API docs by Redocly

OP PSD2 Account Information Service API (v1.1)

Download OpenAPI specification:Download

PSD2 support: tpp-support@op.fi


NOTE: Calling PSD2 APIs with Postman is not supported at this time.

PSD2 Account Information Service allows Third-Party Providers to present and process account and transaction data to OP's customers. Check our PSD2 page for more information about the APIs and the regulation.

Using this API requires end user authentication and authorization. Registered TPP (later AISP) can request for account information of a Payment Services User (PSU) through OP PSD2 AIS API. Prerequisite is that the AISP has been registered by a National Competent Authority (NCA) in EU/ETA area and the account owner (PSU) has mandated the AISP to request the account information.

The agreement of the account information service (AIS) is made between the PSU and the AISP. OP is not a participant in this agreement. Instead, OP provides the authentication and confirmation mechanism for the PSU to confirm the account requests the AISP has sent. Account information requests through OP PSD2 AIS API applies only to payment accounts.

See the full workflow for PSD2 AIS API >

Sandbox

PSD2 APIs are available in sandbox free of charge for both licensed and unlicensed developers. Full details for sandbox access.

Production access

Following the regulation, using PSD2 APIs is free of charge also in production. However, a Third-Party Provider has to apply for an AISP/PISP license from a financial authority (e.g. FIN-FSA in Finland) and obtain valid QWAC and QSEAL certificates. Full details for production access.

Access to business accounts

Only the account holder, i.e. the company, can grant TPPs the right to access the company's business accounts. However, technically the company representative, i.e. the business user, is the actor who in practice confirms with their banking codes the access to business accounts for the TPP.

As the business user is not the holder of the account, the user needs an additional access right from the account holder in order to be able to confirm the requests sent by authorized TPPs.

Instructions for the additional access right registration are available at op.fi in Finnish, Swedish, and English.

After this registration, the business user is able to confirm (or reject) the requests sent by TPPs.

Accounts

The main steps in the account information process are as follows:

  1. The PSU and the AISP agree upon the Account information service.
  2. AISP must register as a client to OP PSD2 Account Information Service API (online technical registration).
  3. PSU starts the account information request at the AISP's service.
  4. AISP sends the account information request to OP.
  5. AISP redirects PSU to OP's Authentication service.
  6. PSU performs SCA with their bank credentials and selects the payment accounts to be accessed by the AISP.
  7. After the PSU has confirmed the request, the PSU is redirected back to AISP's service with access_code.
  8. AISP exchanges the access_code to access_token (for accessing the API) and refresh_token (for getting new access_token and refresh_token).
  9. After the retrieval of the needed credentials AISP may request account information from the accounts the PSU has confirmed

Authorization requests:

  • Authorization request can be a one-off or for longer period up to 180 days.
  • One-off requests are valid for 60 minutes after authorization and allow for fetching transactions up to 730 days in the past.
  • Use of 180 days exemption allows fetching transactions up to 90 days in the past for the authorized period (up to 180 days).
  • When the authorization period has elapsed, the PSU must perform the SCA again to confirm the use of their account information.
  • When the up to 180 days authorization period is valid, the AISP can make the requests without the presence of the PSU – this is called as an exemption from the SCA.
  • Number of requests made without the presence of the PSU, is restricted to four requests per 24-hour period.

Revocation of the access to the accounts

  • The PSU may revoke the access to the accounts through the same AISP’s service through which the access was originally granted. AISP must send the revocation information to OP by deleting the authorization.

List authorized accounts

Lists all accounts to which the customer has provided authorization.

header Parameters
x-api-key
required
string

API Key

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Authorization
string

An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow.

Responses

Request samples 

curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/accounts \
-H 'x-api-key: string' \
-H 'x-fapi-customer-last-logged-time: string' \
-H 'x-fapi-customer-ip-address: string' \
-H 'x-fapi-interaction-id: string' \
-H 'x-customer-user-agent: string' \
-H 'Authorization: string' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'

Response samples

Content type
application/json; charset=utf-8
[
  • {
    }
]

Account details

Returns the details of a single account.

path Parameters
accountId
required
string

Account ID

header Parameters
x-api-key
required
string

API Key

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Authorization
string

An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow.

Accept-Language
string
Default: fi
Enum: "fi" "en" "sv"

Preferred language

Responses

Request samples 

curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/accounts/{accountId} \
-H 'x-api-key: string' \
-H 'x-fapi-customer-last-logged-time: string' \
-H 'x-fapi-customer-ip-address: string' \
-H 'x-fapi-interaction-id: string' \
-H 'x-customer-user-agent: string' \
-H 'Authorization: string' \
-H 'Accept-Language: fi' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'

Response samples

Content type
application/json; charset=utf-8
{
  • "accountId": "string",
  • "productName": "KÄYTTÖTILI",
  • "identifierSchema": "IBAN",
  • "identifier": "string",
  • "servicerSchema": "BIC",
  • "servicer": "OKOYFIHH",
  • "owner": "Matti Meikäläinen",
  • "netBalance": "1234.56",
  • "grossBalance": "1234.56",
  • "counterBalance": "1234.56",
  • "coverReservationAmount": "1234.56",
  • "currency": "EUR"
}

Get Account transactions

Lists transactions on a single account.

path Parameters
accountId
required
string

Account ID

query Parameters
continuationToken
string

Continuation token for fetching more results

archiveId
string

Get transactions by archiveId

header Parameters
x-api-key
required
string

API Key

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Authorization
string

An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow.

Accept-Language
string
Default: fi
Enum: "fi" "en" "sv"

Preferred language

Responses

Request samples 

curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/accounts/{accountId}/transactions \
-H 'x-api-key: string' \
-H 'x-fapi-customer-last-logged-time: string' \
-H 'x-fapi-customer-ip-address: string' \
-H 'x-fapi-interaction-id: string' \
-H 'x-customer-user-agent: string' \
-H 'Authorization: string' \
-H 'Accept-Language: fi' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'

Response samples

Content type
application/json; charset=utf-8
{
  • "transactions": [
    ],
  • "continuationToken": "string",
  • "_links": {
    }
}

Cards

List authorized cards

Lists all cards authorized by the end user.

header Parameters
x-api-key
required
string

API Key

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Authorization
string

An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow.

Accept-Language
string
Default: fi
Enum: "fi" "en" "sv"

Preferred language

Responses

Request samples 

curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/cards \
-H 'x-api-key: string' \
-H 'x-fapi-customer-last-logged-time: string' \
-H 'x-fapi-customer-ip-address: string' \
-H 'x-fapi-interaction-id: string' \
-H 'x-customer-user-agent: string' \
-H 'Authorization: string' \
-H 'Accept-Language: fi' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'

Response samples

Content type
application/json; charset=utf-8
[
  • {
    }
]

Get Card transactions

Retrieves transactions on a card.

path Parameters
cardId
required
string

Card ID

query Parameters
continuationToken
string

Continuation token for fetching more results

header Parameters
x-api-key
required
string

API Key

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Authorization
string

An Authorisation Token representing the end user as per https://tools.ietf.org/html/rfc6750, representing the customer. Acquired at the end of the OIDC flow.

Accept-Language
string
Default: fi
Enum: "fi" "en" "sv"

Preferred language

Responses

Request samples 

curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/cards/{cardId}/transactions \
-H 'x-api-key: string' \
-H 'x-fapi-customer-last-logged-time: string' \
-H 'x-fapi-customer-ip-address: string' \
-H 'x-fapi-interaction-id: string' \
-H 'x-customer-user-agent: string' \
-H 'Authorization: string' \
-H 'Accept-Language: fi' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'

Response samples

Content type
application/json; charset=utf-8
{
  • "transactions": [
    ],
  • "continuationToken": "string",
  • "_links": {
    }
}

Authorization

Create authorization request

Creates an authorization resource. Use the resulting authorizationId in end user authentication and authorization.

header Parameters
x-api-key
required
string

API Key

Authorization
required
string

Authorization Token representing the application, acquired via Client Credentials flow.

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Accept-Language
string
Default: fi
Enum: "fi" "en" "sv"

Preferred language

Request Body schema: application/json; charset=utf-8
expires
string <date-time>

Specified date and time when authorization expires. Expiration date time can not be more than 180 days in to the future. All dates in the JSON payloads are represented in ISO 8601 date-time format. All date-time fields in must include the timezone.

transactionFrom
string <date>

Specified start date for transaction query period. The date cannot exceed 730 days into past.

transactionTo
string <date>

Specified end date and time for transaction query period. The data must not exceed current date. Date is inclusive.

Responses

Request samples

Content type
application/json; charset=utf-8
{
  • "expires": "2017-04-05T10:43:07.000Z",
  • "transactionFrom": "2018-01-01",
  • "transactionTo": "2019-03-13"
}

Response samples

Content type
application/json; charset=utf-8
{
  • "authorizationId": "string",
  • "created": "2019-08-24T14:15:22Z",
  • "modified": "2019-08-24T14:15:22Z",
  • "authorized": "2019-08-24T14:15:22Z",
  • "expires": "2019-08-24T14:15:22Z",
  • "transactionFrom": "2019-08-24",
  • "transactionTo": "2019-08-24",
  • "status": "Unauthorized"
}

Get account authorization

Returns the details of an authorization resource.

path Parameters
authorizationId
required
string

Authorization ID

header Parameters
x-api-key
required
string

API Key

Authorization
required
string

Authorization Token representing the application, acquired via Client Credentials flow.

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Accept-Language
string
Default: fi
Enum: "fi" "en" "sv"

Preferred language

Responses

Request samples 

curl -X GET https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/authorizations/{authorizationId} \
-H 'x-api-key: string' \
-H 'x-fapi-customer-last-logged-time: string' \
-H 'x-fapi-customer-ip-address: string' \
-H 'x-fapi-interaction-id: string' \
-H 'x-customer-user-agent: string' \
-H 'Authorization: string' \
-H 'Accept-Language: fi' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'

Response samples

Content type
application/json; charset=utf-8
{
  • "authorizationId": "string",
  • "created": "2019-08-24T14:15:22Z",
  • "modified": "2019-08-24T14:15:22Z",
  • "authorized": "2019-08-24T14:15:22Z",
  • "expires": "2019-08-24T14:15:22Z",
  • "transactionFrom": "2019-08-24",
  • "transactionTo": "2019-08-24",
  • "status": "Unauthorized"
}

Revoke authorization

Permanently revokes an existing authorization.

path Parameters
authorizationId
required
string

Authorization ID

header Parameters
x-api-key
required
string

API Key

Authorization
required
string

Authorization Token representing the application, acquired via Client Credentials flow.

x-fapi-customer-last-logged-time
string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe...

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

x-fapi-customer-ip-address
string

The PSU's IP address if the PSU is currently logged in with the TPP.

x-fapi-interaction-id
string

An RFC4122 UID used as a correlation id.

x-customer-user-agent
string

Indicates the user-agent that the PSU is using.

Accept-Language
string
Default: fi
Enum: "fi" "en" "sv"

Preferred language

Responses

Request samples 

curl -X DELETE https://psd2.mtls.sandbox.apis.op.fi/accounts-psd2/v1/authorizations/{authorizationId} \
-H 'x-api-key: string' \
-H 'x-fapi-customer-last-logged-time: string' \
-H 'x-fapi-customer-ip-address: string' \
-H 'x-fapi-interaction-id: string' \
-H 'x-customer-user-agent: string' \
-H 'Authorization: string' \
-H 'Accept-Language: fi' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'

Response samples

Content type
application/json; charset=utf-8
{
  • "authorizationId": "string",
  • "created": "2019-08-24T14:15:22Z",
  • "modified": "2019-08-24T14:15:22Z",
  • "authorized": "2019-08-24T14:15:22Z",
  • "expires": "2019-08-24T14:15:22Z",
  • "transactionFrom": "2019-08-24",
  • "transactionTo": "2019-08-24",
  • "status": "Unauthorized"
}