API Provider developer portal requirements

This page outlines requirements for API Provider Developer Portals.

These requirements serve as a guideline on what information and functionality should be available for Third Parties.

Requirements that are mandated in the API standard are flagged in the Notes sections.

Requirements

These are the high level requirements identified by the API Centre Technical Working Group.

| # | Data | Summary |
|---|------|---------|
| 01 | Authentication flows | Which authentication flows are enabled, the steps for registering a client, the data required to register a client, and the format of that data. |
| 02 | Available API functionality | Which endpoints, optional fields, etc. an API Provider has implemented. |
| 03 | Restrictions on payment functions | Specifically relating to creating a domestic-payment or creating an enduring-payment-consent. |
| 04 | Fair usage | The API Provider's fair usage policy for APIs. |
| 05 | Release management | Any default release management behaviour that is outside of the API framework. |
| 06 | Archiving | Any archiving behaviours that are outside of the API framework. |

API URI structure

| Metadata | Mandatory? | Implemented? | Notes |
|----------|------------|--------------|-------|
| Base API URI | Mandatory |  |  |
| Discovery or .well-known endpoint URI | Mandatory |  |  |

Authentication Flows

Supported Authentication Flows

| Method | Mandatory? | Implemented? | Notes |
|--------|------------|--------------|-------|
| Hybrid | Mandatory |  |  |
| Decoupled | Optional |  |  |

Authenticating Confidential Client

Which of the following methods of authenticating a confidential client at the token endpoint have been implemented:

| Method | Mandatory? | Implemented? | Notes |
|--------|------------|--------------|-------|
| Mutual TLS for OAuth Client Authentication as specified in section 2 of [MTLS] | Mandatory - OneOf |  |  |
| private_key_jwt as specified in section 9 of [OIDC] | Mandatory - OneOf |  |  |

Holder of Key Mechanism

| Method | Mandatory? | Implemented? | Notes |
|--------|------------|--------------|-------|
| OAUTB | Mandatory - OneOf |  |  |
| MTLS | Mandatory - OneOf |  |  |

Hybrid Flow

Authorization Request Parameters

| Parameter | Mandatory? | Implemented? | Notes |
|-----------|------------|--------------|-------|
| scope | Mandatory |  |  |
| response_type | Mandatory |  |  |
| client_id | Mandatory |  |  |
| redirect_uri | Mandatory |  |  |
| state | Mandatory |  |  |
| nonce | Mandatory |  |  |
| request | Mandatory |  |  |
| Out of specification..? |  |  |  |

Authorization Request Object

| Field | Mandatory? | Implemented? | Notes |
|-------|------------|--------------|-------|
| aud | Mandatory |  |  |
| iss | Mandatory |  |  |
| scope | Mandatory |  |  |
| response_type | Mandatory |  |  |
| client_id | Mandatory |  |  |
| redirect_uri | Mandatory |  |  |
| state | Mandatory |  |  |
| nonce | Mandatory |  |  |
| max_age | Optional |  |  |
| claims.id_token.ConsentId | Mandatory |  |  |
| Out of specification..? |  |  |  |

ID Token Response

| Field | Mandatory? | Implemented? | Notes |
|-------|------------|--------------|-------|
| aud | Mandatory |  |  |
| iss | Mandatory |  |  |
| sub | Mandatory |  |  |
| ConsentId | Mandatory |  |  |
| exp | Mandatory |  |  |
| iat | Mandatory |  |  |
| auth_time | Optional |  |  |
| nonce | Mandatory |  |  |
| c_hash | Mandatory |  |  |
| s_hash | Mandatory |  |  |
| Out of specification..? |  |  |  |

Timeouts

| Action | Timeout | Implemented? | Notes |
|--------|---------|--------------|-------|
| Authorization request flow timeout |  |  |  |
| Authorization code timeout |  |  |  |
| Other…? |  |  |  |

Decoupled Flow

Notification Options

| Mode | Mandatory? | Implemented? | Notes |
|------|------------|--------------|-------|
| Poll | Optional |  |  |
| Ping | Optional |  |  |

Authorization Request Object

| Field | Mandatory? | Implemented? | Notes |
|-------|------------|--------------|-------|
| aud | Mandatory |  |  |
| iss | Mandatory |  |  |
| nbf | Mandatory |  |  |
| exp | Mandatory |  |  |
| iat | Mandatory |  |  |
| jti | Mandatory |  |  |
| scope | Mandatory |  |  |
| ConsentId | Mandatory |  |  |
| client_notification_token | Optional |  |  |
| login_hint_token | Mandatory - OneOf |  |  |
| id_token_hint | Mandatory - OneOf |  |  |
| requested_expiry | Optional |  |  |
| Out of specification..? |  |  |  |

login_hint_token

| Field | Mandatory? | Implemented? | Notes |
|-------|------------|--------------|-------|
| subject_type | Mandatory |  |  |
| username | Optional |  |  |
| phone | Optional |  |  |
| email | Optional |  |  |
| api_provider_token | Optional |  |  |
| third_party_token | Optional |  |  |
| Out of specification..? |  |  |  |

ID Token Response

| Field | Mandatory? | Implemented? | Notes |
|-------|------------|--------------|-------|
| aud | Mandatory |  |  |
| iss | Mandatory |  |  |
| sub | Mandatory |  |  |
| ConsentId | Mandatory |  |  |
| exp | Mandatory |  |  |
| iat | Mandatory |  |  |
| Out of specification..? |  |  |  |

Timeouts

| Action | Timeout | Implemented? | Notes |
|--------|---------|--------------|-------|
| Authorization request flow timeout |  |  |  |
| Token request timeout |  |  |  |
| Other…? |  |  |  |

JWS Algorithms

Which JWS algorithms are used for signing?

| Algorithm | Mandatory? | Implemented? | Notes |
|-----------|------------|--------------|-------|
| PS256 | Mandatory - OneOf |  |  |
| PS384 | Mandatory - OneOf |  |  |
| PS512 | Mandatory - OneOf |  |  |
| ES256 | Mandatory - OneOf |  |  |
| ES384 | Mandatory - OneOf |  |  |
| ES512 | Mandatory - OneOf |  |  |
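As an added example (not part of this requirements page or of the API Centre standard), a Python check a Third Party could run on a hybrid-flow ID token after a JOSE library has verified its JWS signature: it enforces the algorithm allow-list from the JWS Algorithms table above and the Mandatory claims from the Hybrid Flow ID Token Response table, recomputing c_hash and s_hash from the authorization code and state returned in the front channel. The issuer, client_id, ConsentId and code/state values used in the test are constructed placeholders.

```python
import base64
import hashlib
import time

# JWS algorithms the JWS Algorithms table marks "Mandatory - OneOf"; anything else is rejected.
ALLOWED_ALGS = {"PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}
# Claims the Hybrid Flow "ID Token Response" table marks Mandatory (auth_time is Optional).
REQUIRED_CLAIMS = ("aud", "iss", "sub", "ConsentId", "exp", "iat", "nonce", "c_hash", "s_hash")


def left_half_hash(value: str, alg: str) -> str:
    """OIDC c_hash / s_hash: base64url (no padding) of the left-most half of the digest
    from the hash function paired with the JWS alg (SHA-256 for PS256/ES256, and so on)."""
    digest = hashlib.new(f"sha{int(alg[2:])}", value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def validate_id_token(header: dict, claims: dict, *, issuer: str, client_id: str, nonce: str,
                      code: str, state: str, consent_id: str, now=None,
                      skew: int = 60) -> list:
    """Check a hybrid-flow ID token against what the Third Party sent and expects.
    Returns a list of failures; an empty list means the token is acceptable.
    Assumes the JWS signature has already been verified by a JOSE library."""
    now = int(time.time()) if now is None else now
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        # Stop here: c_hash/s_hash cannot be recomputed for an unknown alg.
        return [f"alg {alg!r} not in allowed set"]
    problems = [f"missing claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if problems:
        return problems
    aud = claims["aud"]
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain client_id")
    if claims["iss"] != issuer:
        problems.append("iss mismatch")
    if claims["nonce"] != nonce:
        problems.append("nonce mismatch (possible replay)")
    if claims["ConsentId"] != consent_id:
        problems.append("ConsentId does not match the consent being authorised")
    # c_hash binds the front-channel authorization code to this token; s_hash binds state.
    if claims["c_hash"] != left_half_hash(code, alg):
        problems.append("c_hash does not match the authorization code")
    if claims["s_hash"] != left_half_hash(state, alg):
        problems.append("s_hash does not match state")
    if claims["exp"] <= now - skew:
        problems.append("token expired")
    if claims["iat"] > now + skew:
        problems.append("iat is in the future")
    return problems
```

A token whose alg is outside the table (for example an HMAC or "none" header) is rejected before any claim is inspected, so the allow-list check also protects the hash recomputation from a downgraded digest.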

Endpoints Implemented

Payment Initiation

  • Account types in scope and available for Payment Initiation to be documented.

| Endpoint | Mandatory? | Implemented? | Notes |
|----------|------------|--------------|-------|
| POST /enduring-payment-consents | Optional |  | API Provider must specify implementation of endpoint. |
| GET /enduring-payment-consents/{ConsentId} | Optional |  | API Provider must specify implementation of endpoint. |
| DELETE /enduring-payment-consents/{ConsentId} | Optional |  | API Provider must specify implementation of endpoint. |
| POST /domestic-payment-consents | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /domestic-payment-consents/{ConsentId} | Mandatory |  | API Provider must specify implementation of endpoint. |
| POST /domestic-payments | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /domestic-payments/{DomesticPaymentId} | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /domestic-payments/{DomesticPaymentId}/debtor-account | Mandatory |  | API Provider must specify implementation of endpoint. |

Account Information

  • Account types in scope and available for Account Information to be documented.

  • API Providers must publish information on the format of their masked credit card number.

| Endpoint | Mandatory? | Implemented? | Notes |
|----------|------------|--------------|-------|
| POST /account-access-consents | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /account-access-consents/{ConsentId} | Mandatory |  | API Provider must specify implementation of endpoint. |
| DELETE /account-access-consents/{ConsentId} | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /accounts | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId} | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/balances | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /balances | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/transactions | Mandatory |  | API Provider must specify implementation of endpoint. |
| GET /transactions | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/beneficiaries | Optional |  | API Provider must specify implementation of endpoint. |
| GET /beneficiaries | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/direct-debits | Optional |  | API Provider must specify implementation of endpoint. |
| GET /direct-debits | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/standing-orders | Optional |  | API Provider must specify implementation of endpoint. |
| GET /standing-orders | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/offers | Optional |  | API Provider must specify implementation of endpoint. |
| GET /offers | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/party | Optional |  | API Provider must specify implementation of endpoint. |
| GET /party | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/scheduled-payments | Optional |  | API Provider must specify implementation of endpoint. |
| GET /scheduled-payments | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/statements | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/statements/{StatementId} | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/statements/{StatementId}/file | Optional |  | API Provider must specify implementation of endpoint. |
| GET /accounts/{AccountId}/statements/{StatementId}/transactions | Optional |  | API Provider must specify implementation of endpoint. |
| GET /statements | Optional |  | API Provider must specify implementation of endpoint. |

Restrictions

Any global restrictions on using API endpoints.

Notes:

  • An API Provider must determine the restrictions it supports based on its individual practices, standards and limitations. These restrictions must be documented on the API Provider's developer portal.

Fair Usage

Any global fair usage restrictions.

Notes:

  • API Providers must document their fair usage policies in their developer portals.

Release Management

Any API Provider specific release management guidance.

Archiving

Any archiving rules on resources.

Notes:

  • An API Provider must allow a domestic-payment created on a lower version to be accessed via a higher version. Retention will depend on the API Provider's legal requirements for data retention. Where the payment-order type is the same but its structure has changed in the higher version, sensible defaults must be used, with the API Provider's developer portal clearly specifying the behaviour.

  • An API Provider must document, on its developer portal, the behaviour governing the accessibility of a payment-order in a higher version.

  • An API Provider must allow an account-access-consent created on a lower version to be accessed via a higher version. Where the account-access-consent is the same but its structure has changed in the higher version, sensible defaults must be used, with the API Provider's developer portal clearly specifying the behaviour.

Testing

Any API Provider guidance, contacts or information on testing (environments, credentials, etc.).

Credential Management

Functionality for managing credentials and onboarding clients, including any related information and processes.