Flow
Authentication:
TPP Authentication
Authentication is performed with QWAC client certificate.
With every TPP request to API certificate is validated, ensuring it is valid and allows to access specific information.
PSU Authentication with oAuth2
Payment Service User (PSU) authentication is implemented via OAuth2 flow.
Diagram
Authentication URLs for OAuth2 initiation can be obtained from Authentication API.
Scope – area of resources, to which PSU grants the TPP access;
Possible values:
-
accounts – access to AIS resources (/v1/open-banking/accounts)
-
payments – access to PIS resources (/v1/open-banking/payments)
-
accounts:list – access to list of accounts resource (/v1/open-banking/accounts-list)
-
funds:confirmations – access to confirmation of funds resources (/v1/open-banking/funds-confirmations)
Following URL parameters should be provided by TPP:
| param | required | description |
|---|---|---|
| client_id | true | Public identifier |
| scope | true | Requested scopes |
| redirect_uri | true | URL address on TPP side, where PSU will be redirected after successful authentication |
| state | false | Used to protect against XSRF |
Example: https://api.open-banking.bigwallet.com/v1/open-banking/authentication-url?client_id=tpp&scope=accounts:list accounts payments consents funds:confirmation&redirect_uri=https://tpp.com/authredirect&state=1234
PSU should be redirected to BigWallet Authentication page.
User authenticates using SCA (Strong Customer Authentication) and is being redirected to TPP.
After permissions granted, PSU is redirected to TPP page with code
With this code you can request access token, following URL parameters should be provided by TPP:
| param | required | description |
|---|---|---|
| client_id | true | Public identifier |
| client_secret | true | Secret |
| code | true | Public identifier |
| grant_type | true | authorization_code |
| redirect_uri | true | URL address on TPP side, where PSU will be redirected after successful authentication |
Example:
POST https://api.open-banking.bigwallet.com/v1/open-banking/token
{
"client_id": "tpp",
"client_secret": "secret",
"code": "qwerty",
"grant_type": "authorization_code",
"redirect_uri": "https://tpp.com/authredirect"
}
After successful OAuth2 authorization flow 2 Tokens are issued:
| param | description |
|---|---|
| access_token | Short term token |
| refresh_token | Long term token to retrieve new access token |
| expires_in | Access token lifetime |
| token_type | Bearer |
If access_token has expired, and you have valid refresh_token, you can retrieve new access_token using https://api.open-banking.bigwallet.com/v1/open-banking/token
Example:
POST https://api.open-banking.bigwallet.com/v1/open-banking/token
{
"client_id": "tpp",
"client_secret": "secret",
"refresh_token": "very_very_long_token",
"grant_type": "refresh_token"
}
Payments (PIS) flow
Payments API is available for PISPs to initiate such types of payments:
- Internal BigWallet transfers
- Sepa transfers
- Swift transfers
Diagram:
Payment authorization - SCA
Every created payment should be authorized (SCA - Secure Customer Authentication) by PSU. Authorization could be executed using redirect method (PSU should be redirected to BigWallet authorization page)
Managing payments state
Payment has two status fields which can be used for managing state:
- status: the one about payment initiation itself which shows either payment initiation confirmed or not.
- transaction_status: the one which shows state of a related to the payment transaction.
Statuses and descriptions provided below
Payment statuses
| status | description |
|---|---|
| created | PISP created payment, but user not confirmed it |
| confirmed | User confirmed payment |
Payment transaction statuses
| status | description |
|---|---|
| null | Payment not confirmed |
| created | Payment transaction created |
| processing | Payment transaction is being processed |
| completed | Payment transaction completed |
| declined | Payment transaction failed |
Accounts (AIS) flow
The Account Information Service (AIS) offers:
- A list of available accounts
- List of all accessible accounts relative to a granted consent
- Account details of a given account or of the
- Balances of a given account
- Transaction reports for a given account including balances if applicable
Diagram
Funds confirmation (PIIS) flow
The Payment Instrument Issuing Service (PIIS) offers:
- Has account enough balance
Diagram
