
Consents Service Berlin Group v1.3 - SMBC Group v1.2

About this service

This service is a prerequisite to enable the third-party provider (TPP) to request access to accounts held at SMBC Group, on behalf of a payment service user (PSU). Additionally, this service allows the TPP to delete or query existing consents.

It is used by the TPP, as required, to obtain a consents resource prior to interacting with the Bank account information and payment services on behalf of the PSU; and subsequently every 90 days to create a replacement consents resource. It is also used by the TPP to query and delete previously created consents resources.

How to use this service

To use this service, the TPP will first:

  • use the token service to obtain a TPP access token;

Using this service, the TPP can then:

  • use this TPP access token to create a consents resource and receive a redirect;

The TPP can then:

  • (sandbox only) use the token service to request an authorisation code via a dedicated authorisation service, exclusive to the sandbox;
  • (production only) redirect the PSU to perform strong customer authentication (SCA) against the Bank's online web portal, receive an authorisation code and be redirected back to the TPP with the authorisation code; and
  • provide the returned authorisation code to the token service to obtain a PSU access token and a PSU refresh token.

The POST /consent, GET /authorize, and POST /token requests all feature OAuth2 and PKCE parameters. See the Token Service Description for the mandatory parameters and see the PSU Token Tutorial for an example.

Maximum time period

The maximum allowed time period for a Consent Resource (i.e. the maximum validUntil date) is 180 days in the future.

Requests for transaction history older than 90 days:

  • Historical transaction or payment requests (where the dateFrom parameter is earlier than 90 days in the past or if the Requested Execution Date is earlier than 90 days in the past) are not exempt from SCA. To access this data, the TPP must create a one-off Consent Resource, which will provide them with a PSU Access Token lasting 20 minutes. Using the consentId of the one-off Consent Resource and the short-lived access token, the TPP may make any number of requests required for historical transaction history, up to the limit of 730 days in the past.
  • The one-off Consent request body must contain:
    • recurringIndicator = false;
    • validUntil = current date plus 2 (e.g. a call made on 1 Jan must have the date 3 Jan)
  • Creating a one-off Consent Resource will not expire any existing recurring Consent Resource for that user
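
The date rules above, as an added client-side pre-flight check (an example written for this page, not SMBC Group code). The function names are hypothetical, validUntil is assumed to be an ISO 8601 date string, and only the two body fields named on this page are handled; the other consent body fields are omitted.

```python
from datetime import date, timedelta

SCA_EXEMPT_DAYS = 90      # a dateFrom older than this needs a one-off consent
HISTORY_LIMIT_DAYS = 730  # oldest history reachable with a one-off consent
MAX_VALID_DAYS = 180      # maximum validUntil for any Consent Resource
ONE_OFF_VALID_DAYS = 2    # one-off consent: current date plus 2


def needs_one_off_consent(date_from, today):
    """True when dateFrom is earlier than 90 days in the past."""
    if date_from < today - timedelta(days=HISTORY_LIMIT_DAYS):
        raise ValueError("dateFrom is beyond the 730-day history limit")
    return date_from < today - timedelta(days=SCA_EXEMPT_DAYS)


def one_off_consent_fields(today):
    """The two body fields this page requires for a one-off consent."""
    valid_until = today + timedelta(days=ONE_OFF_VALID_DAYS)
    return {"recurringIndicator": False, "validUntil": valid_until.isoformat()}


def check_consent_fields(body, today):
    """Return a list of rule violations; an empty list means the body passes."""
    try:
        valid_until = date.fromisoformat(body["validUntil"])
    except (KeyError, TypeError, ValueError):
        return ["validUntil is missing or not an ISO date"]
    problems = []
    recurring = body.get("recurringIndicator")
    if not isinstance(recurring, bool):
        problems.append("recurringIndicator must be a boolean")
    if valid_until > today + timedelta(days=MAX_VALID_DAYS):
        problems.append("validUntil is more than 180 days in the future")
    one_off_date = today + timedelta(days=ONE_OFF_VALID_DAYS)
    if recurring is False and valid_until != one_off_date:
        problems.append("one-off consent needs validUntil = current date plus 2")
    return problems


if __name__ == "__main__":
    today = date(2024, 1, 1)  # constructed sample date
    print(needs_one_off_consent(date(2023, 6, 1), today))
    print(one_off_consent_fields(today))
```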

Need help?

Check our FAQs for common queries, otherwise please get in touch with our API support team to discuss your on-boarding.