Token Services Architecture

Services are units of software that perform a function. They are used to break complex problems into a series of simpler problems. Services are also designed to be separately deployable, allowing Token to build highly scalable and resilient systems.

A high tolerance to various stresses and failures under real-world conditions is called resilience. Token's services architecture builds systems that continue to function when things fail by making them autonomous, thereby eliminating single points of failure (SPOF). These services are then deployed to Token's cloud infrastructure and scaled up or down on demand. Hence, when one service instance fails, the Token Platform detects this and automatically finds or creates another instance of the service that is working. This is called failover.

A high-level structural view of Token's services architecture looks like this:

Depending on the Token-connected bank, Token's Bank SDK is implemented either directly, interfacing with the bank's Open Banking API, or through Token, utilizing Token's Bank Integration SDK. The Bank Integration SDK communicates with the Token Platform (also called the Token Cloud) through Bank Adapter middleware and an Integration Service, which transform (translate) and segregate requests and responses to and from the Token Cloud into data objects understandable by the disparate systems — the bank's Core Banking System on one side and Token's Open Banking Service on the other. Token's Core Service similarly coordinates the request-reply information flow to and from registered and verified TPP members, managing the token creation-redemption-cancellation/expiration lifecycle.
Token's Member, Consent, and Directory services handle TPP member enrollment and service access (AIS/PIS/CBPII), authentication (SCA), and licensing and certification (eIDAS) verification, respectively. Securely relaying open banking requests by TPPs and the corresponding responses from the bank is achieved through a Gateway hosting Token's gRPC interface and a REST API for direct TPP communications. Indirect TPP application integration is supported by the TPP SDK, which is available in multiple programming languages (Java, JavaScript, and C#) and which interfaces with the gRPC protocol buffers. System Administration and Monitoring of SaaS operations complete the architecture with secure management visibility and control services.

The foregoing, all working together, enable easy integration with your existing IT infrastructure, delivering bank connectivity to TPPs via a single connection. Moreover, just as bank integration can be accomplished directly or through Token, TPP integration can be direct-to-bank or through Token, as well. TPPs choosing the latter course (through Token) can use their own licence or Token's licence. Ultimately, this distinguishes TPPs into three types:

  • TPPs connecting to Token's network of banks using Token's licence
  • TPPs connecting to Token's network of banks using their own licence
  • TPPs connecting directly to a specific bank using their own licence

An additional level of classification involves resellers. See TPPs versus Resellers for additional information.