Token Service Berlin Group v1.3 - SMBC Group v1.0.2

Obtaining a PSU Token

Important notes:

  1. For the sandbox, the App Client Credentials are for the App created in the Developer Portal UI
  2. For Production, the App Client Credentials are for the App created by the Dynamic Client Registration Service
  3. The code_challenge should be SHA256(code_verifier) in hexadecimal bytes. Do not base64-encode the code_challenge
  4. The GET /authorize endpoint in the sandbox is https://api-sandbox.smbcdigital.com/sandboxauth/v1/authorize
  5. The GET /authorize endpoint in production is given in scaRedirect in the POST /consents response body
Step Action Sandbox Example Production Example
1 Create a TPP Token

Request

curl --location --request POST 'https://api-sandbox.smbcdigital.com/oauth/v1/token
?grant_type=client_credentials' \
--header 'Authorization: Basic {Credentials for app created on Developer Portal}'

Reseponse

{
    "refresh_token_expires_in": "0",
    "token_type": "BearerToken",
    "issued_at": "1680797262857",
    "access_token": "N8rF22wXmBbmaEb2ONGhdsMFfuGp",
    "AccessTokenType": "TPP",
    "expires_in": "599",
    "status": "approved",
    "client_id": "{App Client Id}"
}

Request

curl --location --request POST 'https://api.smbcdigital.com/oauth/v1/token
?grant_type=client_credentials' \
--header 'Authorization: Basic {Credentials for production app created using Dynamic Client Registration}'

Reseponse

{
    "refresh_token_expires_in": "0",
    "token_type": "BearerToken",
    "issued_at": "1680797262857",
    "access_token": "N8rF22wXmBbmaEb2ONGhdsMFfuGp",
    "AccessTokenType": "TPP",
    "expires_in": "599",
    "status": "approved",
    "client_id": "{TPP Authorisation Number e.g. PSDXX-TEST-00001}"
}
2 Create a Consent Resource

Request

curl --location --request POST 'https://api-sandbox.smbcdigital.com/berlingroup/v1/consents' \
--header 'X-Request-ID: c2f6b53b-9bd4-487c-b008-5ec737907546' \
--header 'smbc-jurisdiction: GB,DE,BE,FR' \
--header 'PSU-ID: psu_01' \
--header 'TPP-Redirect-URI: https://tppredirecturi.com' \
--header 'PSU-IP-Address: 12.34.56.78' \
--header 'PSU-Device-ID: 978b7212-f28e-4b2d-a4a7-ac98ebddc5cf' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer N8rF22wXmBbmaEb2ONGhdsMFfuGp' \
--data-raw '{
    "validUntil": "2023-09-30",
    "recurringIndicator": true
}'

Response

{
    "consentStatus": "received",
    "consentId": "d3a7cbff-76da-42b3-a90e-58ef0bff6f25",
    "_links": {
        "self": {
            "href": "https://api-sandbox.smbcdigital.com/berlingroup/v1/consents/
d3a7cbff-76da-42b3-a90e-58ef0bff6f25"
        },
        "status": {
            "href": "https://api-sandbox.smbcdigital.com/berlingroup/v1/consents/
d3a7cbff-76da-42b3-a90e-58ef0bff6f25/status"
        },
        "scaRedirect": {
            "href": "https://sca.smbcdigital.com/8e2b7dd15e0d44b"
        },
        "scaStatus": {
            "href": "https://api-sandbox.smbcdigital.com/berlingroup/v1/consents/
d3a7cbff-76da-42b3-a90e-58ef0bff6f25/status"
        }
    }
}

Request

  • For long-term recurring consent, use:
    • recurringIndicator=true
    • validUntil=Any date within the SCA exemption maximum period
  • For one-off (20 minutes) access to account data older than 90 days, use:
    • recurringIndicator=false
    • validUntil=Today+2 days (e.g. 2023-01-20 if requesting on 2023-01-18)

curl --location --request POST 'https://api.smbcdigital.com/berlingroup/v1/consents' \
--header 'X-Request-ID: c2f6b53b-9bd4-487c-b008-5ec737907546' \
--header 'smbc-jurisdiction: GB,DE,BE,FR' \
--header 'PSU-ID: psu_01' \
--header 'TPP-Redirect-URI: https://tppredirecturi.com' \
--header 'PSU-IP-Address: 12.34.56.78' \
--header 'PSU-Device-ID: 978b7212-f28e-4b2d-a4a7-ac98ebddc5cf' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer N8rF22wXmBbmaEb2ONGhdsMFfuGp' \
--data-raw '{
    "validUntil": "2023-09-30",
    "recurringIndicator": true
}'

Response

{
    "consentStatus": "received",
    "consentId": "d3a7cbff-76da-42b3-a90e-58ef0bff6f25",
    "_links": {
        "self": {
            "href": "https://api.smbcdigital.com/berlingroup/v1/consents/
d3a7cbff-76da-42b3-a90e-58ef0bff6f25"
        },
        "status": {
            "href": "https://api.smbcdigital.com/berlingroup/v1/consents/
d3a7cbff-76da-42b3-a90e-58ef0bff6f25/status"
        },
        "scaRedirect": {
            "href": "https://www.smbcdigital.com/ezsign/get?requestId=NLNWFpBiKIUMztqxBFMazA…"
        },
        "scaStatus": {
            "href": "https://api.smbcdigital.com/berlingroup/v1/consents/
d3a7cbff-76da-42b3-a90e-58ef0bff6f25/status"
        }
    }
}
3 Redirect to SMBC and back to TPP

Nb: The GET /authorize link in the sandbox does not match the scaRedirect given in the mock response to POST /consents

Nb: The code_challenge is SHA256(code_verifier) in hexadeximal bytes

Request

curl --location --request GET 'https://api-sandbox.smbcdigital.com/sandboxauth/v1/authorize
?response_type=code
&scope=d3a7cbff-76da-42b3-a90e-58ef0bff6f25
&code_challenge=68b96fc0ddfd0017c788b1e8a5c256d72d31
f1e68da53fd339b9b123cd95996e (without newline character)
&code_challenge_method=S256
&state=123456
&clientId={App Client Id/TPP Authorisation Number}
&redirect_uri=https://tppredirecturi.com'

Response Header

Location: https://tppredirecturi.com?code=AOoHFOxc&state=123456

Nb: In the sandbox, the GET /authorize link does not start with ?requestId. Ensure to add OAuth2 parameters after this parameter.

Nb: The code_challenge is SHA256(code_verifier) in hexadeximal bytes.

Nb: All the query parameters included below are mandatory.

Request

curl --location --request GET 'https://www.smbcdigital.com/ezsign/get
?requestId=NLNWFpBiKIUMztqxBFMazA==
&response_type=code
&scope=d3a7cbff-76da-42b3-a90e-58ef0bff6f25
&code_challenge=68b96fc0ddfd0017c788b1e8a5c256d72d31
f1e68da53fd339b9b123cd95996e (without newline character)
&code_challenge_method=S256
&state=123456
&clientId={TPP Authorisation Number e.g. PSDXX-TEST-00001}
&redirect_uri=https://tppredirecturi.com'

Response

The user is presented with the SCA challenge. On successful or unsuccessful completion, the user is redirected back to the TPP. If given in the request, the state will be included:
4 Create a PSU Token

Request

curl --location --request POST 'https://api-sandbox.smbcdigital.com/oauth/v1/token
?grant_type=authorization_code
&code=AOoHFOxc
&redirect_uri=https://tppredirecturi.com
&code_verifier=SMBC' \
--header 'Authorization: Basic {App client credentials}=='

Response

{
    "refresh_token_expires_in": "15428221",
    "token_type": "BearerToken",
    "issued_at": "1686824634615",
    "refresh_token_issued_at": "1686824634615",
    "expires_in": "35999",
    "refresh_token_status": "approved",
    "access_token": "G5FZfA46aNeTpNPbN2z1UYO1RKFa",
    "refresh_token": "hZNF2l4v2paz2D3xcVxNVO3AtiUGm24W",
    "AccessTokenType": "PSU",
    "status": "approved",
    "client_id": "{App Client Id}"
}

Request

curl --location --request POST 'https://api.smbcdigital.com/oauth/v1/token
?grant_type=authorization_code
&code=AOoHFOxc
&redirect_uri=https://tppredirecturi.com
&code_verifier=SMBC' \
--header 'Authorization: Basic {Credentials for production app created using Dynamic Client Registration}=='

Response

{
    "refresh_token_expires_in": "15428221",
    "token_type": "BearerToken",
    "issued_at": "1686824634615",
    "refresh_token_issued_at": "1686824634615",
    "expires_in": "35999",
    "refresh_token_status": "approved",
    "access_token": "G5FZfA46aNeTpNPbN2z1UYO1RKFa",
    "refresh_token": "hZNF2l4v2paz2D3xcVxNVO3AtiUGm24W",
    "AccessTokenType": "PSU",
    "status": "approved",
    "client_id": "{TPP Authorisation Number e.g. PSDXX-TEST-00001}"
}

About us

Visit the main website to learn more about SMBC.

Need help?

Check our FAQs for common queries, otherwise please get in touch with our API support team to discuss your on-boarding.