This page outlines requirements for API Provider Developer Portals.
These requirements serve as a guideline on what information and functionality should be available for Third Parties.
Requirements that are mandated in the API standard are flagged in the Notes sections.
These are the high level requirements identified by the API Centre Technical Working Group.
# | Data | Summary |
---|---|---|
01 | Authentication flows | Which authentication flows are enabled, the steps for registering a client, the data required to register a client, and the format of that data. |
02 | Available API functionality | What endpoints, optional fields etc that an API Provider has implemented. |
03 | Restrictions on payment functions | Specifically relating to creating a domestic-payment or creating an enduring-payment-consent. |
04 | Fair usage | The API Provider's fair usage policy for its APIs. |
05 | Release management | Any default release management behaviour that is outside of the API framework. |
06 | Archiving | Any archiving behaviours that are outside of the API framework. |
Metadata | Mandatory? | Implemented? | Notes |
---|---|---|---|
Base API URI | Mandatory | ||
Discovery or .well-known endpoint URI | Mandatory |
Method | Mandatory? | Implemented? | Notes |
---|---|---|---|
Hybrid | Mandatory | ||
Decoupled | Optional |
Which of the following methods of authenticating a confidential client at the token endpoint have been implemented:
Method | Mandatory? | Implemented? | Notes |
---|---|---|---|
Mutual TLS for OAuth Client Authentication as specified in section 2 of [MTLS] | Mandatory - OneOf | ||
| Mandatory - OneOf |
Method | Mandatory? | Implemented? | Notes |
---|---|---|---|
OAUTB | Mandatory - OneOf | ||
MTLS | Mandatory - OneOf |
Parameter | Mandatory? | Implemented? | Notes |
---|---|---|---|
scope | Mandatory | ||
response_type | Mandatory | ||
client_id | Mandatory | ||
redirect_uri | Mandatory | ||
state | Mandatory | ||
nonce | Mandatory | ||
request | Mandatory | ||
Out of specification..? |
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
scope | Mandatory | ||
response_type | Mandatory | ||
client_id | Mandatory | ||
redirect_uri | Mandatory | ||
state | Mandatory | ||
nonce | Mandatory | ||
max_age | Optional | ||
claims.id_token.ConsentId | Mandatory | ||
Out of specification..? |
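The two tables above list the query parameters and the request object fields separately, but on the provider side they must also be checked against each other. The following is an added example, written for this page and not part of the API Centre standard or any API Provider's code, of those provider-side checks using only the Python standard library. The issuer URL, client_id, registered redirect URI, the `code id_token` response_type and the request contents are constructed for the example; it assumes the JWS signature on the request object has already been verified against the client's registered keys, which is not shown.

```python
"""Provider-side checks on a hybrid-flow authorization request carrying a signed
request object.  Stdlib only; the JWS signature check is assumed done (see comment)."""
import base64
import json
from urllib.parse import parse_qs, urlencode

PROVIDER_ISSUER = "https://api.example.bank"     # assumed: the provider's discovery "issuer"
HYBRID_RESPONSE_TYPE = "code id_token"            # assumed: response_type for the hybrid flow
# Constructed registry: client_id -> redirect URIs registered when the client was onboarded.
REGISTERED_REDIRECTS = {"tpp-client-1": {"https://tpp.example/cb"}}
QUERY_MANDATORY = ("scope", "response_type", "client_id", "redirect_uri", "state", "nonce", "request")
OBJECT_MANDATORY = ("aud", "iss", "scope", "response_type", "client_id", "redirect_uri", "state", "nonce")
DUPLICATED = ("scope", "response_type", "client_id", "redirect_uri", "state", "nonce")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_request_object(claims: dict) -> str:
    """Constructed, UNSIGNED request object: header.payload.<placeholder>.
    A real one is a JWS signed with one of the client's registered keys."""
    header = {"alg": "PS256", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    return ".".join(segs + ["placeholder-signature"])


def check_authorization_request(query: str) -> dict:
    """Return the effective request parameters, or raise ValueError naming the first failing check."""
    raw = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    repeated = [k for k, v in raw.items() if len(v) != 1]
    if repeated:                    # parameter pollution: never silently pick one of them
        raise ValueError(f"repeated parameter(s): {repeated}")
    params = {k: v[0] for k, v in raw.items()}
    missing = [p for p in QUERY_MANDATORY if not params.get(p)]
    if missing:
        raise ValueError(f"missing query parameter(s): {missing}")
    # Assumption: the JWS signature of params["request"] was verified against the
    # client's registered JWKS before its payload is trusted here.
    _header, payload, _sig = params["request"].split(".")
    obj = json.loads(b64url_decode(payload))
    missing = [c for c in OBJECT_MANDATORY if not obj.get(c)]
    if missing:
        raise ValueError(f"request object missing claim(s): {missing}")
    if obj["aud"] != PROVIDER_ISSUER:
        raise ValueError("request object aud is not this provider")
    if obj["iss"] != obj["client_id"]:
        raise ValueError("request object iss must equal client_id")
    # OIDC Core 6.1 requires response_type and client_id in the query to match the request
    # object; this example applies that rule to every duplicated parameter rather than
    # silently preferring the request object's value.
    disagree = [p for p in DUPLICATED if params[p] != obj[p]]
    if disagree:
        raise ValueError(f"query and request object disagree on: {disagree}")
    if obj["response_type"] != HYBRID_RESPONSE_TYPE:
        raise ValueError("only the hybrid flow is accepted")
    # Exact string match against the onboarded list: no prefix or wildcard matching.
    if obj["redirect_uri"] not in REGISTERED_REDIRECTS.get(obj["client_id"], set()):
        raise ValueError("redirect_uri not registered for client")
    # claims.id_token.ConsentId: accept the OIDC claims-request form {"value": ...} or a bare string.
    entry = obj.get("claims", {}).get("id_token", {}).get("ConsentId")
    consent_id = entry.get("value") if isinstance(entry, dict) else entry
    if not isinstance(consent_id, str) or not consent_id:
        raise ValueError("request object missing claims.id_token.ConsentId")
    if "max_age" in obj and (type(obj["max_age"]) is not int or obj["max_age"] < 0):
        raise ValueError("max_age must be a non-negative integer")
    return {"client_id": obj["client_id"], "redirect_uri": obj["redirect_uri"], "scope": obj["scope"],
            "state": obj["state"], "nonce": obj["nonce"], "consent_id": consent_id}


def request_error(query: str):
    """The ValueError message for a rejected request, or None if it passes."""
    try:
        check_authorization_request(query)
    except ValueError as exc:
        return str(exc)
    return None


def sample_query(object_overrides=None, query_overrides=None) -> str:
    """Constructed sample request, as a Third Party would send it to the authorization endpoint."""
    claims = {"aud": PROVIDER_ISSUER, "iss": "tpp-client-1", "client_id": "tpp-client-1",
              "scope": "openid payments", "response_type": HYBRID_RESPONSE_TYPE,
              "redirect_uri": "https://tpp.example/cb", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
              "max_age": 300, "claims": {"id_token": {"ConsentId": {"value": "urn:example:consent:123",
                                                                     "essential": True}}}}
    claims.update(object_overrides or {})
    params = {p: claims[p] for p in DUPLICATED}
    params.update(query_overrides or {})
    params["request"] = build_request_object(claims)
    return urlencode(params)


if __name__ == "__main__":
    print(check_authorization_request(sample_query()))
    print(request_error(sample_query(query_overrides={"state": "tampered"})))
```

Running the module prints the effective parameters for the constructed request and then the rejection for a query whose `state` no longer matches the signed request object. The checks run in the order a provider should apply them: reject repeated or missing query parameters before decoding anything, trust the request object only after its signature (assumed here) and its `aud`/`iss` are right, and only then compare the duplicated values, the registered redirect_uri and the `claims.id_token.ConsentId` entry.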
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
sub | Mandatory | ||
ConsentId | Mandatory | ||
exp | Mandatory | ||
iat | Mandatory | ||
auth_time | Optional | ||
nonce | Mandatory | ||
c_hash | Mandatory | ||
s_hash | Mandatory | ||
Out of specification..? |
Action | Timeout | Implemented? | Notes |
---|---|---|---|
Authorization request flow timeout | |||
Authorization code timeout | |||
Other…? |
Mode | Mandatory? | Implemented? | Notes |
---|---|---|---|
Poll | Optional | ||
Ping | Optional |
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
nbf | Mandatory | ||
exp | Mandatory | ||
iat | Mandatory | ||
jti | Mandatory | ||
scope | Mandatory | ||
ConsentId | Mandatory | ||
client_notification_token | Optional | ||
login_hint_token | Mandatory - OneOf | ||
id_token_hint | Mandatory - OneOf | ||
requested_expiry | Optional | ||
Out of specification..? |
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
subject_type | Mandatory | ||
username | Optional | ||
phone | Optional | ||
Optional | |||
api_provider_token | Optional | ||
third_party_token | Optional | ||
Out of specification..? |
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | ||
iss | Mandatory | ||
sub | Mandatory | ||
ConsentId | Mandatory | ||
exp | Mandatory | ||
iat | Mandatory | ||
Out of specification..? |
Action | Timeout | Implemented? | Notes |
---|---|---|---|
Authorization request flow timeout | |||
Token request timeout | |||
Other…? |
Which JWS algorithms are used for signing?
Algorithm | Mandatory? | Implemented? | Notes |
---|---|---|---|
PS256 | Mandatory - OneOf | ||
PS384 | Mandatory - OneOf | ||
PS512 | Mandatory - OneOf | ||
ES256 | Mandatory - OneOf | ||
ES384 | Mandatory - OneOf | ||
ES512 | Mandatory - OneOf |
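The ID token claims table and the signing algorithm table above define what a Third Party has to check on a hybrid-flow ID token. The following is an added example, written for this page and not taken from the API Centre standard or any provider's code, that performs those checks with the Python standard library: it enforces the PS*/ES* allow-list before reading any claim, verifies iss, aud, exp and iat, and binds the token to the original request through nonce, c_hash (the authorization code) and s_hash (the state). The issuer URL, client_id, ConsentId and every token value are constructed; signature verification against the provider's JWKS is assumed to have been done and is not shown.

```python
"""Third Party-side validation of a hybrid-flow ID token against the request it
answers.  Stdlib only; JWS signature verification is assumed done (see comment)."""
import base64
import hashlib
import hmac
import json
import time

# Permitted JWS algorithms; "none", "HS256" and "RS256" are rejected before any
# claim is read, which closes the usual alg-substitution tricks.
ALLOWED_ALGS = {"PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}
ALG_HASH = {"PS256": "sha256", "ES256": "sha256", "PS384": "sha384",
            "ES384": "sha384", "PS512": "sha512", "ES512": "sha512"}
ISSUER = "https://api.example.bank"    # assumed: provider's discovery "issuer"
CLIENT_ID = "tpp-client-1"             # assumed: the Third Party's client_id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str, alg: str) -> str:
    """c_hash / s_hash: left-most half of the alg's hash over the ASCII value,
    base64url encoded without padding (OpenID Connect Core 3.3.2.11)."""
    digest = hashlib.new(ALG_HASH[alg], value.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def build_sample_token(alg: str, claims: dict) -> str:
    """Constructed, UNSIGNED sample token: header.payload.<placeholder>."""
    header = {"alg": alg, "typ": "JWT", "kid": "sample-key"}
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    return ".".join(segs + ["placeholder-signature"])


def validate_id_token(token, *, issuer, client_id, code, state, nonce, consent_id, now=None, leeway=60):
    """Return the claims if every check passes; raise ValueError naming the first failure."""
    now = time.time() if now is None else now
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} not permitted")
    # Assumption: the signature over header.payload was verified with the
    # provider's JWKS (key chosen by "kid") before the claims are trusted.
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain client_id")
    for name in ("sub", "ConsentId", "nonce", "c_hash", "s_hash"):
        if not isinstance(claims.get(name), str) or not claims[name]:
            raise ValueError(f"{name} missing")
    if claims["ConsentId"] != consent_id:
        raise ValueError("ConsentId mismatch")
    for name in ("exp", "iat"):
        if type(claims.get(name)) not in (int, float):
            raise ValueError(f"{name} missing")
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims["iat"] > now + leeway:
        raise ValueError("iat in the future")
    # Bind the token to this request: nonce, plus the code (c_hash) and state
    # (s_hash) received alongside it, so it cannot be replayed with another code.
    def same(a: str, b: str) -> bool:
        return hmac.compare_digest(a.encode(), b.encode())
    if not same(claims["nonce"], nonce):
        raise ValueError("nonce mismatch")
    if not same(claims["c_hash"], half_hash(code, alg)):
        raise ValueError("c_hash mismatch")
    if not same(claims["s_hash"], half_hash(state, alg)):
        raise ValueError("s_hash mismatch")
    return claims


def rejection_reason(token, **kwargs):
    """The ValueError message for a rejected token, or None if it validates."""
    try:
        validate_id_token(token, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed front-channel values: what the Third Party sent and received back.
SAMPLE_REQUEST = dict(issuer=ISSUER, client_id=CLIENT_ID, code="SplxlOBeZQQYbYS6WxSbIA",
                      state="af0ifjsldkj", nonce="n-0S6_WzA2Mj", consent_id="urn:example:consent:123")
SAMPLE_NOW = 1_700_000_000


def sample_claims(alg="PS256", now=SAMPLE_NOW, **overrides) -> dict:
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "ConsentId": SAMPLE_REQUEST["consent_id"],
              "exp": now + 300, "iat": now, "auth_time": now - 5, "nonce": SAMPLE_REQUEST["nonce"],
              "c_hash": half_hash(SAMPLE_REQUEST["code"], alg), "s_hash": half_hash(SAMPLE_REQUEST["state"], alg)}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    print(validate_id_token(build_sample_token("PS256", sample_claims()), now=SAMPLE_NOW, **SAMPLE_REQUEST)["sub"])
    print(rejection_reason(build_sample_token("none", sample_claims()), now=SAMPLE_NOW, **SAMPLE_REQUEST))
```

Running the module prints the validated subject for the constructed token and then the rejection for the same claims carried under `alg: none`. The hash length for c_hash and s_hash follows the algorithm in the header (16, 24 or 32 bytes for the 256, 384 and 512 variants), which is why the alg allow-list has to be applied before either hash is recomputed, and why a provider that publishes several algorithms in this table should expect Third Parties to derive the hash size from each token rather than hard-code SHA-256.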
Account types in scope and available for Payment Initiation to be documented.
Endpoint | Mandatory? | Implemented? | Notes |
---|---|---|---|
POST /enduring-payment-consents | Optional | | API Provider must specify implementation of endpoint. |
GET /enduring-payment-consents/{ConsentId} | Optional | | API Provider must specify implementation of endpoint. |
DELETE /enduring-payment-consents/{ConsentId} | Optional | | API Provider must specify implementation of endpoint. |
POST /domestic-payment-consents | Mandatory | | API Provider must specify implementation of endpoint. |
GET /domestic-payment-consents/{ConsentId} | Mandatory | | API Provider must specify implementation of endpoint. |
POST /domestic-payments | Mandatory | | API Provider must specify implementation of endpoint. |
GET /domestic-payments/{DomesticPaymentId} | Mandatory | | API Provider must specify implementation of endpoint. |
GET /domestic-payments/{DomesticPaymentId}/debtor-account | Mandatory | | API Provider must specify implementation of endpoint. |
Account types in scope and available for Account Information to be documented.
API Providers must publish information on the format of their masked credit card number.
Endpoint | Mandatory? | Implemented? | Notes |
---|---|---|---|
POST /account-access-consents | Mandatory | | API Provider must specify implementation of endpoint. |
GET /account-access-consents/{ConsentId} | Mandatory | | API Provider must specify implementation of endpoint. |
DELETE /account-access-consents/{ConsentId} | Mandatory | | API Provider must specify implementation of endpoint. |
GET /accounts | Mandatory | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId} | Mandatory | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/balances | Mandatory | | API Provider must specify implementation of endpoint. |
GET /balances | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/transactions | Mandatory | | API Provider must specify implementation of endpoint. |
GET /transactions | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/beneficiaries | Optional | | API Provider must specify implementation of endpoint. |
GET /beneficiaries | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/direct-debits | Optional | | API Provider must specify implementation of endpoint. |
GET /direct-debits | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/standing-orders | Optional | | API Provider must specify implementation of endpoint. |
GET /standing-orders | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/offers | Optional | | API Provider must specify implementation of endpoint. |
GET /offers | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/party | Optional | | API Provider must specify implementation of endpoint. |
GET /party | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/scheduled-payments | Optional | | API Provider must specify implementation of endpoint. |
GET /scheduled-payments | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/statements | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/statements/{StatementId} | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/statements/{StatementId}/file | Optional | | API Provider must specify implementation of endpoint. |
GET /accounts/{AccountId}/statements/{StatementId}/transactions | Optional | | API Provider must specify implementation of endpoint. |
GET /statements | Optional | | API Provider must specify implementation of endpoint. |
Any global restrictions on using API endpoints.
Notes:
An API Provider must determine appropriate restrictions that they support based on their individual practices, standards and limitations. These restrictions must be documented on API Provider developer portals.
Any global fair usage restrictions.
Notes:
API Providers must document their fair usage policies in their developer portals.
Any API Provider specific release management guidance.
Any archiving rules on resources.
Notes:
An API Provider must allow a domestic-payment created on a lower version to be accessed via a higher version. Retention will depend on the API Provider's legal requirements for data retention. Where the payment-order type is the same but its structure has changed in the higher version, sensible defaults must be used, and the API Provider's developer portal must clearly specify the behaviour.
An API Provider must document the behaviour on the accessibility of a payment-order in a higher version on the API Provider's developer portal.
An API Provider must allow an account-access-consent created on a lower version to be accessed via a higher version. Where the account-access-consent is the same but its structure has changed in the higher version, sensible defaults must be used, and the API Provider's developer portal must clearly specify the behaviour.
Any API Provider guidance, contacts or information on testing (environments, credentials etc).
Functionality for the management of credentials and onboarding clients. Includes any information and processes.