Before proceeding with the following steps, please create an application and subscribe it to the PSD2 sandbox API (see Getting started).
According to the Berlin Group's NextGenPSD2 standard, Third Party Providers (TPPs) take the OAuth role of “client”. As specified by the Internet Engineering Task Force, the “Client Credentials Grant” is used to obtain an access token.
STEP 1: GET AN OAUTH ACCESS TOKEN FROM SSO.HYPO.AT
The value of the Basic Authorization header is the Base64 encoding of ClientId:ClientSecret, in this example APISBX-1234:Pwd-123.
The following example shows an OAuth Access Token request in “cURL” and “HTTP” format:
curl -X POST https://sso.hypo.at/as/token.oauth2 \
  -H 'Authorization: Basic [Insert your Base64-encoded client credentials here, e.g. "QVBJU0JYLTEyMzQ6UHdkLTEyMw=="]' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Cache-Control: no-cache' \
  -d 'grant_type=client_credentials&scope=apic-sbx-psd2'
POST /as/token.oauth2 HTTP/1.1
Host: sso.hypo.at
Content-Type: application/x-www-form-urlencoded
Authorization: Basic [Insert your Base64-encoded client credentials here, e.g. "QVBJU0JYLTEyMzQ6UHdkLTEyMw=="]
Cache-Control: no-cache

grant_type=client_credentials&scope=apic-sbx-psd2
The following is an example response body you would receive:
{
  "access_token": "ulHtZOyTjh8m0aq8QtQ8beEueMbH",
  "token_type": "Bearer",
  "expires_in": 599
}
STEP 2: USE THE OAUTH ACCESS TOKEN FOR SANDBOX.HYPO.AT
For all subsequent calls to our APIs, transmit the generated access token in the Authorization header as a Bearer token.
The following example shows a request in “cURL” and “HTTP” format:
curl -X GET https://sandbox.hypo.at/api/psd2-xs2a/rest/v1/accounts \
  -H 'Authorization: Bearer ulHtZOyTjh8m0aq8QtQ8beEueMbH' \
  -H 'X-Request-ID: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721' \
  -H 'Consent-ID: 4711' \
  -H 'Cache-Control: no-cache'
GET /api/psd2-xs2a/rest/v1/accounts HTTP/1.1
Host: sandbox.hypo.at
Authorization: Bearer ulHtZOyTjh8m0aq8QtQ8beEueMbH
X-Request-ID: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721
Consent-ID: e6151d43-dca8-4fe1-b139-3a89bfeb57a2
Cache-Control: no-cache
The following is an example response body you would receive:
{
  "accounts": [
    {
      "resourceId": "AT099900000000001511",
      "iban": "AT099900000000001511",
      "bban": null,
      "msisdn": null,
      "currency": "EUR",
      "name": "Marianne Mustermann",
      "product": "Giro",
      "cashAccountType": null,
      "status": null,
      "bic": "TESTAT99",
      "linkedAccounts": null,
      "usage": null,
      "details": null,
      "balances": null,
      "_links": {
        "balances": {
          "href": "/v1/accounts/AT099900000000001511/balances"
        },
        "transactions": {
          "href": "/v1/accounts/AT099900000000001511/transactions"
        }
      }
    },
    {
      "resourceId": "AT439900000000010017",
      "iban": "AT439900000000010017",
      "bban": null,
      "msisdn": null,
      "currency": "EUR",
      "name": "Georg Mustermann",
      "product": "Giro",
      "cashAccountType": null,
      "status": null,
      "bic": "TESTAT99",
      "linkedAccounts": null,
      "usage": null,
      "details": null,
      "balances": null,
      "_links": {
        "balances": {
          "href": "/v1/accounts/AT439900000000010017/balances"
        },
        "transactions": {
          "href": "/v1/accounts/AT439900000000010017/transactions"
        }
      }
    }
  ]
}
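The two steps above (Basic-authenticated token request, then Bearer calls with per-request headers) as a small client, written as an added example rather than code from the bank or the sandbox documentation. The token URL, scope and example credentials are taken from the page; the HTTP transport is injected as a callable so the code runs offline, and the 30-second refresh margin and the fresh-UUID X-Request-ID per call are assumptions drawn from the Berlin Group XS2A conventions, not from this page.

```python
"""Helpers for steps 1 and 2: Basic auth header for the token request,
a token cache that refreshes before expires_in runs out, and per-call XS2A
headers. Added example, not the bank's SDK; the HTTP transport is injected
(constructed), so it runs offline. URL and scope are taken from the page."""
import base64, json, time, uuid

TOKEN_URL = "https://sso.hypo.at/as/token.oauth2"
SCOPE = "apic-sbx-psd2"
REFRESH_MARGIN = 30  # assumed: refresh this many seconds before the token expires


def basic_auth_header(client_id, client_secret):
    """'Authorization' value for step 1: Base64(ClientId:ClientSecret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenCache:
    """One client-credentials token, refreshed shortly before it expires.
    post(url, headers, body) -> response bytes is the injected transport."""

    def __init__(self, client_id, client_secret, post, clock=time.time):
        self._auth = basic_auth_header(client_id, client_secret)
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0
        self.fetches = 0  # number of token-endpoint calls (for tests/metrics)

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            headers = {"Authorization": self._auth,
                       "Content-Type": "application/x-www-form-urlencoded"}
            body = f"grant_type=client_credentials&scope={SCOPE}"
            data = json.loads(self._post(TOKEN_URL, headers, body))
            if data.get("token_type") != "Bearer":  # do not use unexpected token types
                raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
            self._token = data["access_token"]
            self._expires_at = self._clock() + int(data["expires_in"])
            self.fetches += 1
        return self._token


def xs2a_headers(access_token, consent_id):
    """Headers for step 2; X-Request-ID is a fresh UUID on every call (assumed)."""
    return {"Authorization": f"Bearer {access_token}",
            "X-Request-ID": str(uuid.uuid4()),
            "Consent-ID": consent_id}
```

With the page's example token (expires_in 599) the cache returns the same token for roughly nine and a half minutes and then asks sso.hypo.at for a new one before the old one is rejected.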
STEP 3: PSD2-LIVE - TESTING YOUR EIDAS QWAC CERTIFICATE / GETTING A CLIENT-ID
You will have to call the first-contact endpoint once to receive a Client-ID. This step also verifies that your eIDAS certificate is valid. You can send this request multiple times; as long as your certificate's subject DN does not change, you will receive the same Client-ID.
Please note that our APIs only support certificates with a maximum key length of 2048 bits.
The following example shows a request in "cURL" format:
curl -X POST "https://psd2.hypo.at/api/psd2-xs2a/first-contact/" \
  -H "Content-Type: application/json" \
  -H "Cache-Control: no-cache" \
  --cert "/path/to/cert.pem" \
  --key "/path/to/key.key"
The following is an example response body you would receive:
{
  "clientId": "API-7d6f204b-3219-4b63-b66e-5f7a0be1d067"
}