OP PSD2 Confirmation of Funds API (v1.0)
OP PSD2 Confirmation of Funds API allows Third-Party Providers to create and authorize requests regarding availability of funds on an account. Read more about PSD2 regulation and our APIs.
Please note that calling OP's PSD2 APIs with Postman is not supported at this time.
Using this API requires authenticating the client application, and end user authentication and authorization.
- AISP: Account Information Service Provider
- ASPSP: Account Servicing Payment Service Provider
- CoF: Confirmation of Funds
- PISP: Payment Initiation Service Provider
- PSP: Payment Service Provider
- PSU: Payment Service User
- TPP: Third-Party Provider accessing the API
PSD2 APIs are available in sandbox free of charge for both licensed and unlicensed developers. See full details for sandbox access.
Following the regulation, using PSD2 APIs is free of charge also in production. However, a Third-Party Provider has to apply for an AISP/PISP licence from a financial authority (e.g. FIN-FSA in Finland) and obtain valid QWAC and QSEAL certificates. See full details for production access.
Only the account holder, i.e. the company, can grant TPPs the right to access the company's business accounts.
However, technically the company representative, i.e. the business user, is the actor who in practice confirms with their banking codes
the access to business accounts for the TPP.
As the business user is not the holder of the account, the user needs an additional access right from the account holder
in order to be able to confirm the requests sent by authorized TPPs.
Instructions for the additional access right registration are available at op.fi in Finnish, Swedish, and English.
After this registration, the business user is able to confirm (or reject) the requests sent by TPPs.
Create funds confirmation
This request is used to check the availability of funds on an authorized EUR account.
header Parameters
Authorization required | string An Authorisation Token as per https://tools.ietf.org/html/rfc6750 |
Accept required | string Value: "application/json" The Accept request HTTP header advertises which content types, expressed as MIME types, the client is able to understand. This header must be set to 'application/json' or HTTP status Bad Request (400) will be returned. |
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... Example: Thu, 21 Sep 2019 19:43:31 UTC The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation ID. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Request Body schema: application/json; charset=utf-8
authorizationId | string Unique identification as assigned by the ASPSP to uniquely identify the funds confirmation authorization. |
amountEUR | string <number> ^\d{1,13}(?:\.\d\d)?$ Amount of money whose availability on the account is to be confirmed. The value is a positive (greater than zero) monetary amount in EUR. |
Responses
Request samples
- Payload
- CURL
{
  "authorizationId": "6d07d98e-e406-443e-b75b-ce2af15928b8",
  "amountEUR": "string"
}
Response samples
- 201
- default
{
  "fundsConfirmationId": "d99a5c3b-a989-4b6f-8af1-9b62e3de9058",
  "authorizationId": "6d07d98e-e406-443e-b75b-ce2af15928b8",
  "created": "2019-02-21T10:43:07+02:00",
  "amountEUR": "string",
  "fundsAvailable": true
}
Create authorization request
Creates an authorization request for confirming availability of funds. The request must be authorized by the PSU. Returns an authorizationId which can be used for authorizing the confirmation of funds. Authorization must be completed before the first actual funds confirmation request.
header Parameters
Authorization required | string An Authorisation Token as per https://tools.ietf.org/html/rfc6750 |
Accept required | string Value: "application/json" The Accept request HTTP header advertises which content types, expressed as MIME types, the client is able to understand. This header must be set to 'application/json' or HTTP status Bad Request (400) will be returned. |
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... Example: Thu, 21 Sep 2019 19:43:31 UTC The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation ID. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Request Body schema: application/json; charset=utf-8
expires | string <date-time> ^\d{4}(-\d\d(-\d\d(T\d\d:\d\d(:\d\d)?(\.\d+)?... Date and time at which the funds confirmation authorization will expire. If this is not defined, the authorization will expire after a year, which is the maximum valid period for a single authorization. If the expires value is defined, it cannot exceed the maximum valid period of one year. The value is represented in ISO 8601 date-time format and must include the timezone. |
iban | string IBAN (without formatting spaces) of the debtor's account to which the confirmation of funds authorization will be applied. |
Responses
Request samples
- Payload
- CURL
{
  "expires": "2012-03-05T10:43:07Z",
  "iban": "FI8659986920068681"
}
Response samples
- 201
- default
{
  "authorizationId": "6d07d98e-e406-443e-b75b-ce2af15928b8",
  "created": "2019-02-21T10:43:07+02:00",
  "status": "Unauthorized",
  "expires": "2012-03-05T10:43:07Z",
  "iban": "FI8659986920068681"
}
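The request body rules stated above for funds confirmation (amountEUR pattern, value greater than zero) and for the authorization request (IBAN without formatting spaces, expires with a timezone and at most one year ahead) can be enforced on the TPP side before anything is sent. The Python below is an added example, not code from OP or from the specification; the function names, the reading of "one year" as 365 days counted from the caller's `now`, and the IBAN mod-97 checksum are assumptions or additions that the page does not state.

```python
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Pattern from the amountEUR schema (anchors replaced by fullmatch);
# re.ASCII keeps \d to 0-9 only.
AMOUNT_RE = re.compile(r"\d{1,13}(?:\.\d\d)?", re.ASCII)
MAX_VALIDITY = timedelta(days=365)  # assumption: "one year" read as 365 days

def check_amount(amount_eur):
    """amountEUR: a string matching the schema pattern, greater than zero."""
    if not isinstance(amount_eur, str) or not AMOUNT_RE.fullmatch(amount_eur):
        raise ValueError("amountEUR must be a string like '10' or '10.00'")
    if Decimal(amount_eur) <= 0:
        raise ValueError("amountEUR must be greater than zero")
    return amount_eur

def check_iban(iban):
    """IBAN without formatting spaces; the mod-97 checksum is an added check."""
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}", iban):
        raise ValueError("IBAN must be upper case with no spaces")
    digits = "".join(str(int(c, 36)) for c in iban[4:] + iban[:4])
    if int(digits) % 97 != 1:
        raise ValueError("IBAN checksum mismatch")
    return iban

def check_expires(expires, now):
    """expires: ISO 8601 with a timezone, at most one year after `now`."""
    parsed = datetime.fromisoformat(expires.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("expires must include the timezone")
    if parsed > now + MAX_VALIDITY:
        raise ValueError("expires exceeds the one-year maximum")
    return expires

def authorization_request(iban, expires=None, now=None):
    """Body for 'Create authorization request' (hypothetical helper name)."""
    body = {"iban": check_iban(iban)}
    if expires is not None:  # omitted: the authorization expires after a year
        body["expires"] = check_expires(expires, now or datetime.now(timezone.utc))
    return body

def funds_confirmation_request(authorization_id, amount_eur):
    """Body for 'Create funds confirmation' (hypothetical helper name)."""
    return {"authorizationId": authorization_id,
            "amountEUR": check_amount(amount_eur)}
```

Serialise the returned dictionaries as JSON for the request body; a ValueError means the request would not satisfy the documented schema and should not be sent.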
Get account authorization
Get account authorization request is used to obtain information related to authorization made by the PSU.
path Parameters
authorizationId required | string <uuid> Example: 6d07d98e-e406-443e-b75b-ce2af15928b8 Unique identification as assigned by the ASPSP to uniquely identify the funds confirmation authorization. |
header Parameters
Accept required | string Value: "application/json" The Accept request HTTP header advertises which content types, expressed as MIME types, the client is able to understand. This header must be set to 'application/json' or HTTP status Bad Request (400) will be returned. |
Authorization required | string An Authorisation Token as per https://tools.ietf.org/html/rfc6750 |
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... Example: Thu, 21 Sep 2019 19:43:31 UTC The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation ID. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Responses
Request samples
- CURL
curl -X GET https://psd2.mtls.sandbox.apis.op.fi/confirmation-of-funds-psd2/v1/authorizations/{authorizationId} \
  -H 'Authorization: string' \
  -H 'x-api-key: string' \
  -H 'x-fapi-customer-last-logged-time: string' \
  -H 'x-fapi-customer-ip-address: string' \
  -H 'x-fapi-interaction-id: string' \
  -H 'x-customer-user-agent: string' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json'
Response samples
- 200
- default
{
  "authorizationId": "6d07d98e-e406-443e-b75b-ce2af15928b8",
  "created": "2019-02-21T10:43:07+02:00",
  "modified": "2019-02-21T10:44:07+02:00",
  "authorized": "2019-02-21T10:45:07+02:00",
  "status": "Authorized",
  "expires": "2012-03-05T10:43:07Z",
  "iban": "FI8659986920068681"
}
Revoke authorization
path Parameters
authorizationId required | string <uuid> Example: 6d07d98e-e406-443e-b75b-ce2af15928b8 Unique identification as assigned by the ASPSP to uniquely identify the funds confirmation authorization. |
header Parameters
Accept required | string Value: "application/json" The Accept request HTTP header advertises which content types, expressed as MIME types, the client is able to understand. This header must be set to 'application/json' or HTTP status Bad Request (400) will be returned. |
Authorization required | string An Authorisation Token as per https://tools.ietf.org/html/rfc6750 |
x-api-key required | string API Key |
x-fapi-customer-last-logged-time | string^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Fe... Example: Thu, 21 Sep 2019 19:43:31 UTC The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. |
x-fapi-customer-ip-address | string The PSU's IP address if the PSU is currently logged in with the TPP. |
x-fapi-interaction-id | string An RFC4122 UID used as a correlation ID. |
x-customer-user-agent | string Indicates the user-agent that the PSU is using. |
Responses
Request samples
- CURL
curl -X DELETE https://psd2.mtls.sandbox.apis.op.fi/confirmation-of-funds-psd2/v1/authorizations/{authorizationId} \
  -H 'Authorization: string' \
  -H 'x-api-key: string' \
  -H 'x-fapi-customer-last-logged-time: string' \
  -H 'x-fapi-customer-ip-address: string' \
  -H 'x-fapi-interaction-id: string' \
  -H 'x-customer-user-agent: string' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json'
Response samples
- 200
- default
{
  "authorizationId": "6d07d98e-e406-443e-b75b-ce2af15928b8",
  "created": "2019-02-21T10:43:07+02:00",
  "modified": "2019-02-21T10:44:07+02:00",
  "authorized": "2019-02-21T10:45:07+02:00",
  "status": "Revoked",
  "expires": "2012-03-05T10:43:07Z",
  "iban": "FI8659986920068681"
}