This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Retrieving Account Information

Follow the steps below to access the PSU's account and transaction data:

Generating an application access token

When invoking APIs in the AISP flow, application access tokens must be generated using the client credentials grant type. The TPP authenticates to the token endpoint with a signed JWT (private_key_jwt) rather than a client secret, so the bank can verify the request against the public key registered for the application.

  1. Generate the client assertion by signing the following JSON header and payload with one of the supported algorithms:

    Header
    {
      "alg": "<<The algorithm used for signing, e.g., RS256 or PS256>>",
      "kid": "<<The fingerprint of the signing certificate>>",
      "typ": "JWT"
    }

    Body
    {
      "iss": "<<The issuer of the token, i.e., the client ID of your application>>",
      "sub": "<<The subject of the token, i.e., the client ID of your application>>",
      "exp": <<The token expiry date/time as an epoch time>>,
      "iat": <<The token issuance date/time as an epoch time>>,
      "jti": "<<A unique identifier for this assertion; a value that has been seen before lets the bank detect a replay>>",
      "aud": "<<The audience of the assertion, i.e., the token endpoint, e.g., https://<<AM_HOST>>:8243/token>>"
    }
    <signature>
  2. Run the following cURL command in a command prompt to generate the access token. Make sure you update the placeholders with the relevant values:

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=ISO-8859-1" -k -d "grant_type=client_credentials&scope=accounts&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<<The signed client assertion generated in step 1>>&redirect_uri=<<The callback URL of your application>>" https://<<AM_HOST>>:8243/token

    The access token is returned in the response body.

    You can use the same cURL command to re-generate the access token. Sign a fresh client assertion (new iat, exp and jti) for each call; the server may reject a reused jti as a replay.

    The -k flag disables TLS certificate verification and is only acceptable against a development setup with self-signed certificates; drop it when calling a real bank endpoint.
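The following is an added example, not WSO2's code, showing both sides of the client assertion described in steps 1 and 2: the TPP builds and RS256-signs the JWT (iss and sub equal to the client ID, aud equal to the token endpoint, short exp, fresh jti), and the authorization server validates it before issuing a token (pinned algorithm, key looked up from registration by client ID and kid, signature, iss/sub/aud, expiry, jti replay cache). RSA key generation and PKCS#1 v1.5 signing are implemented with the standard library so the block runs offline; a real TPP uses its registered key through a vetted library. The host bank.example, the client ID tpp-client-id, the kid kid-1 and the 1024-bit demo key size are assumptions for the example.

```python
import base64, hashlib, json, secrets, time, uuid

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Minimal RSA / RS256 (PKCS#1 v1.5, SHA-256) from the standard library; demo only.
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if is_probable_prime(candidate):
            return candidate

def generate_rsa_key(bits: int = 1024) -> dict:
    """1024 bits keeps pure-Python keygen quick for the demo; a production key is >= 2048 bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def rs256_sign(key: dict, signing_input: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(signing_input, k), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(pub: dict, signing_input: bytes, sig: bytes) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == emsa_pkcs1_v15(signing_input, k)

def sign_jwt(key: dict, kid: str, claims: dict) -> str:
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'RS256', 'kid': kid, 'typ': 'JWT'})}.{enc(claims)}"
    return f"{signing_input}.{b64url(rs256_sign(key, signing_input.encode()))}"

def client_assertion(key: dict, kid: str, client_id: str, token_endpoint: str, ttl: int = 300, now=None) -> str:
    """TPP side: iss == sub == client_id, aud == the token endpoint, short-lived, fresh jti per call."""
    now = int(time.time() if now is None else now)
    return sign_jwt(key, kid, {"iss": client_id, "sub": client_id, "aud": token_endpoint,
                               "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())})

class AssertionValidator:
    """Bank side: the checks an assertion must pass before the token endpoint honours it."""
    def __init__(self, token_endpoint: str, registered_keys: dict, skew: int = 60):
        self.token_endpoint, self.keys, self.skew = token_endpoint, registered_keys, skew
        self.seen_jti = {}  # jti -> exp; replay cache, trimmed as entries expire

    def validate(self, assertion: str, client_id: str, now=None) -> str:
        now = time.time() if now is None else now
        try:
            h_b64, p_b64, s_b64 = assertion.split(".")
            header, c = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        except ValueError:
            return "malformed"
        if header.get("alg") != "RS256":  # pin the algorithm; never let the token pick it
            return "bad alg"
        pub = self.keys.get((client_id, header.get("kid")))  # key comes from registration, not from the token
        if pub is None:
            return "unknown kid"
        if not rs256_verify(pub, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
            return "bad signature"
        if c.get("iss") != client_id or c.get("sub") != client_id:
            return "iss/sub mismatch"
        aud = c.get("aud")
        if self.token_endpoint not in (aud if isinstance(aud, list) else [aud]):
            return "bad aud"
        if not isinstance(c.get("exp"), int) or c["exp"] < now - self.skew:
            return "expired"
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now - self.skew}
        if not c.get("jti") or c["jti"] in self.seen_jti:
            return "missing or replayed jti"
        self.seen_jti[c["jti"]] = c["exp"]
        return "ok"
```

The string returned by client_assertion is what goes into the client_assertion form field of the cURL command above. The validator deliberately rejects the second presentation of the same assertion, which is why each token request in this page needs a freshly signed one.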

Initiating account consents

The TPP passes the customer-provided consents to the bank. The bank will validate the request and store the user consents.

  1. Navigate to the API Store as a TPP user.

  2. Click APIs.

  3. Select the AccountAndTransactionAPI API.

  4. Click the POST /account-requests resource if you have subscribed to v1.1 or v2.0, or the POST /account-access-consents resource if you have subscribed to v3.0.

  5. Use the following as the body:

    {
      "Data": {
        "Permissions": [
          "ReadTransactionsCredits",
          "ReadTransactionsDetail"
        ],
        "ExpirationDateTime": "<<The date and time at which the consent expires, in ISO 8601>>",
        "TransactionFromDateTime": "<<The date and time from which the account and transaction data should be retrieved, in ISO 8601>>",
        "TransactionToDateTime": "<<The date and time until which the account and transaction data should be retrieved, in ISO 8601>>"
      },
      "Risk": {}
    }

    Request only the permissions the application needs; the bank later rejects any resource call that the granted permissions do not cover.

  6. Enter the unique ID that identifies the ASPSP in the x-fapi-financial-id field.

  7. In the Authorization field, enter the application access token you created above, in the format Bearer <<access token>>.

  8. Click Try it out!. The API response carries the AccountRequestId (ConsentId in v3.0), which identifies this consent in the authorization step that follows.

Authorizing account consents

The TPP redirects the PSU (the bank customer) to the bank, where the PSU authenticates and approves or denies the consent the application requested.

  1. Generate the request object by signing the following JSON header and payload with one of the supported algorithms as a TPP user.

    Header
    {
      "alg": "<<The algorithm used for signing>>",
      "kid": "<<The fingerprint of the signing certificate>>",
      "typ": "JWT"
    }

    Body
    {
      "aud": "<<The audience of the request object, e.g., https://<<AM_HOST>>:8243/token>>",
      "iss": "<<The issuer of the token, i.e., the client ID of your application>>",
      "response_type": "<<This can be code or code id_token>>",
      "client_id": "<<The client ID of your application>>",
      "redirect_uri": "<<The callback URL set during application access token generation. Ref: Generating an application access token section>>",
      "scope": "accounts openid",
      "nonce": "<<A unique, unguessable value used to prevent replay attacks>>",
      "max_age": 86400,
      "claims": {
        "userinfo": {
          "openbanking_intent_id": {
            "value": "<<The AccountRequestId retrieved in the Initiating account consents section>>",
            "essential": true
          }
        },
        "id_token": {
          "openbanking_intent_id": {
            "value": "<<The AccountRequestId retrieved in the Initiating account consents section>>",
            "essential": true
          },
          "acr": {
            "essential": true,
            "values": [
              "urn:openbanking:psd2:sca",
              "urn:openbanking:psd2:ca"
            ]
          }
        }
      }
    }

    <signature>

    The openbanking_intent_id claim ties the authorization to the consent created in the previous section; because it is requested as an essential id_token claim, the bank returns it in the ID token and the TPP can confirm that the PSU authorized that specific consent.

    For the response type, use the value that matches your purpose:

    • code: returns an authorization code

    • code id_token: returns an authorization code together with an ID token (the OpenID Connect hybrid flow)

  2. Open the following URL in a browser to invoke the /authorize API. Make sure you update the placeholders with the relevant values (the space in the scope value is URL-encoded as %20):

    https://<<AM_HOST>>:8243/authorize/?response_type=code%20id_token&client_id=<<The client ID of your application>>&scope=accounts%20openid&redirect_uri=<<The callback URL of your application>>&prompt=login&request=<<The request object generated in the step above>>

    The response_type and client_id query parameters must match the values inside the signed request object; where the two disagree on other parameters, the request object is the authoritative copy.

  3. After the browser sends this request, you are redirected to a login page. Log in with the credentials of a user that has the subscriber role (this user plays the PSU).

  4. If a secondary factor is required, e.g., SMS OTP, provide the relevant values.

  5. Upon successful authentication, the user is redirected to the consent management page.

  6. Upon providing consent, the bank redirects the browser to the redirect_uri with the authorization code appended; for code id_token, the code and the ID token are returned together in the URL fragment.
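The checks a TPP should run on the redirect that ends the procedure above, as an added example (not WSO2's code and not part of this page): build the request object claims from step 1, then, when the browser comes back with code and id_token in the fragment, verify that the response belongs to this request (state, nonce), that the PSU authorized this consent (openbanking_intent_id in the ID token equals the AccountRequestId) and that the authorization code is the one the ID token was issued with (c_hash). The ID token here is signed with an HMAC stand-in so the block runs offline; a real TPP verifies the bank's RS256/PS256 signature against its JWKS. The state parameter, the hosts tpp.example and bank.example and the constructed token values are additions for the example.

```python
import base64, hashlib, hmac, json, urllib.parse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_request_object(client_id, redirect_uri, audience, intent_id, nonce, state,
                         response_type="code id_token"):
    """Claims of the request object shown in step 1; state is added here as CSRF protection."""
    intent = {"openbanking_intent_id": {"value": intent_id, "essential": True}}
    return {
        "iss": client_id, "aud": audience, "client_id": client_id,
        "response_type": response_type, "redirect_uri": redirect_uri,
        "scope": "accounts openid", "nonce": nonce, "state": state, "max_age": 86400,
        "claims": {
            "userinfo": dict(intent),
            "id_token": {**intent, "acr": {"essential": True,
                                           "values": ["urn:openbanking:psd2:sca", "urn:openbanking:psd2:ca"]}},
        },
    }

def hs256_sign(claims: dict, secret: bytes) -> str:
    """Stand-in signer (HMAC) for the demo; real request objects and ID tokens are RS256/PS256-signed."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    return f"{signing_input}.{b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())}"

def hs256_verify(token: str, secret: bytes):
    """Stand-in verifier; returns the claims or None. A real TPP checks the bank's signature via its JWKS."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None
    except ValueError:
        return None

def c_hash(code: str) -> str:
    """OIDC c_hash: base64url of the left half of SHA-256(code) for a *256 signing algorithm."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def parse_callback(url: str) -> dict:
    """code id_token responses arrive in the fragment; a plain code response arrives in the query."""
    parts = urllib.parse.urlsplit(url)
    return dict(urllib.parse.parse_qsl(parts.fragment or parts.query, keep_blank_values=True))

def validate_hybrid_callback(url, client_id, expected_state, expected_nonce, expected_intent_id,
                             verify, now):
    """Return (code, "ok") only when the redirect is bound to our request and to our consent."""
    params = parse_callback(url)
    if "error" in params:
        return None, "authorization error: " + params["error"]
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        return None, "state mismatch"
    code, id_token = params.get("code"), params.get("id_token")
    if not code or not id_token:
        return None, "missing code or id_token"
    claims = verify(id_token)
    if claims is None:
        return None, "bad id_token signature"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "id_token not issued to this client"
    if claims.get("exp", 0) <= now:
        return None, "id_token expired"
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        return None, "nonce mismatch"
    if claims.get("openbanking_intent_id") != expected_intent_id:
        return None, "intent id mismatch"
    if not hmac.compare_digest(claims.get("c_hash", ""), c_hash(code)):  # code is bound to this ID token
        return None, "c_hash mismatch"
    return code, "ok"
```

Only a code that passes all of these checks should be exchanged at the token endpoint in the next section; the c_hash check in particular is what stops an attacker from splicing their own authorization code into an otherwise valid redirect.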

Generating a user access token

In this section, you will be generating an access token using the authorization code obtained in the Authorizing account consents section above.

  1. Run the following cURL command in a command prompt to generate the access token as a TPP user. The client_assertion is a freshly signed JWT of the same form as in step 1 of Generating an application access token:

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=<<The authorization code obtained in the Authorizing account consents section>>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<<A freshly signed client assertion>>&redirect_uri=<<The callback URL of your application>>" https://<<AM_HOST>>:8243/token

    An access token and a refresh token are returned. The redirect_uri must be the same value that was sent in the authorization request; the authorization code is single-use and tied to the client that requested it.

    You can renew the access token using the refresh token. To renew an access token, see Renewing the access token below.


Retrieving the Accounts and Transaction APIs

In this section, the TPP invokes the actual Accounts APIs with the user access token. On the bank side, each request is validated against the consent the PSU approved: the token must belong to an authorized consent, and the permissions granted in that consent must cover the resource being requested.

Accounts

The following endpoints exist for the resource:

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Parameters
accounts | GET | /accounts | Mandatory | accounts | Authorization Code | No | Pagination
accounts | GET | /accounts/{AccountId} | Mandatory | accounts | Authorization Code | No | -

GET /accounts

The first step for an AISP after an account-request is authorised, is to call the GET /accounts endpoint. An AISP will be given the full list of accounts (the AccountIds) that the PSU has authorised the AISP to access. The AccountId(s) returned may then be used to retrieve other resources for a specific AccountId. The selection of authorised accounts happens only at the ASPSP's interface.

Examples
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts'
GET /accounts/{AccountId}

An AISP may retrieve the account information resources for the AccountId (which is retrieved in the call to GET /accounts).

Examples

Use the user access token generated in the Generating a user access token section to invoke the API, as shown below:

 curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>'

Bulk accounts - detail permission

The call to GET /accounts is the first step after an account-request is authorised. This allows the AISP to discover which accounts (and AccountId values) are associated with the authorisation of consent.

In this scenario,

  • AccountId 22289 has a building society roll number, and AccountId 31820 does not.
  • The ReadAccountsDetail permission has been granted.

Specific account - detail permission

An AISP may also retrieve the account resource details specifically for AccountId 22289. The ReadAccountsDetail permission has been granted.

Bulk accounts - basic permission

The ReadAccountsBasic permission has been granted, so the response omits the detailed account identification fields that ReadAccountsDetail would return.


Balances

The following endpoints exist for the resource:

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Parameters
balances | GET | /accounts/{AccountId}/balances | Mandatory | accounts | Authorization Code | No | -
balances | GET | /balances | Optional | accounts | Authorization Code | No | Pagination

GET /accounts/{AccountId}/balances

An AISP may retrieve the account balance information resource for a specific AccountId (this is retrieved in the call to GET /accounts).

Examples

Use the user access token generated in the Generating a user access token section to invoke the API, as shown below:

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/balances'

GET /balances

If an ASPSP has implemented the bulk retrieval endpoints, an AISP may optionally retrieve the account balance resources in bulk. This will retrieve the resources for all authorised accounts linked to the account-request.

Examples

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/balances'

Transactions

The following endpoints exist for the resource:

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Parameters
transactions | GET | /accounts/{AccountId}/transactions | Mandatory | accounts | Authorization Code | No | Pagination, Filtering
transactions | GET | /transactions | Optional | accounts | Authorization Code | No | Pagination, Filtering

GET /accounts/{AccountId}/transactions

An AISP may retrieve the transaction resource for a specific AccountId (this is retrieved in the call to GET /accounts).

Examples

Use the user access token generated in the Generating a user access token section to invoke the API, as shown below:

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/transactions'

GET /transactions

If an ASPSP has implemented the bulk retrieval endpoints, an AISP may optionally retrieve the transactions in bulk. This will retrieve the resources for all authorised accounts linked to the account-request.

Examples

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/transactions'

Bulk transactions

None of the transactions included in the payload are e-commerce transactions, so MerchantDetails are not included in the examples.


No access to transactions

If the consent behind the access token does not include the transaction permissions (for example ReadTransactionsDetail and ReadTransactionsCredits, as requested in the consent above), the AISP cannot call the transactions endpoints and the bank rejects the request with a 403 error. The token itself is still valid; only the permission check fails.
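A small client for the calls in this section, as an added example (not WSO2's code and not part of this page): it sets the headers the cURL commands above use plus an x-fapi-interaction-id for log correlation, follows the Links.Next pagination that the bulk endpoints advertise, refuses to send the bearer token to a host other than the one the first request went to, and turns the 401 and 403 outcomes into distinct errors so a missing permission (the 403 case just described) is not confused with an expired token. The transport is injectable so the block runs offline; the host bank.example, the sample page bodies and the AccountId values in the test are constructed for the example.

```python
import json, urllib.parse, urllib.request, urllib.error, uuid

class ConsentError(Exception):
    """403: the consent behind the token does not cover this resource; ask the PSU for a new consent."""

class TokenError(Exception):
    """401: the access token is missing, expired or revoked; refresh it and retry."""

def fapi_headers(access_token, financial_id, interaction_id=None):
    """Headers every AISP call on this page carries; the interaction id correlates TPP and bank logs."""
    return {
        "Accept": "application/json",
        "Authorization": f"Bearer {access_token}",
        "x-fapi-financial-id": financial_id,
        "x-fapi-interaction-id": interaction_id or str(uuid.uuid4()),
    }

def urllib_transport(url, headers, timeout=10):
    """Real transport: TLS is verified by default (unlike curl -k). Returns (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def same_origin(a, b):
    pa, pb = urllib.parse.urlsplit(a), urllib.parse.urlsplit(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)

def fetch_all(transport, url, headers, max_pages=100):
    """GET url, follow Links.Next, and return the concatenated Data arrays (Account, Transaction, ...)."""
    start, items, pages = url, [], 0
    while url:
        if pages >= max_pages:
            raise RuntimeError("pagination did not terminate")
        if not same_origin(start, url):  # never hand the bearer token to a host the bank did not issue it for
            raise RuntimeError(f"refusing to follow off-origin link {url}")
        pages += 1
        status, body = transport(url, headers)
        if status == 401:
            raise TokenError(body)
        if status == 403:
            raise ConsentError(body)
        if status != 200:
            raise RuntimeError(f"{status}: {body}")
        doc = json.loads(body)
        for value in doc.get("Data", {}).values():
            if isinstance(value, list):
                items.extend(value)
        url = doc.get("Links", {}).get("Next")
    return items
```

Against a live gateway, call fetch_all(urllib_transport, url, fapi_headers(token, financial_id)) with the user access token from the previous section.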


Beneficiaries

The following endpoints exist for the resource:

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Parameters
beneficiaries | GET | /accounts/{AccountId}/beneficiaries | Conditional | accounts | Authorization Code | No | -
beneficiaries | GET | /beneficiaries | Optional | accounts | Authorization Code | No | Pagination

GET /accounts/{AccountId}/beneficiaries

An AISP may retrieve the account beneficiaries information resource for a specific AccountId (this is retrieved in the call to GET /accounts).

GET /beneficiaries

If an ASPSP has implemented the bulk retrieval endpoints for beneficiaries, an AISP may optionally retrieve the beneficiaries' information in bulk. This endpoint will retrieve the beneficiaries' resources for all authorised accounts linked to a specific account-request.

Examples

Use the user access token generated in the Generating a user access token section to invoke the API, as shown below:

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/beneficiaries'

Direct-debits

The following endpoints exist for the resource:

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Parameters
direct-debits | GET | /accounts/{AccountId}/direct-debits | Conditional | accounts | Authorization Code | No | -
direct-debits | GET | /direct-debits | Optional | accounts | Authorization Code | No | Pagination

GET /accounts/{AccountId}/direct-debits

An ASPSP must provide this endpoint for AISPs to retrieve the direct-debits for a specific account identified by the AccountId.

GET /direct-debits

An ASPSP may provide this endpoint for AISPs to retrieve direct-debits for all accounts that the PSU has consented to. This will retrieve the direct-debit resources for all authorised accounts linked to the account-request.

Examples

Use the user access token generated in the Generating a user access token section to invoke the API, as shown below:

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/direct-debits'

Standing-orders

The following endpoints exist for the resource:

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Parameters
standing-orders | GET | /accounts/{AccountId}/standing-orders | Conditional | accounts | Authorization Code | No | -
standing-orders | GET | /standing-orders | Optional | accounts | Authorization Code | No | Pagination

GET /accounts/{AccountId}/standing-orders

An AISP may retrieve the standing-order resource for a specific AccountId (this is retrieved in the call to GET /accounts).

GET /standing-orders

If an ASPSP has implemented the bulk retrieval endpoints, an AISP may optionally retrieve the standing-order resources in bulk.

This will retrieve the resources for all authorised accounts linked to the account-request.

Examples

Use the user access token generated in the Generating a user access token section to invoke the API, as shown below:

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/standing-orders'

Get Standing Orders Request

GET /standing-orders HTTP/1.1
Authorization: Bearer Az90SAOJklae
x-fapi-financial-id: OB/2017/001
x-fapi-customer-last-logged-time: Sun, 10 Sep 2017 19:43:31 GMT
x-fapi-customer-ip-address: 104.25.212.99
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d
Accept: application/json


Products

The following endpoints exist for the resource:

Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Parameters
products | GET | /accounts/{AccountId}/product | Conditional | accounts | Authorization Code | No | -
products | GET | /products | Optional | accounts | Authorization Code | No | Pagination

GET /accounts/{AccountId}/product

An AISP may retrieve the account product information for a specific AccountId (this is retrieved in the call to GET /accounts). While this endpoint is marked as conditional, it is mandatory for ASPSPs and account types covered in the CMA Order.

GET /products

If an ASPSP has implemented the bulk retrieval endpoints for products, an AISP may optionally retrieve the products information in bulk. This endpoint will retrieve the products resources for all authorised accounts linked to a specific account-request.

Examples

Use the user access token generated in the Generating a user access token section to invoke the API, as shown below:

curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/product'


Supported API calls

In addition to the above API calls, the v2.0 and v3.0 API versions support the following API calls. All of them use the user access token and are subject to the permissions granted in the consent.

All offers
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/offers'
Account-specific offers
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/offers'
All account owner/party details
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/party'
Account-specific account owner/party details
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/party'
All scheduled payment details
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/scheduled-payments'
Account-specific scheduled payment details
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/scheduled-payments'
All account statements
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/statements'
Account-specific statements
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/statements'
File-based account-specific statement
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/statements/<<StatementId>>/file'
Account-specific statement transactions
curl -X GET --header 'Accept: application/json' --header 'x-fapi-financial-id: OB/2017/001' --header 'Authorization: Bearer <<access token>>' 'https://<<AM_HOST>>:8243/open-banking/<<version>>/aisp/accounts/<<AccountId>>/statements/<<StatementId>>/transactions'

Renewing the access token

Since access tokens have an expiration period, once an access token expires you need to regenerate it. Let's regenerate the access token that was generated using the authorization code in the section above.

Run the following cURL command to call the token endpoint with the refresh_token grant and obtain a new access token as a TPP user. The client_assertion is, again, a freshly signed JWT of the form shown in step 1 of Generating an application access token; the refresh token is only usable by the client that obtained it, so the assertion must be signed with that client's key:

curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=refresh_token&refresh_token=<<refresh token>>&scope=accounts%20openid&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<<A freshly signed client assertion>>&redirect_uri=<<The callback URL of your application>>" https://<<AM_HOST>>:8243/token

The scope requested here must not exceed the scope originally granted by the PSU; the new access token remains bound to the same consent, so it does not extend what the TPP may access.