...
- Request account information - The PSU consents to allow an AISP to access account information data.
- Setup Create account request - The AISP creates an account-request resource by connecting to the ASPSP that services the PSU's account(s). The ASPSP gets alerted that a PSU has granted access to account and transaction information to an AISP. The ASPSP responds with an identifier for the resource (the
AccountRequestId
, which is the intent identifier).- A POST request is sent to the /account-requests endpoint.
- The setup payload The payload includes the following fields that the PSU consents to share with the AISP:
- Permissions - a list of data clusters that have been consented for access
- Expiration Date - an optional expiration for when the AISP will no longer have access to the PSU's data
- Transaction Validity Period - the From/To date range that specifies a transaction history period, which can be accessed by the AISP
- An AISP may be a broker for data to other 4th partiesother stakeholders, and so it is valid for a customer to have multiple account-requests for the same accounts, with different consent/authorisation parameters agreed.
- Authorise consent - The AISP redirects the PSU to the ASPSP. The redirect includes the
AccountRequestId
generated in the previous step. This allows the ASPSP to correlate the account-request that was setupcreated. The ASPSP authenticates the PSU. The ASPSP updates the state of the account-request resource internally to indicate that the account request has been authorised. It is agreed that the consent is managed between the PSU and the AISP, so the account-request details cannot be changed (with the ASPSP) in this step. The PSU will only be able to authorise or reject the account-request details in its entirety. During authorisation, the PSU selects accounts that are authorised for the AISP request (in the ASPSP's banking interface). The PSU is redirected back to the AISP. - Request data - A GET request is sent to the relevant resource. The unique AccountId(s) that are valid for the account-request are returned with a call to GET /accounts. This will always be the first call once an AISP has a valid access token.
...