This page outlines requirements for API Provider Developer Portals.
These requirements serve as a guideline on what information and functionality should be available for Third Parties.
Requirements that are mandated in the API standard are flagged in the Notes sections.
Requirements
These are the high level requirements identified by the API Centre Technical Working Group.
# | Data | Summary |
|---|---|---|
01 | Authentication flows | What authentication flows are enabled, what steps for registering a client, what data is required for registering a client, format of data required. |
02 | Available API functionality | What endpoints, optional fields etc that an API Provider has implemented. |
03 | Restrictions on payment functions | Specifically relating to creating a domestic-payment or creating an enduring-payment-consent. |
04 | Fair usage | The API Providers fair usage policy for APIs. |
05 | Release management | Any default release management behaviour that is outside of the API framework. |
06 | Archiving | Any archiving behaviours that are outside of the API framework. |
API URI structure
Metadata | Mandatory? | Implemented? | Notes |
|---|---|---|---|
Base API URI | Mandatory | ||
Discovery or .well-known endpoint URI | Mandatory |
Authentication Flows
Supported Authentication Flows
Method | Mandatory? | Implemented? | Notes |
|---|---|---|---|
Hybrid | Mandatory | ||
Decoupled | Optional |
Authenticating Confidential Client
Which of the following methods of authenticating a confidential client at the token endpoint have been implemented:
Method | Mandatory? | Implemented? | Notes |
|---|---|---|---|
Mutual TLS for OAuth Client Authentication as specified in section 2 of [MTLS] | Mandatory - OneOf | ||
| Mandatory - OneOf |
Holder of Key Mechanism
Method | Mandatory? | Implemented? | Notes |
|---|---|---|---|
OAUTB | Mandatory - OneOf | ||
MTLS | Mandatory - OneOf |
Hybrid Flow
Authorization Request Parameters
Parameter | Mandatory? | Implemented? | Notes |
|---|---|---|---|
scope | Mandatory | ||
response_type | Mandatory | ||
client_id | Mandatory | ||
redirect_uri | Mandatory | ||
state | Mandatory | ||
nonce | Mandatory | ||
request | Mandatory | ||
Out of specification..? |
Authorization Request Object
Field | Mandatory? | Implemented? | Notes |
|---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
scope | Mandatory | ||
response_type | Mandatory | ||
client_id | Mandatory | ||
redirect_uri | Mandatory | ||
state | Mandatory | ||
nonce | Mandatory | ||
max_age | Optional | ||
claims.id_token.ConsentId | Mandatory | ||
Out of specification..? |
ID Token Response
Field | Mandatory? | Implemented? | Notes |
|---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
sub | Mandatory | ||
ConsentId | Mandatory | ||
exp | Mandatory | ||
iat | Mandatory | ||
auth_time | Optional | ||
nonce | Mandatory | ||
c_hash | Mandatory | ||
s_hash | Mandatory | ||
Out of specification..? |
Timeouts
Action | Timeout | Implemented? | Notes |
|---|---|---|---|
Authorization request flow timeout | |||
Authorization code timeout | |||
Other…? |
Decoupled Flow
Notification Options
Mode | Mandatory? | Implemented? | Notes |
|---|---|---|---|
Poll | Optional | ||
Ping | Optional |
Authorization Request Object
Field | Mandatory? | Implemented? | Notes |
|---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
nbf | Mandatory | ||
exp | Mandatory | ||
iat | Mandatory | ||
jti | Mandatory | ||
scope | Mandatory | ||
ConsentId | Mandatory | ||
client_notification_token | Optional | ||
login_hint_token | Mandatory - OneOf | ||
id_token_hint | Mandatory - OneOf | ||
requested_expiry | Optional | ||
Out of specification..? |
login_hint_token
Field | Mandatory? | Implemented? | Notes |
|---|---|---|---|
subject_type | Mandatory | ||
username | Optional | ||
phone | Optional | ||
Optional | |||
api_provider_token | Optional | ||
third_party_token | Optional | ||
Out of specification..? |
ID Token Response
Field | Mandatory? | Implemented? | Notes |
|---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
sub | Mandatory | ||
ConsentId | Mandatory | ||
exp | Mandatory | ||
iat | Mandatory | ||
Out of specification..? |
Timeouts
Action | Timeout | Implemented? | Notes |
|---|---|---|---|
Authorization request flow timeout | |||
Token request timeout | |||
Other…? |
JWS Algorithms
Which JWS algorithms are used for signing?
Algorithm | Mandatory? | Implemented? | Notes |
|---|---|---|---|
PS256 | Mandatory - OneOf | ||
PS384 | Mandatory - OneOf | ||
PS512 | Mandatory - OneOf | ||
ES256 | Mandatory - OneOf | ||
ES384 | Mandatory - OneOf | ||
ES512 | Mandatory - OneOf |
Endpoints Implemented
Endpoint | Mandatory? | Implemented? | Notes |
|---|---|---|---|
POST /account-access-consents | Mandatory | API Provider must specify implementation of endpoint. | |
GET /account-access-consents/{ConsentId} | Mandatory | API Provider must specify implementation of endpoint. | |
DELETE /account-access-consents/{ConsentId} | Mandatory | API Provider must specify implementation of endpoint. | |
GET /accounts | Mandatory | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId} | Mandatory | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/balances | Mandatory | API Provider must specify implementation of endpoint. | |
GET /balances | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/transactions | Mandatory | API Provider must specify implementation of endpoint. | |
GET /transactions | Optional | API Provider must specify implementation of endpoint. | |
GET/accounts/{AccountId}/beneficiaries | Optional | API Provider must specify implementation of endpoint. | |
GET /beneficiaries | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/direct-debits | Optional | API Provider must specify implementation of endpoint. | |
GET /direct-debits | Optional | API Provider must specify implementation of endpoint. | |
GET/accounts/{AccountId}/standing-orders | Optional | API Provider must specify implementation of endpoint. | |
GET/standing-orders | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/offers | Optional | API Provider must specify implementation of endpoint. | |
GET /offers | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/party | Optional | API Provider must specify implementation of endpoint. | |
GET /party | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/scheduled-payments | Optional | API Provider must specify implementation of endpoint. | |
GET /scheduled-payments | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/statements | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/statements/{StatementId} | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/statements/{StatementId}/file | Optional | API Provider must specify implementation of endpoint. | |
GET /accounts/{AccountId}/statements/{StatementId}/transactions | Optional | API Provider must specify implementation of endpoint. | |
GET /statements | Optional | API Provider must specify implementation of endpoint. |
Restrictions
Any global restrictions on using API endpoints.
Notes:
An API Provider must determine appropriate restrictions that they support based on their individual practices, standards and limitations. These restrictions must be documented on API Provider developer portals.
Fair Usage
Any global fair usage restrictions.
Notes:
API Providers must document their fair usage policies in their developer portals.
Release Management
Any API Provider specific release management guidance.
Archiving
Any archiving rules on resources.
Notes:
An API Provider must allow a domestic-payment created on a lower version, to be accessed via a higher version. Retention will depend on an API Provider's legal requirement for data retention. In the case where a payment-order type is the same, but the structure has changed in a higher version, sensible defaults must be used, with the API Provider's developer portal clearly specifying the behaviour.
An API Provider must document the behaviour on the accessibility of a payment-order in a higher version on the API Provider's developer portal.
An API Provider must allow an account-access-consent created on a lower version, to be accessed via a higher version. In the case where the account-access-consent is the same, but the structure has changed in a higher version, sensible defaults must be used, with the API Provider's developer portal clearly specifying the behaviour.
Testing
Any API Provider guidance, contacts or information on testing (environments, credentials etc).
Credential Management
Functionality for the management of credentials and onboarding clients. Includes any information and processes.