Confirmation of funds service
In order to perform a confirmation of funds request, a confirmation of funds consent is required. The information on this page describes the steps required to obtain a confirmation of funds consent and the way such a consent can be used to perform the confirmation of funds request.
NOTE: To use these APIs, a valid TLS certificate is required.
The following methods are supported:
- Create consent
- Approve consent
- Retrieve access token
- Retrieve consent status
- Retrieve consent details
- Retrieve consent authorisations
- Retrieve consent authorisation details
- Perform confirmation of funds request
- Delete consent
Create consent
In order to perform a confirmation of funds request, a confirmation of funds consent is required. This chapter describes the steps required to create such a consent. The created consent has to be approved in the next step before it can be used.
- Create JSON body
- Generate signature and set headers
- Perform request
Create JSON body
{ "account": { "iban": "NL34BNGT5532530633" } }
field | description |
---|---|
account | Account, where the confirmation of funds service is aimed to be submitted to. |
account.iban | Required, a valid IBAN |
Generate signature and set headers
To generate a signature, see Signature setup.
The following headers must be provided
Header | Example | Description |
---|---|---|
Content-Type | application/json | Only application/json is supported. |
Date | Fri, 09 Apr 2021 15:12:16 GMT | The date of the request. |
X-Request-ID | 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 | An identifier chosen by the TPP to identify the request. This id is passed back in the X-Request-ID header of the response |
PSU-IP-Address | 123.12.12.12 | The forwarded IP Address header field consists of the corresponding http request IP Address field between PSU and TPP. |
PSU-User-Agent | Chrome OS | The forwarded Agent header field of the HTTP request between PSU and TPP, if available. |
PSU-Geo-Location | 51.20,4.2 | The forwarded Geo Location of the corresponding http request between PSU and TPP if available. |
TPP-Redirect-URI | https://tpp.com/some-redirect | URI of the TPP, where the transaction flow shall be redirected to after a Redirect. |
Accept | application/json | The content type the client is able to understand. Must be application/json. |
Digest | SHA-256=262LaJygmoifcl5pVlhlUXW1QNUfGhfryy03ud/uxMs= | Digest of the body of the request. This field is mandatory, because the ASPSP mandates the use of a signature. |
Signature | | A signature of the request. The ASPSP mandates the use of a signature. |
TPP-Signature-Certificate | | The certificate used for signing the request, in base64 encoding. This field is mandatory, because the ASPSP mandates the use of a signature. |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/api/v1/consents/confirmation-of-funds |
Method | POST |
After a successful consent creation, status code 201 is returned along with the create consent response.
{ "consentStatus": "received", "consentId": "55bf9167-0e5a-47a9-8b18-2c8bb3bd6732", "_links": { "scaOAuth": { "href": "https://w2.api.xs2a.bngbank.nl/well-known/oauth-configuration" }, "self": { "href": "/api/v1/consents/confirmation-of-funds/55bf9167-0e5a-47a9-8b18-2c8bb3bd6732" }, "status": { "href": "/api/v1/consents/confirmation-of-funds/55bf9167-0e5a-47a9-8b18-2c8bb3bd6732/status" } } }
consentId is needed in later steps.
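The request preparation described above, as an added example that is not part of the original page or BNG's own code: the body is serialised once and the Digest header is computed over exactly those bytes. The function names are hypothetical; the Signature and TPP-Signature-Certificate headers are left out because their construction is described on the Signature setup page.

```python
import base64
import hashlib
import hmac
import json
import uuid
from email.utils import formatdate


def serialize_body(payload: dict) -> bytes:
    """Serialise once; these exact bytes are both hashed and sent."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def digest_header(body: bytes) -> str:
    """Digest header value: 'SHA-256=' + base64(SHA-256(body))."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def digest_matches(header_value: str, body: bytes) -> bool:
    """Check that a body still matches its Digest header (constant-time compare)."""
    return hmac.compare_digest(header_value.encode(), digest_header(body).encode())


def create_consent_request(iban: str, psu_ip: str, redirect_uri: str):
    """Return (body, headers) for POST /api/v1/consents/confirmation-of-funds.

    Signature and TPP-Signature-Certificate are not set here: they are
    built as described on the Signature setup page.
    """
    body = serialize_body({"account": {"iban": iban}})
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Date": formatdate(usegmt=True),    # e.g. Fri, 09 Apr 2021 15:12:16 GMT
        "X-Request-ID": str(uuid.uuid4()),  # fresh identifier per request
        "PSU-IP-Address": psu_ip,
        "TPP-Redirect-URI": redirect_uri,
        "Digest": digest_header(body),
    }
    return body, headers


if __name__ == "__main__":
    # Sample values taken from the examples on this page.
    body, headers = create_consent_request(
        "NL34BNGT5532530633", "123.12.12.12", "https://tpp.com/some-redirect")
    print(headers["Digest"], digest_matches(headers["Digest"], body))
    # Re-serialising the same JSON with different whitespace breaks the digest.
    pretty = json.dumps(json.loads(body), indent=2).encode("utf-8")
    print(digest_matches(headers["Digest"], pretty))
```

Send the returned `body` bytes unchanged; letting an HTTP library re-encode the JSON after the Digest has been computed is a common cause of rejected requests.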
Approve consent
After a confirmation of funds consent has been created, it has to be approved by the PSU. To do so, the following steps have to be taken:
- Redirect to OAuth2.0 endpoint
- Login
- Review consent
- Approve consent
Redirect to OAuth2.0 endpoint
To create an OAuth2.0 redirect URI, please refer to the OAuth2.0 page.
When creating an OAuth2.0 redirect, a scope is required. This scope should look like "PIIS:[consent-id]", where consent-id is the id returned in the previous step. For example: "PIIS:55bf9167-0e5a-47a9-8b18-2c8bb3bd6732".
NOTE: when testing multiple scenarios in quick succession, it is advised to use an incognito browser when navigating to the OAuth2.0 redirect URI. This is because after logging in, the user remains signed in for a period of time.
Login
After navigating to the OAuth2.0 redirect URI, a login page is displayed. The login page will only appear if the user is not authenticated.
Review consent
After successfully signing in, the consent details will be displayed.
Approve consent
If the user has sufficient authorisation to approve the consent, the consent can be approved. To approve the consent, click "Allow". To decline the consent, click "Back" to return to redirect_uri without approving. No access code will be returned.
Redirect
After the consent has been approved, the user is redirected back to the redirect_uri that has been passed on the query string. This redirect_uri will contain an additional query string parameter "Code". This code can be used to obtain an access token. With this access token, data regarding this consent can be retrieved.
Retrieve access token
An access code from the previous step can be exchanged for an access token using the following API call.
Body
Example of request body. Note: line breaks are for clarifying the example.
client_id=PSDNL-AUT-SANDBOX&
grant_type=authorization_code&
code=f1084fea123e4bc3bcca0a1e5a0a54e5b70e91811dce483aa2168dc539c5f70f&
code_verifier=someverifierdata1234&
state=438b3d36666341019366cf190b57a349&
redirect_uri=redirect_uri
Field | Example value | Description |
---|---|---|
client_id | PSDNL-AUT-SANDBOX | The same client id as present in the TLS certificate. |
grant_type | authorization_code | The grant type requested |
code | f10...70f | The access code as returned by the confirmation site. |
code_verifier | someverifierdata1234 | The code_verifier as passed to the OAuth2.0 authorisation request. |
state | 438b3d36666341019366cf190b57a349 | The state |
redirect_uri | https://tpp.com/access_token | The redirect_uri as passed to the OAuth2.0 authorisation request. |
Headers
The following headers are required for the request
Header | Example value | Description |
---|---|---|
Content-Type | application/x-www-form-urlencoded | |
Accept | application/json | |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/token |
Method | POST |
If the call was successful, a 201 status is returned along with the response body. See below an example of a response.
{ "access_token": "eyJh...R49Q", "token_type": "Bearer", "expires_in": "604782", "refresh_token": "91f557fe-e01d-4498-bcb9-46dba668de08", "scope": "PIIS:ec1bff9e-79d2-4588-9112-2ae65ae2a14b" }
For other possible return codes, see the API DOCUMENTATION page.
Please store access_token somewhere, for example in Notepad, as it is required in later steps. Note that the access token gives access to all API methods for the corresponding paymentInitiationId. In case a paymentInitiationBatchGroupId was used in a redirect, the access token will give access to all paymentInitiationIds that were generated from the bulk payment file, e.g. in a bulk payment file containing multiple bulk-payments/batches.
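The redirect handling and token exchange described above, as an added example that is not part of the original page or BNG's own code: it builds the form body with proper percent-encoding and accepts a token only if its scope is bound to the consent that was created. The function names are hypothetical, and the check on `state` assumes the value is echoed on the redirect as in standard OAuth 2.0, which this page does not state.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


def piis_scope(consent_id: str) -> str:
    """Scope format given on this page: PIIS:[consent-id]."""
    return f"PIIS:{consent_id}"


def code_from_redirect(url: str, expected_state: str) -> str:
    """Extract the access code from the redirect back to the TPP."""
    # Names are matched case-insensitively: the page calls the parameter "Code".
    params = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    # Assumption: state is echoed on the redirect, as in standard OAuth 2.0.
    state = params.get("state", "")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "code" not in params:
        raise ValueError("no access code: the consent was not approved")
    return params["code"]


def token_request_body(client_id, code, code_verifier, state, redirect_uri) -> str:
    """Form body for POST /token; urlencode percent-encodes redirect_uri."""
    return urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": code_verifier,
        "state": state,
        "redirect_uri": redirect_uri,
    })


def check_token_response(resp: dict, consent_id: str):
    """Return (access_token, lifetime in seconds) if the token fits the consent."""
    if resp.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if resp.get("scope") != piis_scope(consent_id):
        raise ValueError("token scope is not bound to the expected consent")
    # expires_in arrives as a string in the sample response on this page.
    return resp["access_token"], int(resp["expires_in"])
```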
Retrieve consent status
To retrieve the status of a confirmation of funds consent, a confirmation of funds consent-id as well as an access_token is required. Please see the previous steps for directions on how to obtain those.
Headers
The following headers must be provided
Header | Example | Description |
---|---|---|
Content-Type | application/json | |
Date | Fri, 09 Apr 2021 15:12:16 GMT | The date of the request. |
X-Request-ID | 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 | An identifier chosen by the TPP to identify the request. This id is passed back in the X-Request-ID header of the response |
Authorization | Bearer ACCESS_TOKEN | Replace ACCESS_TOKEN with the access token obtained in a previous step. |
Accept | application/json | |
Digest | SHA-256=spt...rrI | Digest of the body |
Signature | keyId=\"SN=...Yiow==\ | The signature of the request, see Signature setup |
TPP-Signature-Certificate | -----BEGIN CERTIFICATE-----MII...UjY=-----END CERTIFICATE----- | The certificate used to sign the request. |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/api/v1/consents/confirmation-of-funds/CONSENT_ID/status | Replace CONSENT_ID with the id of a confirmation of funds consent, for example: 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 |
Method | GET |
If the call was successful, a 200 status is returned along with the response body. See below an example of a response.
{ "consentStatus": "valid" }
For other possible return codes, see the API DOCUMENTATION page.
Retrieve consent details
To retrieve details of a confirmation of funds consent, a consent-id as well as an access_token is required. Please see the previous steps for directions on how to obtain those.
Headers
The following headers must be provided
Header | Example | Description |
---|---|---|
Content-Type | application/json | |
Date | Fri, 09 Apr 2021 15:12:16 GMT | The date of the request. |
X-Request-ID | 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 | An identifier chosen by the TPP to identify the request. This id is passed back in the X-Request-ID header of the response |
Authorization | Bearer ACCESS_TOKEN | Replace ACCESS_TOKEN with the access token obtained in a previous step. |
Accept | application/json | |
Digest | SHA-256=spt...rrI | Digest of the body |
Signature | keyId=\"SN=...Yiow==\ | The signature of the request, see Signature setup |
TPP-Signature-Certificate | -----BEGIN CERTIFICATE-----MII...UjY=-----END CERTIFICATE----- | The certificate used to sign the request. |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/api/v1/consents/confirmation-of-funds/CONSENT_ID | Replace CONSENT_ID with the id of a confirmation of funds consent, for example: 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 |
Method | GET |
If the call was successful, a 200 status is returned along with the response body. See below an example of a response.
{ "account": { "iban": "NL34BNGT5532530633" }, "lastActionDate": "2019-06-25T09:21:23.197Z", "consentStatus": "valid" }
For other possible return codes, see the API DOCUMENTATION page.
Retrieve consent authorisations
To retrieve authorisations (confirmations) of a confirmation of funds consent, a consent-id as well as an access_token is required. Please see the previous steps for directions on how to obtain those.
Headers
The following headers must be provided
Header | Example | Description |
---|---|---|
Content-Type | application/json | |
Date | Fri, 09 Apr 2021 15:12:16 GMT | The date of the request. |
X-Request-ID | 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 | An identifier chosen by the TPP to identify the request. This id is passed back in the X-Request-ID header of the response |
Authorization | Bearer ACCESS_TOKEN | Replace ACCESS_TOKEN with the access token obtained in a previous step. |
Accept | application/json | |
Digest | SHA-256=spt...rrI | Digest of the body |
Signature | keyId=\"SN=...Yiow==\ | The signature of the request, see Signature setup |
TPP-Signature-Certificate | -----BEGIN CERTIFICATE-----MII...UjY=-----END CERTIFICATE----- | The certificate used to sign the request. |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/api/v1/consents/confirmation-of-funds/CONSENT_ID/authorisations | Replace CONSENT_ID with the id of a confirmation of funds consent, for example: 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 |
Method | GET |
If the call was successful, a 200 status is returned along with the response body. See below an example of a response.
{ "authorisationIds": [ "19e54cc4-400e-4ba5-a9cd-0bfd39753f64" ] }
Store an authorisation-id; it is required for the next step.
For other possible return codes, see the API DOCUMENTATION page.
Retrieve consent authorisation details
To retrieve the details of an authorisation (confirmation) of a confirmation of funds consent, a consent-id as well as an access_token and an authorisation-id are required. Please see the previous steps for directions on how to obtain those.
Headers
The following headers must be provided
Header | Example | Description |
---|---|---|
Content-Type | application/json | |
Date | Fri, 09 Apr 2021 15:12:16 GMT | The date of the request. |
X-Request-ID | 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 | An identifier chosen by the TPP to identify the request. This id is passed back in the X-Request-ID header of the response |
Authorization | Bearer ACCESS_TOKEN | Replace ACCESS_TOKEN with the access token obtained in a previous step. |
Accept | application/json | |
Digest | SHA-256=spt...rrI | Digest of the body |
Signature | keyId=\"SN=...Yiow==\ | The signature of the request, see Signature setup |
TPP-Signature-Certificate | -----BEGIN CERTIFICATE-----MII...UjY=-----END CERTIFICATE----- | The certificate used to sign the request. |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/api/v1/consents/confirmation-of-funds/CONSENT_ID/authorisations/AUTHORISATION_ID | Replace CONSENT_ID with the id of a confirmation of funds consent, for example: 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329. Also replace AUTHORISATION_ID for the id of the authorisation (confirmation), for example: fb74e2f0-6807-4c2a-8662-8d519d87e0a4 |
Method | GET |
If the call was successful, a 200 status is returned along with the response body. See below an example of a response.
{ "scaStatus": "finalised" }
For other possible return codes, see the API DOCUMENTATION page.
Perform confirmation of funds request
Checks whether a specific amount is available on an account at the time of the request. To perform this request, a confirmation of funds consent-id as well as an access_token is required. Please see the previous steps for directions on how to obtain those.
- Create JSON body
- Generate signature and set headers
- Perform request
Create JSON body
{ "account": { "iban": "NL34NEMO1560818072" }, "instructedAmount": { "amount": 123.45, "currency": "EUR" } }
field | description |
---|---|
account | Account, where the confirmation of funds service is aimed to be submitted to. |
account.iban | Required, a valid IBAN |
instructedAmount | |
instructedAmount.iban | A valid IBAN, this IBAN must match the IBAN in the created consent |
instructedAmount.currency | The currency, only EUR is supported. |
Generate signature and set headers
To generate a signature, see Signature setup.
The following headers must be provided
Header | Example | Description |
---|---|---|
Content-Type | application/json | Only application/json is supported. |
Date | Fri, 09 Apr 2021 15:12:16 GMT | The date of the request. |
X-Request-ID | 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 | An identifier chosen by the TPP to identify the request. This id is passed back in the X-Request-ID header of the response |
Authorization | Bearer ACCESS_TOKEN | Replace ACCESS_TOKEN with the access token obtained in a previous step. |
Accept | application/json | The content type the client is able to understand. Must be application/json. |
Digest | SHA-256=262LaJygmoifcl5pVlhlUXW1QNUfGhfryy03ud/uxMs= | Digest of the body of the request. This field is mandatory, because the ASPSP mandates the use of a signature. |
Signature | keyId=\"SN=...Yiow==\ | The signature of the request, see Signature setup |
TPP-Signature-Certificate | -----BEGIN CERTIFICATE-----MII...UjY=-----END CERTIFICATE----- | The certificate used to sign the request. |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/api/v1/funds-confirmations |
Method | POST |
After a successful confirmation of funds check, status code 200 is returned along with the following JSON response.
{ "fundsAvailable": true }
For other possible return codes, see the API DOCUMENTATION page.
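A client-side pre-flight check for the funds confirmation body described above, as an added example that is not part of the original page or BNG's own code: it validates the IBAN with the standard mod-97 check, requires it to match the IBAN of the consent, and allows only EUR. The function names are hypothetical, and the rule that the amount is positive with at most two decimals is an assumption, not something this page states.

```python
import json
from decimal import Decimal


def normalise_iban(iban: str) -> str:
    """Strip spaces and upper-case, so printed and electronic forms compare equal."""
    return iban.replace(" ", "").upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move 4 chars to the end, letters -> 10..35, mod 97 == 1."""
    s = normalise_iban(iban)
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def funds_confirmation_body(consent_iban: str, iban: str, amount, currency: str = "EUR") -> bytes:
    """Build the POST /api/v1/funds-confirmations body, or raise ValueError."""
    if not iban_is_valid(iban):
        raise ValueError("IBAN fails the mod-97 check")
    if normalise_iban(iban) != normalise_iban(consent_iban):
        raise ValueError("IBAN does not match the IBAN in the consent")
    if currency != "EUR":
        raise ValueError("only EUR is supported")
    # Assumption (not from the page): positive amount, at most two decimals.
    value = Decimal(str(amount))
    if not value.is_finite() or value <= 0 or value.as_tuple().exponent < -2:
        raise ValueError("amount must be positive with at most two decimals")
    payload = {
        "account": {"iban": normalise_iban(iban)},
        "instructedAmount": {"amount": float(value), "currency": currency},
    }
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")
```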
Delete consent
To delete a confirmation of funds consent, a confirmation of funds consent-id as well as an access_token is required. Please see the previous steps for directions on how to obtain those.
After calling this API, the status of the consent will be set to "terminatedByTpp" and the consent can no longer be used.
Headers
The following headers must be provided
Header | Example | Description |
---|---|---|
Content-Type | application/json | |
Date | Fri, 09 Apr 2021 15:12:16 GMT | The date of the request. |
X-Request-ID | 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 | An identifier chosen by the TPP to identify the request. This id is passed back in the X-Request-ID header of the response |
Authorization | Bearer ACCESS_TOKEN | Replace ACCESS_TOKEN with the access token obtained in a previous step. |
Accept | application/json | |
Digest | SHA-256=spt...rrI | Digest of the body |
Signature | keyId=\"SN=...Yiow==\ | The signature of the request, see Signature setup |
TPP-Signature-Certificate | -----BEGIN CERTIFICATE-----MII...UjY=-----END CERTIFICATE----- | The certificate used to sign the request. |
Perform request
Endpoint | https://api.xs2a.bngbank.nl/api/v1/consents/confirmation-of-funds/CONSENT_ID | Replace CONSENT_ID with the id of a confirmation of funds consent, for example: 2ca1b6b4-82b3-4fe3-a7ea-9ccae9700329 |
Method | DELETE |
If the call was successful, an empty body and status 204 are returned.
For other possible return codes, see the API DOCUMENTATION page.