Common Request Headers
In order to successfully send API requests, TPPs must send a set of HTTP headers that allow the bank to check the request's validity. This includes signing the request with a qualified certificate.
Formulate the required headers for the Token API in accordance with these formatting rules:
- Headers are case-insensitive
- Header fields must be separated by a colon
- Key-value pairs must be in clear-text string format
- Denote the end of the header section with an empty line (an empty header field)
For a general review of HTTP 1.1 header formatting, see https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html.
The headers listed in the following table marked "mandatory" are required. All others are optional.
| Header | Description |  |  |
|---|---|---|---|
| customer-initiated | Boolean. Tells the bank that the API call was explicitly initiated by the PSU (Payment Services User: an individual person or legal business entity making use of an Open Banking service as a payee, payer or both). Useful for staying within bank restrictions that impose a 4-times-a-day (i.e., within the same 24-hour period) access limit on the same AISP (Account Information Service Provider: a TPP authorised to access consumer or business account data from the account holder's financial institutions with the account holder's explicit consent) in accordance with RTS regulations (Regulatory Technical Standard: detailed specifications to achieve the strict security requirements for payment service providers in the EU). | Optional | Optional |
| token-customer-last-logged-time | Time when the PSU last logged in with the TPP. | Optional | Optional |
| (header name not present in source) | PSU's IP address, if the PSU is currently logged in with the TPP. If the customer IP address (IPv4, in dot-decimal notation: four decimal numbers, each from 0 to 255, separated by dots, e.g., 172.16.254.1) is supplied (recommended), the bank infers that the PSU is present during the session (i.e., the request is PSU-initiated; adding a "customer-initiated": "true" header makes this explicit). For AIS calls, if the customer's IP address is not provided in the request, the bank assumes it is a TPP-initiated request and may limit the TPP to 4 TPP-initiated access attempts within a given 24-hour period. |  |  |
| (header name not present in source) | Unique identifier generated on the client side. |  |  |
| token-customer-user-agent | Specifies the user agent for the PSU. Format: `Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion`. Examples: `Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0` and `Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0`. If the PSU is using the TPP's mobile app, make sure the mobile app's user-agent string differs from browser-based user-agent strings. |  |  |
| token-json-error | Boolean. Converts the error response, if any, to JSON format. See Changing Error Responses to JSON Format. | Optional | Optional |
| (header name not present in source) | Passes valid credentials constructed for either the Token Authentication (Basic) or the JWT Authentication (Bearer) scheme. See the links above for basic and bearer authentication for the respective format and examples. |  |  |
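As an added example (not Token's own code), the following bank-side check implements the rules in this table: header names are compared case-insensitively, PSU presence is inferred from a true `customer-initiated` header or a well-formed dot-decimal IPv4 PSU address, the user agent is checked against the Firefox-style format above, and TPP-initiated AIS calls are capped at 4 per sliding 24-hour window. The page does not name the PSU IP header, so `PSU_IP_HEADER` is an assumed placeholder, as is the `tpp_id` used to key the limiter.

```python
"""Bank-side classification of Token API requests from their headers (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

PSU_IP_HEADER = "psu-ip-header-placeholder"  # assumption: the page does not give the real name
TPP_DAILY_LIMIT = 4                          # TPP-initiated AIS calls allowed per 24 hours
# Dot-decimal IPv4: four numbers, each 0-255, separated by dots.
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
# Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion
GECKO_UA = re.compile(r"^Mozilla/5\.0 \([^)]+; rv:[\d.]+\) Gecko/\w+ Firefox/[\d.]+$")


def normalise(headers):
    """Header names are case-insensitive: fold them to lowercase and strip values."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def is_psu_initiated(headers):
    """PSU is present if customer-initiated is true or a valid PSU IPv4 address is supplied."""
    h = normalise(headers)
    if h.get("customer-initiated", "").lower() == "true":
        return True
    return bool(IPV4.match(h.get(PSU_IP_HEADER, "")))


def user_agent_ok(headers):
    """True when token-customer-user-agent follows the Gecko/Firefox format from the table."""
    return bool(GECKO_UA.match(normalise(headers).get("token-customer-user-agent", "")))


class AisAccessLimiter:
    """Sliding 24-hour window of TPP-initiated AIS calls, counted per TPP."""

    def __init__(self, limit=TPP_DAILY_LIMIT):
        self.limit = limit
        self.calls = defaultdict(deque)   # tpp_id -> timestamps of counted calls

    def allow(self, tpp_id, headers, now):
        """Return True if the call may proceed; PSU-initiated calls are never counted."""
        if is_psu_initiated(headers):
            return True
        window = self.calls[tpp_id]
        while window and now - window[0] >= timedelta(hours=24):
            window.popleft()              # drop calls older than 24 hours
        if len(window) >= self.limit:
            return False                  # fifth TPP-initiated call in the window is refused
        window.append(now)
        return True
```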