PIISP API Flow

Onboarding your user

Before your first call to the Confirmation of Funds services API, your user must authorize you to access the user's personal data.

The flows for the Confirmation of Funds Consent are the same as the Account Information Service Consent flows.

1. Register Consent

1.1 Your application initiates the flow by making a POST /consents/confirmation-of-funds request. 
1.2 The bank sends back to your application a consent ID.
1.3 Your application initiates the flow by directing the user’s browser to the authorization endpoint. Initiation is carried out by making a GET /oauth2/authorize request with scope for CISP = "PSP_IC"
1.4 The bank authenticates the user and establishes whether he grants or denies your access request.
1.5 Assuming the user grants access, the bank server redirects his browser back to your application using the redirection URI provided during your application registration. The redirection URI includes an authorization code.
1.6 Your application requests an access token from the bank server's token endpoint by including the authorization code received in the previous step. The authorization code exchange is carried out by making a POST /oauth2/token request.
1.7 The bank server authenticates your application, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the user back to your application in step 1.3. If it is valid, the bank responds with an access token and a refresh token.

2. Get funds confirmation

2.1 Your application initiates a POST /funds-confirmation request with a valid access token.
2.2 The bank server validates the access token and the transaction details. If all data in the request are correct, the bank will return the response TRUE (for sufficient balance) or FALSE (for insufficient balance).

If instructedAmount <= balance, then respond with 200 OK, "fundsAvailable": true.

If instructedAmount > balance, then respond with 200 OK, "fundsAvailable": false.

3. Refresh Expired Access Token

When an access token obtained through an authorization code grant expires, your application should attempt to get a new access token by calling POST /oauth2/token with the refresh token. For more information see Section 6, Refreshing an Access Token, of the OAuth 2.0 specification (RFC 6749).

If your application fails to get an access token using a refresh token (i.e. because the user has removed the consent), you need to start the consent flow from Step 1 again.
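The following is an added example, not code from this page, the bank or any SDK: a small client that walks all three parts of the flow above (consent registration and the authorization code exchange of section 1, the funds check of section 2, and the refresh-or-restart rule of section 3) against an in-memory stand-in for the bank so that it runs offline. The endpoint paths, the PSP_IC scope and the instructedAmount / fundsAvailable fields come from the page; the bank host, the redirect URI, the consentId field name, the JSON body layout and the FakeBank class itself are assumptions constructed for the example.

```python
import secrets
import urllib.parse

REGISTERED_REDIRECT = "https://tpp.example/callback"   # assumed; fixed at app registration


class ConsentRequired(Exception):
    """Refresh was rejected (e.g. consent withdrawn): restart at step 1."""


class FakeBank:  # constructed in-memory stand-in for the bank; not a real API
    def __init__(self, balance):
        self.balance, self.codes, self.tokens, self.refresh = balance, {}, {}, {}

    def _issue(self):
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[access], self.refresh[refresh] = True, True
        return 200, {"access_token": access, "refresh_token": refresh}

    def call(self, method, path, body, token=None):
        if (method, path) == ("POST", "/consents/confirmation-of-funds"):
            return 201, {"consentId": "cons-" + secrets.token_hex(4)}
        if (method, path) == ("POST", "/oauth2/token"):
            if body.get("grant_type") == "authorization_code":
                # Step 1.7: the code must exist and its redirect URI must match.
                issued_for = self.codes.pop(body.get("code"), None)
                if issued_for is None or issued_for != body.get("redirect_uri"):
                    return 400, {"error": "invalid_grant"}
                return self._issue()
            if body.get("grant_type") == "refresh_token":
                if not self.refresh.pop(body.get("refresh_token"), False):
                    return 400, {"error": "invalid_grant"}   # consent withdrawn
                return self._issue()
        if (method, path) == ("POST", "/funds-confirmation"):
            if not self.tokens.get(token, False):
                return 401, {"error": "invalid_token"}       # expired or unknown
            return 200, {"fundsAvailable": body["instructedAmount"] <= self.balance}
        return 404, {}

    def user_approves(self, authorize_url):
        """Steps 1.3-1.5: user consents; bank issues a code bound to the redirect URI."""
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(authorize_url).query)
        if q.get("scope") != ["PSP_IC"] or q.get("redirect_uri") != [REGISTERED_REDIRECT]:
            raise ValueError("authorize request rejected")    # unregistered redirect URI
        code = secrets.token_hex(8)
        self.codes[code] = REGISTERED_REDIRECT
        return {"code": code, "state": q["state"][0]}


class PiispClient:
    def __init__(self, bank, redirect_uri=REGISTERED_REDIRECT):
        self.bank, self.redirect_uri = bank, redirect_uri
        self.state = self.access = self.refresh = None

    def register_consent(self):                        # steps 1.1 / 1.2
        return self.bank.call("POST", "/consents/confirmation-of-funds", {})[1]["consentId"]

    def authorize_url(self, consent_id):               # step 1.3
        self.state = secrets.token_urlsafe(16)         # ties the callback to this request
        params = {"response_type": "code", "scope": "PSP_IC", "state": self.state,
                  "redirect_uri": self.redirect_uri, "consentId": consent_id}
        return "https://bank.example/oauth2/authorize?" + urllib.parse.urlencode(params)

    def handle_callback(self, query):                  # steps 1.5 - 1.7
        if not secrets.compare_digest(query.get("state", ""), self.state or ""):
            raise ValueError("state mismatch: callback is not a reply to our request")
        status, body = self.bank.call("POST", "/oauth2/token", {
            "grant_type": "authorization_code", "code": query["code"],
            "redirect_uri": self.redirect_uri})
        if status != 200:
            raise ValueError(body["error"])
        self.access, self.refresh = body["access_token"], body["refresh_token"]

    def _refresh(self):                                # section 3
        status, body = self.bank.call("POST", "/oauth2/token", {
            "grant_type": "refresh_token", "refresh_token": self.refresh})
        if status != 200:
            raise ConsentRequired("refresh rejected; restart from step 1")
        self.access, self.refresh = body["access_token"], body["refresh_token"]

    def confirm_funds(self, amount):                   # steps 2.1 / 2.2
        req = ("POST", "/funds-confirmation", {"instructedAmount": amount})
        status, body = self.bank.call(*req, token=self.access)
        if status == 401:                              # expired: refresh once, retry once
            self._refresh()
            status, body = self.bank.call(*req, token=self.access)
        if status != 200:
            raise ValueError(body["error"])
        return body["fundsAvailable"]


def run_flow(balance, amount, revoke_consent=False):
    """Whole flow, then expire the access token and call again; returns the outcomes."""
    bank = FakeBank(balance)
    client = PiispClient(bank)
    client.handle_callback(bank.user_approves(client.authorize_url(client.register_consent())))
    first = client.confirm_funds(amount)
    bank.tokens[client.access] = False                 # simulate access-token expiry
    if revoke_consent:
        bank.refresh.clear()                           # user withdrew consent at the bank
    try:
        return {"first": first, "second": client.confirm_funds(amount), "restart": False}
    except ConsentRequired:
        return {"first": first, "second": None, "restart": True}
```

Two details carry the security weight of the flow: the client generates a fresh state value per authorize request and rejects any callback whose state does not match, and the bank refuses to issue a code for a redirect URI other than the registered one and refuses to exchange a code presented with a different redirect URI (the check described in step 1.7). On a 401 the client refreshes exactly once and retries once; a rejected refresh surfaces as ConsentRequired so the caller knows to restart from step 1 rather than loop.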