This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Managing Account Access
- Former user (Deleted)
- Former user (Deleted)
With the consent of the respective customer (PSU), Account Information Service Providers (AISPs) are allowed to access the PSU's account and transaction data. The endpoints listed below allow the AISP to create an account access consent using the listed permissions.
Endpoints
Resource | HTTP Operation | Endpoint | Mandatory/Optional | Scope | Grant Type | Idempotency Key | Request Object | Response Object |
|---|---|---|---|---|---|---|---|---|
| account-access-consents | POST | POST /account-access-consents | Mandatory | accounts | Client Credentials | No | OBReadConsent1 | OBReadConsentResponse1 |
| account-access-consents | GET | GET /account-access-consents/{ConsentId} | Mandatory | accounts | Client Credentials | No | OBReadConsentResponse1 | |
| account-access-consents | DELETE | DELETEÂ /account-access-consents/{ConsentId} | Mandatory | accounts | Client Credentials | No |
POST /account-access-consentsÂ
The API allows the AISP to ask an ASPSP to create a new account-access-consent resource.
- This API effectively allows the AISP to send a copy of the consent to the ASPSP to authorise access to account and transaction information.
- An AISP is not able to pre-select a set of accounts for account-access-consent authorisation. This is because the behaviour of the pre-selected accounts, after authorisation, is not clear from a legal perspective.
- An ASPSP creates the account-access-consent resource and responds with a uniqueÂ
ConsentIdto refer to the resource. - Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.
GET /account-access-consents/{ConsentId}
An AISP may optionally retrieve an account-access-consent resource that they have created to check its status. Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant. The usage of this API endpoint will be subjected to an ASPSP's fair usage policies.
Once the PSU authorises the account-access-consent resource, the status of the account-access-consent resource is updated with Authorised.
DELETE /account-access-consents/{ConsentId}
If the PSU revokes consent to data access with the AISP, the AISP must delete the account-access-consent resource with the ASPSP before confirming consent revocation with the PSU.
- This is done by making a call to DELETE the account-access-consent resource.
- Prior to calling the API, the AISP must have an access token issued by the ASPSP using a client credentials grant.
Account access consent status
The PSU must authenticate with the ASPSP and authorise the account-access-consent for the account-access-consent to be successfully setup. The account-access-consent resource that is created successfully must have the following status code-list enumeration:
Status | Status Description |
|---|---|
| AwaitingAuthorisation | The account access consent is awaiting authorisation. |
After authorisation has taken place, the account-access-consent resource may have any of the following statuses.
Status | Status Description |
|---|---|
| Rejected | The account access consent has been rejected. |
| Authorised | The account access consent has been successfully authorised. |
| Revoked | The account access consent has been revoked via the ASPSP interface. |
Permissions
Permission codes will be used to limit the data that is returned in response to a resource request.Â
When a permission is granted for a Detail permission code (e.g., ReadAccountsDetail), it implies that access is also granted to the corresponding Basic permission code (e.g., ReadAccountsBasic)
The following combinations of permissions are not allowed and the ASPSP must not allow such account-requests to be created:
- Account requests with an empty Permissions array
- Account requests with a Permissions array that contains ReadTransactionBasic but does not contain at least one of ReadTransactionCredits and ReadTransactionDebits.
- Account requests with a Permissions array that contains ReadTransactionDetail but does not contain at least one of ReadTransactionCredits and ReadTransactionDebits.
- Account requests with a Permissions array that contains ReadTransactionCredits but does not contain at least one of ReadTransactionBasic and ReadTransactionDetails.
- Account requests with a Permissions array that contains ReadTransactionDebits but does not contain at least one of ReadTransactionBasic and ReadTransactionDetails.
| Permissions | Endpoints | Business Logic | Data Cluster Description |
|---|---|---|---|
| ReadAccountsBasic | /accounts /accounts/{AccountId} | Ability to read basic account information | |
| ReadAccountsDetail | /accounts /accounts/{AccountId} | Access to additional elements in the payload (the additional data elements are listed in the table below) | Ability to read account identification details |
| ReadBalances | /balances /accounts/{AccountId}/balances | Ability to read all balance information | |
| ReadBeneficiariesBasic | /beneficiaries /accounts/{AccountId}/beneficiaries | Ability to read basic beneficiary details | |
| ReadBeneficiariesDetail | /beneficiaries /accounts/{AccountId}/beneficiaries | Access to additional elements in the payload | Ability to read account identification details for the beneficiary |
| ReadDirectDebits | /direct-debits | Ability to read all direct debit information | |
| ReadStandingOrdersBasic | /standing-orders /accounts/{AccountId}/standing-orders | Ability to read standing order information | |
| ReadStandingOrdersDetail | /standing-orders /accounts/{AccountId}/standing-orders | Access to additional elements in the payload | Ability to read account identification details for beneficiary of the standing order |
| ReadTransactionsBasic | /transactions /accounts/{AccountId}/transactions | Permissions must also include at least one of:
| Ability to read basic transaction information |
| ReadTransactionsDetail | /transactions /accounts/{AccountId}/transactions | Access to additional elements in the payload Permissions must also include at least one of
| Ability to read transaction data elements which may hold silent party details |
| ReadTransactionsCredits | /transactions /accounts/{AccountId}/transactions | Access to credit transactions. Permissions must also include one of:
| Ability to read only credit transactions |
| ReadTransactionsDebits | /transactions /accounts/{AccountId}/transactions | Access to debit transactions. Permissions must also include one of:
| Ability to read only debit transactions |
| ReadProducts | /products /accounts/{AccountId}/product | Ability to read all product information relating to the account |