This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Managing Account Access

With the consent of the respective customer (PSU), Account Information Service Providers (AISPs) are allowed to access the PSU's account and transaction data. The endpoints listed below allow the AISP to create an account access consent using the listed permissions.

Endpoints

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Request Object | Response Object
account-access-consents | POST | POST /account-access-consents | Mandatory | accounts | Client Credentials | No | OBReadConsent1 | OBReadConsentResponse1
account-access-consents | GET | GET /account-access-consents/{ConsentId} | Mandatory | accounts | Client Credentials | No | - | OBReadConsentResponse1
account-access-consents | DELETE | DELETE /account-access-consents/{ConsentId} | Mandatory | accounts | Client Credentials | No | - | -

POST /account-access-consents 

The API allows the AISP to ask an ASPSP to create a new account-access-consent resource.

  • This API effectively allows the AISP to send a copy of the consent to the ASPSP to authorise access to account and transaction information.
  • An AISP is not able to pre-select a set of accounts for account-access-consent authorisation. This is because the behaviour of the pre-selected accounts, after authorisation, is not clear from a legal perspective.
  • An ASPSP creates the account-access-consent resource and responds with a unique ConsentId to refer to the resource.
  • Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.

GET /account-access-consents/{ConsentId}

An AISP may optionally retrieve an account-access-consent resource that it has created in order to check its status. Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant. Use of this endpoint is subject to the ASPSP's fair usage policies.

Once the PSU authorises the account-access-consent resource, the status of the account-access-consent resource is updated with Authorised.

DELETE /account-access-consents/{ConsentId}

If the PSU revokes consent to data access with the AISP, the AISP must delete the account-access-consent resource with the ASPSP before confirming consent revocation with the PSU.

  • This is done by making a call to DELETE the account-access-consent resource.
  • Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.

Account access consent status

The PSU must authenticate with the ASPSP and authorise the account-access-consent for the account-access-consent to be successfully set up. An account-access-consent resource that has just been created must have the following status from the status code-list enumeration:

Status | Status Description
AwaitingAuthorisation | The account access consent is awaiting authorisation.

After authorisation has taken place, the account-access-consent resource may have any of the following statuses.

Status | Status Description
Rejected | The account access consent has been rejected.
Authorised | The account access consent has been successfully authorised.
Revoked | The account access consent has been revoked via the ASPSP interface.

Permissions

Permission codes will be used to limit the data that is returned in response to a resource request. 

When a permission is granted for a Detail permission code (e.g., ReadAccountsDetail), it implies that access is also granted to the corresponding Basic permission code (e.g., ReadAccountsBasic).

The following combinations of permissions are not allowed and the ASPSP must not allow such account-requests to be created:

  • Account requests with an empty Permissions array
  • Account requests with a Permissions array that contains ReadTransactionsBasic but does not contain at least one of ReadTransactionsCredits and ReadTransactionsDebits.
  • Account requests with a Permissions array that contains ReadTransactionsDetail but does not contain at least one of ReadTransactionsCredits and ReadTransactionsDebits.
  • Account requests with a Permissions array that contains ReadTransactionsCredits but does not contain at least one of ReadTransactionsBasic and ReadTransactionsDetail.
  • Account requests with a Permissions array that contains ReadTransactionsDebits but does not contain at least one of ReadTransactionsBasic and ReadTransactionsDetail.

Permissions table (columns: Permission, Endpoints, Business Logic, Data Cluster Description; a permission with no Business Logic entry has no additional constraint)

ReadAccountsBasic
  Endpoints: /accounts, /accounts/{AccountId}
  Data cluster description: Ability to read basic account information

ReadAccountsDetail
  Endpoints: /accounts, /accounts/{AccountId}
  Business logic: Access to additional elements in the payload (the additional data elements are listed in the table below)
  Data cluster description: Ability to read account identification details

ReadBalances
  Endpoints: /balances, /accounts/{AccountId}/balances
  Data cluster description: Ability to read all balance information

ReadBeneficiariesBasic
  Endpoints: /beneficiaries, /accounts/{AccountId}/beneficiaries
  Data cluster description: Ability to read basic beneficiary details

ReadBeneficiariesDetail
  Endpoints: /beneficiaries, /accounts/{AccountId}/beneficiaries
  Business logic: Access to additional elements in the payload
  Data cluster description: Ability to read account identification details for the beneficiary

ReadDirectDebits
  Endpoints: /direct-debits, /accounts/{AccountId}/direct-debits
  Data cluster description: Ability to read all direct debit information

ReadStandingOrdersBasic
  Endpoints: /standing-orders, /accounts/{AccountId}/standing-orders
  Data cluster description: Ability to read standing order information

ReadStandingOrdersDetail
  Endpoints: /standing-orders, /accounts/{AccountId}/standing-orders
  Business logic: Access to additional elements in the payload
  Data cluster description: Ability to read account identification details for the beneficiary of the standing order

ReadTransactionsBasic
  Endpoints: /transactions, /accounts/{AccountId}/transactions
  Business logic: Permissions must also include at least one of ReadTransactionsCredits and ReadTransactionsDebits
  Data cluster description: Ability to read basic transaction information

ReadTransactionsDetail
  Endpoints: /transactions, /accounts/{AccountId}/transactions
  Business logic: Access to additional elements in the payload. Permissions must also include at least one of ReadTransactionsCredits and ReadTransactionsDebits
  Data cluster description: Ability to read transaction data elements which may hold silent party details

ReadTransactionsCredits
  Endpoints: /transactions, /accounts/{AccountId}/transactions
  Business logic: Access to credit transactions. Permissions must also include one of ReadTransactionsBasic and ReadTransactionsDetail
  Data cluster description: Ability to read only credit transactions

ReadTransactionsDebits
  Endpoints: /transactions, /accounts/{AccountId}/transactions
  Business logic: Access to debit transactions. Permissions must also include one of ReadTransactionsBasic and ReadTransactionsDetail
  Data cluster description: Ability to read only debit transactions

ReadProducts
  Endpoints: /products, /accounts/{AccountId}/product
  Data cluster description: Ability to read all product information relating to the account
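As an added example (not WSO2's or the Open Banking specification's own code), the following Python implements the permission checks described in this section on the ASPSP side: the disallowed Permissions combinations that must cause consent creation to be refused, the Detail-implies-Basic rule, and a lookup from a consent's permissions to the endpoints in the table above. The permission codes and endpoint paths are the ones on this page; the function names are my own.

```python
# Added example: ASPSP-side checks for the Permissions array of an
# OBReadConsent1 request, built from the rules and table on this page.
# Permission code -> resource paths it unlocks (from the permissions table).
ENDPOINTS = {
    "ReadAccountsBasic": {"/accounts", "/accounts/{AccountId}"},
    "ReadAccountsDetail": {"/accounts", "/accounts/{AccountId}"},
    "ReadBalances": {"/balances", "/accounts/{AccountId}/balances"},
    "ReadBeneficiariesBasic": {"/beneficiaries", "/accounts/{AccountId}/beneficiaries"},
    "ReadBeneficiariesDetail": {"/beneficiaries", "/accounts/{AccountId}/beneficiaries"},
    "ReadDirectDebits": {"/direct-debits", "/accounts/{AccountId}/direct-debits"},
    "ReadStandingOrdersBasic": {"/standing-orders", "/accounts/{AccountId}/standing-orders"},
    "ReadStandingOrdersDetail": {"/standing-orders", "/accounts/{AccountId}/standing-orders"},
    "ReadTransactionsBasic": {"/transactions", "/accounts/{AccountId}/transactions"},
    "ReadTransactionsDetail": {"/transactions", "/accounts/{AccountId}/transactions"},
    "ReadTransactionsCredits": {"/transactions", "/accounts/{AccountId}/transactions"},
    "ReadTransactionsDebits": {"/transactions", "/accounts/{AccountId}/transactions"},
    "ReadProducts": {"/products", "/accounts/{AccountId}/product"},
}
# A Detail code implies the matching Basic code (e.g. ReadAccountsDetail -> ReadAccountsBasic).
DETAIL_IMPLIES = {d: d.replace("Detail", "Basic") for d in ENDPOINTS if d.endswith("Detail")}
TXN_SCOPE = {"ReadTransactionsBasic", "ReadTransactionsDetail"}
TXN_DIRECTION = {"ReadTransactionsCredits", "ReadTransactionsDebits"}


def validate_permissions(perms):
    """Return the reasons an ASPSP must refuse to create the consent ([] means OK)."""
    requested = set(perms)
    reasons = []
    if not requested:
        reasons.append("Permissions array is empty")
    unknown = requested - set(ENDPOINTS)  # codes not in this page's table
    if unknown:
        reasons.append("unknown permission codes: " + ", ".join(sorted(unknown)))
    # Transaction scope (Basic/Detail) and direction (Credits/Debits) must go together.
    if (requested & TXN_SCOPE) and not (requested & TXN_DIRECTION):
        reasons.append("ReadTransactionsBasic/Detail needs ReadTransactionsCredits or ReadTransactionsDebits")
    if (requested & TXN_DIRECTION) and not (requested & TXN_SCOPE):
        reasons.append("ReadTransactionsCredits/Debits needs ReadTransactionsBasic or ReadTransactionsDetail")
    return reasons


def effective_permissions(perms):
    """Permissions actually granted once each Detail code expands to its Basic code."""
    requested = set(perms)
    return requested | {DETAIL_IMPLIES[p] for p in requested if p in DETAIL_IMPLIES}


def endpoint_allowed(perms, path):
    """True if a consent carrying these permissions covers the given resource path."""
    return any(path in ENDPOINTS[p] for p in effective_permissions(perms) if p in ENDPOINTS)
```

Run validate_permissions before persisting the consent resource and endpoint_allowed on every account-data request, together with a check that the consent status is Authorised.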