Summary
The NextGenPSD2 Framework Version 1.3 offers a modern, open, harmonised and interoperable set of Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely. The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards in Europe and, aligned with the goals of the Euro Retail Payments Board, enables European banking customers to benefit from innovative products and services ('Banking as a Service') by granting TPPs safe and secure (authenticated and authorised) access to their bank accounts and financial data.
The possible Approaches are:
- Redirect SCA Approach
- OAuth SCA Approach
- Decoupled SCA Approach
- Embedded SCA Approach without SCA method
- Embedded SCA Approach with only one SCA method available
- Embedded SCA Approach with Selection of a SCA method
Not every message defined in this API definition is necessary for all approaches. Furthermore this API definition does not differ between methods which are mandatory, conditional, or optional Therefore for a particular implementation of a Berlin Group PSD2 compliant API it is only necessary to support a certain subset of the methods defined in this API definition.
Please have a look at the implementation guidelines if you are not sure which message has to be used for the approach you are going to use.
Some General Remarks Related to this version of the OpenAPI Specification:
- This API definition is based on the Implementation Guidelines of the Berlin Group PSD2 API. It is not an replacement in any sense. The main specification is (at the moment) always the Implementation Guidelines of the Berlin Group PSD2 API.
- This API definition contains the REST-API for requests from the PISP to the ASPSP.
- This API definition contains the messages for all different approaches defined in the Implementation Guidelines.
According to the OpenAPI-Specification [https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.1.md]
"If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored."
The element "Accept" will not be defined in this file at any place.
The elements "Content-Type" and "Authorization" are implicitly defined by the OpenApi tags "content" and "security".
There are several predefined types which might occur in payment initiation messages, but are not used in the standard JSON messages in the Implementation Guidelines. Therefore they are not used in the corresponding messages in this file either. We added them for the convenience of the user. If there is a payment product, which need these field, one can easily use the predefined types. But the ASPSP need not to accept them in general.
We omit the definition of all standard HTTP header elements (mandatory/optional/conditional) except they are mention in the Implementation Guidelines. Therefore the implementer might add the in his own realisation of a PSD2 comlient API in addition to the elements define in this file.
General Remarks on Data Types
The Berlin Group definition of UTF-8 strings in context of the PSD2 API have to support at least the following characters
a b c d e f g h i j k l m n o p q r s t u v w x y z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9
/ - ? : ( ) . , ' +
Space
Paths
/v1/accounts
getAccountList
Read the identifiers of the available payment account together with booking balance information, depending on the consent granted.
It is assumed that a consent of the PSU to this access is already given and stored on the ASPSP system. The addressed list of accounts depends then on the PSU ID and the stored consent addressed by consentId, respectively the OAuth2 access token.
Returns all identifiers of the accounts, to which an account access has been granted to through the /consents endpoint by the PSU. In addition, relevant information about the accounts and hyperlinks to corresponding account information resources are provided if a related consent has been already granted.
Remark: Note that the /consents endpoint optionally offers to grant an access on all available payment accounts of a PSU. In this case, this endpoint will deliver the information about all available payment accounts of the PSU at this ASPSP.
ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
If contained, this function reads the list of accessible payment accounts including the booking balance, if granted by the PSU in the related consent and available by the ASPSP. This parameter might be ignored by the ASPSP.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}OK
Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/v1/accounts/{account-id}
readAccountDetails
Reads details about an account, with balances where required. It is assumed that a consent of the PSU to this access is already given and stored on the ASPSP system. The addressed details of this account depends then on the stored consent addressed by consentId, respectively the OAuth2 access token.
NOTE: The account-id can represent a multicurrency account. In this case the currency code is set to "XXX".
Give detailed information about the addressed account.
Give detailed information about the addressed account together with balance information
This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call. The account-id is the "id" attribute of the account structure. Its value is constant at least throughout the lifecycle of a given consent.
ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
If contained, this function reads the list of accessible payment accounts including the booking balance, if granted by the PSU in the related consent and available by the ASPSP. This parameter might be ignored by the ASPSP.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/v1/accounts/{account-id}/balances
getBalances
Reads account data from a given account addressed by "account-id".
Remark: This account-id can be a tokenised identification due to data protection reason since the path information might be logged on intermediary servers within the ASPSP sphere. This account-id then can be retrieved by the "GET Account List" call.
The account-id is constant at least throughout the lifecycle of a given consent.
This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call. The account-id is the "id" attribute of the account structure. Its value is constant at least throughout the lifecycle of a given consent.
ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/v1/accounts/{account-id}/transactions/{resourceId}
getTransactionDetails
Reads transaction details from a given transaction addressed by "resourceId" on a given account addressed by "account-id". This call is only available on transactions as reported in a JSON format.
Remark: Please note that the PATH might be already given in detail by the corresponding entry of the response of the "Read Transaction List" call within the _links subfield.
This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call. The account-id is the "id" attribute of the account structure. Its value is constant at least throughout the lifecycle of a given consent.
This identification is given by the attribute resourceId of the corresponding entry of a transaction list.
ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/card-accounts
getCardAccount
Reads a list of card accounts with additional information, e.g. balance information. It is assumed that a consent of the PSU to this access is already given and stored on the ASPSP system. The addressed list of card accounts depends then on the PSU ID and the stored consent addressed by consentId, respectively the OAuth2 access token.
ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/card-accounts/{account-id}
ReadCardAccount
Reads details about a card account. It is assumed that a consent of the PSU to this access is already given and stored on the ASPSP system. The addressed details of this account depends then on the stored consent addressed by consentId, respectively the OAuth2 access token.
This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call. The account-id is the "id" attribute of the account structure. Its value is constant at least throughout the lifecycle of a given consent.
ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/card-accounts/{account-id}/balances
getCardAccountBalances
Reads balance data from a given card account addressed by "account-id".
Remark: This account-id can be a tokenised identification due to data protection reason since the path information might be logged on intermediary servers within the ASPSP sphere. This account-id then can be retrieved by the "GET Card Account List" call
This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call. The account-id is the "id" attribute of the account structure. Its value is constant at least throughout the lifecycle of a given consent.
ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error
/card-accounts/{account-id}/transactions
getCardAccountTransactionList
Reads account data from a given card account addressed by "account-id".
This identification is denoting the addressed account. The account-id is retrieved by using a "Read Account List" call. The account-id is the "id" attribute of the account structure. Its value is constant at least throughout the lifecycle of a given consent.
Permitted codes are
- "booked",
- "pending" and
- "both" "booked" shall be supported by the ASPSP. To support the "pending" and "both" feature is optional for the ASPSP, Error code if not supported in the online banking frontend
{
"enum": [
"booked",
"pending",
"both"
]
}ID of the request, unique to the call, as determined by the initiating party.
This then contains the consentId of the related AIS consent, which was performed prior to this payment initiation.
Conditional: Starting date (inclusive the date dateFrom) of the transaction list, mandated if no delta access is required.
For booked transactions, the relevant date is the booking date.
For pending transactions, the relevant date is the entry date, which may not be transparent neither in this API nor other channels of the ASPSP.
End date (inclusive the data dateTo) of the transaction list, default is "now" if not given.
Might be ignored if a delta function is used.
For booked transactions, the relevant date is the booking date.
For pending transactions, the relevant date is the entry date, which may not be transparent neither in this API nor other channels of the ASPSP.
This data attribute is indicating that the AISP is in favour to get all transactions after the transaction with identification entryReferenceFrom alternatively to the above defined period. This is a implementation of a delta access. If this data element is contained, the entries "dateFrom" and "dateTo" might be ignored by the ASPSP if a delta report is supported.
Optional if supported by API provider.
This data attribute is indicating that the AISP is in favour to get all transactions after the last report access for this PSU on the addressed account. This is another implementation of a delta access-report. This delta indicator might be rejected by the ASPSP if this function is not supported. Optional if supported by API provider
If contained, this function reads the list of accessible payment accounts including the booking balance, if granted by the PSU in the related consent and available by the ASPSP. This parameter might be ignored by the ASPSP.
Is contained if and only if the "Signature" element is contained in the header of the request.
A signature of the request by the TPP on application level. This might be mandated by ASPSP.
The certificate used for signing the request, in base64 encoding. Must be contained if a signature is contained.
The forwarded IP Address header field consists of the corresponding HTTP request IP Address field between PSU and TPP. It shall be contained if and only if this request was actively initiated by the PSU.
The forwarded IP Port header field consists of the corresponding HTTP request IP Port field between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded IP Accept header fields consist of the corresponding HTTP request Accept header fields between PSU and TPP, if available.
The forwarded Agent header field of the HTTP request between PSU and TPP, if available.
HTTP method used at the PSU ? TPP interface, if available. Valid values are:
- GET
- POST
- PUT
- PATCH
- DELETE
{
"enum": [
"GET",
"POST",
"PUT",
"PATCH",
"DELETE"
]
}UUID (Universally Unique Identifier) for a device, which is used by the PSU, if available. UUID identifies either a device or a device dependant application installation. In case of an installation identification this ID need to be unaltered until removal from device.
The forwarded Geo Location of the corresponding http request between PSU and TPP if available.
{
"pattern": "(GEO:)[0-9]{1,3}\\.[-][0-9]{6}\\,[-][0-9]{1,3}\\.[0-9]{6}"
}Bad Request
Unauthorized
Forbidden
Not found
Method Not Allowed
Not Acceptable
Request Timeout
Unsupported Media Type
Too Many Requests
Service Unavailable
Internal Server Error