API Provider developer portal requirements
This page outlines requirements for API Provider Developer Portals.
These requirements serve as a guideline on what information and functionality should be available for Third Parties.
Requirements that are mandated in the API standard are flagged in the Notes sections.
Requirements
These are the high level requirements identified by the API Centre Technical Working Group.
# | Data | Summary |
---|---|---|
01 | Authentication flows | What authentication flows are enabled, what steps for registering a client, what data is required for registering a client, format of data required. |
02 | Available API functionality | Which endpoints, optional fields, etc. an API Provider has implemented. |
03 | Restrictions on payment functions | Specifically relating to creating a domestic-payment or creating an enduring-payment-consent. |
04 | Fair usage | The API Provider's fair usage policy for APIs. |
05 | Release management | Any default release management behaviour that is outside of the API framework. |
06 | Archiving | Any archiving behaviours that are outside of the API framework. |
API URI structure
Metadata | Mandatory? | Implemented? | Notes |
---|---|---|---|
Base API URI | Mandatory | | |
Discovery or .well-known endpoint URI | Mandatory | | |
Authentication Flows
Supported Authentication Flows
Method | Mandatory? | Implemented? | Notes |
---|---|---|---|
Hybrid | Mandatory | | |
Decoupled | Optional | | |
Authenticating Confidential Client
Which of the following methods of authenticating a confidential client at the token endpoint have been implemented:
Method | Mandatory? | Implemented? | Notes |
---|---|---|---|
Mutual TLS for OAuth Client Authentication as specified in section 2 of [MTLS] | Mandatory - OneOf | | |
| Mandatory - OneOf | | |
Holder of Key Mechanism
Method | Mandatory? | Implemented? | Notes |
---|---|---|---|
OAUTB | Mandatory - OneOf | | |
MTLS | Mandatory - OneOf | | |
Hybrid Flow
Authorization Request Parameters
Parameter | Mandatory? | Implemented? | Notes |
---|---|---|---|
scope | Mandatory | | |
response_type | Mandatory | | |
client_id | Mandatory | | |
redirect_uri | Mandatory | | |
state | Mandatory | | |
nonce | Mandatory | | |
request | Mandatory | | |
Out of specification..? | | | |
Authorization Request Object
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | | |
iss | Mandatory | | |
scope | Mandatory | | |
response_type | Mandatory | | |
client_id | Mandatory | | |
redirect_uri | Mandatory | | |
state | Mandatory | | |
nonce | Mandatory | | |
max_age | Optional | | |
claims.id_token.ConsentId | Mandatory | | |
Out of specification..? | | | |
ID Token Response
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | | |
iss | Mandatory | | |
sub | Mandatory | | |
ConsentId | Mandatory | | |
exp | Mandatory | | |
iat | Mandatory | | |
auth_time | Optional | | |
nonce | Mandatory | | |
c_hash | Mandatory | | |
s_hash | Mandatory | | |
Out of specification..? | | | |
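The hybrid-flow ID token table above lists c_hash and s_hash as mandatory, and the JWS Algorithms table below lists the signing algorithms whose hash function those claims are derived from. The following is an added example, not code from the page or from any API Provider, showing how a Third Party client would check the mandatory claims after signature verification: the hash function is chosen from the token's alg (SHA-256 for PS256/ES256, SHA-384 for PS384/ES384, SHA-512 for PS512/ES512), and c_hash/s_hash are the base64url-encoded left-most half of the digest of the authorization code and state. All sample values (issuer, client_id, code, state, timestamps) are constructed.

```python
import base64
import hashlib
import hmac

# Hash function implied by each JWS alg in the "JWS Algorithms" table
_ALG_HASH = {"PS256": "sha256", "ES256": "sha256",
             "PS384": "sha384", "ES384": "sha384",
             "PS512": "sha512", "ES512": "sha512"}

# Claims the hybrid-flow ID Token Response table marks as Mandatory
REQUIRED_CLAIMS = ("aud", "iss", "sub", "ConsentId", "exp", "iat",
                   "nonce", "c_hash", "s_hash")


def half_hash(value, alg):
    """OIDC c_hash/s_hash: base64url (no padding) of the left-most half
    of the digest selected by the ID token's JWS alg."""
    digest = hashlib.new(_ALG_HASH[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def validate_id_token_claims(claims, alg, expected, code, state, now):
    """Return a list of problems; an empty list means the claims pass.
    `expected` holds the client's own issuer, client_id and nonce."""
    problems = [f"missing claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if problems:
        return problems
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected["client_id"] not in aud:
        problems.append("aud does not contain our client_id")
    if claims["iss"] != expected["iss"]:
        problems.append("iss mismatch")
    if not hmac.compare_digest(claims["nonce"], expected["nonce"]):
        problems.append("nonce mismatch (possible replay)")
    if claims["exp"] <= now or claims["iat"] > now:
        problems.append("token expired or issued in the future")
    if not hmac.compare_digest(claims["c_hash"], half_hash(code, alg)):
        problems.append("c_hash does not match the authorization code")
    if not hmac.compare_digest(claims["s_hash"], half_hash(state, alg)):
        problems.append("s_hash does not match the state parameter")
    return problems


# Constructed sample inputs (not real credentials or a real provider)
SAMPLE_CODE, SAMPLE_STATE = "SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj"
SAMPLE_EXPECTED = {"iss": "https://api.example-bank.test",
                   "client_id": "tpp-123", "nonce": "n-0S6_WzA2Mj"}
SAMPLE_CLAIMS = {"aud": "tpp-123", "iss": SAMPLE_EXPECTED["iss"], "sub": "user-42",
                 "ConsentId": "consent-001", "iat": 1_700_000_000,
                 "exp": 1_700_000_300, "nonce": SAMPLE_EXPECTED["nonce"],
                 "c_hash": half_hash(SAMPLE_CODE, "PS256"),
                 "s_hash": half_hash(SAMPLE_STATE, "PS256")}
```

Run the check only after the JWS signature has been verified against the provider's published keys; the claim checks assume the token is authentic and only detect substitution or replay of code/state.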
Timeouts
Action | Timeout | Implemented? | Notes |
---|---|---|---|
Authorization request flow timeout | | | |
Authorization code timeout | | | |
Other…? | | | |
Decoupled Flow
Notification Options
Mode | Mandatory? | Implemented? | Notes |
---|---|---|---|
Poll | Optional | | |
Ping | Optional | | |
Authorization Request Object
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | | |
iss | Mandatory | | |
nbf | Mandatory | | |
exp | Mandatory | | |
iat | Mandatory | | |
jti | Mandatory | | |
scope | Mandatory | | |
ConsentId | Mandatory | | |
client_notification_token | Optional | | |
login_hint_token | Mandatory - OneOf | | |
id_token_hint | Mandatory - OneOf | | |
requested_expiry | Optional | | |
Out of specification..? | | | |
login_hint_token
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
subject_type | Mandatory | | |
username | Optional | | |
phone | Optional | | |
| Optional | | |
api_provider_token | Optional | | |
third_party_token | Optional | | |
Out of specification..? | | | |
ID Token Response
Field | Mandatory? | Implemented? | Notes |
---|---|---|---|
aud | Mandatory | | |
iss | Mandatory | | |
sub | Mandatory | | |
ConsentId | Mandatory | | |
exp | Mandatory | | |
iat | Mandatory | | |
Out of specification..? | | | |
Timeouts
Action | Timeout | Implemented? | Notes |
---|---|---|---|
Authorization request flow timeout | | | |
Token request timeout | | | |
Other…? | | | |
JWS Algorithms
Which JWS algorithms are used for signing?
Algorithm | Mandatory? | Implemented? | Notes |
---|---|---|---|
PS256 | Mandatory - OneOf | | |
PS384 | Mandatory - OneOf | | |
PS512 | Mandatory - OneOf | | |
ES256 | Mandatory - OneOf | | |
ES384 | Mandatory - OneOf | | |
ES512 | Mandatory - OneOf | | |
Endpoints Implemented
Payment Initiation
Account types in scope and available for Payment Initiation to be documented.
Endpoint | Mandatory? | Implemented? | Notes |
---|---|---|---|
POST /enduring-payment-consents | Optional | | API Provider must specify implementation of endpoint. |
GET /enduring-payment-consents/{ConsentId} | Optional | | API Provider must specify implementation of endpoint. |
DELETE /enduring-payment-consents/{ConsentId} | Optional | | API Provider must specify implementation of endpoint. |
POST /domestic-payment-consents | Mandatory | | API Provider must specify implementation of endpoint. |
GET /domestic-payment-consents/{ConsentId} | Mandatory | | API Provider must specify implementation of endpoint. |
POST /domestic-payments | Mandatory | | API Provider must specify implementation of endpoint. |
GET /domestic-payments/{DomesticPaymentId} | Mandatory |