![](\"https://i.ibb.co/G7b4tzq/01-Register-Page.png\")
This API document will help to find all the details regarding the PSD2 Integration with the client application.
\nThis document consist of 3 vertical sections:
\nA developer's site has been created to provide an environment which will be a building block to stimulate innovation and start delivering great services for using the Payment Request API and Account Information API.
\nThrough the developer's site, any third party payment service providers (TPP) can register and create PSD2 API Clients to access the deVere APIs for retrieving their customer's account information, fund availability and creating payment requests.
\nOnce you will feel confident enough in your integration, the Developer Site will allow you to submit and publish your apps and integrations.
\n","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[{"content":"What is Developer's Site?","slug":"what-is-developers-site"}],"owner":"7448417","collectionId":"475a0673-a703-4778-9da1-e1aed7061d95","publishedId":"SVmpXhc3","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"3767A0"},"publishDate":"2019-09-10T10:37:54.000Z"},"item":[{"name":"Developer's Site (Sandbox API)","item":[{"name":"User registration & Login","item":[],"id":"1ad218c2-ca6e-4593-b35f-8eefc67aa6f3","description":"For the user registration process, a valid format, existing email address and user pasword should be provided. The Organization/full name field is not mandatory. After successful registration you will be redirected to login page with success message .
\n | \n
|---|
| Registration Page | \n
![](\"https://i.ibb.co/TTTp70x/02-1-Login-Page.png\") | \n
|---|
| Login Page | \n
The user will be redirected to the main welcome page after successful login. On the left-hand side after the login, a menu column is displayed. There are only 2 menu options for this version. To start working with the PSD2 API, the TPP/user needs to get their application (client application) registered and after registration, the client credentials will be provided which will later be used with Oauth2 authorization code grant flow during the token request process.
\n![](\"https://i.ibb.co/WtS2fm9/04-Menu.png\") | \n
|---|
| Menu Item | \n
In the menu option, the 1st option is 'RegisterApplication', which on clicking will redirect the user to the client application add form. In the form, the user needs to fill in the mandatory fields for application details such as Application Name, Oauth Redirect URL, Authorization Number and Organization Name. The Application Name could be any text and an OAuth Redirect URL is a URL that the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Since the redirect URL will contain sensitive information, it is critical that the service doesn't redirect the user to arbitrary locations. The user has to use the same URL with third-party OAuth client during the authorization process. An OAuth error will occur if any mismatched URLs are used.
\n![](\"https://i.ibb.co/R61k0Wr/05-Application-Details.png\") | \n
|---|
| Application Details | \n
The certificate details section provides functionality for TPP QWAC, QSEAL self-signed certificate generation for testing purpose. Authorization field is the field which identifies TPP by the authorization number given by the local authority. It could consist of alphanumeric values. Other fields should be filled based on their requirement rules. A validity field is pre-filled with default 365 days value. This means that certificate after generation will be valid one year or 365 calendar days. After that period it should be regenerated again. The last step a user has to do is to choose certificate service roles. There are three roles (AISP, PISP, PIISP) which user can choose to include into a certificate. Every role gives a TPP client applications right to access to a certain group of endpoints. Deselecting service role will restrict access to related endpoints.
\n![](\"https://i.ibb.co/BfP1kKN/06-Certificate-Details.png\") | \n
|---|
| Certificate Details | \n
After submitting the form, certificate data will be saved for later use and the certificate with the private key will be displayed in the next window. You can copy or download certificate with private key values directly to the PC. The content of the certificate is not saved to backend it is only generated in memory for a current timestamp. Next time you will generate certificate it will be different and validation time will be counted from current generation timestamp. Generated certificate should be passed in mTLS transport layer.
\n![](\"https://i.ibb.co/4stv4gQ/07-Submit.png\") | \n
|---|
| Generated Certificate Page | \n
In the menu option, the 2nd option is 'View Applications', which on clicking will redirect user to the Registered Applications page. The user will be able to view the names of all the registered applications.
\n![](\"https://i.ibb.co/Yct9RmW/View-Applications.png\") | \n
|---|
| Registered Applications | \n
A developer's site has been created to provide an environment which will be a building block to stimulate innovation and start delivering great services for using the Payment Request API and Account Information API. Through the developer's site, any third party payment service providers (TPP) can register and create PSD2 API Clients to access the deVere APIs for retrieving their customer's account information, fund availability and creating payment requests. The developer's site can be accessed via deVere Vault PSD2 Integration link.
\n","event":[{"listen":"prerequest","script":{"id":"4d05c905-33cc-4c58-af5a-92666bd2614b","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"e9b70de8-093a-4876-b8b7-bb27c892bb3b","type":"text/javascript","exec":[""]}}],"_postman_id":"f41c3292-b316-44bc-8e07-1ac8c6050529"},{"name":"Production / Sandbox URL","item":[],"id":"a58309a8-6fa9-4b54-ba6e-b2fa5cbf109a","description":"| Production: | \nhttps://psd2.devere-vault.com | \n
| Sandbox: | \nhttps://psd2testcert.devere-vault.com | \n
| Production: | \nhttps://psd2.devere-vault.com/auth/.well-known/openid-configuration | \n
| Sandbox: | \nhttps://psd2testcert.devere-vault.com/.well-known/openid-configuration | \n
The 'Authorization Endpoint' is responsible for client authorization.
\nParams
\n| Key | \nMandatory/Optional | \nDescription | \n
| response_type | \nmandatory | \n\"code“ is only supported as response type | \n
| client_id | \nmandatory | \nGenerated application clientId from developer‘s site\n | \n
| scope | \nmandatory | \nScope should be the same as in developer‘s site | \n
| state | \nmandatory | \nA dynamical value set by the TPP and used to prevent XSRF attacks. | \n
| redirect_uri | \nmandatory | \nthe URI of the TPP where the OAuth2server is redirecting the Payment service user agent after the authorization. | \n
Executing the authorization call will redirect the client app to the login form where the user has to authorize themselves by entering one of the credentials. After successful user authorization client app will be redirected to the redirect_uri parameter URL with code and state parameters (?code=&state=). After this step TPP can request token by calling token issuing endpoint.
\n","urlObject":{"path":["auth","oauth","authorization"],"query":[],"variable":[]}},"response":[{"id":"364947c4-d936-431d-b8e7-506a7481cd46","name":"Sample Authorization Call ","originalRequest":{"method":"GET","header":[],"body":{"mode":"formdata","formdata":[]},"url":{"raw":"https://psd2.devere-vault.com/auth/oauth/authorization?response_type=code&client_id=585e1755-a184-4752-acfe-80f654c9bbcd&scope=accounts&state=5f5f69166666e3b4fa043860b54c69603e179d6bdcad423f5a56ccd530f84662&redirect_uri=https://psd2.devere-vault.com/login","protocol":"https","host":["psd2","devere-vault","com"],"path":["auth","oauth","authorization"],"query":[{"key":"response_type","value":"code"},{"key":"client_id","value":"585e1755-a184-4752-acfe-80f654c9bbcd"},{"key":"scope","value":"accounts"},{"key":"state","value":"5f5f69166666e3b4fa043860b54c69603e179d6bdcad423f5a56ccd530f84662"},{"key":"redirect_uri","value":"https://psd2.devere-vault.com/login"}]}},"_postman_previewlanguage":null,"header":[],"cookie":[],"responseTime":null,"body":null},{"id":"7540ee50-7b1d-4773-b844-c6ef90369087","name":"Authorization call format","originalRequest":{"method":"GET","header":[],"body":{"mode":"formdata","formdata":[]},"url":{"raw":"https://psd2.devere-vault.com/auth/oauth/authorization?response_type=code&client_id=The 'Token Endpoint' allows the client to get an access token.
\nParams
\n| Key | \nMandatory/Optional | \nDescription | \n
| grant_type | \nmandatory | \n\"authorization_code\" is only supported as grant type | \n
| client_id | \nmandatory | \nGenerated application clientId from developer‘s site\n | \n
| client_secret | \nmandatory | \nGenerated client secret from developer‘s site. | \n
| code | \nmandatory | \nA code that has been received by redirect_uri parameter. | \n
| redirect_uri | \nmandatory | \nthe URI of the TPP where the OAuth2server is redirecting the Payment service user agent after the authorization. | \n
After authorizing request call client\nwill be redirected to ASPSP login page where PSU‘s has to enter their credentials. During this stage, PSU has\nto authorize themselves.
\n","urlObject":{"path":["auth","oauth","token"],"query":[],"variable":[]}},"response":[{"id":"96b83e5c-bac4-4fae-bec7-8c7ac155af1a","name":"Token Call ","originalRequest":{"method":"POST","header":[{"key":"Content-Type","value":" application/x-www-form-urlencoded","type":"text"},{"key":"Authorization","value":" Basic Base64_encoded_string(clientId:clientSecret)","type":"text"}],"body":{"mode":"formdata","formdata":[]},"url":{"raw":"https://psd2.devere-vault.com/auth/oauth/token?grant_type=authorization_code&client_id=If client wants to get access to PSD2 API it should pass Authorization HTTP header parameter in every request. Authorization header contains bearer token issued by the oauth server. Before accessing Oauth server client has to register client application. After registering application client will get clientId and clientSecret params. These params should be passed to the Oauth server‘s /authorization and /token endpoints
\n","_postman_id":"2d9c0915-1575-45f6-ae0b-2656df990d47"},{"name":"Account Information Service (AIS) ","item":[{"name":"Consent API","id":"5a715209-1870-4456-92aa-eaf38e7a295b","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"bearer","bearer":{"basicConfig":[{"key":"token","value":"{{token}}"}]},"isInherited":false},"method":"POST","header":[],"body":{"mode":"raw","raw":"{\n \"access\": {\n \"accounts\": [],\n \"balances\": [],\n \"transactions\": []\n },\n \"frequencyPerDay\": 10,\n \"recurringIndicator\": true,\n \"validUntil\": \"2020-10-10\"\n}"},"url":"/auth/v1/consents","description":"Header
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nmandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nmandatory | \nauthorization bearer token | \n
| TPP-Redirect-Preferred | \nMandatory | \nIt should be Yes. The TPP prefers a redirect over an embedded SCA approach. | \n
| TPP-Redirect-URI | \nMandatory | \nIt should be yes, as it is a SCA Approach (including OAuth2 SCA approach) | \n
| Content-Type | \noptional | \nContent type application/json | \n
Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nmandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nmandatory | \nauthorization bearer token | \n
Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nMandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nMandatory | \nAuthorization bearer token | \n
| Consent-ID | \nMandatory | \nThe Consent ID of the customer | \n
Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nmandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nmandatory | \nauthorization bearer token | \n
| Consent-ID | \nMandatory | \nThe Consent ID of the customer | \n
Params
\n| Key | \nMandatory/Optional | \nDescription | \n
| account-Id | \nMandatory | \nAccount number of the user | \n
Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nmandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nmandatory | \nauthorization bearer token | \n
| Consent-ID | \nMandatory | \nThe Consent ID of the customer | \n
Params
\n| Key | \nMandatory/Optional | \nDescription | \n
| account-id | \nMandatory | \nAccount number of the user | \n
Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nmandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nmandatory | \nauthorization bearer token | \n
| Consent-ID | \nMandatory | \nThe Consent ID of the customer | \n
Params
\n| Key | \nMandatory/Optional | \nDescription | \n
| account-id | \nMandatory | \nAccount number of the user | \n
The AIS allows to perform the following regarding the account information:
\nThe first step of PSD2 API is to establish account information consent for account data exchange process. An AIS role is required for accessing the endpoints.
\n","event":[{"listen":"prerequest","script":{"id":"00f38529-a485-42ce-b6bf-32b4cd6f99ce","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"66f54823-1f82-4f36-9e52-5a3e68be8eb1","type":"text/javascript","exec":[""]}}],"_postman_id":"69630f70-72d3-42fd-85a2-22610ad1c792"},{"name":"Consent Authorization","item":[],"id":"f551d423-e937-4f48-8d0d-cd8473c326c1","description":"During this approach TPP has to send Tpp-Redirect-Preffered header set to true. This means that consent\nwill be authorized in redirect approach. Also, there are two ways how consent authorization object will be\ncreated in redirect manner: implicit and explicit. Implicit method will create authorization object during\ncreate consent call. No sequential calls are needed. A scaRedirect steering link will be added to the create\nconsent JSON response. Following this redirect link a PSU will be redirect to the deVere Vault consent summary and SCA selection and approval form where PSU has to enter their PIN2 credentials. Also, Aspsp-Sca-Approach:\nREDIRECT header will be added to the response.
\n![](\"https://i.ibb.co/CmL7HtN/Consent-Authorisation.png\") | \n
|---|
| Consent Authorization | \n
Using explicit method TPP will have to make additional call for consent authorization object creation. A\nseparate call start the authorisation process for a consent will create consent authorization object and\nreturn scaRedirect steering link inside JSON response. Same as in implicit method following this redirect link\nwill redirect PSU to the deVere Vault consent summary and SCA selection, approval form. It’s highly recommended\nto use implicit method with SCA redirect approach.
\n","event":[{"listen":"prerequest","script":{"id":"a66bfba6-a117-40d0-808c-905bca6141aa","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"ab545547-0302-41dc-ba2a-6f52e421f5e2","type":"text/javascript","exec":[""]}}],"_postman_id":"f551d423-e937-4f48-8d0d-cd8473c326c1"},{"name":"Payment Initiation Service (PIS)","item":[{"name":"SEPA-Credit-Transfer (Initiation)","id":"6f0bbb4b-e89a-4126-8d91-6c20fa00ac36","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[],"body":{"mode":"raw","raw":"{\r\n\t\"entityType\":\"business\",\r\n\t\"debtorAccount\":\r\n\t{\r\n\t\t \"currency\":\"EUR\",\r\n\t\t \"iban\":\"123522522\"\r\n\t},\r\n \"instructedAmount\":\r\n {\r\n \t\"amount\":0.36,\r\n \t\"currency\":\"EUR\"\r\n },\r\n \"creditorAccount\":\r\n {\r\n \t\"firstName\":\"ram\",\r\n \t\"lastName\":\"raj\",\r\n \t\"accountHolderName\":\"xyz\",\r\n \t\"companyName\":\"test\",\r\n \"currency\":\"EUR\",\r\n \"iban\":\"1854512\",\r\n \"BIC/Swift\":\"XYZ123\",\r\n \"mobileCountryCode\":\"+91\",\r\n \"mobileNumber\":\"990855454\",\r\n \"emailAddress\":\"Robert@yopmail.com\"\r\n },\r\n \r\n \"creditorAddress\":\r\n {\r\n \"addressLine1\":\"test1\",\r\n \t\"addressLine2\":\"\",\r\n \t\"city\":\"test2\",\r\n \t\"country\":\"United Kingdom\",\r\n \t\"postalCode\":\"50407\"\r\n\t},\r\n \"transferReason\":\"Account deposit\",\r\n \"transferReference\":\"From my account \"\r\n}"},"url":"/api/v1/payments/sepa-credit-transfers","description":"Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nMandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nMandatory | \nauthorization bearer token | \n
| TPP-Signature-Certificate | \nMandatory | \nTPP QSEAL/QWAC certificate | \n
| Content-Type | \nOptional | \nContent type application/json | \n
| PSU-IP-Address | \nMandatory | \nThe forwarded IP Address header field consists of thecorresponding HTTP request IP Address field between PSU and TPP. If not available, the TPP shall use the IP Address used by the TPP when submitting this request. | \n
| TPP-Redirect-Preferred | \nMandatory | \nIt should be Yes. The TPP prefers a redirect over an embedded SCA approach. | \n
| TPP-Nok-Redirect-URI | \nOptional | \nIf this URI is contained, the TPP is asking to redirect the transaction flow to this address instead of the TPP-RedirectURI in case of a negative result | \n
| TPP-Redirect-URI | \nMandatory | \nIt should be yes, as it is a SCA Approach (including OAuth2 SCA approach) | \n
Request Body
\n| Key | \nMandatory/Optional | \nDescription | \n
| entityType | \nMandatory | \nThe transfer type: Individual or Business | \n
| currency (debtorAccount) | \n Mandatory | \nThe currency of the Debtor. This will be an element of debtorAccount | \n
| iban (debtorAccount) | \n Mandatory | \nThe IBAN number of the Debtor. This will be an element of debtorAccount | \n
| amount (instructedAmount) | \n Mandatory | \nThe amount for the instructed payment. This will be an element of the instructedAmount | \n
| currency (instructedAmount) | \n Mandatory | \nThe currency for the instructed payment. This will be an element of the instructedAmount | \n
| firstName (creditorAccount) | \n Conditional | \nFirst name of the Creditor. If the entityType is 'individual' the it will be Mandatory else it will be optional. This will be an element of creditorAccount | \n
| lastName (creditorAccount) | \n Conditional | \nLast name of the Creditor.If the entityType is 'individial' then it will be Mandatory else it will be Optional.This will be an element of creditorAccount | \n
| accountHolderName (creditorAccount) | \n Mandatory | \nAccount holder name of the Creditor. This will be an element of creditorAccount | \n
| companyName (creditorAccount) | \n Conditional | \nCompany name of the Creditor. If the entityType is 'Business' then it will be Mandatory else it will be Optional. This will be an element of creditorAccount | \n
| currency (creditorAccount) | \n Mandatory | \nCurrency of the payment to be done for the Creditor. This will be an element of creditorAccount | \n
| iban (creditorAccount) | \n Mandatory | \nIBAN of the Creditor. This will be an element of creditorAccount | \n
| BIC/Swift (creditorAccount) | \n Mandatory | \nBIC Swift of the Creditor. This will be an element of creditorAccount | \n
| mobileCountryCode (creditorAccount) | \n Optional | \nMobile Country Code of the Creditor. This will be an element of creditorAccount | \n
| mobileNumber (creditorAccount) | \n Optional | \nMobile number of the Creditor. This will be an element of creditorAccount | \n
| emailAddress (creditorAccount) | \n Optional | \nEmail address of the Creditor. This will be an element of creditorAccount | \n
| addressLine1 (creditorAddress) | \n Mandatory | \nAddress details of the creditor. This will be an element of creditorAddress | \n
| addressLine2 (creditorAddress) | \n Optional | \nAdditional Address details of the creditor. This will be an element of creditorAddress | \n
| city (creditorAddress) | \n Mandatory | \nCity of the creditor. This will be an element of creditorAddress | \n
| country (creditorAddress) | \n Mandatory | \nCountry of the creditor. This will be an element of creditorAddress | \n
| postalCode (creditorAddress) | \n Mandatory | \nPostal Code of the creditor. This will be an element of creditorAddress | \n
| transferReason | \nMandatory | \nReason for transfer Options: - Account - load - Bill Payment - Deposit for purchase - Deposit for Services - Family Emergency - Funds for Family - Money for a friend - Others | \n
| transferReference | \nMandatory | \nReference for the transfer | \n
Response Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nMandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nMandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nMandatory | \nauthorization bearer token | \n
Params
\n| Key | \nMandatory/Optional | \nDescription | \n
| payment-Id | \nMandatory | \nPayment ID of the payment transaction. | \n
Response Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nMandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nMandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
| Authorization | \nMandatory | \nauthorization bearer token | \n
Params
\n| Key | \nMandatory/Optional | \nDescription | \n
| payment-Id | \nMandatory | \nPayment ID of the payment transaction. | \n
Response Headers
\n| Key | \nMandatory/Optional | \nDescription | \n
| X-Request-ID | \nMandatory | \nID of the request, unique to the call, as determined by the initiating party | \n
The PIS will be used to Initiate a single payment transaction.
\n","event":[{"listen":"prerequest","script":{"id":"fdc5b803-d844-4ec1-82e1-71ba3f443dc3","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"0881044a-e840-4db8-bce3-1e0bc4e9631b","type":"text/javascript","exec":[""]}}],"_postman_id":"f6668be0-1a04-4b07-89ad-34bb740ca4ed"},{"name":"Errors","item":[],"id":"cc2bc1bd-0f19-4a64-9ce3-717f9e8ca86c","description":"The API uses the following error codes:
\n| Code\n | Meaning\n |
| 400 | \nBad Request - Your request is invalid | \n
| 401 | \nUnauthorized - Your API key is wrong | \n
| 403 | \nForbidden - Access to the requested resource or action is forbidden | \n
| 404 | \nNot Found - The requested resource could not be found | \n
| 405 | \nMethod Not Allowed - You tried to access an endpoint with an invalid method | \n
| 406 | \nNot Acceptable - You requested a format that isn't JSON | \n
| 429 | \nToo Many Requests - You're sending too many requests | \n
| 500 | \nInternal Server Error - We had a problem with our server. Try again later | \n
| 503 | \nService Unavailable -- We're temporarily offline for maintenance. Please try again later | \n