Quick Start Guide

How developers can simply start consuming secured Open Banking APIs

Overview

This guide walks you through the WSO2 Open Banking solution.

If you want to start from scratch by creating your own application, start from STEP 1 - Create an Application. If not, start from the STEP 2 - Subscribe to APIs section where you can use our default application.

AISP flow

STEP 1: Create an Application

  1. In the main menu, go to Try Developer Portal > App (Sandbox) - UK.

  2. If you already have a user account at wso2.com click Sign in. Else, click Sign-up to create an account.

    • When you create an account, provide a valid phone number with the country code to complete the two factor authentication, for example, +44 xxx xxx xxxx for a UK phone number.
    • Once you create and verify the user account at wso2.com, use those credentials to sign in to WSO2 Open Banking App (Sandbox) - UK.
  3. In the left menu, click Applications to see all the applications. NOTE: WSO2 Open Banking comes with a sample application named DefaultApplication.

  4. Click Add Application.

    • Enter a name for the application.
    • Set the Throttling Tier.

    NOTE: You can select an SLA via the dropdown. By default, this value is set to unlimited. If you do not select an SLA, the default SLA value is applied.

    • Add a brief description of the application.

    • Click Add.


STEP 2: Subscribe to APIs

  1. In the left menu, click APIs to see all available APIs.

    The API store displays all available APIs. These APIs can be consumed by AISPs and PISPs. Some APIs require proper authorisation and consumer consent to provide data.

  2. Browse the Accounts and Transaction API.

  3. To subscribe to the API:

    • Select the application you created in STEP 1 from the Applications drop-down.
    • Set the Tiers accordingly.
    • Click Subscribe.

    NOTE: If you did not create your own application, select DefaultApplication.


STEP 3: Authentication

The APIs are secured using the OAuth2.0 protocol. In order to invoke secured APIs, you should submit a valid OAuth2.0 token with required authorisation levels. Depending on the security requirements, we use the Authorization Code grant type and Client Credentials grant type to generate access tokens.

In this guide, the application directs the consumer to the website of the customer’s bank to perform authentication, delegate authorisation, and get consent for the application to retrieve data or perform a transaction on the consumer’s account.


Generate keys

The application requires a Client ID (Consumer Key) and a Client Secret (Consumer Secret) to access the subscribed APIs.

  1. Go to the Applications tab.

  2. Choose your application from the Application List and go to the Sandbox Keys tab to generate access tokens in the sandbox environment.

  3. Provide the requested information as defined below:

    • Grant Types: Determine the credentials used to generate the access token. You may use the selected default Grant Types.

    • Callback URL: The URL used by the application to receive the authorisation code sent from the bank. The authorisation code can be used later to generate an OAuth2 access token.

    • Scopes: The access tokens required for accessing the APIs must have relevant scopes. The drop-down contains the scopes available for the APIs, the application has subscribed for. For an AISP application, set this value to accounts.
      NOTE: An application access token can have multiple scopes.

    • Access token validity period: By default, the token validity periods are set to 3600 seconds.

    • Application Certificate: To validate whether the TPP is registered in a governing entity. You can download a sample application certificate from here. Copy the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate.

  4. Click Generate Keys.

NOTE: Follow the above steps to regenerate the access token.


Create a new consent

  1. In the left menu, click APIs.

  2. Select the Accounts and Transaction API.

  3. Go to the API Console tab.

    • Select your application from the drop-down lists.
    • Select Sandbox as the environment.
    • The request header is set by the API Store.
  4. Mutual Transport Layer Security (MTLS) is a protocol recommended by the Open Banking Implementation Entity. In the WSO2 Open Banking solution, MTLS is enforced by using handlers in order to ensure that the authenticated client uses the pre-registered transport certificate to communicate with APIs.

    • To invoke the APIs in the demo, download the certificate available here and import it into your web browser.
  5. Create a consent using the POST /account-access-consents resource. Use the Try it out option.

    • Replace the request payload with the sample payload available here.
    • Set the x-fapi-financial-id value to open-bank.
  6. Click Execute to create a consent resource. If the creation is successful, the response body will contain a unique ID for the consent named ConsentId.


This step explains authorising account consents. The AISP redirects the bank customer to authenticate and approve/deny application-provided consents.

  1. In the left menu, click APIs and browse the Authorize API.

  2. Go to the API Console tab and click Generate signed request.

  3. Fill the expanded form.

    • Client ID: The Consumer Key of the application.
    • Scopes: To invoke the Accounts API, set the value as accounts openid.
    • Redirect URI: The Callback URL of the application.
    • Consent ID: The unique ID of the consent resource created in STEP 3.
    • Use the default values for the State, Nonce, and Response type fields.
  4. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  5. To obtain an authorization code use the Try it out option.

    • Copy the response_type, client_id, scope, redirect_uri, state, and nonce values from the form above.
    • Fill the request field with the Generated token.

    • Click Execute to generate the Request URL.
  6. Copy the Request URL to a browser. You are redirected to a login page, sign in using the credentials of your WSO2 account.

  7. As SMSOTP is configured as the second step of Two-factor authentication, enter the code sent to your mobile phone.

  8. Upon successful authentication, the PSU is redirected to the consent management page.

  9. PSU needs to select the accounts to which the consent is granted; click Approve.

  10. The browser is redirected to the redirect URL of the application and an authorization code is generated. Note down the authorization code.



Generate user access token

  1. In the left menu, click APIs and browse the Token API.

  2. Go to the API Console tab and click Generate signed request.

  3. Fill the expanded form.

    • Client ID: The Consumer Key of the application.
  4. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  5. To obtain an OAuth2 access token use the Try it out option.

    • The value of grant_type field should be authorization_code.
    • Set the scope to accounts.
    • code is the authorization code generated in the above step.
    • redirect_uri should be the Callback URL of the application.
    • client_id is the Consumer Key of the application.
    • Set the client_assertion_type to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
    • client_assertion is the Generated token in the Generate client assertion form.
  6. Click Execute. Note down the user access token in the response.


STEP 5: Consume APIs

  1. In the left menu, click APIs.

  2. Browse the Accounts and Transaction API.

  3. Go to the API Console tab.

    • Select your application from the drop-down lists.
    • Select Sandbox as the environment.
    • Replace the token in the request header with the user access token obtained in STEP 4.
  4. Invoke the submission resources using the Try It Out option.

    For example, retrieve the accounts using the GET /accounts resource.

    • Select the resource and click Try It Out.

    • Set the x-fapi-financial-id value to open-bank.
    • Click Execute to retrieve a full list of accounts that the PSU has authorised the AISP to access.

PISP flow

STEP 1: Create an Application

  1. In the main menu, go to Try Developer Portal > App (Sandbox) - UK.

  2. If you already have a user account at wso2.com click Sign in. Else, click Sign-up to create an account.

    • When you create an account, provide a valid phone number with the country code to complete the two factor authentication, for example, +44 xxx xxx xxxx for a UK phone number.
    • Once you create and verify the user account at wso2.com, use those credentials to sign in to WSO2 Open Banking App (Sandbox) - UK.
  3. In the left menu, click Applications to see all the applications. NOTE: WSO2 Open Banking comes with a sample application named DefaultApplication.

  4. Click Add Application.

    • Enter a name for the application.
    • Set the Throttling Tier.

    NOTE: You can select an SLA via the dropdown. By default, this value is set to unlimited. If you do not select an SLA, the default SLA value is applied.

    • Add a brief description of the application.

    • Click Add.


STEP 2: Subscribe to APIs

  1. In the left menu, click APIs to see all available APIs.

    The API store displays all available APIs. These APIs can be consumed by AISPs and PISPs. Some APIs require proper authorisation and consumer consent to provide data.

  2. Browse the Payment Initiation API.

  3. To subscribe to the API:

    • Select the application you created in STEP 1 from the Applications drop-down.
    • Set the Tiers accordingly.
    • Click Subscribe.

    NOTE: If you did not create your own application, select DefaultApplication.


STEP 3: Authentication

The APIs are secured using the OAuth2.0 protocol. In order to invoke secured APIs, you should submit a valid OAuth2.0 token with required authorisation levels. Depending on the security requirements, we use the Authorization Code grant type and Client Credentials grant type to generate access tokens.

In this guide, the application directs the consumer to the website of the customer’s bank to perform authentication, delegate authorisation, and get consent for the application to retrieve data or perform a transaction on the consumer’s account.


Generate keys

The application requires a Client ID (Consumer Key) and a Client Secret (Consumer Secret) to access the subscribed APIs.

  1. Go to the Applications tab.

  2. Choose your application from the Application List and go to the Sandbox Keys tab to generate access tokens in the sandbox environment.

  3. Provide the requested information as defined below:

    • Grant Types: Determine the credentials used to generate the access token. You may use the selected default Grant Types.

    • Callback URL: The URL used by the application to receive the authorisation code sent from the bank. The authorisation code can be used later to generate an OAuth2 access token.

    • Scopes: The access tokens required for accessing the APIs must have relevant scopes. The drop-down contains the scopes available for the APIs, the application has subscribed for. For a PISP application, set this value to payments.
      NOTE: An application access token can have multiple scopes.

    • Access token validity period: By default, the token validity periods are set to 3600 seconds.

    • Application Certificate: To validate whether the TPP is registered in a governing entity. You can download a sample application certificate from here. Copy the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate.

  4. Click Generate Keys.

NOTE: Follow the above steps to regenerate the access token.


Create a new consent

  1. In the left menu, click APIs.

  2. Browse the Payment Initiation API.

  3. Go to the API Console tab.

    • Select your application from the drop-down lists.
    • Select Sandbox as the environment.
    • The request header is set by the API Store.
  4. Click Generate JWS signature to expand the form. Provide the requested information as defined below:

    • Client ID: The Consumer Key of the application.
    • Payload: The payload of the create consent request. A sample payload is available here.
  5. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  6. Mutual Transport Layer Security (MTLS) is a protocol recommended by the Open Banking Implementation Entity. In the WSO2 Open Banking solution, MTLS is enforced by using handlers in order to ensure that the authenticated client uses the pre-registered transport certificate to communicate with APIs.

    • To invoke the APIs in the demo, download the certificate available here and import it into your web browser.
  7. For example, create a Domestic Payment Consent using the POST /domestic-payment-consents resource.

    • Use the Try it out option.

    • Replace the request payload with the sample payload available here.
    • Every request will be processed only once per x-idempotency-key. This needs to be a unique value.
    • Set the x-fapi-financial-id value to open-bank.
    • The x-jws-signature is the JWS signature of the request payload generated in Generate JWS signature.
  8. Click Execute to create a consent resource. If the creation is successful, the response body will contain a unique ID for the consent named ConsentId.


This step explains authorising payment consents. The PISP redirects the bank customer to authenticate and approve/deny application-provided consents.

  1. In the left menu, click APIs and browse the Authorize API.

  2. Go to the API Console tab and click Generate signed request.

  3. Fill the expanded form.

    • Client ID: The Consumer Key of the application.
    • Scopes: To invoke the Payments API, set the value as payments openid.
    • Redirect URI: The Callback URL of the application.
    • Consent ID: The unique ID of the consent resource created in STEP 3.
    • Use the default values for the State, Nonce, and Response type fields.
  4. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  5. To obtain an authorization code use the Try it out option.

    • Copy the response_type, client_id, scope, redirect_uri, state, and nonce values from the form above.
    • Fill the request field with the Generated token.

    • Click Execute to generate the Request URL.
  6. Copy the Request URL to a browser. You are redirected to a login page, sign in using the credentials of your WSO2 account.

  7. As SMSOTP is configured as the second step of Two-factor authentication, enter the code sent to your mobile phone.

  8. Upon successful authentication, the PSU is redirected to the consent management page.

  9. Since the sample payload contains the debtor account details the PSU only needs to grant the consent; click Approve.

  10. The browser is redirected to the redirect URL of the application and an authorization code is generated. Note down the authorization code.



Generate user access token

  1. In the left menu, click APIs and browse the Token API.

  2. Go to the API Console tab and click Generate signed request.

  3. Fill the expanded form.

    • Client ID: The Consumer Key of the application.
  4. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  5. To obtain an OAuth2 access token use the Try it out option.

    • The value of grant_type field should be authorization_code.
    • Set the scope to payments.
    • code is the authorization code generated in the above step.
    • redirect_uri should be the Callback URL of the application.
    • client_id is the Consumer Key of the application.
    • Set the client_assertion_type to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
    • client_assertion is the Generated token in the Generate client assertion form.
  6. Click Execute. Note down the user access token in the response.


STEP 5: Consume APIs

  1. In the left menu, click APIs.

  2. Browse the Payment Initiation API.

  3. Go to the API Console tab.

    • Select your application from the drop-down lists.
    • Select Sandbox as the environment.
    • Replace the token in the request header with the user access token obtained in STEP 4.
  4. Click Generate JWS signature to expand the form. Provide the requested information as defined below:

    • Client ID: The Consumer Key of the application.
    • Payload: The payload of the create payment resource request. A sample payload is available here. Replace the value of ConsentId with the payment consent generated in STEP 3.

  5. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  6. Invoke the submission resources using the Try It Out option.

    For example, create a Domestic Payment using the POST /domestic-payments resource.

    • Select the resource and click Try It Out.

    • Replace the request payload with the sample payload available here. Update the value of ConsentId with the payment consent generated in STEP 3.
    • Every request will be processed only once per x-idempotency-key. This needs to be a unique value.
    • Set the x-fapi-financial-id value to open-bank.
    • The x-jws-signature is the JWS signature of the request payload generated in Generate JWS signature.
  7. Click Execute to create a Domestic Payment resource. If the creation is successful, the response will contain a unique ID for the payment resource.

CBPII flow

STEP 1: Create an Application

  1. In the main menu, go to Try Developer Portal > App (Sandbox) - UK.

  2. If you already have a user account at wso2.com click Sign in. Else, click Sign-up to create an account.

    • When you create an account, provide a valid phone number with the country code to complete the two factor authentication, for example, +44 xxx xxx xxxx for a UK phone number.
    • Once you create and verify the user account at wso2.com, use those credentials to sign in to WSO2 Open Banking App (Sandbox) - UK.
  3. In the left menu, click Applications to see all the applications. NOTE: WSO2 Open Banking comes with a sample application named DefaultApplication.

  4. Click Add Application.

    • Enter a name for the application.
    • Set the Throttling Tier.

    NOTE: You can select an SLA via the dropdown. By default, this value is set to unlimited. If you do not select an SLA, the default SLA value is applied.

    • Add a brief description of the application.

    • Click Add.


STEP 2: Subscribe to APIs

  1. In the left menu, click APIs to see all available APIs.

    The API store displays all available APIs. These APIs can be consumed by CBPIIs. Some APIs require proper authorisation and consumer consent to provide data.

  2. Browse the Confirmation Of Funds API.

  3. To subscribe to the API:

    • Select the application you created in STEP 1 from the Applications drop-down.
    • Set the Tiers accordingly.
    • Click Subscribe.

    NOTE: If you did not create your own application, select DefaultApplication.


STEP 3: Authentication

The APIs are secured using the OAuth2.0 protocol. In order to invoke secured APIs, you should submit a valid OAuth2.0 token with required authorisation levels. Depending on the security requirements, we use the Authorization Code grant type and Client Credentials grant type to generate access tokens.

In this guide, the application directs the consumer to the website of the customer’s bank to perform authentication, delegate authorisation, and get consent for the application to retrieve data or perform a transaction on the consumer’s account.


Generate keys

The application requires a Client ID (Consumer Key) and a Client Secret (Consumer Secret) to access the subscribed APIs.

  1. Go to the Applications tab.

  2. Choose your application from the Application List and go to the Sandbox Keys tab to generate access tokens in the sandbox environment.

  3. Provide the requested information as defined below:

    • Grant Types: Determine the credentials used to generate the access token. You may use the selected default Grant Types.

    • Callback URL: The URL used by the application to receive the authorisation code sent from the bank. The authorisation code can be used later to generate an OAuth2 access token.

    • Scopes: The access tokens required for accessing the APIs must have relevant scopes. The drop-down contains the scopes available for the APIs, the application has subscribed for. For a CBPII application, set this value to fundsconfirmations.
      NOTE: An application access token can have multiple scopes.

    • Access token validity period: By default, the token validity periods are set to 3600 seconds.

    • Application Certificate: To validate whether the TPP is registered in a governing entity. You can download a sample application certificate from here. Copy the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate.

  4. Click Generate Keys.

NOTE: Follow the above steps to regenerate the access token.


Create a new consent

  1. In the left menu, click APIs.

  2. Browse the Confirmation Of Funds API.

  3. Go to the API Console tab.

    • Select your application from the drop-down lists.
    • Select Sandbox as the environment.
    • The request header is set by the API Store.
  4. Mutual Transport Layer Security (MTLS) is a protocol recommended by the Open Banking Implementation Entity. In the WSO2 Open Banking solution, MTLS is enforced by using handlers in order to ensure that the authenticated client uses the pre-registered transport certificate to communicate with APIs.

    • To invoke the APIs in the demo, download the certificate available here and import it into your web browser.
  5. Create a consent using the POST /funds-confirmation-consents resource. Use the Try it out option.

    • Replace the request payload with the sample payload available here.
    • Set the x-fapi-financial-id value to open-bank.
  6. Click Execute to create a consent resource. If the creation is successful, the response body will contain a unique ID for the consent named ConsentId.


This step explains authorising account consents. The AISP redirects the bank customer to authenticate and approve/deny application-provided consents.

  1. In the left menu, click APIs and browse the Authorize API.

  2. Go to the API Console tab and click Generate signed request.

  3. Fill the expanded form.

    • Client ID: The Consumer Key of the application.
    • Scopes: To invoke the Accounts API, set the value as fundsconfirmation openid.
    • Redirect URI: The Callback URL of the application.
    • Consent ID: The unique ID of the consent resource created in STEP 3.
    • Use the default values for the State, Nonce, and Response type fields.
  4. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  5. To obtain an authorization code use the Try it out option.

    • Copy the response_type, client_id, scope, redirect_uri, state, and nonce values from the form above.
    • Fill the request field with the Generated token.

    • Click Execute to generate the Request URL.
  6. Copy the Request URL to a browser. You are redirected to a login page, sign in using the credentials of your WSO2 account.

  7. As SMSOTP is configured as the second step of Two-factor authentication, enter the code sent to your mobile phone.

  8. Upon successful authentication, the PSU is redirected to the consent management page.

  9. PSU needs to select the accounts to which the consent is granted; click Approve.

  10. The browser is redirected to the redirect URL of the application and an authorization code is generated. Note down the authorization code.



Generate user access token

  1. In the left menu, click APIs and browse the Token API.

  2. Go to the API Console tab and click Generate signed request.

  3. Fill the expanded form.

    • Client ID: The Consumer Key of the application.
  4. Click Generate.

    NOTE: Once you generate a signed request, you can simply regenerate by clicking Regenerate.

  5. To obtain an OAuth2 access token use the Try it out option.

    • The value of grant_type field should be authorization_code.
    • Set the scope to accounts.
    • code is the authorization code generated in the above step.
    • redirect_uri should be the Callback URL of the application.
    • client_id is the Consumer Key of the application.
    • Set the client_assertion_type to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
    • client_assertion is the Generated token in the Generate client assertion form.
  6. Click Execute. Note down the user access token in the response.


STEP 5: Consume APIs

  1. In the left menu, click APIs.

  2. Browse the Confirmation Of Funds API.

  3. Go to the API Console tab.

    • Select your application from the drop-down lists.
    • Select Sandbox as the environment.
    • Replace the token in the request header with the user access token obtained in STEP 4.
  4. Invoke the submission resources using the Try It Out option.

    For example, create a Funds Confirmation resource using the POST /funds-confirmations resource.

    • Select the resource and click Try It Out.

    • Replace the request payload with the sample payload available here. Update the value of ConsentId with the consent generated in STEP 3.
    • Set the x-fapi-financial-id value to open-bank.
    • Click Execute.

WSO2 Open Banking | ©