Flow

Authentication:

TPP Authentication

Authentication is performed with a QWAC (eIDAS Qualified Website Authentication Certificate) presented by the TPP as the TLS client certificate.

With every TPP request to the API the certificate is validated: it must be valid (trusted issuer, not expired or revoked) and it must authorise the TPP to access the specific information being requested.

PSU Authentication with OAuth2

Payment Service User (PSU) authentication is implemented via the OAuth2 authorization code flow.

Diagram


Authentication URLs for OAuth2 initiation can be obtained from the Authentication API.

Scope – the area of resources to which the PSU grants the TPP access.

Possible values:

  • accounts – access to AIS resources (/v1/open-banking/accounts)

  • payments – access to PIS resources (/v1/open-banking/payments)

  • accounts:list – access to list of accounts resource (/v1/open-banking/accounts-list)

  • funds:confirmations – access to confirmation of funds resources (/v1/open-banking/funds-confirmations)

The TPP should provide the following URL parameters:

param         required  description
client_id     true      Public identifier of the TPP
scope         true      Requested scopes, space-separated
redirect_uri  true      URL on the TPP side to which the PSU is redirected after successful authentication
state         false     Opaque value chosen by the TPP and returned unchanged together with the code; used to protect against XSRF (CSRF). Generate a fresh, unguessable value per request and reject the redirect if it does not match one you issued.

Example (the spaces separating scopes must be percent-encoded in the query string): https://api.open-banking.bigwallet.com/v1/open-banking/authentication-url?client_id=tpp&scope=accounts:list%20accounts%20payments%20consents%20funds:confirmation&redirect_uri=https://tpp.com/authredirect&state=1234

The PSU is redirected to the BigWallet Authentication page.

There the PSU authenticates using SCA (Strong Customer Authentication) and grants the requested permissions.

After the permissions are granted, BigWallet redirects the PSU back to the TPP's redirect_uri with an authorization code (and the state value, if one was sent).

With this code the TPP requests an access token, providing the following parameters:

param          required  description
client_id      true      Public identifier of the TPP
client_secret  true      Client secret; it must stay on the TPP server and never reach the PSU's browser
code           true      Authorization code received in the redirect; single use and short-lived
grant_type     true      authorization_code
redirect_uri   true      The same redirect_uri that was sent in the authentication-url request

Example:

POST https://api.open-banking.bigwallet.com/v1/open-banking/token

{
    "client_id": "tpp",
    "client_secret": "secret",
    "code": "qwerty",
    "grant_type": "authorization_code",
    "redirect_uri": "https://tpp.com/authredirect"
}

After a successful OAuth2 authorization flow the token endpoint returns two tokens:

param          description
access_token   Short-lived token, sent as a Bearer token with API requests
refresh_token  Long-lived token used to obtain a new access_token
expires_in     Access token lifetime in seconds
token_type     Bearer

If the access_token has expired and you still hold a valid refresh_token, you can obtain a new access_token from https://api.open-banking.bigwallet.com/v1/open-banking/token without sending the PSU through SCA again.

Example:

POST https://api.open-banking.bigwallet.com/v1/open-banking/token

{
    "client_id": "tpp",
    "client_secret": "secret",
    "refresh_token": "very_very_long_token",
    "grant_type": "refresh_token"
}
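The whole TPP side of the flow above (building the authentication-url request with a fresh state, validating the redirect back, exchanging the code, and refreshing when expires_in has run out) as an added example in Python. This is not BigWallet's code or SDK: the endpoint paths, parameter names and sample values are the ones on this page, while the class and function names, the injectable transport, the `cert` pair used to present the QWAC from the TPP Authentication section, and the offline `fake_bigwallet` stand-in are assumptions made for the example.

```python
import json, secrets, ssl, time
import urllib.parse, urllib.request

BASE = "https://api.open-banking.bigwallet.com/v1/open-banking"


def urllib_transport(method, url, body=None, cert=None):
    """Real HTTPS call; `cert` = (qwac_pem, key_pem) paths, presented as the TLS client cert."""
    ctx = ssl.create_default_context()
    if cert:
        ctx.load_cert_chain(*cert)  # the QWAC from the TPP Authentication section
    req = urllib.request.Request(url, method=method, headers={"Content-Type": "application/json"},
                                 data=None if body is None else json.dumps(body).encode())
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


class TppOAuthClient:
    CLOCK_SKEW = 30  # refresh this many seconds before expires_in runs out

    def __init__(self, client_id, client_secret, redirect_uri,
                 transport=urllib_transport, cert=None, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.transport = redirect_uri, transport
        self.cert, self.clock = cert, clock
        self._pending_states = set()  # states we minted and have not yet consumed
        self.tokens, self._expires_at = None, 0.0

    def authentication_url_request(self, scopes):
        """GET URL for the Authentication API; `state` is unguessable and remembered."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        query = urllib.parse.urlencode({"client_id": self.client_id,
                                        "scope": " ".join(scopes),  # escaped by urlencode
                                        "redirect_uri": self.redirect_uri, "state": state})
        return f"{BASE}/authentication-url?{query}", state

    def handle_redirect(self, redirect_url):
        """Validate the PSU's return to redirect_uri and extract the authorization code."""
        got, want = urllib.parse.urlsplit(redirect_url), urllib.parse.urlsplit(self.redirect_uri)
        if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
            raise ValueError("redirect arrived at an unexpected URL")
        params = dict(urllib.parse.parse_qsl(got.query))
        if params.get("state") not in self._pending_states:
            raise ValueError("unknown or reused state: possible XSRF")
        self._pending_states.discard(params["state"])  # single use
        if not params.get("code"):
            raise ValueError("redirect carried no authorization code")
        return params["code"]

    def _token_request(self, grant):
        body = {"client_id": self.client_id, "client_secret": self.client_secret, **grant}
        tokens = self.transport("POST", f"{BASE}/token", body, self.cert)
        if tokens.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type")
        if "refresh_token" not in tokens and self.tokens:  # server kept the old one
            tokens["refresh_token"] = self.tokens["refresh_token"]
        self.tokens = tokens
        self._expires_at = self.clock() + float(tokens["expires_in"])  # seconds
        return tokens

    def exchange_code(self, code):
        return self._token_request({"code": code, "grant_type": "authorization_code",
                                    "redirect_uri": self.redirect_uri})

    def access_token(self):
        """A usable bearer token; runs the refresh_token grant first if (nearly) expired."""
        if self.clock() >= self._expires_at - self.CLOCK_SKEW:
            self._token_request({"refresh_token": self.tokens["refresh_token"],
                                 "grant_type": "refresh_token"})
        return self.tokens["access_token"]


def fake_bigwallet(method, url, body=None, cert=None):
    """Constructed offline stand-in for the token endpoint, echoing the page's sample values."""
    if url != f"{BASE}/token" or body.get("client_secret") != "secret":
        raise RuntimeError("invalid_client")
    if body["grant_type"] == "authorization_code" and body["code"] == "qwerty":
        return {"access_token": "at-1", "refresh_token": "very_very_long_token",
                "expires_in": 300, "token_type": "Bearer"}
    if body["grant_type"] == "refresh_token" and body["refresh_token"] == "very_very_long_token":
        return {"access_token": "at-2", "expires_in": 300, "token_type": "Bearer"}
    raise RuntimeError("invalid_grant")


def demo():
    """Whole flow against the fake; the clock is advanced past expires_in to force a refresh."""
    now = [1_000_000.0]
    client = TppOAuthClient("tpp", "secret", "https://tpp.com/authredirect",
                            transport=fake_bigwallet, clock=lambda: now[0])
    _url, state = client.authentication_url_request(["accounts:list", "accounts", "payments"])
    code = client.handle_redirect(f"https://tpp.com/authredirect?code=qwerty&state={state}")
    first = client.exchange_code(code)["access_token"]
    now[0] += 600  # lifetime was 300 s, so the next access_token() must refresh
    return first, client.access_token(), client.tokens["refresh_token"]
```

Against the live API you would construct the client with the default transport and cert=("qwac.pem", "qwac-key.pem") so every call carries the QWAC; the client_secret never leaves the server, each state is accepted exactly once, and a refresh reply that omits refresh_token keeps the previous one rather than silently dropping it.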

Payments (PIS) flow

The Payments API is available to PISPs to initiate the following payment types:

  • Internal BigWallet transfers
  • SEPA transfers
  • SWIFT transfers

Diagram:


Payment authorization - SCA

Every created payment must be authorized by the PSU with SCA (Strong Customer Authentication). Authorization is performed using the redirect method: the PSU is redirected to the BigWallet authorization page and back to the TPP once the payment is confirmed.

Managing payments state

All transactions (i.e. confirmed payments) can be obtained through the accounts transaction consent. Using that list, the PISP can track a payment's completion and match it against the payment it initiated.

Payment statuses

status     description
created    The PISP created the payment, but the PSU has not yet confirmed it (SCA pending)
confirmed  The PSU confirmed the payment

Accounts (AIS) flow

The Account Information Service (AIS) offers:

  • A list of available accounts
  • List of all accessible accounts relative to a granted consent
  • Account details of a given account or of the
  • Balances of a given account
  • Transaction reports for a given account including balances if applicable

Diagram


Funds confirmation (PIIS) flow

The Payment Instrument Issuing Service (PIIS) offers:

  • Confirmation of whether an account holds sufficient funds to cover a given amount

Diagram
