Customer authentication is a crucial part of the consent journey, this is where an API Provider validates that a customer has authorised a Third Party’s consent request, before providing access to a protected resource.

This can be carried out using one of two flows defined in the specification. Using the redirect flow, a Customer authorises a consent in the same end to end flow in the same instance as it was submitted. The decoupled flow allows a Customer to authorise a consent at a later date or time and/or using a different device.

More information about decoupled flow and redirect flow can be seen here.