-
API
-
The terms `API` (Application Programming Interface) and `Endpoint` are used somewhat interchangeablyMore...
- Get API Configuration
- Get API Info (root)
- Get Adapter Info
- Get Adapter Info for a bank
- Get Connector Status (Loopback)
- Get JSON Web Key (JWK)
- Get JSON Web Key (JWK) URIs
- Get Rate Limiting Info
-
-
Account
-
The thing that tokens of value (money) come in and out of. An account has one or more `owners` whichMore...
- Check Available Funds
- Create Account
- Create Account Attribute
- Get Account by Id (Core)
- Get Account by Id (Full)
- Get Accounts Balances
- Get Accounts Held
- Get Accounts at Bank
- Get Accounts at Bank (IDs only)
- Get Accounts at Bank (Minimal)
- Get Accounts at all Banks (private)
- Get Checkbook orders
- Get Firehose Accounts at Bank
- Update Account
- Update Account Attribute
- Update Account Label
-
-
Bank
-
A Bank (aka Space) represents a financial institution, brand or organizational unit under which resMore...
- Create Bank
- Create Transaction Type at bank
- Get Bank
- Get Banks
- Get Transaction Types at Bank
-
-
Consent
-
Consents provide a mechanism by which a third party App or User can access resources on behalf of aMore...
- Answer Consent Challenge
- Create Consent (EMAIL)
- Create Consent (IMPLICIT)
- Create Consent (SMS)
- Get Consents
- Revoke Consent
-
-
Consumer
-
The "consumer" of the API, i.e. the web, mobile or serverside "App" that calls on the OBP API on beMore...
- Enable or Disable Consumers
- Get Call Limits for a Consumer
- Get Consumer
- Get Consumers
- Get Consumers (logged in User)
- Set Rate Limiting (call limits) per Consumer
- Update Consumer RedirectUrl
-
-
Counterparty Metadata
- Add Corporate Location to Counterparty
- Add Counterparty More Info
- Add Open Corporates URL to Counterparty
- Add image url to other bank account
- Add physical location to other bank account
- Add public alias to other bank account
- Add url to other bank account
- Create Other Account Private Alias
- Delete Counterparty Corporate Location
- Delete Counterparty Image URL
- Delete Counterparty Open Corporates URL
- Delete Counterparty Physical Location
- Delete Counterparty Private Alias
- Delete Counterparty Public Alias
- Delete more info of other bank account
- Delete url of other bank account
- Get Other Account Metadata
- Get Other Account Private Alias
- Get public alias of other bank account
- Update Counterparty Corporate Location
- Update Counterparty Image Url
- Update Counterparty More Info
- Update Counterparty Physical Location
- Update Counterparty Private Alias
- Update Open Corporates Url of Counterparty
- Update public alias of other bank account
- Update url of other bank account
-
Customer
-
The legal entity that has the relationship to the bank. Customers are linked to Users via `User CusMore...
- Create Address
- Create Customer
- Create Customer Social Media Handle
- Create Tax Residence
- Create User Customer Link
- Delete Customer Address
- Delete Tax Residence
- Get CRM Events
- Get Customer Addresses
- Get Customer Social Media Handles
- Get Customer by CUSTOMER_ID
- Get Customer by CUSTOMER_NUMBER
- Get Customers for Current User
- Get Customers for current User at Bank
- Get Firehose Customers
- Get Tax Residences of Customer
- Update the Address of a Customer
- Update the Branch of a Customer
- Update the credit limit of a Customer
- Update the credit rating and source of a Customer
- Update the email of a Customer
- Update the identity data of a Customer
- Update the mobile number of a Customer
- Update the number of a Customer
- Update the other data of a Customer
-
-
Method Routing
-
Open Bank Project can have different connectors, to connect difference data sources. We supportMore...
- Create MethodRouting
- Delete MethodRouting
- Get MethodRoutings
- Update MethodRouting
-
-
Role
- Add Entitlement for a User
- Create Entitlement Request for current User
- Delete Entitlement
- Delete Entitlement Request
- Get Entitlement Requests for a User
- Get Entitlement Requests for the current User
- Get Entitlements for User
- Get Entitlements for User at Bank
- Get Entitlements for the current User
- Get Roles
- Get all Entitlement Requests
- Get all Entitlements
-
Transaction
-
Transactions are records of successful movements of value into or out of an `Account`. OBP TransacMore...
- Get Firehose Transactions for Account
- Get Other Account of Transaction
- Get Transaction by Id
- Get Transactions for Account (Core)
- Get Transactions for Account (Full)
-
-
Transaction Metadata
- Add a Transaction Comment
- Add a Transaction Image
- Add a Transaction Narrative
- Add a Transaction Tag
- Add a Transaction where Tag
- Delete a Transaction Comment
- Delete a Transaction Image
- Delete a Transaction Narrative
- Delete a Transaction Tag
- Delete a Transaction Tag
- Get Transaction Comments
- Get Transaction Images
- Get Transaction Tags
- Get a Transaction Narrative
- Get a Transaction where Tag
- Update a Transaction Narrative
- Update a Transaction where Tag
-
Transaction Request
- Answer Transaction Request Challenge
- Create Transaction Request (COUNTERPARTY)
- Create Transaction Request (FREE_FORM)
- Create Transaction Request (SANDBOX_TAN)
- Create Transaction Request (SEPA)
- Get Transaction Request Types at Bank
- Get Transaction Request Types for Account
- Get Transaction Requests
- Save Historical Transactions
-
User
-
The entity that accesses the API with a login / authorisation token and has access to zero or moreMore...
- Answer Auth Context Update Challenge
- Create User
- Create User Auth Context
- Create User Auth Context Update Request
- Delete User Auth Context
- Delete User's Auth Contexts
- Get User (Current)
- Get User Auth Contexts
- Get User Lock Status
- Get User by USERNAME
- Get User by USER_ID
- Get Users by Email Address
- Get all Users
- Refresh User
- Unlock the user
-
-
API
- Get API Configuration
- Get API Info (root)
- Get Adapter Info
- Get Adapter Info for a bank
- Get Connector Status (Loopback)
- Get JSON Web Key (JWK)
- Get JSON Web Key (JWK) URIs
- Get Rate Limiting Info
-
ATM
-
Account
- Check Available Funds
- Create Account
- Create Account Attribute
- Get Account by Id (Core)
- Get Account by Id (Full)
- Get Accounts Balances
- Get Accounts Held
- Get Accounts at Bank
- Get Accounts at Bank (IDs only)
- Get Accounts at Bank (Minimal)
- Get Accounts at all Banks (private)
- Get Checkbook orders
- Get Firehose Accounts at Bank
- Update Account
- Update Account Attribute
- Update Account Label
-
Account Application
- Create Account Application
- Get Account Application by Id
- Get Account Applications
- Update Account Application Status
-
Account Public
-
Bank
-
Bank Accounts (Dynamic Endpoint)
-
Branch
-
Card
- Create Card
- Create Card Attribute
- Delete Card
- Get Card By Id
- Get Cards for the specified bank
- Get cards for the current user
- Get status of Credit Card order
- Update Card
- Update Card Attribute
-
Consent
- Answer Consent Challenge
- Create Consent (EMAIL)
- Create Consent (IMPLICIT)
- Create Consent (SMS)
- Get Consents
- Revoke Consent
-
Consumer
- Enable or Disable Consumers
- Get Call Limits for a Consumer
- Get Consumer
- Get Consumers
- Get Consumers (logged in User)
- Set Rate Limiting (call limits) per Consumer
- Update Consumer RedirectUrl
-
Counterparty
- Create Counterparty (Explicit)
- Get Counterparties (Explicit)
- Get Counterparty by Counterparty Id (Explicit)
- Get Other Account by Id
- Get Other Accounts of one Account
-
Counterparty Metadata
- Add Corporate Location to Counterparty
- Add Counterparty More Info
- Add Open Corporates URL to Counterparty
- Add image url to other bank account
- Add physical location to other bank account
- Add public alias to other bank account
- Add url to other bank account
- Create Other Account Private Alias
- Delete Counterparty Corporate Location
- Delete Counterparty Image URL
- Delete Counterparty Open Corporates URL
- Delete Counterparty Physical Location
- Delete Counterparty Private Alias
- Delete Counterparty Public Alias
- Delete more info of other bank account
- Delete url of other bank account
- Get Other Account Metadata
- Get Other Account Private Alias
- Get public alias of other bank account
- Update Counterparty Corporate Location
- Update Counterparty Image Url
- Update Counterparty More Info
- Update Counterparty Physical Location
- Update Counterparty Private Alias
- Update Open Corporates Url of Counterparty
- Update public alias of other bank account
- Update url of other bank account
-
Customer
- Create Address
- Create Customer
- Create Customer Social Media Handle
- Create Tax Residence
- Create User Customer Link
- Delete Customer Address
- Delete Tax Residence
- Get CRM Events
- Get Customer Addresses
- Get Customer Social Media Handles
- Get Customer by CUSTOMER_ID
- Get Customer by CUSTOMER_NUMBER
- Get Customers for Current User
- Get Customers for current User at Bank
- Get Firehose Customers
- Get Tax Residences of Customer
- Update the Address of a Customer
- Update the Branch of a Customer
- Update the credit limit of a Customer
- Update the credit rating and source of a Customer
- Update the email of a Customer
- Update the identity data of a Customer
- Update the mobile number of a Customer
- Update the number of a Customer
- Update the other data of a Customer
-
Customer Meeting
-
Customer Message
-
Data Warehouse
-
Documentation
- Get Bank Level Dynamic Resource Docs
- Get Glossary of the API
- Get Message Docs
- Get Message Docs Swagger
- Get Resource Docs
- Get Resource Docs
- Get Swagger documentation
-
Dynamic Resource Doc
-
FX
-
KYC
- Add KYC Check
- Add KYC Document
- Add KYC Media
- Add KYC Status
- Get Customer KYC Checks
- Get Customer KYC Documents
- Get Customer KYC statuses
- Get KYC Media for a customer
-
Method Routing
-
Metric
- Get Aggregate Metrics
- Get Connector Metrics
- Get Metrics
- Get Top APIs
- Get Top Consumers
- Search API Metrics via Elasticsearch
-
Product
- Create Product
- Create Product Attribute
- Delete Product Attribute
- Get Bank Product
- Get Product Attribute
- Get Product Tree
- Get Products
- Update Product Attribute
-
Product Collection
-
Role
- Add Entitlement for a User
- Create Entitlement Request for current User
- Delete Entitlement
- Delete Entitlement Request
- Get Entitlement Requests for a User
- Get Entitlement Requests for the current User
- Get Entitlements for User
- Get Entitlements for User at Bank
- Get Entitlements for the current User
- Get Roles
- Get all Entitlement Requests
- Get all Entitlements
-
Sandbox
-
Scope
-
Transaction
- Get Firehose Transactions for Account
- Get Other Account of Transaction
- Get Transaction by Id
- Get Transactions for Account (Core)
- Get Transactions for Account (Full)
-
Transaction Metadata
- Add a Transaction Comment
- Add a Transaction Image
- Add a Transaction Narrative
- Add a Transaction Tag
- Add a Transaction where Tag
- Delete a Transaction Comment
- Delete a Transaction Image
- Delete a Transaction Narrative
- Delete a Transaction Tag
- Delete a Transaction Tag
- Get Transaction Comments
- Get Transaction Images
- Get Transaction Tags
- Get a Transaction Narrative
- Get a Transaction where Tag
- Update a Transaction Narrative
- Update a Transaction where Tag
-
Transaction Request
- Answer Transaction Request Challenge
- Create Transaction Request (COUNTERPARTY)
- Create Transaction Request (FREE_FORM)
- Create Transaction Request (SANDBOX_TAN)
- Create Transaction Request (SEPA)
- Get Transaction Request Types at Bank
- Get Transaction Request Types for Account
- Get Transaction Requests
- Save Historical Transactions
-
User
- Answer Auth Context Update Challenge
- Create User
- Create User Auth Context
- Create User Auth Context Update Request
- Delete User Auth Context
- Delete User's Auth Contexts
- Get User (Current)
- Get User Auth Contexts
- Get User Lock Status
- Get User by USERNAME
- Get User by USER_ID
- Get Users by Email Address
- Get all Users
- Refresh User
- Unlock the user
-
View Custom
- Create Custom View
- Delete Custom View
- Get Account access for User
- Get Views for Account
- Get access
- Grant User access to View
- Grant User access to a list of views
- Revoke access to all Views on Account
- Revoke access to one View
- Update Custom View
-
View System
-
WebUi Props
-
Webhook
-
_Covid APIDays
- Create new Covid APIDays
- Delete Covid APIDays by id
- Get Covid APIDays List
- Get Covid APIDays by id
- Update Covid APIDays
-
_Customer Cars
- Create new Customer Cars
- Delete Customer Cars by id
- Get Customer Cars List
- Get Customer Cars by id
- Update Customer Cars
-
_D Entity1(gh.29.uk)
-
_Fish Port
-
_Foo Bar
-
_Insurance Policy(gh.29.uk)
- Create new Insurance Policy
- Delete Insurance Policy by id
- Get Insurance Policy List
- Get Insurance Policy by id
- Update Insurance Policy
-
_Insurance Premium(gh.29.uk)
- Create new Insurance Premium
- Delete Insurance Premium by id
- Get Insurance Premium List
- Get Insurance Premium by id
- Update Insurance Premium
-
_March Hare(gh.29.uk)
- Create new March Hare
- Delete March Hare by id
- Get March Hare List
- Get March Hare by id
- Update March Hare
-
_Obp Activity(obp.testing.01)
- Create new Obp Activity
- Delete Obp Activity by id
- Get Obp Activity List
- Get Obp Activity by id
- Update Obp Activity
-
_Odometer(gh.29.uk)
-
_Simon Covid
- Create new Simon Covid
- Delete Simon Covid by id
- Get Simon Covid List
- Get Simon Covid by id
- Update Simon Covid
-
_Sustrans
-
_Test Daniel707
- Create new My Test Daniel707
- Create new Test Daniel707
- Delete My Test Daniel707 by id
- Delete Test Daniel707 by id
- Get My Test Daniel707 List
- Get My Test Daniel707 by id
- Get Test Daniel707 List
- Get Test Daniel707 by id
- Update My Test Daniel707
- Update Test Daniel707
-
_Test1
v3.1.0 (327 APIs)
Answer Consent Challenge
An OBP Consent allows the holder of the Consent to call one or more endpoints.
Consents must be created and authorisied using SCA (Strong Customer Authentication).
That is, Consents can be created by an authorised User via the OBP REST API but they must be confirmed via an out of band (OOB) mechanism such as a code sent to a mobile phone.
Each Consent has one of the following states: INITIATED, ACCEPTED, REJECTED, REVOKED, RECEIVED, VALID, REVOKEDBYPSU, EXPIRED, TERMINATEDBYTPP, AUTHORISED, AWAITINGAUTHORISATION.
Each Consent is bound to a consumer i.e. you need to identify yourself over request header value Consumer-Key.
For example:
GET /obp/v4.0.0/users/current HTTP/1.1
Host: 127.0.0.1:8080
Consent-JWT: eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOlt7InJvbGVfbmFtZSI6IkNhbkdldEFueVVzZXIiLCJiYW5rX2lkIjoiIn
1dLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIzNDc1MDEzZi03YmY5LTQyNj
EtOWUxYy0xZTdlNWZjZTJlN2UiLCJhdWQiOiI4MTVhMGVmMS00YjZhLTQyMDUtYjExMi1lNDVmZDZmNGQzYWQiLCJuYmYiOjE1ODA3NDE2NjcsIml
zcyI6Imh0dHA6XC9cLzEyNy4wLjAuMTo4MDgwIiwiZXhwIjoxNTgwNzQ1MjY3LCJpYXQiOjE1ODA3NDE2NjcsImp0aSI6ImJkYzVjZTk5LTE2ZTY
tNDM4Yi1hNjllLTU3MTAzN2RhMTg3OCIsInZpZXdzIjpbXX0.L3fEEEhdCVr3qnmyRKBBUaIQ7dk1VjiFaEBW8hUNjfg
Consumer-Key: ejznk505d132ryomnhbx1qmtohurbsbb0kijajsk
cache-control: no-cache
Maximum time to live of the token is specified over props value consents.max_time_to_live. In case isn't defined default value is 3600 seconds.
Example of POST JSON:
{
"everything": false,
"views": [
{
"bank_id": "GENODEM1GLS",
"account_id": "8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0",
"view_id": "owner"
}
],
"entitlements": [
{
"bank_id": "GENODEM1GLS",
"role_name": "CanGetCustomer"
}
],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"email": "eveline@example.com",
"valid_from": "2020-02-07T08:43:34Z",
"time_to_live": 3600
}
Please note that only optional fields are: consumer_id, valid_from and time_to_live.
In case you omit they the default values are used:
consumer_id = consumer of current user
valid_from = current time
time_to_live = consents.max_time_to_live
This endpoint is used to confirm a Consent previously created.
The User must supply a code that was sent out of band (OOB) for example via an SMS.
Authentication is Mandatory
URL Parameters:
BANK_ID: gh.29.uk
JSON request body fields:
JSON response body fields:
jwt:
{
"consent_id":"9d429899-24f5-42c8-8565-943ffa6a7945",
"jwt":"eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOltdLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIyMWUxYzhjYy1mOTE4LTRlYWMtYjhlMy01ZTVlZWM2YjNiNGIiLCJhdWQiOiJlanpuazUwNWQxMzJyeW9tbmhieDFxbXRvaHVyYnNiYjBraWphanNrIiwibmJmIjoxNTUzNTU0ODk5LCJpc3MiOiJodHRwczpcL1wvd3d3Lm9wZW5iYW5rcHJvamVjdC5jb20iLCJleHAiOjE1NTM1NTg0OTksImlhdCI6MTU1MzU1NDg5OSwianRpIjoiMDlmODhkNWYtZWNlNi00Mzk4LThlOTktNjYxMWZhMWNkYmQ1Iiwidmlld3MiOlt7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAxIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifSx7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAyIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifV19.8cc7cBEf2NyQvJoukBCmDLT7LXYcuzTcSYLqSpbxLp4",
"status":"INITIATED"
}
- Required JSON Validation: No
- Allowed Authentication Types: Not set
- OBP-20001: User not logged in. Authentication is required!
- OBP-30001: Bank not found. Please specify a valid value for BANK_ID.
- OBP-10001: Incorrect json format.
- OBP-50200: Connector cannot return the data we requested.
- OBP-50000: Unknown Error.
Create Consent (EMAIL)
This endpoint starts the process of creating a Consent.
The Consent is created in an INITIATED state.
A One Time Password (OTP) (AKA security challenge) is sent Out of Band (OOB) to the User via the transport defined in SCA_METHOD
SCA_METHOD is typically "SMS","EMAIL" or "IMPLICIT". "EMAIL" is used for testing purposes. OBP mapped mode "IMPLICIT" is "EMAIL".
Other mode, bank can decide it in the connector method 'getConsentImplicitSCA'.
When the Consent is created, OBP (or a backend system) stores the challenge so it can be checked later against the value supplied by the User with the Answer Consent Challenge endpoint.
An OBP Consent allows the holder of the Consent to call one or more endpoints.
Consents must be created and authorisied using SCA (Strong Customer Authentication).
That is, Consents can be created by an authorised User via the OBP REST API but they must be confirmed via an out of band (OOB) mechanism such as a code sent to a mobile phone.
Each Consent has one of the following states: INITIATED, ACCEPTED, REJECTED, REVOKED, RECEIVED, VALID, REVOKEDBYPSU, EXPIRED, TERMINATEDBYTPP, AUTHORISED, AWAITINGAUTHORISATION.
Each Consent is bound to a consumer i.e. you need to identify yourself over request header value Consumer-Key.
For example:
GET /obp/v4.0.0/users/current HTTP/1.1
Host: 127.0.0.1:8080
Consent-JWT: eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOlt7InJvbGVfbmFtZSI6IkNhbkdldEFueVVzZXIiLCJiYW5rX2lkIjoiIn
1dLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIzNDc1MDEzZi03YmY5LTQyNj
EtOWUxYy0xZTdlNWZjZTJlN2UiLCJhdWQiOiI4MTVhMGVmMS00YjZhLTQyMDUtYjExMi1lNDVmZDZmNGQzYWQiLCJuYmYiOjE1ODA3NDE2NjcsIml
zcyI6Imh0dHA6XC9cLzEyNy4wLjAuMTo4MDgwIiwiZXhwIjoxNTgwNzQ1MjY3LCJpYXQiOjE1ODA3NDE2NjcsImp0aSI6ImJkYzVjZTk5LTE2ZTY
tNDM4Yi1hNjllLTU3MTAzN2RhMTg3OCIsInZpZXdzIjpbXX0.L3fEEEhdCVr3qnmyRKBBUaIQ7dk1VjiFaEBW8hUNjfg
Consumer-Key: ejznk505d132ryomnhbx1qmtohurbsbb0kijajsk
cache-control: no-cache
Maximum time to live of the token is specified over props value consents.max_time_to_live. In case isn't defined default value is 3600 seconds.
Example of POST JSON:
{
"everything": false,
"views": [
{
"bank_id": "GENODEM1GLS",
"account_id": "8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0",
"view_id": "owner"
}
],
"entitlements": [
{
"bank_id": "GENODEM1GLS",
"role_name": "CanGetCustomer"
}
],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"email": "eveline@example.com",
"valid_from": "2020-02-07T08:43:34Z",
"time_to_live": 3600
}
Please note that only optional fields are: consumer_id, valid_from and time_to_live.
In case you omit they the default values are used:
consumer_id = consumer of current user
valid_from = current time
time_to_live = consents.max_time_to_live
Authentication is Mandatory
Example 1:
{
"everything": true,
"views": [],
"entitlements": [],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"phone_number": "+49 170 1234567"
}
Please note that consumer_id is optional field
Example 2:
{
"everything": true,
"views": [],
"entitlements": [],
"phone_number": "+49 170 1234567"
}
Please note if everything=false you need to explicitly specify views and entitlements
Example 3:
{
"everything": false,
"views": [
{
"bank_id": "GENODEM1GLS",
"account_id": "8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0",
"view_id": "owner"
}
],
"entitlements": [
{
"bank_id": "GENODEM1GLS",
"role_name": "CanGetCustomer"
}
],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"phone_number": "+49 170 1234567"
}
URL Parameters:
BANK_ID: gh.29.uk
JSON request body fields:
account_id: 8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0
bank_id: gh.29.uk
view_id: owner
consumer_id: 7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh
valid_from: 2020-01-27
JSON response body fields:
jwt:
{
"consent_id":"9d429899-24f5-42c8-8565-943ffa6a7945",
"jwt":"eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOltdLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIyMWUxYzhjYy1mOTE4LTRlYWMtYjhlMy01ZTVlZWM2YjNiNGIiLCJhdWQiOiJlanpuazUwNWQxMzJyeW9tbmhieDFxbXRvaHVyYnNiYjBraWphanNrIiwibmJmIjoxNTUzNTU0ODk5LCJpc3MiOiJodHRwczpcL1wvd3d3Lm9wZW5iYW5rcHJvamVjdC5jb20iLCJleHAiOjE1NTM1NTg0OTksImlhdCI6MTU1MzU1NDg5OSwianRpIjoiMDlmODhkNWYtZWNlNi00Mzk4LThlOTktNjYxMWZhMWNkYmQ1Iiwidmlld3MiOlt7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAxIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifSx7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAyIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifV19.8cc7cBEf2NyQvJoukBCmDLT7LXYcuzTcSYLqSpbxLp4",
"status":"INITIATED"
}
- Required JSON Validation: No
- Allowed Authentication Types: Not set
- OBP-20001: User not logged in. Authentication is required!
- OBP-30001: Bank not found. Please specify a valid value for BANK_ID.
- OBP-10001: Incorrect json format.
- OBP-35009: Only SMS, EMAIL and IMPLICIT are supported as SCA methods.
- OBP-35013: Consents can only contain Roles that you already have access to.
- OBP-35014: Consents can only contain Views that you already have access to.
- OBP-30019: Consumer not found. Please specify a valid value for CONSUMER_ID.
- OBP-20058: Consumer is disabled.
- OBP-50200: Connector cannot return the data we requested.
- OBP-50000: Unknown Error.
Create Consent (IMPLICIT)
This endpoint starts the process of creating a Consent.
The Consent is created in an INITIATED state.
A One Time Password (OTP) (AKA security challenge) is sent Out of Band (OOB) to the User via the transport defined in SCA_METHOD
SCA_METHOD is typically "SMS","EMAIL" or "IMPLICIT". "EMAIL" is used for testing purposes. OBP mapped mode "IMPLICIT" is "EMAIL".
Other mode, bank can decide it in the connector method 'getConsentImplicitSCA'.
When the Consent is created, OBP (or a backend system) stores the challenge so it can be checked later against the value supplied by the User with the Answer Consent Challenge endpoint.
An OBP Consent allows the holder of the Consent to call one or more endpoints.
Consents must be created and authorisied using SCA (Strong Customer Authentication).
That is, Consents can be created by an authorised User via the OBP REST API but they must be confirmed via an out of band (OOB) mechanism such as a code sent to a mobile phone.
Each Consent has one of the following states: INITIATED, ACCEPTED, REJECTED, REVOKED, RECEIVED, VALID, REVOKEDBYPSU, EXPIRED, TERMINATEDBYTPP, AUTHORISED, AWAITINGAUTHORISATION.
Each Consent is bound to a consumer i.e. you need to identify yourself over request header value Consumer-Key.
For example:
GET /obp/v4.0.0/users/current HTTP/1.1
Host: 127.0.0.1:8080
Consent-JWT: eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOlt7InJvbGVfbmFtZSI6IkNhbkdldEFueVVzZXIiLCJiYW5rX2lkIjoiIn
1dLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIzNDc1MDEzZi03YmY5LTQyNj
EtOWUxYy0xZTdlNWZjZTJlN2UiLCJhdWQiOiI4MTVhMGVmMS00YjZhLTQyMDUtYjExMi1lNDVmZDZmNGQzYWQiLCJuYmYiOjE1ODA3NDE2NjcsIml
zcyI6Imh0dHA6XC9cLzEyNy4wLjAuMTo4MDgwIiwiZXhwIjoxNTgwNzQ1MjY3LCJpYXQiOjE1ODA3NDE2NjcsImp0aSI6ImJkYzVjZTk5LTE2ZTY
tNDM4Yi1hNjllLTU3MTAzN2RhMTg3OCIsInZpZXdzIjpbXX0.L3fEEEhdCVr3qnmyRKBBUaIQ7dk1VjiFaEBW8hUNjfg
Consumer-Key: ejznk505d132ryomnhbx1qmtohurbsbb0kijajsk
cache-control: no-cache
Maximum time to live of the token is specified over props value consents.max_time_to_live. In case isn't defined default value is 3600 seconds.
Example of POST JSON:
{
"everything": false,
"views": [
{
"bank_id": "GENODEM1GLS",
"account_id": "8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0",
"view_id": "owner"
}
],
"entitlements": [
{
"bank_id": "GENODEM1GLS",
"role_name": "CanGetCustomer"
}
],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"email": "eveline@example.com",
"valid_from": "2020-02-07T08:43:34Z",
"time_to_live": 3600
}
Please note that only optional fields are: consumer_id, valid_from and time_to_live.
In case you omit they the default values are used:
consumer_id = consumer of current user
valid_from = current time
time_to_live = consents.max_time_to_live
Authentication is Mandatory
Example 1:
{
"everything": true,
"views": [],
"entitlements": [],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
}
Please note that consumer_id is optional field
Example 2:
{
"everything": true,
"views": [],
"entitlements": [],
}
Please note if everything=false you need to explicitly specify views and entitlements
Example 3:
{
"everything": false,
"views": [
{
"bank_id": "GENODEM1GLS",
"account_id": "8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0",
"view_id": "owner"
}
],
"entitlements": [
{
"bank_id": "GENODEM1GLS",
"role_name": "CanGetCustomer"
}
],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
}
URL Parameters:
BANK_ID: gh.29.uk
IMPLICIT: IMPLICIT
JSON request body fields:
account_id: 8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0
bank_id: gh.29.uk
view_id: owner
consumer_id: 7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh
valid_from: 2020-01-27
JSON response body fields:
jwt:
{
"consent_id":"9d429899-24f5-42c8-8565-943ffa6a7945",
"jwt":"eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOltdLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIyMWUxYzhjYy1mOTE4LTRlYWMtYjhlMy01ZTVlZWM2YjNiNGIiLCJhdWQiOiJlanpuazUwNWQxMzJyeW9tbmhieDFxbXRvaHVyYnNiYjBraWphanNrIiwibmJmIjoxNTUzNTU0ODk5LCJpc3MiOiJodHRwczpcL1wvd3d3Lm9wZW5iYW5rcHJvamVjdC5jb20iLCJleHAiOjE1NTM1NTg0OTksImlhdCI6MTU1MzU1NDg5OSwianRpIjoiMDlmODhkNWYtZWNlNi00Mzk4LThlOTktNjYxMWZhMWNkYmQ1Iiwidmlld3MiOlt7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAxIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifSx7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAyIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifV19.8cc7cBEf2NyQvJoukBCmDLT7LXYcuzTcSYLqSpbxLp4",
"status":"INITIATED"
}
- Required JSON Validation: No
- Allowed Authentication Types: Not set
- OBP-20001: User not logged in. Authentication is required!
- OBP-30001: Bank not found. Please specify a valid value for BANK_ID.
- OBP-10001: Incorrect json format.
- OBP-35009: Only SMS, EMAIL and IMPLICIT are supported as SCA methods.
- OBP-35013: Consents can only contain Roles that you already have access to.
- OBP-35014: Consents can only contain Views that you already have access to.
- OBP-30019: Consumer not found. Please specify a valid value for CONSUMER_ID.
- OBP-20058: Consumer is disabled.
- OBP-00010: Missing props value at this API instance -
- OBP-35010: SMS server is not working or SMS server can not send the message to the phone number:
- OBP-50200: Connector cannot return the data we requested.
- OBP-50000: Unknown Error.
Create Consent (SMS)
This endpoint starts the process of creating a Consent.
The Consent is created in an INITIATED state.
A One Time Password (OTP) (AKA security challenge) is sent Out of Band (OOB) to the User via the transport defined in SCA_METHOD
SCA_METHOD is typically "SMS","EMAIL" or "IMPLICIT". "EMAIL" is used for testing purposes. OBP mapped mode "IMPLICIT" is "EMAIL".
Other mode, bank can decide it in the connector method 'getConsentImplicitSCA'.
When the Consent is created, OBP (or a backend system) stores the challenge so it can be checked later against the value supplied by the User with the Answer Consent Challenge endpoint.
An OBP Consent allows the holder of the Consent to call one or more endpoints.
Consents must be created and authorisied using SCA (Strong Customer Authentication).
That is, Consents can be created by an authorised User via the OBP REST API but they must be confirmed via an out of band (OOB) mechanism such as a code sent to a mobile phone.
Each Consent has one of the following states: INITIATED, ACCEPTED, REJECTED, REVOKED, RECEIVED, VALID, REVOKEDBYPSU, EXPIRED, TERMINATEDBYTPP, AUTHORISED, AWAITINGAUTHORISATION.
Each Consent is bound to a consumer i.e. you need to identify yourself over request header value Consumer-Key.
For example:
GET /obp/v4.0.0/users/current HTTP/1.1
Host: 127.0.0.1:8080
Consent-JWT: eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOlt7InJvbGVfbmFtZSI6IkNhbkdldEFueVVzZXIiLCJiYW5rX2lkIjoiIn
1dLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIzNDc1MDEzZi03YmY5LTQyNj
EtOWUxYy0xZTdlNWZjZTJlN2UiLCJhdWQiOiI4MTVhMGVmMS00YjZhLTQyMDUtYjExMi1lNDVmZDZmNGQzYWQiLCJuYmYiOjE1ODA3NDE2NjcsIml
zcyI6Imh0dHA6XC9cLzEyNy4wLjAuMTo4MDgwIiwiZXhwIjoxNTgwNzQ1MjY3LCJpYXQiOjE1ODA3NDE2NjcsImp0aSI6ImJkYzVjZTk5LTE2ZTY
tNDM4Yi1hNjllLTU3MTAzN2RhMTg3OCIsInZpZXdzIjpbXX0.L3fEEEhdCVr3qnmyRKBBUaIQ7dk1VjiFaEBW8hUNjfg
Consumer-Key: ejznk505d132ryomnhbx1qmtohurbsbb0kijajsk
cache-control: no-cache
Maximum time to live of the token is specified over props value consents.max_time_to_live. In case isn't defined default value is 3600 seconds.
Example of POST JSON:
{
"everything": false,
"views": [
{
"bank_id": "GENODEM1GLS",
"account_id": "8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0",
"view_id": "owner"
}
],
"entitlements": [
{
"bank_id": "GENODEM1GLS",
"role_name": "CanGetCustomer"
}
],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"email": "eveline@example.com",
"valid_from": "2020-02-07T08:43:34Z",
"time_to_live": 3600
}
Please note that only optional fields are: consumer_id, valid_from and time_to_live.
In case you omit they the default values are used:
consumer_id = consumer of current user
valid_from = current time
time_to_live = consents.max_time_to_live
Authentication is Mandatory
Example 1:
{
"everything": true,
"views": [],
"entitlements": [],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"email": "eveline@example.com"
}
Please note that consumer_id is optional field
Example 2:
{
"everything": true,
"views": [],
"entitlements": [],
"email": "eveline@example.com"
}
Please note if everything=false you need to explicitly specify views and entitlements
Example 3:
{
"everything": false,
"views": [
{
"bank_id": "GENODEM1GLS",
"account_id": "8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0",
"view_id": "owner"
}
],
"entitlements": [
{
"bank_id": "GENODEM1GLS",
"role_name": "CanGetCustomer"
}
],
"consumer_id": "7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh",
"email": "eveline@example.com"
}
URL Parameters:
BANK_ID: gh.29.uk
SMS:
JSON request body fields:
account_id: 8ca8a7e4-6d02-40e3-a129-0b2bf89de9f0
bank_id: gh.29.uk
view_id: owner
consumer_id: 7uy8a7e4-6d02-40e3-a129-0b2bf89de8uh
valid_from: 2020-01-27
JSON response body fields:
jwt:
{
"consent_id":"9d429899-24f5-42c8-8565-943ffa6a7945",
"jwt":"eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOltdLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIyMWUxYzhjYy1mOTE4LTRlYWMtYjhlMy01ZTVlZWM2YjNiNGIiLCJhdWQiOiJlanpuazUwNWQxMzJyeW9tbmhieDFxbXRvaHVyYnNiYjBraWphanNrIiwibmJmIjoxNTUzNTU0ODk5LCJpc3MiOiJodHRwczpcL1wvd3d3Lm9wZW5iYW5rcHJvamVjdC5jb20iLCJleHAiOjE1NTM1NTg0OTksImlhdCI6MTU1MzU1NDg5OSwianRpIjoiMDlmODhkNWYtZWNlNi00Mzk4LThlOTktNjYxMWZhMWNkYmQ1Iiwidmlld3MiOlt7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAxIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifSx7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAyIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifV19.8cc7cBEf2NyQvJoukBCmDLT7LXYcuzTcSYLqSpbxLp4",
"status":"INITIATED"
}
- Required JSON Validation: No
- Allowed Authentication Types: Not set
- OBP-20001: User not logged in. Authentication is required!
- OBP-30001: Bank not found. Please specify a valid value for BANK_ID.
- OBP-10001: Incorrect json format.
- OBP-35009: Only SMS, EMAIL and IMPLICIT are supported as SCA methods.
- OBP-35013: Consents can only contain Roles that you already have access to.
- OBP-35014: Consents can only contain Views that you already have access to.
- OBP-30019: Consumer not found. Please specify a valid value for CONSUMER_ID.
- OBP-20058: Consumer is disabled.
- OBP-00010: Missing props value at this API instance -
- OBP-35010: SMS server is not working or SMS server can not send the message to the phone number:
- OBP-50200: Connector cannot return the data we requested.
- OBP-50000: Unknown Error.
Get Consents
{
"consents":[{
"consent_id":"9d429899-24f5-42c8-8565-943ffa6a7945",
"jwt":"eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOltdLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIyMWUxYzhjYy1mOTE4LTRlYWMtYjhlMy01ZTVlZWM2YjNiNGIiLCJhdWQiOiJlanpuazUwNWQxMzJyeW9tbmhieDFxbXRvaHVyYnNiYjBraWphanNrIiwibmJmIjoxNTUzNTU0ODk5LCJpc3MiOiJodHRwczpcL1wvd3d3Lm9wZW5iYW5rcHJvamVjdC5jb20iLCJleHAiOjE1NTM1NTg0OTksImlhdCI6MTU1MzU1NDg5OSwianRpIjoiMDlmODhkNWYtZWNlNi00Mzk4LThlOTktNjYxMWZhMWNkYmQ1Iiwidmlld3MiOlt7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAxIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifSx7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAyIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifV19.8cc7cBEf2NyQvJoukBCmDLT7LXYcuzTcSYLqSpbxLp4",
"status":"INITIATED"
}]
}
- Required JSON Validation: No
- Allowed Authentication Types: Not set
- OBP-20001: User not logged in. Authentication is required!
- OBP-30001: Bank not found. Please specify a valid value for BANK_ID.
- OBP-50000: Unknown Error.
Revoke Consent
Revoke Consent for current user specified by CONSENT_ID
There are a few reasons you might need to revoke an application’s access to a user’s account:
- The user explicitly wishes to revoke the application’s access
- You as the service provider have determined an application is compromised or malicious, and want to disable it
- etc.
Please note that this endpoint only supports the case:: "The user explicitly wishes to revoke the application’s access"
OBP as a resource server stores access tokens in a database, then it is relatively easy to revoke some token that belongs to a particular user.
The status of the token is changed to "REVOKED" so the next time the revoked client makes a request, their token will fail to validate.
Authentication is Mandatory
URL Parameters:
BANK_ID: gh.29.uk
JSON response body fields:
jwt:
{
"consent_id":"9d429899-24f5-42c8-8565-943ffa6a7945",
"jwt":"eyJhbGciOiJIUzI1NiJ9.eyJlbnRpdGxlbWVudHMiOltdLCJjcmVhdGVkQnlVc2VySWQiOiJhYjY1MzlhOS1iMTA1LTQ0ODktYTg4My0wYWQ4ZDZjNjE2NTciLCJzdWIiOiIyMWUxYzhjYy1mOTE4LTRlYWMtYjhlMy01ZTVlZWM2YjNiNGIiLCJhdWQiOiJlanpuazUwNWQxMzJyeW9tbmhieDFxbXRvaHVyYnNiYjBraWphanNrIiwibmJmIjoxNTUzNTU0ODk5LCJpc3MiOiJodHRwczpcL1wvd3d3Lm9wZW5iYW5rcHJvamVjdC5jb20iLCJleHAiOjE1NTM1NTg0OTksImlhdCI6MTU1MzU1NDg5OSwianRpIjoiMDlmODhkNWYtZWNlNi00Mzk4LThlOTktNjYxMWZhMWNkYmQ1Iiwidmlld3MiOlt7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAxIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifSx7ImFjY291bnRfaWQiOiJtYXJrb19wcml2aXRlXzAyIiwiYmFua19pZCI6ImdoLjI5LnVrLngiLCJ2aWV3X2lkIjoib3duZXIifV19.8cc7cBEf2NyQvJoukBCmDLT7LXYcuzTcSYLqSpbxLp4",
"status":"REJECTED"
}
- Required JSON Validation: No
- Allowed Authentication Types: Not set
- OBP-20001: User not logged in. Authentication is required!
- OBP-30001: Bank not found. Please specify a valid value for BANK_ID.
- OBP-50000: Unknown Error.