OAuth2
We follow the standard Authorization Code grant flow from OAuth2 to authenticate a TPP acting on behalf of a PSU.
As an example, in production our URLs are:
- Authorization URL: https://client.memo.bank/authorize
- Token URL: https://api.memo.bank/nextgenpsd2/oauth2/token
- Refresh URL: https://api.memo.bank/nextgenpsd2/oauth2/token
We strongly recommend that you send your requests to these endpoints using application/json or application/x-www-form-urlencoded as content type since query params are considered unsafe.
The access_token has a TTL of 2 hours and the refresh_token has a TTL of 2 weeks.
HTTP Signature
Requests must be signed by TPPs using the private key associated to the certificate provided during the onboarding process.
We follow the draft-cavage-http-signatures-12 to authenticate a TPP.
Here is an exhaustive list of headers that must be signed:
(request-target)(mandatory)authorization(mandatory)date(mandatory)digest(only if the request has a body)host(mandatory)psu-corporate-id(only if included in the request)psu-id(only if included in the request)tpp-redirect-uri(only if included in the request)x-request-id(only if included in the request)