To interact with the Open Banking Service securely, you need to retrieve an access token. At the moment a version 2 token can only be used for the VOP service; in the future you will be able to use the same v2 token for multiple services. Via this API, JSON Web Tokens (JWT) are granted by the Central Authentication Service, as specified by RFC 7253.
You can retrieve a version 2 token in 2 steps:
Step 1 - Get your Client Id/Secret
The Client Id and the secret will be provided to you by Worldline.
Step 2 - Retrieve an access token using Client Id/Secret
Endpoint: POST /token
Base URL: /realms/merchant-clients/protocol/openid-connect
The tables below explain which fields have to be filled in when requesting a token with Client Id/Secret.
Request
| Header fields | Mult. | Type | Description |
| --- | --- | --- | --- |
| Content-Type | 1..1 | String | Must be filled with "application/x-www-form-urlencoded". If not provided, the Initiating Party can expect the error "415, Unsupported Media Type". |
The URL encoded form fields to be provided in the body of the request can be found in the table below:
| Body fields | Mult. | Type | Description |
| --- | --- | --- | --- |
| grant_type | 1..1 | String | Must be filled with: client_credentials |
| client_id | 1..1 | String | The Id of the client. The value will be provided to you by Worldline. |
| client_secret | 1..1 | String | Must be filled with the secret. The secret will be provided to you by Worldline. |
| scope | 1..1 | String | The list of the services. At the moment only VOP is allowed. The Open Banking Service checks if you have a valid subscription for the requested service. |
Response
| Body fields | Mult. | Type | Description |
| --- | --- | --- | --- |
| access_token | 1..1 | String | JSON Web Token to be used in further API calls. The contents of the access_token can be viewed by base64 decoding the text between the dots, or with a tool like https://jwt.io/. |
| expires_in | 1..1 | Integer | Expiration time in seconds, relative to when the token was issued. The time the token was issued is stored within the access_token string, in the field 'iat', which is filled with a unix timestamp. |
| refresh_expires_in | 1..1 | Integer | There is no refresh supported for Initiating Party Access Tokens. The field will always be filled with: 0 |
| token_type | 1..1 | String | Type of the token. The field will always be filled with: Bearer |
| not-before-policy | 1..1 | Integer | Filled with a unix timestamp. The token cannot be used before this timestamp. This feature is not used at the moment, so the token is valid immediately. The field will be filled with: 0 |
| scope | 1..1 | String | The list of the services for which the token is valid, as a space-separated list. |
Upon a successful request, the Open Banking Service provides you with an access token, which must be used in all future API interactions. The access token allows the Open Banking Service to validate and authorize your API requests.
The Authorization header is constructed as follows:
Authorization: Bearer {access_token}
The {access_token} part must be replaced by the value of access_token, for example:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2l...qaVI-mQ3XeEqDcf4P3OrzMJBiQ
Example POST /token
Request
grant_type: "client_credentials"
client_id: "ExampleClient-000001"
client_secret: "testtest"
scope: "VOP"
Response
ResponseCode: 200
Headers: {X-Request-ID=2aa0dc88-21dd-4034-a027-1d98123596f1, MessageCreateDateTime=2024-02-08T18:31:38.385Z, Date=Thu, 08 Feb 2024 18:31:38 GMT, Content-Type=application/json;charset=UTF-8}
Payload: {
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJnWEpSa0VzdGVHMjVoYnVTU0lOS1ZPZEdGV3B6NkstMlg2MklkVzVOc1BFIn0....pjro9uLmDcQiqzpIaE2JxpyIbRyVAQ-_CWzoWB0nxzuWXBIzpwWZ__R9RYl6zdNYb2_wBoVNs_bt6mQiTIWn-0oQ-5te5LujLehvCbVJZntK_C9mD80mobEuhDXnJiZCxPVS2hWD4FwYeSpy7mM0Vm3iCMZqtsIERmzm5QFQAY6N1Ym1al_gLIkFgYtaAo1hM-8ZpNCacEB4J8HtBzkOIvNsNegUZ4qdPp7N_Vl2u4pyecxrpNe_VdXPNQftncbQUE9JBOM12jp8G7ncEKW9PH29yKlapKWX_ssMvngGwGSTfZNR-GsQKrcnzef5A_rOjbv8ozUsHeMbLPA4Lh0yDA",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "VOP"
}
The token in the example will grant access to the VOP service.
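The following Python client, added here as an example and not part of the Worldline documentation, carries out the flow above: it builds the form-encoded client_credentials request with the mandatory Content-Type header, reads 'iat' from the returned JWT to compute when the token stops being valid (iat + expires_in), and constructs the Authorization header. The host name in TOKEN_URL is a placeholder, and make_sample_token produces a constructed, unsigned token so the helpers can be exercised offline.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder host: the documentation only gives the path, not the host name.
TOKEN_URL = "https://open-banking.example/realms/merchant-clients/protocol/openid-connect/token"


def build_token_request(client_id: str, client_secret: str, scope: str = "VOP") -> Request:
    """POST /token with the URL-encoded client_credentials body from the request table."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope}).encode()
    # Content-Type is mandatory; without it the service answers 415 Unsupported Media Type.
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def request_token(client_id: str, client_secret: str, scope: str = "VOP") -> dict:
    """Send the request and return the parsed JSON response body."""
    with urlopen(build_token_request(client_id, client_secret, scope), timeout=10) as resp:
        return json.load(resp)


def decode_jwt_payload(token: str) -> dict:
    """Read the claims between the dots (base64url without padding). This does not verify
    the signature; the Open Banking Service does that. The client only needs 'iat'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a compact JWT (header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_expiry(token_response: dict) -> int:
    """Unix timestamp after which the token is rejected: iat (inside the JWT) + expires_in."""
    return decode_jwt_payload(token_response["access_token"])["iat"] + token_response["expires_in"]


def seconds_remaining(token_response: dict, now: int) -> int:
    """Seconds of validity left at time 'now'; request a new token before this reaches 0."""
    return max(0, token_expiry(token_response) - now)


def authorization_header(token_response: dict) -> dict:
    """Authorization: Bearer {access_token}, as required for all further API calls."""
    if token_response.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % token_response.get("token_type"))
    return {"Authorization": "Bearer " + token_response["access_token"]}


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (placeholder signature) for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), enc({"sig": "placeholder"}))
```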
Validity of access tokens
Each token request returns a new token. Older tokens that have not yet expired remain usable.