Our APIs use the OAuth 2.0 protocol for authentication and authorization. The bank supports common OAuth 2.0 scenarios such as those for web server, single page and mobile applications.
To begin, obtain OAuth 2.0 client credentials from the Developer Portal. Then your client application requests an access token from the bank Authorization Server, extracts a token from the response, and sends the token to the banking API that you want to access.
Our APIs supports following grant types:
All applications follow a basic pattern when accessing a banking API using OAuth 2.0. At a high level, you follow four steps:
Step 1. Obtain OAuth 2.0 credentials from the Developer Portal
Register your application on the Developer Portal to obtain OAuth 2.0 credentials such as a client ID and client secret that are known to both the bank and your application. To register your application navigate to Applications page from your dashboard and click to Add Application. Follow the new applicatioin wizard to provide application information and to select APIs your application will access. After saving information a request for new application is sent to the bank and status of the request is set to pending state. Approving your request generate OAuth 2.0 client credentials for your application.
Step 2. Obtain an access token from the bank Authorization Server.
Before your application can access private data using a banking API, it must obtain an access token that grants access to that API. A single access token can grant varying degrees of access to multiple APIs. A variable parameter called scope controls the set of resources and operations that an access token permits. During the access-token request, your application sends one or more values in the scope parameter.
Some requests require an authentication step where the user logs in with their bank account. After logging in, the user is asked whether they are willing to grant the permissions that your application is requesting. This process is called user consent.
If the user grants the permission, the bank Authorization Server sends your application an access token (or an authorization code that your application can use to obtain an access token). If the user does not grant the permission, the server returns an error.
Step 3. Send the access token to an API.
After an application obtains an access token, it sends the token to a bank API in an HTTP authorization header. It is possible to send tokens as URI query-string parameters, but we don't recommend it, because URI parameters can end up in log files that are not completely secure. Also, it is good REST practice to avoid creating unnecessary URI parameter names.
Access tokens are valid only for the set of operations and resources described in the scope of the token request. For example, if an access token is issued for the Account Information API, it does not grant access to the Payment Initiation API. You can, however, send that access token to the Account Information API multiple times for similar operations.
Step 4. Refresh the access token, if necessary.
Access tokens have limited lifetimes. If your application needs access to a banking API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
Access Token issued through Client Credentials Grant
When an access token issued through a Client Credentials Grant expires, you must get a new access token by executing a client credential grant again.
Access Token issued through Authorization Code Grant
Due to the immediate nature of single immediate payments, an access token is unlikely to expire before it is used for creating the payment-submission. Consequently, issuing a refresh token along with the access token is not useful in this situation. However, to simplify their implementation, the bank may issue a refresh token along with an access token at the end of an authorisation code grant. When an access token obtained through an authorisation code grant expires, you may attempt to get a new access and refresh token as defined in Section 6 of the OAuth 2.0 specification. If you fail to get an access token using a refresh token, you would have to get the bank client to initiate a fresh authorisation code grant.