL of Fintech / TPP.

Step 2: Access Token

  1. Fintech / TPP will call the ‘/token’ API of PSD2 IO with auth code (P) received on callback.
  2. PSD2 IO will return the access token to Fintech / TPP.

Step 3: Get Fund Confirmation

  1. Fintech / TPP will call get fund confirmation API using the access token received.
  2. PSD2 IO will give the response to TPP.
  3. TPP will show the response to PSU on TPP UI.
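The redirect-and-callback exchange in Steps 1 and 2 is where a TPP implementation most often goes wrong: the State value sent in the ‘/authorize’ redirect has to be unguessable, stored in the PSU's session, and compared against the State that comes back with auth code (P) before that code is ever sent to ‘/token’. Otherwise an attacker can have a victim's browser complete the flow with the attacker's code. The following is an added example of the TPP side of that exchange, not code from this page or from PSD2 IO; the gateway base URL, the query parameter names and the exact callback shape are assumptions, the page only names the values carried.

```python
"""TPP-side handling of the PSD2 IO '/authorize' redirect and '/token' exchange.

Added example, not code from the original page or from PSD2 IO. The gateway
base URL, the query parameter names and the callback shape are assumptions;
the page only names the values carried (Redirect URL, Client Id, State,
UserId, auth code (P)).
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PSD2_IO_BASE = "https://psd2-io.example"   # assumed placeholder, not from the page


class CallbackError(ValueError):
    """Raised when a callback cannot be tied to a pending authorization."""


def new_state() -> str:
    # Unguessable, single-use value stored in the PSU's session before redirecting;
    # it is the only thing that later proves the callback belongs to this session.
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, user_id: str, state: str) -> str:
    """Step 1.1: the URL the TPP redirects the PSU to (parameter names assumed)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "userId": user_id,          # assumed spelling of the page's 'UserId'
    }
    return f"{PSD2_IO_BASE}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 1.9: extract auth code (P) from the callback, refusing it unless state matches."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise CallbackError(f"authorization refused: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time comparison on bytes, so attacker-chosen non-ASCII input cannot raise.
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: callback is not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("callback carries no authorization code")
    return code


def build_token_request(client_id: str, client_secret: str, redirect_uri: str, code: str) -> dict:
    """Step 2.1: form body for the '/token' call; redirect_uri must match the /authorize one."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    # Constructed walkthrough without a network: the callback URL is built by hand.
    state = new_state()
    print(build_authorize_url("tpp-123", "https://tpp.example/cb", "psu-42", state))
    code = parse_callback(f"https://tpp.example/cb?code=P-abc&state={state}", state)
    print(build_token_request("tpp-123", "<client-secret>", "https://tpp.example/cb", code))
```

The state should be consumed after one successful `parse_callback` (delete it from the session), so a replayed callback is rejected; the same functions serve Steps 3 and 4 of the explicit OAuth SCA flow, where the redirect additionally carries the ConsentId.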

Explicit Consent - OAuth SCA

If GET /bank returns AisConsentType as EXPLICIT, the explicit flow applies.

Step 1: Pre-step OAuth

  1. PSU will request for confirmation of fund.
  2. Depending on the destination bank, the TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) or client_credentials (C.C.) access token.

Step 2: Fund Confirmation Consent

  1. Fintech / TPP will send the fund confirmation consent request with A.C/C.C. access token to PSD2 IO.
  2. PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.

Step 3: Authorize

  1. Fintech / TPP will redirect PSU to the ‘/authorize’ URL with the TPP Redirect URL, Client Id, State, UserId and ConsentId in a JWT, so that the PSU authenticates the request.
  2. PSU will get redirected to PSD2 IO authorize URL through browser.
  3. PSD2 IO will redirect PSU to ASPSP authorize URL through browser.
  4. ASPSP will redirect PSU to login page for authentication.
  5. PSU has to authenticate with his credentials on ASPSP’s login page.
  6. Once authenticated, ASPSP will ask to allow access for authorization.
  7. PSU will allow access.
  8. ASPSP will return auth code (B) & state on the callback URL of PSD2 IO.
  9. PSD2 IO will return auth code (P) & state on the callback URL of Fintech / TPP.

Step 4: Access Token

  1. Fintech / TPP will call the ‘/token’ API of PSD2 IO with auth code (P) received on callback.
  2. PSD2 IO will return the access token to Fintech / TPP.

Step 5: Fund Confirmation

  1. Fintech / TPP will call fund confirmation API using the access token received.
  2. PSD2 IO will give the response to Fintech / TPP.
  3. Fintech / TPP will show the response to PSU on Fintech / TPP UI.
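Across all the explicit flows the gateway has to track a consent from creation, through SCA, to use or revocation, and has to answer POST /funds-confirmations with a yes/no only, never a balance. The following is an added in-memory model of the four endpoints in the API table above, not code from this page or from PSD2 IO; the status names, the Data.* field names and the expiry rule are assumptions modelled on the Open Banking UK Confirmation of Funds API, and the balances are constructed.

```python
"""In-memory model of the four Fund Confirmation endpoints listed on this page.

Added example, not code from the original page or from PSD2 IO. The status
names, the Data.* field names and the expiry rule are assumptions modelled on
the Open Banking UK Confirmation of Funds API; the page itself only lists the
endpoints and the ConsentId.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal

AWAITING, AUTHORISED, REVOKED = "AwaitingAuthorisation", "Authorised", "Revoked"
SAMPLE_SCHEME, SAMPLE_ACCOUNT = "UK.OBIE.SortCodeAccountNumber", "12345612345678"  # constructed


@dataclass
class Consent:
    consent_id: str
    client_id: str            # TPP that created it; no other TPP may see or use it
    debtor_account: dict
    expires: datetime
    status: str = AWAITING


@dataclass
class Gateway:
    # Constructed balances keyed by (SchemeName, Identification); never returned to a TPP.
    balances: dict = field(default_factory=dict)
    consents: dict = field(default_factory=dict)

    def _view(self, consent: Consent) -> dict:
        return {"Data": {"ConsentId": consent.consent_id, "Status": consent.status}}

    def _owned(self, client_id: str, consent_id: str) -> Consent:
        consent = self.consents.get(consent_id)
        if consent is None or consent.client_id != client_id:
            # Same error for 'missing' and 'not yours': do not confirm other TPPs' ConsentIds.
            raise PermissionError("unknown consent")
        return consent

    def create_consent(self, client_id: str, body: dict) -> dict:
        """POST /funds-confirmation-consents"""
        data = body["Data"]
        expires = datetime.fromisoformat(data["ExpirationDateTime"])
        if expires <= datetime.now(timezone.utc):
            raise ValueError("ExpirationDateTime must be in the future")
        consent = Consent("FCC-" + secrets.token_hex(4), client_id, data["DebtorAccount"], expires)
        self.consents[consent.consent_id] = consent
        return self._view(consent)

    def get_consent(self, client_id: str, consent_id: str) -> dict:
        """GET /funds-confirmation-consents/{ConsentId}"""
        return self._view(self._owned(client_id, consent_id))

    def revoke_consent(self, client_id: str, consent_id: str) -> dict:
        """DELETE /funds-confirmation-consents/{ConsentId}"""
        consent = self._owned(client_id, consent_id)
        consent.status = REVOKED
        return self._view(consent)

    def psu_authorised(self, consent_id: str) -> None:
        """Outcome of the SCA step (not an API on this page): consent becomes Authorised."""
        consent = self.consents[consent_id]
        if consent.status == AWAITING:
            consent.status = AUTHORISED

    def confirm_funds(self, client_id: str, body: dict) -> dict:
        """POST /funds-confirmations: a yes/no answer only, never the balance itself."""
        data = body["Data"]
        consent = self._owned(client_id, data["ConsentId"])
        if consent.status != AUTHORISED:
            raise PermissionError(f"consent is {consent.status}, not {AUTHORISED}")
        if consent.expires <= datetime.now(timezone.utc):
            raise PermissionError("consent has expired")
        amount = Decimal(data["InstructedAmount"]["Amount"])
        if amount <= 0:
            raise ValueError("amount must be positive")
        key = (consent.debtor_account["SchemeName"], consent.debtor_account["Identification"])
        available = self.balances.get(key, Decimal("0")) >= amount
        return {"Data": {"FundsConfirmationId": "FC-" + secrets.token_hex(4),
                         "ConsentId": consent.consent_id, "FundsAvailable": available}}


def sample_gateway() -> Gateway:
    """Gateway holding one constructed account with 120.00 available."""
    return Gateway(balances={(SAMPLE_SCHEME, SAMPLE_ACCOUNT): Decimal("120.00")})


def future_iso(days: int = 1) -> str:
    return (datetime.now(timezone.utc) + timedelta(days=days)).isoformat()


def consent_body(expires_iso: str) -> dict:
    return {"Data": {"ExpirationDateTime": expires_iso,
                     "DebtorAccount": {"SchemeName": SAMPLE_SCHEME, "Identification": SAMPLE_ACCOUNT}}}


def confirmation_body(consent_id: str, amount: str) -> dict:
    return {"Data": {"ConsentId": consent_id, "InstructedAmount": {"Amount": amount, "Currency": "GBP"}}}
```

A TPP that calls POST /funds-confirmations before the PSU has completed SCA gets a refusal, as does one that presents another TPP's ConsentId; the two cases deliberately produce the same error so the endpoint cannot be used to probe which ConsentIds exist.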

Explicit Consent - Redirect SCA

Step 1: Pre-step OAuth

  1. PSU will request for confirmation of fund.
  2. Depending on the destination bank, the TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) or client_credentials (C.C.) access token.

Step 2: Fund Confirmation Consent

  1. Fintech / TPP will send the fund confirmation consent request with the Fintech / TPP success URL and the A.C./C.C. access token to PSD2 IO.
  2. PSD2 IO will return response containing ConsentId, Redirect SCA approach to Fintech / TPP.

Step 3: Redirect

  1. Fintech / TPP will redirect PSU to the ‘/redirect’ URL with Client Id and ConsentId, so that the PSU authenticates the ConsentId.
  2. PSU will get redirected to PSD2 IO redirect URL through browser.
  3. PSD2 IO will redirect PSU to ASPSP redirect URL through browser.
  4. ASPSP will redirect PSU to login page for authentication.
  5. PSU has to authenticate with his credentials on ASPSP’s login page.
  6. Once authenticated, ASPSP will ask to allow access for authorization.
  7. PSU will allow access.
  8. ASPSP will return success along with ConsentId on the success URL of PSD2 IO.
  9. PSD2 IO will return success along with ConsentId on the success URL of Fintech / TPP.

Step 4: Fund Confirmation

  1. Fintech / TPP will call fund confirmation API using the A.C./C.C. access token received.
  2. PSD2 IO will give the response to Fintech / TPP.
  3. Fintech / TPP will show the response to PSU on TPP UI.

Explicit Consent - Embedded SCA

Step 1: Pre-step OAuth

  1. PSU will request for confirmation of fund.
  2. Depending on the destination bank, the TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) or client_credentials (C.C.) access token.

Step 2: Fund Confirmation Consent

  1. Fintech / TPP will send the fund confirmation consent request with the A.C./C.C. access token to PSD2 IO.
  2. PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.

Step 3: Embedded SCA

  1. Fintech / TPP will ask PSU to answer the challenge received in the consent create response; here an OTP is taken as the example.
  2. PSU will enter and submit the challenge data, e.g. the OTP.
  3. Fintech / TPP will call the authorize fund confirmation API with the A.C./C.C. access token and the challenge data, e.g. the OTP.
  4. PSD2 IO will give the response to Fintech / TPP.

Step 4: Fund Confirmation

  1. Fintech / TPP will call fund confirmation API using the A.C./C.C. access token received.
  2. PSD2 IO will give the response to Fintech / TPP.
  3. Fintech / TPP will show the response to PSU on Fintech / TPP UI.

Explicit Consent - Embedded SCA with SCA Method Selection

Step 1: Pre-step OAuth

  1. PSU will request for confirmation of fund.
  2. Depending on the destination bank, the TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) or client_credentials (C.C.) access token.

Step 2: Fund Confirmation Consent

  1. Fintech / TPP will send the fund confirmation consent request with the A.C./C.C. access token to PSD2 IO.
  2. PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.

Step 3: Embedded SCA with SCA Method Selection

  1. Fintech / TPP will ask PSU to select SCA method out of those received in the response.
  2. PSU will select the SCA method.
  3. Fintech / TPP will call select authentication API using the A.C./C.C. access token and selected SCA method.
  4. PSD2 IO will give the response to TPP.
  5. Fintech / TPP will ask PSU to answer the challenge received in the select authentication API response; here an OTP is taken as the example.
  6. PSU will enter and submit the challenge data, e.g. the OTP.
  7. Fintech / TPP will call the authorize fund confirmation API with the A.C./C.C. access token and the challenge data, e.g. the OTP.
  8. PSD2 IO will give the response to Fintech / TPP.
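In both embedded SCA variants (Step 3 of the previous section and Step 3 here) the gateway issues a challenge, the PSU's answer travels back through the TPP, and the gateway must decide whether it authorises the consent. The points a defender cares about are that the answer is bound to the ConsentId that issued the challenge, that only an offered SCA method can be selected, that the challenge expires, and that wrong answers are bounded so the OTP cannot be brute-forced through the API. The following is an added model of that step, not code from this page or from PSD2 IO; the method names, attempt limit, challenge lifetime and the gateway generating the OTP itself are assumptions.

```python
"""Model of the embedded SCA step: method selection, challenge, bounded OTP verification.

Added example, not code from the original page or from PSD2 IO. The method
names, the attempt limit, the challenge lifetime and the gateway generating
the OTP itself are assumptions; on the page the challenge comes back in the
consent create / select authentication response and the answer is sent to
the authorize fund confirmation API.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # assumed lockout threshold
CHALLENGE_TTL_S = 300     # assumed challenge lifetime in seconds
AWAITING, AUTHORISED, REJECTED = "AwaitingAuthorisation", "Authorised", "Rejected"


@dataclass
class ScaAuthorisation:
    consent_id: str
    methods: list                      # offered SCA methods, e.g. ["SMS_OTP", "PUSH_OTP"] (constructed)
    clock: callable = time.time        # injectable so expiry can be tested without waiting
    chosen: str = None
    secret: str = None                 # OTP as delivered to the PSU out of band, never to the TPP
    issued_at: float = 0.0
    attempts: int = 0
    status: str = AWAITING

    def select_method(self, method: str) -> dict:
        """Select authentication API: only an offered method may be chosen, and only once."""
        if self.status != AWAITING or self.chosen is not None:
            raise PermissionError(f"authorisation is {self.status}")
        if method not in self.methods:
            raise ValueError("method not offered for this consent")
        self.chosen = method
        self.secret = f"{secrets.randbelow(10**6):06d}"   # 6-digit OTP the ASPSP sends to the PSU
        self.issued_at = self.clock()
        self.attempts = 0
        # The challenge returned to the TPP describes the expected answer, never the secret.
        return {"ConsentId": self.consent_id, "ChosenScaMethod": method,
                "ChallengeData": {"OtpFormat": "integer", "OtpMaxLength": 6}}

    def authorise(self, consent_id: str, otp: str) -> str:
        """Authorize fund confirmation API: verify the answer and return the resulting status."""
        if consent_id != self.consent_id:   # the answer must be for the consent that issued the challenge
            raise PermissionError("ConsentId does not match the challenge")
        if self.status != AWAITING or self.chosen is None:
            raise PermissionError(f"authorisation is {self.status}")
        if self.clock() - self.issued_at > CHALLENGE_TTL_S:
            self.status = REJECTED
            raise PermissionError("challenge expired")
        self.attempts += 1
        if hmac.compare_digest(otp.encode(), self.secret.encode()):
            self.status = AUTHORISED
            self.secret = None            # one-time: the OTP cannot be replayed
        elif self.attempts >= MAX_ATTEMPTS:
            self.status = REJECTED        # lock out; the TPP must start a new consent
        return self.status
```

For the plain embedded SCA flow without method selection, the gateway would call `select_method` internally with the bank's single method when the consent is created, so that the challenge is already present in the consent create response, and the TPP would only ever call `authorise`.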

Step 4: Fund Confirmation

  1. Fintech / TPP will call fund confirmation API using the A.C./C.C. access token.
  2. PSD2 IO will give the response to Fintech / TPP.
  3. Fintech / TPP will show the response to PSU on Fintech / TPP UI.

Explicit Consent - Decoupled SCA

Step 1: Pre-step OAuth

  1. PSU will request for confirmation of fund.
  2. Depending on the destination bank, the TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) or client_credentials (C.C.) access token.

Step 2: Fund Confirmation Consent

  1. Fintech / TPP will send the fund confirmation consent request with A.C / C.C. access token to PSD2 IO.
  2. PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.

Step 3: Authorize fund confirmation on ASPSP application

  1. Fintech / TPP will show a message asking PSU to authorize the fund confirmation in the ASPSP application.
  2. PSU will authorize the fund confirmation in the ASPSP application.
  3. PSD2 IO will return success along with ConsentId on the success URL of Fintech / TPP.

Step 4: Fund Confirmation

  1. Fintech / TPP will call fund confirmation API using the A.C./C.C access token received.
  2. PSD2 IO will give the response to TPP.
  3. Fintech / TPP will show the response to PSU on Fintech / TPP UI.

Explicit Consent - Decoupled SCA with Update Identification

Step 1: Pre-step OAuth

  1. PSU will request for confirmation of fund.
  2. Depending on the destination bank, the TPP has to do a pre-step OAuth to obtain an authorization_code (A.C.) or client_credentials (C.C.) access token.

Step 2: Fund Confirmation Consent

  1. Fintech / TPP will send the fund confirmation consent request with A.C / C.C. access token to PSD2 IO.
  2. PSD2 IO will return response containing ConsentId, OAuth SCA approach to Fintech / TPP.

Step 3: Decoupled SCA with Update Identification

  1. Fintech / TPP will ask PSU to update his identification data.
  2. PSU will enter his identification data, e.g. PSU-Id.
  3. Fintech / TPP will call the update identification API with the PSU identification data and the C.C. access token.
  4. PSD2 IO will give the response to Fintech / TPP.

Step 4: Authorize fund confirmation on ASPSP application

  1. Fintech / TPP will show a message asking PSU to authorize the fund confirmation in the ASPSP application.
  2. PSU will authorize the fund confirmation in the ASPSP application.
  3. PSD2 IO will return success along with ConsentId on the success URL of Fintech / TPP.

Step 5: Fund Confirmation

  1. Fintech / TPP will call fund confirmation API using the A.C./C.C access token received.
  2. PSD2 IO will give the response to Fintech / TPP.
  3. Fintech / TPP will show the response to PSU on TPP UI.