OP PSD2 Account Information Service API (v1.1)
Download OpenAPI specification:Download
NOTE: Calling PSD2 APIs with Postman is not supported at this time.
PSD2 Account Information Service allows Third-Party Providers to present and process account and transaction data to OP's customers. Check our PSD2 page for more information about the APIs and the regulation.
Using this API requires end user authentication and authorization. Registered TPP (later AISP) can request for account information of a Payment Services User (PSU) through OP PSD2 AIS API. Prerequisite is that the AISP has been registered by a National Competent Authority (NCA) in EU/ETA area and the account owner (PSU) has mandated the AISP to request the account information.
The agreement of the account information service (AIS) is made between the PSU and the AISP. OP is not a participant in this agreement. Instead, OP provides the authentication and confirmation mechanism for the PSU to confirm the account requests the AISP has sent. Account information requests through OP PSD2 AIS API applies only to payment accounts.
See the full workflow for PSD2 AIS API >
PSD2 APIs are available in sandbox free of charge for both licensed and unlicensed developers. Full details for sandbox access.
Following the regulation, using PSD2 APIs is free of charge also in production. However, a Third-Party Provider has to apply for an AISP/PISP license from a financial authority (e.g. FIN-FSA in Finland) and obtain valid QWAC and QSEAL certificates. Full details for production access.
Only the account holder, i.e. the company, can grant TPPs the right to access the company's business accounts.
However, technically the company representative, i.e. the business user, is the actor who in practice confirms with their banking codes
the access to business accounts for the TPP.
As the business user is not the holder of the account, the user needs an additional access right from the account holder
in order to be able to confirm the requests sent by authorized TPPs.
Instructions for the additional access right registration are available at op.fi in Finnish, Swedish, and English.
After this registration, the business user is able to confirm (or reject) the requests sent by TPPs.
The main steps in the account information process are as follows:
- The PSU and the AISP agree upon the Account information service.
- AISP must register as a client to OP PSD2 Account Information Service API (online technical registration).
- PSU starts the account information request at the AISP's service.
- AISP sends the account information request to OP.
- AISP redirects PSU to OP's Authentication service.
- PSU performs SCA with their bank credentials and selects the payment accounts to be accessed by the AISP.
- After the PSU has confirmed the request, the PSU is redirected back to AISP's service with access_code.
- AISP exchanges the access_code to access_token (for accessing the API) and refresh_token (for getting new access_token and refresh_token).
- After the retrieval of the needed credentials AISP may request account information from the accounts the PSU has confirmed
Authorization requests:
- Authorization request can be a one-off or for longer period up to 90 days.
- One-off requests are valid for 60 minutes after authorization and allow for fetching transcactions up to 730 days in the past.
- Up to 90 days requests are valid for the authorized period (up to 90 days).
- When the authorization period has elapsed, the PSU must perform the SCA again to confirm the use of their account information.
- When the up to 90 days authorization period is valid, the AISP can make the requests without the presence of the PSU – this is called as an exemption from the SCA.
- Number of requests made without the presence of the PSU, is restricted to four requests per 24-hour period.
As per the European Commission amending the regulatory technical standards (RTS) regarding the 90-day exemption for account access, we will extend the exemption period to 180 days. The change will be applied from 24 May 2023 in the sandbox and from 25 July 2023 in production.
Revocation of the access to the accounts
- The PSU may revoke the access to the accounts through the same AISP’s service through which the access was originally granted. AISP must send the revocation information to OP by deleting the authorization.
List authorized accounts
Lists all accounts to which the customer has provided authorization.
header Parameters
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Authorization | string An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow. |
Responses
Request samples
- CURL
curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/accounts \ -H 'x-api-key: string' \ -H 'x-fapi-customer-last-logged-time: string' \ -H 'x-fapi-customer-ip-address: string' \ -H 'x-fapi-interaction-id: string' \ -H 'x-customer-user-agent: string' \ -H 'Authorization: string' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json'
Response samples
- 200
- default
[- {
- "accountId": "string",
- "productName": "KÄYTTÖTILI",
- "identifierSchema": "IBAN",
- "identifier": "string",
- "servicerSchema": "BIC",
- "servicer": "OKOYFIHH",
- "owner": "Matti Meikäläinen",
- "netBalance": "1234.56",
- "grossBalance": "1234.56",
- "counterBalance": "1234.56",
- "coverReservationAmount": "1234.56",
- "currency": "EUR"
}
]
Account details
Returns the details of a single account.
path Parameters
accountId required | string Account ID |
header Parameters
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Authorization | string An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow. |
Accept-Language | string Default: fi Enum: "fi" "en" "sv" Preferred language |
Responses
Request samples
- CURL
curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/accounts/{accountId} \ -H 'x-api-key: string' \ -H 'x-fapi-customer-last-logged-time: string' \ -H 'x-fapi-customer-ip-address: string' \ -H 'x-fapi-interaction-id: string' \ -H 'x-customer-user-agent: string' \ -H 'Authorization: string' \ -H 'Accept-Language: fi' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json'
Response samples
- 200
- default
{- "accountId": "string",
- "productName": "KÄYTTÖTILI",
- "identifierSchema": "IBAN",
- "identifier": "string",
- "servicerSchema": "BIC",
- "servicer": "OKOYFIHH",
- "owner": "Matti Meikäläinen",
- "netBalance": "1234.56",
- "grossBalance": "1234.56",
- "counterBalance": "1234.56",
- "coverReservationAmount": "1234.56",
- "currency": "EUR"
}
Get Account transactions
Lists transactions on a single account.
path Parameters
accountId required | string Account ID |
query Parameters
continuationToken | string Continuation token for fetching more results |
archiveId | string Get transactions by archiveId |
header Parameters
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Authorization | string An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow. |
Accept-Language | string Default: fi Enum: "fi" "en" "sv" Preferred language |
Responses
Request samples
- CURL
curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/accounts/{accountId}/transactions \ -H 'x-api-key: string' \ -H 'x-fapi-customer-last-logged-time: string' \ -H 'x-fapi-customer-ip-address: string' \ -H 'x-fapi-interaction-id: string' \ -H 'x-customer-user-agent: string' \ -H 'Authorization: string' \ -H 'Accept-Language: fi' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json'
Response samples
- 200
- default
{- "transactions": [
- {
- "archiveId": "string",
- "message": "string",
- "reference": "string",
- "amount": "1234.56",
- "currency": "EUR",
- "bookingDate": "2019-08-24",
- "valueDate": "2019-08-24",
- "paymentDate": "2019-08-24",
- "payer": {
- "name": "string"
}, - "recipient": {
- "name": "Matti Meikäläinens",
- "identifier": "FI3959986920068848",
- "servicer": "OKOYFIHH",
- "address": [
- "string"
]
}, - "proprietaryTransactionDescription": "string"
}
], - "continuationToken": "string",
- "_links": {
- "self": {
- "href": "string"
}, - "next": {
- "href": "string"
}
}
}
List authorized cards
Lists all cards authorized by the end user.
header Parameters
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Authorization | string An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow. |
Accept-Language | string Default: fi Enum: "fi" "en" "sv" Preferred language |
Responses
Request samples
- CURL
curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/cards \ -H 'x-api-key: string' \ -H 'x-fapi-customer-last-logged-time: string' \ -H 'x-fapi-customer-ip-address: string' \ -H 'x-fapi-interaction-id: string' \ -H 'x-customer-user-agent: string' \ -H 'Authorization: string' \ -H 'Accept-Language: fi' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json'
Response samples
- 200
- default
[- {
- "cardId": "string",
- "productName": "OP-Visa Credit/Debit",
- "cardNumber": "492065******6526",
- "statementBalance": "1234.56",
- "authorizedOutstandingAmount": "1234.56"
}
]
Get Card transactions
Retrieves transactions on a card.
path Parameters
cardId required | string Card ID |
query Parameters
continuationToken | string Continuation token for fetching more results |
header Parameters
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Authorization | string An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow. |
Accept-Language | string Default: fi Enum: "fi" "en" "sv" Preferred language |
Responses
Request samples
- CURL
curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/cards/{cardId}/transactions \ -H 'x-api-key: string' \ -H 'x-fapi-customer-last-logged-time: string' \ -H 'x-fapi-customer-ip-address: string' \ -H 'x-fapi-interaction-id: string' \ -H 'x-customer-user-agent: string' \ -H 'Authorization: string' \ -H 'Accept-Language: fi' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json'
Response samples
- 200
- default
{- "transactions": [
- {
- "description": "HBO*NORDIC.COM",
- "amount": "15.00",
- "currency": "EUR",
- "originalAmount": "1234.56",
- "originalCurrency": "EUR",
- "postingDate": "2019-01-03"
}
], - "continuationToken": "string",
- "_links": {
- "self": {
- "href": "string"
}, - "next": {
- "href": "string"
}
}
}
Create authorization request
Creates an authorization resource. Use the resulting authorizationId in end user authentication and authorization.
header Parameters
x-api-key required | string API Key |
Authorization required | string Authorization Token representing the application, acquired via Client Credentials flow. |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Accept-Language | string Default: fi Enum: "fi" "en" "sv" Preferred language |
Request Body schema: application/json; charset=utf-8
expires | string <date-time> Specified date and time when authorization expires. Expiration date time can not be more than 90 days in to the future. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in must include the timezone. |
transactionFrom | string <date> Specified start date for transaction query period. The date cannot exceed 730 days into past. |
transactionTo | string <date> Specified end date and time for transaction query period. The data must not exceed current date. Date is inclusive. |
Responses
Request samples
- Payload
- CURL
{- "expires": "2017-04-05T10:43:07.000Z",
- "transactionFrom": "2018-01-01",
- "transactionTo": "2019-03-13"
}
Response samples
- 201
- default
{- "authorizationId": "string",
- "created": "2019-08-24T14:15:22Z",
- "modified": "2019-08-24T14:15:22Z",
- "authorized": "2019-08-24T14:15:22Z",
- "expires": "2019-08-24T14:15:22Z",
- "transactionFrom": "2019-08-24",
- "transactionTo": "2019-08-24",
- "status": "Unauthorized"
}
Get account authorization
Returns the details of an authorization resource.
path Parameters
authorizationId required | string Authorization ID |
header Parameters
x-api-key required | string API Key |
Authorization required | string Authorization Token representing the application, acquired via Client Credentials flow. |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Accept-Language | string Default: fi Enum: "fi" "en" "sv" Preferred language |
Responses
Request samples
- CURL
curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/authorizations/{authorizationId} \ -H 'x-api-key: string' \ -H 'x-fapi-customer-last-logged-time: string' \ -H 'x-fapi-customer-ip-address: string' \ -H 'x-fapi-interaction-id: string' \ -H 'x-customer-user-agent: string' \ -H 'Authorization: string' \ -H 'Accept-Language: fi' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json'
Response samples
- 200
- default
{- "authorizationId": "string",
- "created": "2019-08-24T14:15:22Z",
- "modified": "2019-08-24T14:15:22Z",
- "authorized": "2019-08-24T14:15:22Z",
- "expires": "2019-08-24T14:15:22Z",
- "transactionFrom": "2019-08-24",
- "transactionTo": "2019-08-24",
- "status": "Unauthorized"
}
Revoke authorization
Permanently revokes an existing authorization.
path Parameters
authorizationId required | string Authorization ID |
header Parameters
x-api-key required | string API Key |
Authorization required | string Authorization Token representing the application, acquired via Client Credentials flow. |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation id. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Accept-Language | string Default: fi Enum: "fi" "en" "sv" Preferred language |
Responses
Request samples
- CURL
curl -X DELETE https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/authorizations/{authorizationId} \ -H 'x-api-key: string' \ -H 'x-fapi-customer-last-logged-time: string' \ -H 'x-fapi-customer-ip-address: string' \ -H 'x-fapi-interaction-id: string' \ -H 'x-customer-user-agent: string' \ -H 'Authorization: string' \ -H 'Accept-Language: fi' \ -H 'Accept: application/json' \ -H 'Content-Type: application/json'
Response samples
- 200
- default
{- "authorizationId": "string",
- "created": "2019-08-24T14:15:22Z",
- "modified": "2019-08-24T14:15:22Z",
- "authorized": "2019-08-24T14:15:22Z",
- "expires": "2019-08-24T14:15:22Z",
- "transactionFrom": "2019-08-24",
- "transactionTo": "2019-08-24",
- "status": "Unauthorized"
}