openapi: 3.0.1 info: title: Open Banking Notification description: | The APIs defined to be implemented on the Initiating Party side. So the Open Banking Service will request to such endpoint to provide the information on the operation status update and debtor identification information. version: "3.8.0" x-tpp-buildversion: '1.46' servers: - url: /v3/notification paths: /status: post: security: - Authorization: [] tags: - Notification Service summary: Notification service for IP on status changes of consents or payments operationId: postNotification parameters: - $ref: '#/components/parameters/X-Request-ID' - $ref: '#/components/parameters/MessageCreateDateTime' - $ref: '#/components/parameters/Signature' - $ref: "#/components/parameters/Digest" - $ref: "#/components/parameters/PaymentStatusSource" - $ref: "#/components/parameters/DebtorDataSource" requestBody: $ref: '#/components/requestBodies/notificationRequest' responses: 204: $ref: '#/components/responses/204' 400: $ref: '#/components/responses/400' 401: $ref: '#/components/responses/401' 404: $ref: '#/components/responses/404' 415: $ref: '#/components/responses/415' 500: $ref: '#/components/responses/500' 503: $ref: '#/components/responses/503' 511: $ref: '#/components/responses/511' /debtorToken: post: security: - Authorization: [] tags: - Notification Service summary: Notification service for IP for iDEAL debtor token update operationId: postDebtorsToken parameters: - $ref: '#/components/parameters/X-Request-ID' - $ref: '#/components/parameters/MessageCreateDateTime' - $ref: '#/components/parameters/Signature' - $ref: "#/components/parameters/Digest" requestBody: $ref: '#/components/requestBodies/debtorTokenRequest' responses: 204: $ref: '#/components/responses/204' 400: $ref: '#/components/responses/400' 401: $ref: '#/components/responses/401' 404: $ref: '#/components/responses/404' 415: $ref: '#/components/responses/415' 500: $ref: '#/components/responses/500' 503: $ref: '#/components/responses/503' 511: $ref: '#/components/responses/511' components: securitySchemes: Authorization: type: http scheme: bearer schemas: ConsentDetailedInformation: required: - ConsentId - ConsentStatus type: object additionalProperties: false properties: ConsentId: maxLength: 1024 minLength: 1 type: string description: | Id generated by the Open Banking Service. This should be used to refer to this consent. ConsentStatus: $ref: '#/components/schemas/ConsentStatusEnum' AspspId: type: string minLength: 1 description: | The Id of the ASPSP. The Open Banking Service needs this information to route the consent and accounts information requests. AuthorisationRequiredData: $ref: '#/components/schemas/AuthorisationRequiredData' PermissionInformation: type: string description: | Optionally a text for detailed information on the permission handling of the ASPSP is given. E.g. by default a consent is allowing a frequency of up to 4 requests per day. This default is set implicitly by the Open Banking Service. If this parameter is not supported by the ASPSP the initiating party is informed by this. FrequencyPerDay: type: integer description: | This field indicates the maximum frequency for an access per day. For a one-off access, this attribute is set to "1. RecurringIndicator: type: boolean description: | "true", if the consent is for recurring access to the account data. "false", if the consent is for one access to the account data. ValidUntilDate: type: string format: date-time description: | Date to which the consent is valid. LastActionDate: type: string description: | The string has to be converted to a Date in ISO Format. TransactionFromDateTime: type: string format: date-time description: | Specified start date and time for the transaction query period. TransactionToDateTime: type: string format: date-time description: | Specified end date and time for the transaction query period. Links: $ref: '#/components/schemas/ConsentStatusLinks' PsuMessage: description: | Text to be displayed to the PSU. maxLength: 1024 minLength: 1 type: string description: | ConsentStatusResponse ConsentStatusEnum: description: | Consent status type: string enum: - Open - Pending - Rejected - Authorised - Expired - Revoked - Error - Inactive - RevokedAtTpp - TimeoutAtTpp - PartiallyAuthorised ConsentStatusLinks: type: object additionalProperties: false description: | A list of hyperlinks to be recognized by the Initiating Party. The actual hyperlinks used in the response depend on the dynamical decisions on authorization approach for example. Remark - All links are full links. * 'RedirectUrl': In case of an Redirect approach, the Initiating Party has to use this link to redirect the PSU’s browser session. * 'PostIdentificationForDecoupled': In case of a Decoupled approach, the Initiating Party has to use this link to post the PSU username. * 'PostAuthorisationForEmbedded': In case of an embedded approach, the Initiating Party has to use this link to post the PSU credentials. * 'SelectAuthenticationMethod': In case of an embedded approach, the Initiating Party has to use this link to post the credentials. * 'AuthorizeTransaction': In case of an embedded approach, the Initiating Party has to authorize the transaction (consent) by providing the SCA OneTimePassword. * 'GetConsentStatus': Endpoint to be called for retrieving the consent status. properties: RedirectUrl: $ref: '#/components/schemas/Link' PostAuthorisationForExplicit: $ref: '#/components/schemas/Link' PostIdentificationForDecoupled: $ref: '#/components/schemas/Link' PostAuthorisationForEmbedded: $ref: '#/components/schemas/Link' PutAuthorisationForEmbedded: $ref: '#/components/schemas/Link' SelectAuthenticationMethod: $ref: '#/components/schemas/Link' AuthorizeTransaction: $ref: '#/components/schemas/Link' GetConsentStatus: $ref: '#/components/schemas/Link' PaymentDetailedInformation: type: object additionalProperties: false properties: PaymentProductUsed: $ref: '#/components/schemas/PaymentProductEnum' CommonPaymentData: $ref: '#/components/schemas/CommonPaymentDataResponse' Links: $ref: '#/components/schemas/StatusResponseLinks' UseWaitingScreen: type: boolean description: | If `true` the IP should show a waiting screen even if the the RedirectUrl is provided. On the waiting screen a redirection button should be placed. Click on the button should redirect the PSU by the link from `RedirectUrl`. CommonPaymentDataResponse: type: object additionalProperties: false required: - PaymentId - PaymentStatus properties: ExpiryDateTimestamp: type: string format: date-time description: | The timestamp from which the transaction operation will expire in [ISODateTime standard](https://www.iso20022.org/standardsrepository/type/ISODateTime), expressed in UTC time format(YYYY-MM-DDThh:mm:ss.sssZ) GuaranteedAmount: description: | The amount guaranteed by the ASPSP/Issuer to the Merchant/CPSP. Will be provided if the min max amount values are defined in the request pattern: ^\d{1,13}\.\d{1,5}$ type: string example: "123.45" PaymentStatus: $ref: '#/components/schemas/PaymentStatusEnum' PaymentId: maxLength: 35 minLength: 1 type: string description: | Id generated by the Open Banking Service. This should be used to refer to this payment in subsequent api calls. AspspPaymentId: maxLength: 35 minLength: 1 type: string description: | Id used by the ASPSP/AccessPoint to refer to the payment. AspspId: maxLength: 35 minLength: 1 type: string description: | Id of the ASPSP selected by the PSU. InitiatingPartyReferenceId: maxLength: 36 minLength: 1 type: string description: | Reference to the payment created by the Initiating Party. This Id will not be visible to the Payment Service User. FundsAvailable: type: boolean description: | Information whether sufficient funding is available. DebtorInformation: $ref: '#/components/schemas/DebtorInformationResponse' AmountRelatedDetails: $ref: '#/components/schemas/AmountRelatedDetails' AuthorisationRequiredData: $ref: '#/components/schemas/AuthorisationRequiredData' PsuMessage: maxLength: 1024 minLength: 1 type: string description: | Text to be displayed to the PSU. AuthorisationRequiredData: type: object additionalProperties: false description: | The data required for PSU authentication and transaction authorisation properties: PsuCredentials: type: array description: | List of credentials the PSU has on the ASPSP's system. The PSU has to provide the CredentialValue for each of these (Username & Password). items: $ref: '#/components/schemas/PsuCredentials' ScaMethods: type: array description: | Array of available ScaMethods. items: $ref: '#/components/schemas/ScaMethods' ChosenScaMethod: $ref: '#/components/schemas/ScaMethods' ChallengeData: $ref: '#/components/schemas/ScaChallengeData' PsuCredentials: required: - CredentialsDetails type: object additionalProperties: false properties: AspspProductCode: type: string description: | Product Identification. Used to contextualize the credentials provided by the PSU for those ASPSP that need of it. CredentialsDetails: type: array description: Credentials Details items: $ref: '#/components/schemas/CredentialDetails' description: | PSU Credentials on the Bank system. CredentialDetails: required: - CredentialId - IsSecret - LabelList type: object additionalProperties: false properties: IsSecret: type: boolean description: | Binary identification of the transparancy of the provided credentials by the PSU. Can have 2 values, * true * false Can be provided by ASPSP. If not provided by the ASPSP then by default, * true, if the CredentialId=ewl-password * false, if CredentialId=ewl-user-id CredentialId: type: string description: | Credential detail identification of the PSU credential at the bank (provided bi CBI if approach is Embedded). If not provided by the aspsp, then default values should be, * ewl-user-id, when IsSecret=false * ewl-password, when IsSecret=true LabelList: type: array description: | The list of the labels to show to the end user. They are internationalized. items: $ref: '#/components/schemas/CredentialLabel' description: | Credentials Details. CredentialLabel: required: - Label - Language type: object additionalProperties: false properties: Label: type: string description: | The label associated to the credentials to show to the end user. Language: type: string description: | Label internationalization. It specifies the language of the label. The default value is EN ScaMethods: required: - AuthenticationId - AuthenticationType type: object additionalProperties: false properties: AuthenticationType: $ref: '#/components/schemas/ScaMethodEnum' AuthenticationId: minLength: 1 type: string description: | Id of the method. (To be used in PUT request.) Version: minLength: 1 type: string description: | Version of the method. Name: minLength: 1 type: string description: | Name of the method in readable form. Explanation: minLength: 1 type: string description: | Description of the method. ScaMethodEnum: type: string description: | SCA authentication methods. enum: - SmsOTP - ChipOTP - PhotoOTP - PushOTP - SmtpOTP ScaChallengeData: type: object additionalProperties: false properties: AdditionalInformation: type: string description: | Additional Information for the PSU describing the method Data: type: array description: | A collection of strings as challenge data items: type: string Image: type: string description: | Image in base64 encoding ImageLink: type: string description: | URL of image OtpFormat: type: string description: | The OTP format. OtpMaxLength: type: integer description: | The maximum length for the OTP. format: int32 description: | JSON DTO used to represent challenge data. AmountRelatedDetails: type: object additionalProperties: false description: | contains additional information about the fees and estimated amount properties: TransactionFees: $ref: '#/components/schemas/TransactionFees' ExchangeRateInformation: $ref: '#/components/schemas/ExchangeRateInformationResponse' CurrencyConversionFee: $ref: '#/components/schemas/CurrencyConversionFee' EstimatedTotalAmount: $ref: '#/components/schemas/EstimatedTotalAmount' EstimatedInterbankSettlementAmount: $ref: '#/components/schemas/EstimatedInterbankSettlementAmount' ExchangeRateInformationResponse: type: object additionalProperties: false properties: UnitCurrency: pattern: '[A-Z]{3,3}' type: string description: | Currency in which the rate of exchange is expressed in a currency exchange. In the example 1GBP = xxxCUR, the unit currency is GBP. ExchangeRate: type: number description: | The factor used for conversion of an amount from one currency to another. This reflects the price at which one currency was bought with another currency. Rate expressed as a decimal, for example, 0.7 is 7/10 and 70%. RateType: type: string description: | Specifies the type used to complete the currency exchange. * Spot: Exchange rate applied is the spot rate. * Sale: Exchange rate applied is the market rate at the time of the sale. * Agreed: Exchange rate applied is the rate agreed between the parties. enum: - Spot - Sale - Agreed ContractIdentification: maxLength: 256 minLength: 1 type: string description: | Unique and unambiguous reference to the foreign exchange contract agreed between the Initiating Party/creditor and the debtor agent. ExpirationDateTime: type: string description: | Expiration date time. ISO 8601 DateTime. format: date-time description: | Provides details on the currency exchange rate and contract. EstimatedTotalAmount: type: object additionalProperties: false required: - Currency - Amount properties: Currency: pattern: '[A-Z]{3,3}' type: string description: | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". Amount: pattern: ^\d{1,13}\.\d{1,5}$ type: string description: | Amount description: | Estimated Total Amount. EstimatedInterbankSettlementAmount: type: object additionalProperties: false required: - Currency - Amount properties: Currency: pattern: '[A-Z]{3,3}' type: string description: | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". Amount: pattern: ^\d{1,13}\.\d{1,5}$ type: string description: | Amount description: | Estimated Interbank Settlement Amount. TransactionFees: type: object additionalProperties: false properties: Currency: pattern: '[A-Z]{3,3}' type: string description: | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". Amount: pattern: ^\d{1,13}\.\d{1,5}$ type: string description: | Amount of the fees. description: | Information used for transporting transaction fees by the ASPSP. CurrencyConversionFee: type: object additionalProperties: false required: - Currency - Amount properties: Currency: pattern: '[A-Z]{3,3}' type: string description: | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". Amount: pattern: ^\d{1,13}\.\d{1,5}$ type: string description: | Amount of the fees. description: | Currency Conversion Fee DebtorInformationResponse: type: object additionalProperties: false description: | All debtor relavant data. This object will only be provided if the PaymentStatus is Authorised or higher. properties: Name: maxLength: 140 type: string description: | The name of the debtor. Agent: type: string pattern: '[A-Z0-9]{4,4}[A-Z]{2,2}[A-Z0-9]{2,2}([A-Z0-9]{3,3}){0,1}' description: | BIC of the financial institution servicing an account for the debtor. Account: $ref: '#/components/schemas/DebtorAccount' ContactDetails: $ref: "#/components/schemas/DebtorContactDetailsResponse" ShippingAddress: $ref: "#/components/schemas/AddressData" BillingAddress: $ref: "#/components/schemas/AddressData" DebtorContactDetailsResponse: type: object additionalProperties: false properties: FirstName: type: string description: | The first name of the debtor LastName: type: string description: | The last name of the debtor PhoneNumber: type: string description: | The phone number of the debtor in E.164 format pattern: "^\\+[1-9][0-9]{1,14}$" example: "+31612345678" Email: type: string description: | The e-mail address of the debtor format: email example: "bob.smith@mymail.com" minLength: 1 AddressData: type: object additionalProperties: false properties: FirstName: type: string description: | The first name of the debtor example: "Bob" minLength: 1 LastName: type: string description: | The last name of the debtor example: "Smith" minLength: 1 CompanyName: type: string description: | The company name of the debtor example: "Cookie factory" minLength: 1 PostCode: type: string description: | The postal code of the address without spaces example: "1234AB" minLength: 1 BuildingNumber: type: string description: | The house number of the address example: "100" minLength: 1 Floor: type: string description: | The addition of the address example: "2B" minLength: 1 StreetName: type: string description: | The street of the address example: "Bankastraat" minLength: 1 TownName: type: string description: | The city of the address example: "Amsterdam" minLength: 1 Country: type: string description: | The code of the coutry regarding ISO 3166 standard. For the IDEAL payments the country name will be provided minLength: 1 CountrySubDivision: type: string description: | Country sub division. maxLength: 35 minLength: 1 DebtorAccount: required: - Identification type: object additionalProperties: false properties: SchemeName: $ref: '#/components/schemas/IdentificationTypeEnum' Identification: type: string description: | Unambiguous identification of the account of the debtor to which a debit entry will be made as a result of the transaction. SecondaryIdentification: type: string description: | Secondary identification of the Debtor Account, to which a debit entry will be made as a result of the transaction. (Only Openbank UK) Currency: pattern: '[A-Z]{3,3}' type: string description: | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". IdentificationTypeEnum: type: string description: | Type of the account number. enum: - IBAN - SortCodeAccountNumber PaymentStatusEnum: type: string description: | Payment status. enum: - Open - Authorised - PartiallyAuthorised - Pending - SettlementInProcess - SettlementCompleted - ReceivedByCreditorBank - ReceivedOnCreditorAccount - Cancelled - CancelledAtTPP - TimeoutAtTpp - Error - Expired PaymentProductEnum: type: string default: PSD2-SCT description: | Indicates the requested payment method. Since we are not only supporting sepa we use generic terms. enum: - PSD2-SCT - PSD2-SCT-Inst - PSD2-Target2 - PSD2-Domestic - PSD2-Domestic-Inst - IDEAL DebtorToken: type: object additionalProperties: false properties: PsuId: type: string description: | The id of the PSU saved from the PSU management PaymentId: maxLength: 35 minLength: 1 type: string description: | Id generated by the Open Banking Service. This should be used to refer to this payment in subsequent api calls. DebtorToken: type: string description: | The token generated by the Access Point for the IDEAL Payments StatusResponseLinks: type: object additionalProperties: false description: | A list of hyperlinks to be recognized by the Initiating Party. The actual hyperlinks used in the response depend on the dynamical decisions on authorization approach for example. Remark - All links are full links. * 'RedirectUrl': In case of an Redirect approach, the Initiating Party has to use this link to redirect the PSU’s browser session. * 'PostAuthorisationForExplicit': In case the ASPSP requires explicit start of authorization. * 'PostIdentificationForDecoupled': In case of a Decoupled approach, identification of the PSU required to start the decoupled authorization. * 'PutAuthorisationForEmbedded': In case of an embedded approach, endpoint to be called to add information to the Authorization. * 'SelectAuthenticationMethod': In case of an embedded approach, the Initiating Party has to use this link to pass the SCA method. * 'AuthorizeTransaction': In case of an embedded approach, the Initiating Party has to authorize the payment by providing the SCA OneTimePassword. * 'ConfirmationRequired': Endpoint to be called for payment confirmation for ASPSPs that require explicit confirmation of payments. properties: RedirectUrl: $ref: '#/components/schemas/Link' PostAuthorisationForExplicit: $ref: '#/components/schemas/Link' PostIdentificationForDecoupled: $ref: '#/components/schemas/Link' PostAuthorisationForEmbedded: $ref: '#/components/schemas/Link' PutAuthorisationForEmbedded: $ref: '#/components/schemas/Link' SelectAuthenticationMethod: $ref: '#/components/schemas/Link' AuthorizeTransaction: $ref: '#/components/schemas/Link' ConfirmationRequired: $ref: '#/components/schemas/Link' Link: required: - Href type: object additionalProperties: false properties: Href: maxLength: 1024 minLength: 1 type: string Error: deprecated: true type: object additionalProperties: false properties: Code: pattern: '[0-9]{1,3}' type: string Message: maxLength: 140 minLength: 1 type: string Details: type: string Link: $ref: '#/components/schemas/Link' description: | No error response is required. This Error object will be removed from the notification API's in the next version. requestBodies: notificationRequest: content: application/json: schema: oneOf: #Different Notification Bodies - $ref: '#/components/schemas/ConsentDetailedInformation' - $ref: '#/components/schemas/PaymentDetailedInformation' examples: "Example 1: 'ConsentNotificationRequest'": $ref: "#/components/examples/consentNotificationRequest_json" "Example 2: 'PaymentNotificationRequest'": $ref: "#/components/examples/paymentNotificationRequest_json" required: true debtorTokenRequest: content: application/json: schema: $ref: '#/components/schemas/DebtorToken' required: true headers: X-Request-ID: required: true description: | UUID for unique request identification schema: type: string maxLength: 36 minLength: 1 example: abcdef2e-3000-4000-88cc-ae40e3b113d7 MessageCreateDateTime: required: true schema: type: string format: 'date-time' description: | The message create date time. ISO 8601 DateTime. example: "2020-09-25T08:15:00.856Z" parameters: X-Request-ID: name: X-Request-ID in: header description: | UUID for unique request identification. required: true schema: maxLength: 36 minLength: 1 type: string example: "abcdef2e-3000-4000-88cc-ae40e3b113d7" MessageCreateDateTime: name: MessageCreateDateTime in: header description: | The message create date time. ISO 8601 DateTime. required: true schema: type: string format: date-time example: "2020-09-25T08:15:00.856Z" Signature: name: Signature in: header description: | Conditionally required for iDEAL payments. The signature in the request should include a keyId with the value of fingerprint of the certificate schema: type: string Digest: name: Digest in: header description: Is contained if and only if the `Signature` element is contained in the header of the request. schema: type: string example: "SHA-256=hl1/Eps8BEQW58FJhDApwJXjGY4nr1ArGDHIT25vq6A=" PaymentStatusSource: name: PaymentStatusSource in: header description: | Has the value 'CollectingBank' if the PaymentStatus originated from the Collecting Bank. If the PaymentStatus originates from another source, such as the debtor bank, then this header is not sent. schema: type: string example: "CollectingBank" DebtorDataSource: name: DebtorDataSource in: header description: | Key- value pair which indicates the source for a certain field in the 'DebtorInformation' object in the body of this request. The following Key's can occur: - Name - Account.Identification The following Value's can occur: - IP (Initiating Party) - PSU (Payment Service User) - ASPSP (Account Servicing Payment Service Provider, The Bank of the PSU) - Collecting Bank (The bank which receives the money) More then one key-Value pair can be provided, separated by a pipe. schema: type: string example: "Name:IP|Account.Identification:PSU" responses: 400: description: | Bad Request headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 401: description: | Unauthorized headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 403: description: | Forbidden headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 404: description: | Not Found headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 415: description: | Unsupported Media Type headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 500: description: | Internal Server Error headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 502: description: | Bad Gateway headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 503: description: | Service Unavailable' headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 511: description: | Network Authentication Required headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' 204: description: | No Content headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: {} 405: description: | Method not allowed headers: X-Request-ID: $ref: '#/components/headers/X-Request-ID' MessageCreateDateTime: $ref: '#/components/headers/MessageCreateDateTime' content: application/json: schema: $ref: '#/components/schemas/Error' examples: consentNotificationRequest_json: value: { "ConsentId": "string", "ConsentStatus": "Open", "Links": { "RedirectUrl": { "Href": "https://example.org" } } } paymentNotificationRequest_json: value: { "CommonPaymentData": { "PaymentId": "string", "PaymentStatus": "Open", }, "Links": { "ConfirmationRequired": { "Href": "https://example.org" } } }