The NextGenPSD2 Framework Version 1.2 offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services ('Banking as a Service') by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data.
Futhermore this API definition contains only a subset of the methods, the ones which are mandatory or which are applicable in the BT ecosystem.
Some General Remarks Related to this version of the OpenAPI Specification:
- This API definition is based on the Implementation Guidelines of the Berlin Group PSD2 API. It is not an replacement in any sense. The main specification is (at the moment) allways the Implementation Guidelines of the Berlin Group PSD2 API.
- This API definition contains the REST-API for requests from the PIISP to the ASPSP.
- This API definition contains the messages for all different approaches defined in the Implementation Guidelines. *
Paths
/v1/funds-confirmations
Confirmation of Funds Request
Creates a confirmation of funds request at the ASPSP. Checks whether a specific amount is available at point of time of the request on an account linked to a given tuple card issuer(TPP)/card number, or addressed by IBAN and TPP respectively
ID of the request, unique to the call, as determined by the initiating party.
Request body for a confirmation of funds request.
This contains the consentId of the related PIISP consent, which was performed prior to this call.
This header should be in the form "Bearer Token", where Token is returned from the call to OAuth2 Token endpoint.
Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/v1/consents/confirmation-of-funds
Create consent
This method create a consent resource, defining access rights to dedicated accounts of a given PSU-ID. These accounts are addressed explicitly in the method as parameters as a core function.
Side Effects When this Consent Request is a request where the "recurringIndicator" equals "true", and if it exists already a former consent for recurring access on account information for the addressed PSU, then the former consent automatically expires as soon as the new consent request is authorised by the PSU.
Optional Extension: As an option, an ASPSP might optionally accept a specific access right on the access on all psd2 related services for all available accounts.
As another option an ASPSP might optionally also accept a command, where only access rights are inserted without mentioning the addressed account. The relation to accounts is then handled afterwards between PSU and ASPSP. This option is supported only within the Decoupled, OAuth2 or Re-direct SCA Approach. As a last option, an ASPSP might in addition accept a command with access rights
- to see the list of available payment accounts or
- to see the list of available payment accounts with balances.
ID of the request, unique to the call, as determined by the initiating party.
The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}
Requestbody for a consents request
Created
Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/v1/consents/confirmation-of-funds/{consentId}/status
Consent status request
Read the status of an account information consent resource.
ID of the corresponding consent object as returned by an Account Information Consent Request.
ID of the request, unique to the call, as determined by the initiating party.
The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}
This header should be in the form "Bearer Token", where Token is returned from the call to OAuth2 Token endpoint.
Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/v1/consents/confirmation-of-funds/{consentId}
Get Consent Request
Returns the content of an account information consent object. This is returning the data for the TPP especially in cases, where the consent was directly managed between ASPSP and PSU e.g. in a re-direct SCA Approach.
ID of the corresponding consent object as returned by an Account Information Consent Request.
ID of the request, unique to the call, as determined by the initiating party.
The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}
This header should be in the form "Bearer Token", where Token is returned from the call to OAuth2 Token endpoint.
Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
Delete Consent
The TPP can delete an account information consent object if needed.
ID of the corresponding consent object as returned by an Account Information Consent Request.
ID of the request, unique to the call, as determined by the initiating party.
The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}
This header should be in the form "Bearer Token", where Token is returned from the call to OAuth2 Token endpoint.
No Content
Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
Definitions
{
"title": "amount",
"example": {
"currency": "EUR",
"amount": "123"
},
"type": "object",
"properties": {
"currency": {
"description": "ISO 4217 Alpha 3 currency code",
"example": "EUR",
"type": "string",
"pattern": "[A-Z]{3}"
},
"amount": {
"description": "The amount given with fractional digits, where fractions must be compliant to the currency definition.\nUp to 14 significant figures. Negative amounts are signed by minus.\nThe decimal separator is a dot.\n\n**Example:**\nValid representations for EUR with up to two decimals are:\n\n * 1056\n * 5768.2\n * -1.50\n * 5877.78",
"example": "5877.78",
"type": "string",
"pattern": "-?[0-9]{1,14}(\\.[0-9]{1,3})?"
}
},
"required": [
"currency",
"amount"
]
}
JSON Request body for the "Confirmation of Funds Service"
cardNumber | String | Optional | Card Number of the card issued by the PIISP. Should be delivered if available. |
account | Account Reference | Mandatory | PSU's account number. |
payee | Max70Text | Optional | The merchant where the card is accepted as an information to the PSU. |
instructedAmount | Amount | Mandatory | Transaction amount to be checked within the funds check mechanism. |
{
"title": "confirmationOfFunds",
"type": "object",
"properties": {
"account": {
"description": "",
"$ref": "#/definitions/AccountList"
},
"instructedAmount": {
"$ref": "#/definitions/Amount"
},
"cardNumber": {
"description": "Card Number of the card issued by the PIISP. \nShould be delivered if available.",
"type": "string"
},
"payee": {
"description": "Name payee",
"type": "string",
"maxLength": 70
}
},
"required": [
"account",
"instructedAmount"
],
"example": {
"cardNumber": "12345678901234",
"account": {
"iban": " RO98BTRLRONCRT0ABCDEFGHI"
},
"instructedAmount": {
"currency": "EUR",
"amount": "123"
}
}
}
Equals "true" if sufficient funds are available at the time of the request, "false" otherwise.
{
"title": "V1 Funds Confirmations Response",
"type": "object",
"properties": {
"fundsAvailable": {
"description": "",
"type": "boolean"
}
},
"required": [
"fundsAvailable"
]
}
{
"properties": {
"tppMessages": {
"$ref": "#/definitions/TppMessages"
}
},
"additionalProperties": false
}
{
"type": "array",
"items": {
"$ref": "#/definitions/TppMessage"
}
}
{
"properties": {
"category": {
"type": "string"
},
"code": {
"properties": [],
"type": "string"
},
"text": {
"properties": [],
"type": "string"
}
},
"additionalProperties": false
}
{
"type": "object",
"properties": {
"iban": {
"properties": [],
"type": "string"
}
},
"additionalProperties": false,
"required": [
"iban"
]
}
{
"type": "object",
"properties": {
"iban": {
"properties": [],
"type": "string",
"minLength": 1,
"uniqueItems": true
}
},
"required": [
"iban"
],
"additionalProperties": false
}
Content of the body of a consent request.
{
"title": "consents",
"type": "object",
"properties": {
"account": {
"$ref": "#/definitions/Account",
"description": "Account, where the confirmation of funds service is aimed to be submitted to."
},
"cardNumber": {
"properties": [],
"type": "string",
"description": "Card Number of the card issued by the PIISP. Should be delivered if available."
},
"cardExpiryDate": {
"properties": [],
"type": "string",
"description": "Expiry date of the card issued by the PIISP"
},
"cardInformation": {
"properties": [],
"type": "string",
"description": "Additional explanation for the card product."
},
"registrationInformation": {
"properties": [],
"type": "string",
"description": "Additional information about the registration process for the PSU, e.g. a reference to the TPP / PSU contract"
}
},
"required": [
"account"
],
"example": {
"account": {
"iban": "RO98BTRLRONCRT0ABCDEFGHI"
},
"cardNumber": "1234567891234",
"cardExpiryDate": "2019-04-22",
"cardInformation": "MyMerchant Loyalty Card",
"registrationInformation": "Your contract Number 1234 with MyMerchant is completed with the registration with your bank."
},
"additionalProperties": false
}
{
"title": "accountAccess",
"type": "object",
"properties": {
"accounts": {
"description": "Is asking for detailed account information. \n\nIf the array is empty, the TPP is asking for an accessible account list. \nThis may be restricted in a PSU/ASPSP authorization dialogue.\nIf the array is empty, also the arrays for balances or transactions shall be empty, if used.",
"items": {
"type": "object"
},
"$ref": "#/definitions/IBANList"
},
"balances": {
"description": "Is asking for balances of the addressed accounts.\n\nIf the array is empty, the TPP is asking for the balances of all accessible account lists. \nThis may be restricted in a PSU/ASPSP authorization dialogue.\nIf the array is empty, also the arrays for accounts or transactions shall be empty, if used.",
"items": {
"type": "object"
},
"$ref": "#/definitions/IBANList"
},
"transactions": {
"description": "Is asking for transactions of the addressed accounts. \n\nIf the array is empty, the TPP is asking for the transactions of all accessible account lists. \nThis may be restricted in a PSU/ASPSP authorization dialogue.\nIf the array is empty, also the arrays for accounts or balances shall be empty, if used.",
"items": {
"type": "object"
},
"$ref": "#/definitions/IBANList"
},
"availableAccounts": {
"description": "Optional if supported by API provider.\n\nOnly the value \"allAccounts\" is admitted.",
"example": "allAccounts",
"type": "string",
"default": "allAccounts"
}
},
"additionalProperties": false
}
Body of the JSON response for a successful conset request.
{
"title": "consentsResponse-201",
"type": "object",
"properties": {
"consentStatus": {
"$ref": "#/definitions/ConsentStatus"
},
"consentId": {
"description": "ID of the corresponding consent object as returned by an Account Information Consent Request.",
"type": "string"
},
"_links": {
"description": "A list of hyperlinks to be recognised by the TPP. Type of links admitted in this response are: \n- 'scaOAuth' In case of an OAuth2 based Redirect Approach, the ASPSP is transmitting the link where the configuration of the OAuth2 Server is defined. The configuration follows the OAuth 2.0 Authorisation Server Metadata specification. \n- 'self': The link to the Establish Account Information Consent resource created by this request. This link can be used to retrieve the resource data. \n- 'status': The link to retrieve the status of the account information consent.",
"type": "object",
"additionalProperties": {
"type": "object"
}
},
"message": {
"description": "Text to be displayed to the PSU, e.g. in a Decoupled SCA Approach.",
"type": "string",
"maxLength": 512
}
},
"required": [
"consentStatus",
"consentId",
"_links"
],
"example": {
"consentStatus": "received",
"consentId": "15535944504672sfbf51fa",
"_links": {
"scaOAuth": {
"href": "https://apistorebt.ro/bt/sb/oauth/.well-known/oauth-authorization-server"
},
"self": {
"href": "https://apistorebt.ro/bt/sb/bt-psd2-aisp/v1/consents/15535944504672sfbf51fa"
},
"status": {
"href": "https://apistorebt.ro/bt/sb/bt-psd2-aisp/v1/consents/15535944504672sfbf51fa/status"
}
}
}
}
{
"title": "consentStatus",
"example": "received",
"x-enum-elements": [
{
"name": "received",
"description": ""
},
{
"name": "rejected",
"description": ""
},
{
"name": "valid",
"description": ""
},
{
"name": "revokedByPsu",
"description": ""
},
{
"name": "expired",
"description": ""
},
{
"name": "terminatedByTpp",
"description": ""
}
],
"type": "string",
"enum": [
"received",
"rejected",
"valid",
"revokedByPsu",
"expired",
"terminatedByTpp"
]
}
Body of the JSON response for a successfull get consent request.
{
"title": "consentInformationResponse-200_json",
"type": "object",
"properties": {
"access": {
"$ref": "#/definitions/AccountAccess"
},
"recurringIndicator": {
"description": "\"true\", if the consent is for recurring access to the account data.\n\n\"false\", if the consent is for one access to the account data.",
"example": false,
"type": "boolean"
},
"validUntil": {
"description": "This parameter is requesting a valid until date for the requested consent. \nThe content is the local ASPSP date in ISO-Date Format, e.g. 2017-10-30. \n\nIf a maximal available date is requested, a date in far future is to be used: \"9999-12-31\". \nThe consent object to be retrieved by the GET Consent Request will contain the adjusted date.",
"example": "2020-12-31",
"type": "string",
"format": "date"
},
"frequencyPerDay": {
"description": "This field indicates the requested maximum frequency for an access per day.\nFor a one-off access, this attribute is set to \"1\".",
"example": 4,
"type": "integer",
"format": "int32"
},
"lastActionDate": {
"description": "This date is containing the date of the last action on the consent object either through \nthe XS2A interface or the PSU/ASPSP interface having an impact on the status.",
"example": "2018-07-01",
"type": "string",
"format": "date"
},
"consentStatus": {
"$ref": "#/definitions/ConsentStatus"
}
},
"required": [
"access",
"recurringIndicator",
"validUntil",
"frequencyPerDay",
"lastActionDate",
"consentStatus"
],
"example": {
"access": {
"allPSD2": "allAccounts"
},
"recurringIndicator": true,
"validUntil": "2019-04-22",
"frequencyPerDay": "4",
"consentStatus": "valid",
"lastActionDate": "2019-03-26"
}
}
Body of the JSON response for a successful get status request for a consent.
{
"title": "consentStatusResponse-200",
"type": "object",
"properties": {
"consentStatus": {
"$ref": "#/definitions/ConsentStatus"
}
},
"required": [
"consentStatus"
],
"example": {
"consentStatus": "valid"
}
}
{
"type": "array",
"items": {
"$ref": "#/definitions/IBAN"
}
}
{
"type": "object",
"properties": {
"iban": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"iban"
]
}
Authentication Object
{
"title": "authenticationObject",
"type": "object",
"properties": {
"authenticationType": {
"$ref": "#/definitions/AuthenticationType"
},
"authenticationMethodId": {
"description": "An identification provided by the ASPSP for the later identification of the authentication method selection.",
"example": "myAuthenticationID",
"type": "string",
"maxLength": 35
},
"authenticationVersion": {
"description": "Depending on the \"authenticationType\".\nThis version can be used by differentiating authentication tools used within performing OTP generation in the same authentication type.\nThis version can be referred to in the ASPSP?s documentation.",
"type": "string"
},
"name": {
"description": "This is the name of the authentication method defined by the PSU in the Online Banking frontend of the ASPSP.\nAlternatively this could be a description provided by the ASPSP like \"SMS OTP on phone +49160 xxxxx 28\".\nThis name shall be used by the TPP when presenting a list of authentication methods to the PSU, if available.",
"example": "SMS OTP on phone +49160 xxxxx 28",
"type": "string"
},
"explanation": {
"description": "Detailed information about the SCA method for the PSU.",
"example": "Detailed information about the SCA method for the PSU.",
"type": "string"
}
},
"required": [
"authenticationType",
"authenticationMethodId"
]
}
{
"title": "authenticationType",
"example": "SMS_OTP",
"x-enum-elements": [
{
"name": "SMS_OTP",
"description": ""
},
{
"name": "CHIP_OTP",
"description": ""
},
{
"name": "PHOTO_OTP",
"description": ""
},
{
"name": "PUSH_OTP",
"description": ""
}
],
"type": "string",
"enum": [
"SMS_OTP",
"CHIP_OTP",
"PHOTO_OTP",
"PUSH_OTP"
]
}
{
"title": "challengeData",
"type": "object",
"properties": {
"image": {
"description": "PNG data (max. 512 kilobyte) to be displayed to the PSU,\nBase64 encoding, cp. [RFC4648].\nThis attribute is used only, when PHOTO_OTP or CHIP_OTP\nis the selected SCA method.",
"type": "string"
},
"data": {
"description": "String challenge data",
"type": "string"
},
"imageLink": {
"description": "A link where the ASPSP will provides the challenge image for the TPP.",
"type": "string"
},
"otpMaxLength": {
"description": "The maximal length for the OTP to be typed in by the PSU.",
"type": "integer",
"format": "int32"
},
"otpFormat": {
"$ref": "#/definitions/OtpFormat"
},
"additionalInformation": {
"description": "Additional explanation for the PSU to explain\ne.g. fallback mechanism for the chosen SCA method.\nThe TPP is obliged to show this to the PSU.",
"type": "string"
}
}
}
{
"title": "OtpFormat",
"example": "characters",
"x-enum-elements": [
{
"name": "characters",
"description": ""
},
{
"name": "integer",
"description": ""
}
],
"type": "string",
"enum": [
"characters",
"integer"
]
}