Memo Bank NextGenPSD2 API allows Third Party Providers to access account information on behalf of customers.
The API follows BerlinGroup NextGenPSD2 Implementation Guidelines as of version 1.3.11.
This document describes our implementation choices and where we have drifted away from the guidelines.
All non-absolute paths described in this document are relative to the base URL of the server (https://api.memo.bank/nextgenpsd2).
For TPPs to be able to make a request on the API, they must follow the onboarding process. For that, they must provide the following elements:
- a logo
- a redirect URI for OAuth2 authentication
- a valid QSealC certificate
In exchange, they will receive:
- a client_secret to be used with OAuth2 authentication
- a username to be used with HTTP Signature authentication
We use OAuth2 as a pre-step to authenticate the PSU.
The access_token has a TTL of 2 hours and the refresh_token has a TTL of 2 weeks.
The TPP should refresh the token before expiration in order to reuse the same consent for the next requests.
Requests must be signed by TPPs using the private key associated with the certificate provided during the onboarding process.
Here is an exhaustive list of headers that must be signed:
- digest (only if the request has a body)
- psu-corporate-id (only if included in the request)
- psu-id (only if included in the request)
- tpp-redirect-uri (only if included in the request)
- x-request-id (only if included in the request)
The special header @request-target should be used in place of (request-target) described in draft-cavage-http-signatures-12.
In the Signature header, a username field must be provided instead of a keyId field. This username is obtained during the onboarding process.
Consent is given during the OAuth2 pre-step authentication and linked to an
Every consent gives access to its accounts' balances and transaction history, with an unlimited usage frequency.
/consents endpoints are not implemented yet.
The API only supports the application/json content type.
In case of a processing error, the API uses the NextGenPSD2-specific solution to give additional error information in the response.
Some errors won't follow this format if they are sent by a proxy between the client and the application. This is the case with most authentication errors as of now.
There is no support for the application/problem+json content type from RFC 7807.
This is the documentation for version
of the API. Last update on Aug 3, 2022.