Domestic Payment Consents - v2.1.0
- 1 Version Control
- 2 Definition
- 3 Endpoints
- 4 State Model
- 4.1 Diagram
- 4.2 Definitions
- 5 Data Model
- 5.1 Reused Classes
- 5.1.1 NZDomesticConsent1
- 5.2 Domestic Payment Consent - Request
- 5.2.1 UML Diagram
- 5.2.2 Notes
- 5.2.3 Data Dictionary
- 5.3 Domestic Payment Consent - Response
- 5.3.1 UML Diagram
- 5.3.2 Notes
- 5.3.3 Data Dictionary
- 5.1 Reused Classes
- 6 Usage Examples
- 6.1 Generic Flow
- 6.1.1 Sequence Diagram
- 6.1.2 Illustrative Interactions
- 6.2 Merchant
- 6.3 Person To Person
- 6.1 Generic Flow
Version Control
Version | Date | Author | Comments |
---|---|---|---|
2.0.0 | Apr 30, 2020 | Payments NZ API Working Group | Baseline |
2.1-draft1 | Jun 15, 2020 | @Gavin Wong (Unlicensed) | Updated:
|
Definition
The domestic-payment-consents resource represents short lived payment-order consents that have been agreed between the Customer and the Third Party, and contains fields which describe the parameters for a single domestic-payment that may be initiated by a Third Party on behalf of a Customer.
The Status of a domestic-payment-consent represents the authentication and authorisation stage with the API Provider.
Endpoints
Resource | HTTP Operation | End-point | Mandatory ? | Scope | Grant Type | Idempotency Key | Request Object | Response Object |
---|---|---|---|---|---|---|---|---|
domestic-payment-consents | POST | POST /domestic-payment-consents | Mandatory | payments | Client Credentials | Yes | NZWriteDomesticConsent1 | NZWriteDomesticConsentResponse1 |
domestic-payment-consents | GET | GET /domestic-payment-consents/{ConsentId} | Mandatory | payments | Client Credentials | NA | NA | NZWriteDomesticConsentResponse1 |
POST /domestic-payment-consents
The API endpoint allows a Third Party to ask an API Provider to create a new domestic-payment-consent.
The Third Party does this with the POST /domestic-payment-consents action.
The Third Party must have an access token issued by the API Provider using a client credentials grant.
The API endpoint allows the Third Party to send a copy of the consent (between Customer and Third Party) to the API Provider.
The API Provider creates the domestic-payment-consent and responds with a unique ConsentId to refer to the consent.
At the point the consent is created, the consent has not been authorised.
The domestic-payment-consent is only valid for 24 hours if not authorised by the Customer.
Flow
The Third Party uses the ConsentId to initiate an authorisation flow (as described in the Security Profile).
As part of the authorisation flow:
The API Provider authenticates the Customer.
The API Provider plays back the consent (registered by the Third Party) back to the Customer - to get consent authorisation. The Customer may accept or reject the consent in its entirety (but not selectively).
If the domestic-payment-consent does not indicate a debtor account, the API Provider presents the Customer a list of accounts from which the Customer must select one.
Once these steps are complete, the consent is considered to have been authorised by the Customer and the Status is updated to Authorised
.
Status
The Status is AwaitingAuthorisation
immediately after the domestic-payment-consent has been created.
GET /domestic-payment-consents/{ConsentId}
The API endpoint allows a Third Party to optionally retrieve a domestic-payment-consent that they have created with an API Provider, to check its status.
The Third Party does this with the GET /domestic-payment-consents/{ConsentId} action - where the ConsentId relates to the domestic-payment-consent to be retrieved.
The Third Party must have an access token issued by the API Provider using a client credentials grant.
Status
The available status codes for a domestic-payment-consent are:
AwaitingAuthorisation
Rejected
Authorised
Consumed
State Model
The state model for a domestic-payment-consent follows a short lived consent state model.
When the Third Party creates the payment-order consent with the API Provider, the Status of the payment-order consent will be set to
AwaitingAuthorisation
.When the Customer authorises the payment-order consent with the API Provider, the Status of the payment-order consent will be updated with
Authorised
.If the Customer rejects the consent or the payment-order consent has failed some other API Provider validation, the Status of the payment-order consent will be set to
Rejected
.If the Third Party uses a payment-order consent in an
Authorised
Status to create a payment-order, the Status of the payment-order consent used will be set toConsumed
.
Diagram
This is the state diagram for the status of a domestic-payment-consent.