We follow the standard OAuth2 Authorization Code grant to let a TPP obtain tokens for acting on behalf of a PSU.
As an example, in production our URLs are:
- Authorization URL: https://client.memo.bank/authorize
- Token URL: https://api.memo.bank/nextgenpsd2/oauth2/token
- Refresh URL: https://api.memo.bank/nextgenpsd2/oauth2/token
The access_token has a TTL of 2 hours and the refresh_token has a TTL of 2 weeks, so a TPP must use the refresh_token to obtain a new access_token after 2 hours and must send the PSU through the authorization flow again once the refresh_token expires.
Requests must be signed by the TPP using the private key associated with the certificate provided during the onboarding process.
We follow draft-cavage-http-signatures-12 (HTTP Signatures, draft 12) to authenticate a TPP.
keyId shall be formatted as follows (the Berlin Group NextGenPSD2 layout):
SN=XXX,CA=YYYYYYYYYYYYYYYY
where XXX is the serial number of the certificate in hexadecimal coding and
YYYYYYYYYYYYYYYY is the full Distinguished Name of the Certification Authority encoded following RFC 1779.
Here is the exhaustive list of headers that must be signed:
- digest (only if the request has a body)
- psu-corporate-id (only if included in the request)
- psu-id (only if included in the request)
- tpp-redirect-uri (only if included in the request)
- x-request-id (only if included in the request)
The digest header (a SHA-256 of the body, per RFC 3230) is what ties the signature to the request body: a signature that does not cover it only proves that the headers were signed, not that the body arrived unmodified.
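The following is an added example, not code from Memo Bank or the Berlin Group, showing both sides of the scheme described above: a TPP building the keyId, the Digest header and the draft-cavage-12 signing string over exactly the headers listed, then signing with rsa-sha256; and the server rebuilding the signing string from its own required-header list, checking the Digest against the body it actually received, and verifying the signature. The serial number, CA Distinguished Name, request id and redirect URI are constructed stand-ins, and the RSA key is generated in place of the key paired with the onboarding certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

// Headers the API requires in the signature, in signing-string order.
// All but digest are included only when the request carries them.
var signableHeaders = []string{"digest", "psu-corporate-id", "psu-id", "tpp-redirect-uri", "x-request-id"}

// KeyID builds the keyId from the certificate serial (hex) and the CA DN
// in the "SN=XXX,CA=YYYY" layout. Uppercase hex follows the Berlin Group examples.
func KeyID(serial *big.Int, caDN string) string {
	return fmt.Sprintf("SN=%s,CA=%s", strings.ToUpper(serial.Text(16)), caDN)
}

// Digest returns the RFC 3230 Digest header value (SHA-256, base64) for a body.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// SigningString joins the signable headers present in hdrs as "name: value"
// lines separated by "\n" (draft-cavage-http-signatures-12, section 2.3) and
// returns the space-separated list for the headers="..." parameter.
func SigningString(hdrs map[string]string) (string, string) {
	var lines, names []string
	for _, name := range signableHeaders {
		if v, ok := hdrs[name]; ok {
			lines = append(lines, name+": "+v)
			names = append(names, name)
		}
	}
	return strings.Join(lines, "\n"), strings.Join(names, " ")
}

// Sign is the TPP side: it returns the Signature header value using
// rsa-sha256 (RSASSA-PKCS1-v1_5 over SHA-256, as draft 12 defines that name).
func Sign(priv *rsa.PrivateKey, keyID string, hdrs map[string]string) (string, error) {
	toSign, names := SigningString(hdrs)
	h := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		keyID, names, base64.StdEncoding.EncodeToString(sig)), nil
}

// parseParams splits `k="v",k="v"` into a map. Values are read up to the
// closing quote, so the commas and '=' inside keyId's DN do not break parsing.
func parseParams(s string) map[string]string {
	out := map[string]string{}
	for len(s) > 0 {
		eq := strings.IndexByte(s, '=')
		if eq < 0 || eq+1 >= len(s) || s[eq+1] != '"' {
			break
		}
		key, rest := s[:eq], s[eq+2:]
		end := strings.IndexByte(rest, '"')
		if end < 0 {
			break
		}
		out[key] = rest[:end]
		s = strings.TrimPrefix(rest[end+1:], ",")
	}
	return out
}

// Verify is the server side. It rebuilds the signing string from the headers
// the API requires (not from whatever list the client claims), checks the
// Digest against the body actually received, then checks the RSA signature.
func Verify(pub *rsa.PublicKey, sigHeader string, hdrs map[string]string, body []byte) bool {
	p := parseParams(sigHeader)
	expect, names := SigningString(hdrs)
	if p["algorithm"] != "rsa-sha256" || p["headers"] != names {
		return false
	}
	if len(body) > 0 && hdrs["digest"] != Digest(body) {
		return false // body present but not (correctly) covered by digest
	}
	sig, err := base64.StdEncoding.DecodeString(p["signature"])
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(expect))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// newSigningKey stands in for the TPP's private key from onboarding.
func newSigningKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := newSigningKey()
	// Constructed serial and CA DN; a real keyId comes from the onboarding certificate.
	keyID := KeyID(big.NewInt(0x1A2B3C), "CN=Example QTSP CA,O=Example Trust Services,C=FR")
	body := []byte(`{"access":{"accounts":[]}}`)
	hdrs := map[string]string{
		"digest":           Digest(body),
		"tpp-redirect-uri": "https://tpp.example/callback",
		"x-request-id":     "99391c7e-ad88-49ec-a2ad-99ddcb1f7721",
	}
	sigHeader, err := Sign(priv, keyID, hdrs)
	if err != nil {
		panic(err)
	}
	fmt.Println("Signature:", sigHeader)
	fmt.Println("verifies:", Verify(&priv.PublicKey, sigHeader, hdrs, body))
	fmt.Println("verifies with tampered body:", Verify(&priv.PublicKey, sigHeader, hdrs, []byte("{}")))
}
```

Verify deliberately compares the client's headers="..." parameter against the server's own required list rather than trusting it: a client that omits psu-id from the signed set while still sending the header would otherwise get a signature accepted that does not cover that header. Looking the public key up by keyId, checking the certificate chain and revocation, and limiting clock skew are out of scope here.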