Open Banking Sandbox
NextGenPSD2 XS2A Framework
Summary
The NextGenPSD2 Framework Version 1.3.11 offers a modern, open, harmonized and interoperable set of
Application Programming Interfaces (APIs) as the safest and most efficient way to provide data securely.
The NextGenPSD2 Framework reduces XS2A complexity and costs, addresses the problem of multiple competing standards
in Europe and, aligned with the goals of the Euro Retail Payments Board,
enables European banking customers to benefit from innovative products and services ('Banking as a Service')
by granting TPPs safe and secure (authenticated and authorized) access to their bank accounts and financial data.
The possible Approaches are:
* OAuth SCA Approach
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
For successful responses, refer to the table below. In the case of errors, follow the instructions provided for each specific API.
useCaseGroupId | API | useCaseId |
---|---|---|
1 | POST /consents | 1200-1 |
2 | DELETE /consents/{Consent-ID} | 1200-1 |
3 | GET /consents/{Consent-ID} | 1200-1 |
4 | GET /consents/{Consent-ID}/status | 1200-1 |
5 | GET /loans | 1200-1 |
6 | GET /loans/{loan-account-id} | 1200-1 |
7 | GET /loans/{loan-account-id}/balances | 1200-1 |
/v1/consents:
POST:
summary: Create consent
description: |
This method creates a consent resource, defining access rights to dedicated accounts of
a given PSU-ID. These accounts are addressed explicitly in the method as
parameters as a core function.
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
http code | http Description | code | useCaseGroupId | useCaseId | Change required for sandbox |
---|---|---|---|---|---|
400 | Bad Request | RESOURCE_UNKNOWN | 1 | 1400-4 | Change iban number to 87654321 |
400 | Bad Request | RESOURCE_UNKNOWN | 1 | 1400-3 | Change PSU-ID to 211111112 |
400 | Bad Request | RESOURCE_EXPIRED | 1 | 1400-2 | Change iban number to 999999999 |
400 | Bad Request | TIMESTAMP_INVALID | 1 | 1400-5 | Change validUntil to "2028-12-31" |
400 | Bad Request | PERIOD_INVALID | 1 | 1400-1 | Change validUntil to "2020-12-31" |
401 | Unauthorized | PSU_CREDENTIALS_INVALID | 1 | 6401-1 | Change PSU-ID to 111111112 |
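
A negative-test helper for the POST /v1/consents rows above, as an added example (not part of the sandbox documentation or the NextGenPSD2 specification). The host, the baseline values, the consent body layout, the `tppMessages` error envelope and the idea that the changed ID travels as the `PSU-ID` request header are assumptions; the function names are hypothetical.

```python
import json
import uuid

BASE_URL = "https://sandbox.example.invalid"  # placeholder: the page names no host

# Rows of the POST /v1/consents table:
# (useCaseId, field to change, sandbox value, expected status, expected code)
CONSENT_CASES = [
    ("1400-4", "iban", "87654321", 400, "RESOURCE_UNKNOWN"),
    ("1400-3", "PSU-ID", "211111112", 400, "RESOURCE_UNKNOWN"),
    ("1400-2", "iban", "999999999", 400, "RESOURCE_EXPIRED"),
    ("1400-5", "validUntil", "2028-12-31", 400, "TIMESTAMP_INVALID"),
    ("1400-1", "validUntil", "2020-12-31", 400, "PERIOD_INVALID"),
    ("6401-1", "PSU-ID", "111111112", 401, "PSU_CREDENTIALS_INVALID"),
]

def build_consent_request(use_case_id, field, value):
    """Describe (not send) the POST /v1/consents request for one table row."""
    headers = {
        "Content-Type": "application/json",
        "X-Request-ID": str(uuid.uuid4()),
        "PSU-ID": "000000000",        # constructed baseline value
        "useCaseGroupId": "1",        # group 1 = POST /consents
        "useCaseId": use_case_id,
    }
    body = {                           # constructed baseline body (assumed layout)
        "access": {"accounts": [{"iban": "00000000"}]},
        "recurringIndicator": True,
        "validUntil": "2030-01-01",
        "frequencyPerDay": 4,
    }
    if field == "PSU-ID":
        headers["PSU-ID"] = value
    elif field == "iban":
        body["access"]["accounts"][0]["iban"] = value
    else:
        body[field] = value
    return {"method": "POST", "url": BASE_URL + "/v1/consents",
            "headers": headers, "body": json.dumps(body)}

def matches_expected(status, raw_body, want_status, want_code):
    """True only if the response has the promised status and tppMessages code."""
    try:
        codes = [m["code"] for m in json.loads(raw_body)["tppMessages"]]
    except (ValueError, KeyError, TypeError):
        return False
    return status == want_status and want_code in codes
```

Feeding each prepared request to an HTTP client and passing the response to `matches_expected` shows whether a TPP client's error handling sees the status and code each sandbox row promises.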
/v1/consents/{consentId}:
GET:
summary: Get consent request
description: |
Returns the content of an account information consent object.
This returns the data to the TPP, especially in cases
where the consent was managed directly between ASPSP and PSU, e.g. in a redirect SCA Approach.
operationId: getConsentInformation
tags:
- Account Information Service (AIS)
DELETE:
summary: Delete consent
description: The TPP can delete an account information consent object if needed.
operationId: deleteConsent
tags:
- Account Information Service (AIS)
/v1/consents/{consentId}/status:
GET:
summary: Consent status request
description: Read the status of an account information consent resource.
operationId: getConsentStatus
tags:
- Account Information Service (AIS)
/v1/loans:
get:
summary: Read list of loan accounts
description: |
Reads a list of loan accounts potentially with additional information, e.g. balance information.
It is assumed that a consent of the PSU to this access is already given and stored on the ASPSP system.
The addressed list of savings accounts depends then on the stored consent addressed by consentId,
respectively the OAuth2 access token.
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
http code | http Description | code | useCaseGroupId | useCaseId | Change required for sandbox |
---|---|---|---|---|---|
401 | Unauthorized | CONSENT_EXPIRED | 5 | 5401-1 | Change Consent-ID to A769C13F-F050-4E00-B27F-4B0EA80C3E93 |
400 | Conflict | CONFLICT | 5 | 1409-1 | Change Consent-ID to B769B13E-X050-6E00-B28F-4B0EA80C3E11 |
/v1/loans/{loan-account-id}:
get:
summary: Read loan account details
description: |
Reads details about a loan account.
It is assumed that a consent of the PSU to
this access is already given and stored on the ASPSP system.
The addressed details of this account depend then on the stored consent addressed by consentId,
respectively the OAuth2 access token.
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
http code | http Description | code | useCaseGroupId | useCaseId | Change required for sandbox |
---|---|---|---|---|---|
401 | Unauthorized | CONSENT_EXPIRED | 5 | 5401-1 | Change Consent-ID to A769C13F-F050-4E00-B27F-4B0EA80C3E93 |
400 | Conflict | CONFLICT | 5 | 1409-1 | Change Consent-ID to B769B13E-X050-6E00-B28F-4B0EA80C3E11 |
403 | Forbidden | RESOURCE_UNKNOWN | 6 | 1403-2 | Change {loan-account-id} to 12121212 |
403 | Forbidden | RESOURCE_EXPIRED | 6 | 1403-1 | Change {loan-account-id} to 22222222 |
404 | Not found | RESOURCE_UNKNOWN | 6 | 1404-1 | Change {loan-account-id} to 191919191 |
/v1/loans/{loan-account-id}/balances:
get:
summary: Read Loan Account Balances
description: |
Reads balance data from a given loan account addressed by "loan-account-id".
The loan-account-id is constant at least throughout the lifecycle of a given consent.
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
http code | http Description | code | useCaseGroupId | useCaseId | Change required for sandbox |
---|---|---|---|---|---|
401 | Unauthorized | CONSENT_INVALID | 7 | 5401-2 | Change Consent-ID to B769B13E-V8555-6W30-2545-4B0EA80C3E11 |
401 | Unauthorized | CONSENT_EXPIRED | 5 | 5401-1 | Change Consent-ID to A769C13F-F050-4E00-B27F-4B0EA80C3E93 |
400 | Conflict | CONFLICT | 5 | 1409-1 | Change Consent-ID to B769B13E-X050-6E00-B28F-4B0EA80C3E11 |
403 | Forbidden | RESOURCE_UNKNOWN | 6 | 1403-2 | Change {loan-account-id} to 12121212 |
403 | Forbidden | RESOURCE_EXPIRED | 6 | 1403-1 | Change {loan-account-id} to 22222222 |
404 | Not found | RESOURCE_UNKNOWN | 6 | 1404-1 | Change {loan-account-id} to 191919191 |
OAUTH2 Errors:
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
http code | http Description | code | useCaseGroupId | useCaseId |
---|---|---|---|---|
401 | Unauthorized | TOKEN_UNKNOWN | 10 | 4401-3 |
401 | Unauthorized | TOKEN_INVALID | 10 | 4401-2 |
401 | Unauthorized | TOKEN_EXPIRED | 10 | 4401-1 |
Certificate Errors:
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
http code | http Description | code | useCaseGroupId | useCaseId |
---|---|---|---|---|
401 | Unauthorized | CERTIFICATE_EXPIRED | 10 | 1401-2 |
401 | Unauthorized | CERTIFICATE_BLOCKED | 10 | 1401-1 |
401 | Unauthorized | CERTIFICATE_REVOKE | 10 | 1401-5 |
401 | Unauthorized | CERTIFICATE_MISSING | 10 | 1401-4 |
401 | Unauthorized | CERTIFICATE_INVALID | 10 | 1401-3 |
Signature Errors:
To use the Sandbox APIs, headers useCaseGroupId and useCaseId must be added to all requests.
http code | http Description | code | useCaseGroupId | useCaseId |
---|---|---|---|---|
401 | Unauthorized | SIGNATURE_INVALID | 10 | 2401-1 |
401 | Unauthorized | SIGNATURE_MISSING | 10 | 2401-2 |