To make a payment on behalf of a user, the user must authenticate with their financial institution and give explicit consent. In most cases this means redirecting the user to the institution's authorisation screen, either in a web browser or, on a mobile device, in the user's mobile banking application, by sending them to the link provided as the Authorisation Url or QR Code Url. In every case the goal is to obtain a consent-token, which is then supplied in the Consent header to authorise the payment requests that follow.
The Payment Authorisation Flow starts when your user (PSU) indicates their intent to make a payment. To obtain the user's authorisation, follow these steps:
1. Call POST Create Payment Authorisation Request with the institutionId of their bank and a callback, which is the URL to return the user to after authorisation.
2. The response contains an authorisationUrl (or, for mobile banking app flows, a qrCodeUrl), which you should redirect the user to.
3. Once the user has authorised the payment at their institution, a consent-token will be returned to your callback URL as a query string parameter.
4. The consent-token can be used to call the Create Payment endpoint to request the payment.
5. With the same consent-token, you call the Get Payment Details endpoint to get the status of the payment.
It is also possible to complete the Payment Authorisation Flow without a callback URL: instead of the user being redirected back to your callback URL, you poll the GET consent endpoint for the status of the consent. See Decoupled Account Authorisation Flow for more information.
The Dashboard allows you to add multiple callbacks if your application needs them. If you have several callbacks at the same domain, you can register one callback at that domain with a trailing forward slash instead of listing each one. For example, if your domain was https://tpp-application and you wanted to register two callbacks under it, you could add https://tpp-application/ as a single callback rather than defining both individually. Note that this makes any path under that domain an acceptable return URL, so only use the trailing-slash form for a domain whose paths you fully control.
For testing, you can use the small utility created by Yapily (https://display-parameters.herokuapp.com/) as a callback to make consuming the consent-token easier when exercising the authorisation flows (remember to first add it as a callback to your application in the Yapily Dashboard). Because this utility receives the consent-token, register it only on a test application and remove it before going live.
Additionally, when using the above flow you can request a one-time-token when executing POST Create Payment Authorisation Request. The callback then receives a one-time-token instead of the consent-token, and you exchange it for the consent-token from your backend, so the consent-token is never exposed as a query string parameter at the callback (where it would otherwise end up in browser history, proxy and web-server logs and Referer headers).
PIS consent-tokens are valid for a single payment request: each new payment requires a new Payment Authorisation Request, and therefore a fresh user authorisation.
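The whole flow end to end, as an added example that is not Yapily's own code: a small client that performs the steps above, handles a callback carrying either a consent-token or a one-time-token, sends the consent-token in the Consent header, and a constructed in-memory stand-in for the API so it runs offline and enforces the single-use rule. The endpoint paths (/payment-auth-requests, /consent-one-time-token, /payments, /payments/{id}/details), the oneTimeToken request field, the callback parameter names (consent, one-time-token, error) and the response shapes are assumptions made for illustration; check them against the API reference before relying on them.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class PisClient:
    """TPP side of the flow. `send(method, path, headers, body)` performs the HTTP
    call and returns parsed JSON; it is injected so the example runs offline."""

    def __init__(self, send):
        self._send = send

    def create_payment_auth_request(self, institution_id, callback, payment_request,
                                    one_time_token=False):
        # Assumed body shape; `oneTimeToken` asks for a one-time-token at the callback.
        body = {"institutionId": institution_id, "callback": callback,
                "paymentRequest": payment_request, "oneTimeToken": one_time_token}
        return self._send("POST", "/payment-auth-requests", {}, body)["data"]

    def consent_from_callback(self, callback_url):
        # Parse the query string the institution redirected the user back with
        # (parameter names assumed). Prefer the one-time-token: it is exchanged from
        # the backend, so the consent-token never appears in a URL (history, logs, Referer).
        q = parse_qs(urlparse(callback_url).query)
        if "error" in q:
            raise RuntimeError("authorisation failed: " + q["error"][0])
        if "one-time-token" in q:
            resp = self._send("POST", "/consent-one-time-token", {},
                              {"oneTimeToken": q["one-time-token"][0]})
            return resp["data"]["consentToken"]
        if "consent" in q:
            return q["consent"][0]
        raise RuntimeError("callback carried neither consent nor one-time-token")

    def create_payment(self, consent_token, payment_request):
        # The consent-token travels in the Consent header, never in the query string.
        return self._send("POST", "/payments", {"Consent": consent_token},
                          {"paymentRequest": payment_request})["data"]

    def get_payment_details(self, consent_token, payment_id):
        return self._send("GET", f"/payments/{payment_id}/details",
                          {"Consent": consent_token}, None)["data"]


class FakeYapily:
    """Constructed in-memory stand-in for the API: just enough to drive the client,
    plus the rule that a PIS consent-token is valid for exactly one payment."""

    def __init__(self):
        self.auth_requests, self.one_time_tokens, self.consents, self.payments = {}, {}, {}, {}

    def __call__(self, method, path, headers, body):
        if (method, path) == ("POST", "/payment-auth-requests"):
            auth_id = secrets.token_hex(4)
            self.auth_requests[auth_id] = body
            return {"data": {"id": auth_id,
                             "authorisationUrl": f"https://bank.example/authorise?req={auth_id}",
                             "qrCodeUrl": f"https://bank.example/qr?req={auth_id}"}}
        if (method, path) == ("POST", "/consent-one-time-token"):
            consent = self.one_time_tokens.pop(body["oneTimeToken"])  # exchangeable once
            return {"data": {"consentToken": consent}}
        if (method, path) == ("POST", "/payments"):
            consent = headers.get("Consent")
            if self.consents.get(consent) != "AUTHORIZED":
                return {"error": "consent missing, unknown or already used"}
            self.consents[consent] = "USED"  # single-use: a second payment is refused
            pid = secrets.token_hex(4)
            self.payments[pid] = {"id": pid, "status": "PENDING", "consent": consent}
            return {"data": dict(self.payments[pid])}
        if method == "GET" and path.endswith("/details"):
            payment = self.payments[path.split("/")[2]]
            if headers.get("Consent") != payment["consent"]:
                return {"error": "consent does not belong to this payment"}
            payment["status"] = "COMPLETED"  # simulated: the payment settles on first poll
            return {"data": dict(payment)}
        return {"error": f"unknown route {method} {path}"}

    def psu_authorises(self, auth_id):
        """Simulate the PSU approving at the institution; returns the redirect back to the TPP."""
        req = self.auth_requests[auth_id]
        consent = "ct_" + secrets.token_urlsafe(12)
        self.consents[consent] = "AUTHORIZED"
        if req["oneTimeToken"]:
            ott = "ott_" + secrets.token_urlsafe(8)
            self.one_time_tokens[ott] = consent
            return req["callback"] + "?" + urlencode({"one-time-token": ott})
        return req["callback"] + "?" + urlencode({"consent": consent})


def run_flow(one_time_token=True):
    """Run the flow once and report what a reviewer would want to check."""
    api = FakeYapily()
    client = PisClient(api)
    payment = {"amount": {"amount": 10.00, "currency": "GBP"}, "reference": "INV-1"}
    auth = client.create_payment_auth_request("bank-sandbox", "https://tpp-application/cb",
                                              payment, one_time_token)
    # The user would now be sent to auth["authorisationUrl"] (or shown auth["qrCodeUrl"]);
    # the institution then redirects them to the callback:
    return_url = api.psu_authorises(auth["id"])
    consent = client.consent_from_callback(return_url)
    created = client.create_payment(consent, payment)
    details = client.get_payment_details(consent, created["id"])
    reuse = api("POST", "/payments", {"Consent": consent}, {"paymentRequest": payment})
    return {"return_url": return_url, "consent_in_url": consent in return_url,
            "status": details["status"], "reuse_rejected": "error" in reuse}
```

Running `run_flow(one_time_token=True)` shows the consent-token absent from the return URL and the second payment attempt refused; `run_flow(one_time_token=False)` completes the same payment but leaves the consent-token sitting in the callback URL, which is the exposure the one-time-token avoids.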