Implement OAuth 2.0
All services are protected with an industry-standard OAuth 2.0 protocol. Before you can access any account-related services, you need to obtain an access token.
To configure your OAuth 2.0 client, use the following settings:
Production Environment
In order to access our production environment, you need to first obtain OAuth 2.0 credentials.
In the case of services regulated by the PSD2 legislation (AISP, PISP), you also need to have a proper license from the national regulator and certificate for the client authentication for accessing API resources.
OAuth 2.0 Setting | Setting Value |
|---|---|
Authorization URL | |
Token URL | |
Client ID | Obtained using the application registration API. |
Client Secret | Obtained using the application registration API. |
Base API URL | |
Mutual TLS required | Yes |
OAuth 2.0 Scopes
When asking for an access token, you can use one of the following scopes (depending on your PSD2 license coverage):
Scope | Description |
|---|---|
| Related to resources for payment account access based on AISP mandate. |
| Related to resources for payment initiation based on PISP mandate. |
Sandbox Environment
You can develop your application easily by using our live sandbox environment. The sandbox environment offers several prepared OAuth 2.0 tokens and automatically includes valid client certificate on the background.
In the API requests ensure to include the header Authorization: Bearer {token-value} where the token-value can be one of:
OAuth 2.0 Token | Description |
|---|---|
token-aisp | scope aisp |
token-pisp | scope pisp |
token-no-scope | no scope user |
To override the default valid client certificate you can try some certificate validations as well by using the header X-Client-Certificate: {certificate-value} where the {certificate-value} can be any of the following ones:
Certificate | Description |
|---|---|
certificate-aisp | PSP_AI mandate (Account Information Service Provider) |
certificate-pisp | PSP_PI mandate (Payment Initiation Service Provider) |
certificate-all | both PSP_AI and PSP_PI mandates |
certificate-no-psd | without PSD2 license |
Updated 21 days ago