Support           API Reference           Log in to Dashboard →

Standing Orders / Recurring Payments

A standing order (or a standing instruction) is an instruction to pay a set amount at regular intervals to a beneficiary account. The instruction is sometimes known as a banker's order. These transactions are also referred to as recurring payments — giving permission to a retailer or merchant to deduct payments for goods or services from the user's bank account on a regularly scheduled basis. In addition to the information required for a single payment, standing orders need a start date, an end date, and a frequency.

The frequencies supported for standing orders comprise daily (DAIL), weekly (WEEK), twice-weekly (TOWK), monthly (MNTH), twice-monthly (TOMN), quarterly (QUTR), semiannually (SEMI), and yearly (YEAR). Hence, if a customer wishes to authorize a standing order beginning on a startDate of 2020-08-01 and lasting until an endDate of 2022-07-31, with a frequency of MNTH, this represents 24 equal monthly payments to be executed on the first of each month or the next business day after, beginning in August of 2020 and ending July 2022.

The Token API also supports the CMA9 specification for variable installment payment amounts and dates (first, recurring, and last).

Before initiating a request to a Token.io-connected bank, you'll first need to get the list of banks in the desired country that support the features you need to access. A GET /v2/banks call filters the list of Token.io-connected banks based on your selection criteria with respect to bank location and bank-supported features. See Bank Selection for more on filtering and selecting Token-connected banks.

Bank-initiated Standing Order Submission (1-step)

Putting the full sequence into perspective, the diagram pictured next (click to enlarge) shows the communication flow for submitting a bank-initiated standing order.

TPP-initiated Standing Order Submission (2-step)

The sequence diagram pictured next shows the communication flow for a TPP-initiated SIP.

Heads-up: For standing order requests subject to additional credentials in mandatoryFields, see the discussion on mapping mandatory fields in bank selection for the correct field mapping, paying special attention to the differences in authenticating credentials in the respective request flows; i.e., using the Token Web App versus not using the Token Web App.

If the mandatory user credentials you provide are invalid, the submission status returned will be unauthenticated, and you will need to repeat the redirect to the bank for consent to have your user try again. Conversely, when the status returned is authenticated, it means the bank has accepted the consent and no redirect is required.

Guidance for making the appropriate POST and GET calls, as well as handling Token's responses to these requests is covered in the code examples below.

CMA9 Standing Orders: As mentioned above, the API also supports the more granular frequency settings for standing orders required by the CMA9 specification, in addition to supporting variable payment amounts (first, recurring, last). Optional CMA9-specific parameters are labelled as such in the list of key fields.

To test OBIE-CMA9 standing orders, please use Ozone Bank.

Base URLs

See Base URLs.

Headers

See Common Request Headers.

Making the Token Request

To initiate a payment request with the bank, you'll need to be able to identify yourself as the calling TPP using your Member IDand your Alias, defined as follows:

  • Member ID – unique value generated by the Dashboard when you signed up.
  • Alias – unique email, domain, eIDAS or realmId you provided when you signed up.

A transfer request must include both parameters.

You can obtain the values from the dashboard by following these steps:

  1. If the dashboard isn't already open in a browser tab, sign in.

  2. Click Member Information in the navigation panel on the left.

  3. Click the "eye" icon to the right of each value to reveal it.

  4. Copy the value you need.

If the selected bank imposes this initial credentials check requirement, you'll need to capture the credentialFields specified by the bank (e.g., the user's ) in its response to your GET /banks call (see Bank Selection) and include this information in your payment request.

In addition, when initial credentials are required by the user-selected bank, the redirect URL in the sandbox will be:

https://tpp-integration.sandbox.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}

For production, the redirect URL changes to:

https://tpp-integration.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}

Here, {{your-redirect-url}} is your standard TPP redirect URL.

The exchange iterations necessary to provide initial credential information to the bank take place in the background.

If you are not connecting to a bank in Germany, Austria or Hungary, the requirement for an initial credentials check using the redirect URL format above does not apply and you should instead use the standard format outlined below.

Once the user gives consent for you to initiate PIS on the user's behalf, here's the call for POSTing /token-requests with a requestPayload:

POST {{BASE_URL}}/token-requests

{

    "requestPayload": {

        "refId": "xyz", // must be unique

        "to": {

            "id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq" // required TPP member ID; mandatory

        },

        "standingOrderBody": {

            "transferInstructions": {

                "metadata": {  // see notes on provider metadata below

                    },

                    "transferDestinations": {

                        "fasterPayments": {

                            "accountNumber": "70000005",

                            "sortCode": "700001"

                        },

                        "customerData": {

                            "legalNames": [

                                "Test"

                            ] // populating creditor name is mandatory

                        }

                    },

                },

                "startDate": "2019-12-16",

                "endDate": "2019-12-20",

                "frequency": "DAIL",

                "amount": "7.96",

                "currency": "EUR"

            },

            "description": "your description",

            "redirectUrl": "https://sample-merchant-domain.com/transfer"

            },

            "requestOptions": {

                "from": {

        }

    }

}

The most important request fields and their corresponding descriptions are listed in the following table.

Key Fields in the Transfer Token Request for SIP
Field Description/Subfields Required/Optional
refId TPP-generated reference identifier for the token; not to be confused with requestId. RefId is typically used by the TPP to reconcile transactions against payments received. RefId maps to tppRefId in the bank's consentRequest. It is needed to match/verify the originating token request with the bank's consent request.

Warning: If the description in subsequent token lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown.

 Required
to Identifies the member initiating the request Required
id Member ID of the TPP, a constant value in all requests; see Member Information in Understanding Dashboard Settings. Required
alias A human-readable proxy for your member identifier that contains your realmId or alias type (DOMAIN, EMAIL, other) and a value string.

A realmId identifies a member created under the realm of a specific bank.

See Member Information in Understanding Dashboard Settings to find your member id and alias.

 Optional; soon to be deprecated
standingOrderBody Specifies the critical details of the standing order: currency, amount, and transferDestinations(beneficiary account information). Required
currency Currency for the transaction Required
amount Payment amount valued in currency for each scheduled transfer.

For standing orders involving standard (non-variable) payments from a bank, lifetimeAmount maps to firstPayment, consistent with the standard.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Required
frequency ISO 20022 code for the scheduled frequency of standing order payments:

    • DAIL – daily; once a day
    • WEEK – weekly; once a week
    • TOWK – twice weekly; two times a week
    • MNTH – monthly; once a month
    • TOMN – twice monthly; two times a month
    • QUTR – quarterly; once every 3 months
    • SEMI – semi-annually; two times each year
    • YEAR – annually; once a year

Note: The day of the week for each instalment will be based on the day of week for startDate (e.g., if startDate falls on a Wednesday, every subsequent payment will also occur on a Wednesday). However, if frequency is MNTH, the day of the month for startDate is used (e.g., if startDate is the 5th of the month, all monthly instalments will occur on the 5th day of each succeeding month), unless startDate is the last day of the month. If so, all subsequent monthly instalments will occur on the last day of each month.		 Required
startDate Date on which the standing order will begin in ISO 8601 format (YYYY-MM-DD or YYYYMMD; order will last until endDate, when specified.

For non CMA9-specific standing orders involving a CMA9 bank, startDate maps to firstPaymentDateTime, consistent with the OBIE standard.

 Required
firstPayment First or "down" payment valued in currency in accordance with the OBIE standard. Value can be a different amount with respect to nextPayment and finalPayment.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Supported by CMA9 banks only
firstPaymentDateTime Scheduled date and time for firstPayment in accordance with the OBIE standard. Supported by CMA9 banks only
nextPayment Recurring instalment payment amount scheduled by nextPaymentDateTime and frequency in accordance with the OBIE standard. Supported by CMA9 banks only
nextPaymentDateTime Recurring payment date and time for instalments scheduled between firstPaymentDateTime and finalPaymentDateTime in accordance with the OBIE standard. Supported by CMA9 banks only
payment_amount Recurring payment amount for scheduled instalments between startDate and endDate in accordance with the OBIE standard. Supported by CMA9 banks only
payment_date_time Recurring payment date and time for instalments scheduled between startDate and endDate in accordance with the OBIE standard. If not specified for CMA9 orders, scheduled instalments will default in accordance to the day/date ascribed to frequency (see the note above). Supported by CMA9 banks only
number_of_payments int32 field specifying the total number of payments in accordance with the OBIE standard. Required if finalPaymentDateTime is not specified. Supported by CMA9 banks only
finalPayment Last and final payment valued in currency in accordance with the OBIE standard. Value can be a different amount with respect to firstPayment and nextPayment.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Supported by CMA9 banks only
finalPaymentDateTime Scheduled date and time for finalPayment in accordance with the OBIE standard. Required if numberOfPayments is not specified. Supported by CMA9 banks only
endDate Specifies the ending date for completing the order in ISO 8601 format (YYYY-MM-DD or YYYYMMDD).

For non CMA9-specific standing orders involving a CMA9 bank, endDate maps to finalPaymentDateTime, consistent with the OBIE standard.

 Required
remittanceInformation Creditor reference or payment remit identification for end-to-end transaction identification in accordance with the OBIE standard. Supported by CMA9 banks only
instructions Instructions to the bank for executing the transactions.
metadataBank-dependent; can include deliveryAddress, merchant identification, and provider information specific to this standing order — type of standing order (cma9StandingOrderMetadata, nextGenPsd2StandingOrderMetadata, polishApiStandingOrderMetadata, or stetStandingOrderMetadata), payment value and scheduling parameters (firstPayment, recurringPayment, and/or finalPayment), and so forth. See Notes on provider metadata below.
transferDestinationsThese are the beneficiary account details that determine if the request is for a domestic, , or cross-border payment. Generally, the beneficiary is the TPP. See Restricting Beneficiary Accounts for guidance on adding, modifying, and deleting accounts.

Each restricted destination/beneficiary account is specified according to the payment system used. See Initiating Payments for the list of supported payment systems and the respective account information fields required.

Required by some banks, optional for others, the type of destination account (business or personal) is specified under transferDestinations in customerData.type as UNKNOWN, BUSINESS or PERSONAL. When not specified, the default destination account type is BUSINESS.

A creditor name (customerData.legalNames) for the destination account is a required subfield parameter: transferInstructions.transferDestinations.customerData.legalNames

sourceIdentifies the bank account from which the amount is being debited; set using the AccountIdentifier object, See Source Account Validation for important rules about populating the source object.
 Required*
callbackState Developer-specified string allowing state to be persisted between the request and callback phases of the flow; used for the signature in a GET /token-requests/{tokenRequestId}/token-request-result call, in which the signing payload for the signature is a combination of state and tokenId and validates the tokenId against the callbackstate originally sent by the TPP in the request.

Note: The value of callbackState is added to the redirect URL and appended to the hash of the CSRF token specified by Token.io; e.g.:

https://{callback-url}?signature=%7B%22memberId%22%3A%22m%3A3rKtsoKaE1QUti3KCWPrcSQYvJj9%
3A5zKtXEAq%22%2C%22keyId%22%3A%22lgf2Mn0G4kkcXd5m%22%2C%22signature%22%3A%22Md-2D
G0X9PpuOxea0iK33cAZ2Ffk6E5I1mAcJS6YywU80Q0yYBOlwvGy37dmovmH_OC7Jl8c-fxQ5gP2RWTaDw%22%7D&
state=%257B%2522csrfTokenHash%2522%253A%2522pod1e6xornyoesn2sp%2522%257D&
tokenId=ta%3AHWowFawmAwiuPKNdM7xjpiQktPppgK2JatsWPZAyTHcq%3A5zKtXEAq

Optional
description Description of the payment with the following qualifiers:
  • must comply with the constraint imposed by the bank (see Bank-dependent Field Formatting)
  • length must be no greater than 255 characters
  • description in a subsequent call must match description in originating request
  • description omitted in originating request must also be omitted in subsequent calls
  • description omitted in subsequent call will be replaced with refId

This description field maps to description in the bank's consentRequest presented to the user.

Warning: If description in a subsequent token request for lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown.

 Optional, with the caveats described in the previous column
redirectUrl Defines the bank's callback URL where your server initiates token redemption. Required
remittanceReference Augments refId and description, this is TPP-defined additional information pertinent to the TPP's payments policies; for instance, could contain a full or partial credit card number when payment is being initiated for a credit card payment. Securely hashed to safeguard its transmission throughout the communication flow, this field should be considered by TPPs wishing to augment their transaction reference data for tracking and audit control. Optional
traceID TPP-provided unique value captured by Token and sent across to the bank to be stored with the request throughout its life-cycle as an audit-trail aid. Optional
requestOptions
  • bankId where payment is to be initiated
  • psuId of customer initiating the payment; recommended to identify and collate multiple standing orders initiated by the same user
  • receiptRequested – to specify that an email receipt is to be sent to the user by Token.io
 Optional
* Inclusion of some elements may be optional or bank-dependent

 

Cited in the table within transferInstructions and nested in source is the accountIdentifier object (required):

"source": {

    "accountIdentifier": {

        "gb_domestic": {

            "account_number": "70000005",

            "sort_code": "700001"

         }

    }

}

Remember, whatever you specify as the source and transferDestinations in the request will be reflected in the response.

A PAN is disallowed in the token request payload within the refId and description fields. In accordance with the PA-DSS security standard, Regex is used for pattern matching of numeric strings that intentionally or inadvertently reveal or resemble a PAN in the refId or description of a token request. Potential PAN patterns found will now throw an exception.

Payee Information

Submission and return of payee information is not supported by all banks. When supported, and based on the standard adopted by the bank, creditor account (payee) information (legal name and/or address) is included in customerData within providerTransactionDetails for single transactions. When included in the request, payee/creditor account information is available in the response, regardless of the API standard adopted by the bank; typically, however, the following guidelines apply:

  • STET requires creditor account information.

  • CMA9, NextGenPSD2, and PolishAPI have the creditor name and account identifiers, as well as the creditor agent BIC. However, these are optional fields, so the presence of creditor account information is bank-dependent.

  • CMA9 needs the creditor agent address, whilst PolishAPI requires the creditor's address.

If you are initiating a payment to Barclays Bank UK or HSBC, the creditor name (creditorAcount.name) can be no more than 18 characters. If this limit is exceeded, the bank will reject the payment.

Otherwise, when providing creditor name and address for CMA9 international payments, bear in mind that certain banks, such as HSBC, require creditor information to process international payments, despite its designation as "optional" in the OBIE specification. To be safe with respect to CMA9 international payments, provide this information in the customerData fields of the transferDestination object. The OBIE information maps to its Token counterpart as follows:

Token OBIE
flats SubDepartment
house_name Department
house_number BuildingNumber
street StreetName
post_code PostCode
city TownName
district CountrySubDivision
country Country

 

Using the actingAs property

Resellers and TPPs contractually granted permission by Token can create a token on behalf of another party by configuring the actingAs object in the requestPayload. Here's an example:

actingAs: {

    "displayName": "Rudolfo's Pizzeria",

    "logoUrl": "https://cdn-somewhere-on-the-web.com",

    "refId": "Merchant-No. TX14JG6890", // unique reference for internal tracking and reporting; e.g., a merchant-id

    "secondaryName": "rudys-restaurants.it" }

Each identifier is defined in the following table:

Properties of the actingAs Field
Field Description Required/ Optional
displayName Name of recipient shown to user Required*
logoUrl URL pointing to recipient's logo Optional
secondaryName Domain or email address of recipient shown to user along with displayName Optional
refId TPP's discretionary reference identification of the recipient, opaque to Token; can be used by a "gateway" business member to (uniquely) define a merchant that is acting through it.The uniqueness of refId should be handled by the gateway member; typically a reseller requiring separate reports for each participating merchant it is representing. Optional
* Required when specifying ActingAs, although ActingAs is otherwise optional.

A "gateway" is a business member empowered to act on behalf of a merchant that is not registered as a member in the Token system. The gateway member must have ACT_ON_BEHALF_OF permission from Token and populate the actingAs field in the token request accordingly to indicate the merchant on whose behalf it is acting.

Processing the Response

Here's an example of the response you'll receive:

Response to transfer token request

"tokenRequest": {

    "id": "rq:3eoe4MPXkUGEA3gWeMTDWPTKAfxU:5zKtXEAq", // request-id; add to BASE_URL for consent

    "requestPayload": {

        "redirectUrl": "https://sample-merchant-domain.com/pis"

        "to": {

            "alias": {

                "type": "EMAIL",

                "value": noverify@token.io"

            }

            "id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq"// TPPmember ID

        },

        "standingOrderBody": {

              "instructions": {

                  "metadata": {

                  },

                  "transferDestinations": {

                      "fasterPayments": {

                          "accountNumber": "70000005",

                          "sortCode": "700001"

                      }

                  },

                  "customerData": {

                      "legalNames": ["Southside"]

                  }

              },

              "startDate": "2019-12-16",

              "endDate": "2019-12-20",

              "frequency": "DAIL",

              "amount": "7.96",

              "currency": "EUR"

        },

        "description": "your description",

        "redirectUrl": "https://sample-merchant-domain.com"/transfer

    }

}

Create the redirect URL by appending the request id in the response (shown above in red) to the redirect base URL, then send it to the user to provide explicit consent to bank.

https://{{BASE_URL}}/app/request-token/{{Insert request-id here}}

// example = https://web-app.sandbox.token.io/app/request-token/rq:3eoe4MPXkUGEA3gWeMTDWPTKAfxU:5zKtXEAq

You can specify a particular language by passing its language code (lang=country-code) as a query parameter, appended to the URL above, which the user can override in the Web App according to personal preference. Here's an example for passing the desired ISO 639-1 language code for German (de):

https://web-app.token.io/app/request-token/rq:o9adbFqJXcaDGNDaykPvpSZFZDW:5zKtXEAq?lang=de

TPPs using Token's licence only: This Web App URL redirects the PSU to the Token Web App, which displays a payment confirmation page (pictured, click to enlarge):

Note: If you did not capture the source account number from the PSU in your UI after user bank selection (see Filtering Banks), the user is presented with an input field (shown in the payment confirmation page above) in which to enter the source account number (IBAN).

Upon user consent, Token.io will redirect the user back to the TPP with either a tokenId or a transferId as a query parameter, depending on the bank's support for two- or one-step payments, respectively.

"redirectUrl": "https://sample-merchant-domain.com"/pis?tokenId=sample_token_id

"redirectUrl": "https://sample-merchant-domain.com"/pis?transferId=sample_transfer_id

To derive the complete redirect URL, you'll need to URL decode the tokenId or transferId value provided.

Using the tokenId sent by the bank (also known as the consent-id on the bank side), which confirms user consent, you can now initiate payment.

For one-step payments, the callback will contain a transferId and a transferStatus (see Payment Status: Value and Meaning for the list of possible status codes), which you can then display to the customer/user. Use the transferId, as necessary, to check for status updates with a GET /transfers/{transferId} call, presuming you didn't subscribe to a webhook in the original token request.

For 2-step payments, you'll need to redeem the transfer token with a POST /standing-order-submissions request containing the Token.io-provided tokenId from the bank's response. Here's an example:

POST {{BASE_URL}}/standing-order-submissions

{

 "tokenId": "tokenId":"st:5vwpSZXLy4pHnD5dtc9B1Hta7TrzqYZX8A5X66xxU7hn:5zKcENpV"

}

With the exception of GET /banks, all POST and GET calls must pass in an appropriate authorization header containing your authentication key (see Common Request Headers).

To get information about a specific token, use a GET /tokens/{tokenId} call. To subsequently retrieve information about a specific payment, use a GET /transfers/{transferId} call.

Please refer to the Token.io's API reference for additional details on all of the above.

Standing Orders / Recurring Payments

A standing order (or a standing instruction) is an instruction to pay a set amount at regular intervals to a beneficiary account. The instruction is sometimes known as a banker's order. These transactions are also referred to as recurring payments — giving permission to a retailer or merchant to deduct payments for goods or services from the user's bank account on a regularly scheduled basis. In addition to the information required for a single payment, standing orders need a start date, an end date, and a frequency.

The frequencies supported for standing orders comprise daily (DAIL), weekly (WEEK), twice-weekly (TOWK), monthly (MNTH), twice-monthly (TOMN), quarterly (QUTR), semiannually (SEMI), and yearly (YEAR). Hence, if a customer wishes to authorize a standing order beginning on a startDate of 2020-08-01 and lasting until an endDate of 2022-07-31, with a frequency of MNTH, this represents 24 equal monthly payments to be executed on the first of each month or the next business day after, beginning in August of 2020 and ending July 2022.

The Token API also supports the CMA9 specification for variable installment payment amounts and dates (first, recurring, and last).

Before initiating a request to a Token.io-connected bank, you'll first need to get the list of banks in the desired country that support the features you need to access. A GET /v2/banks call filters the list of Token.io-connected banks based on your selection criteria with respect to bank location and bank-supported features. See Bank Selection for more on filtering and selecting Token-connected banks.

Bank-initiated Standing Order Submission (1-step)

Putting the full sequence into perspective, the diagram pictured next (click to enlarge) shows the communication flow for submitting a bank-initiated standing order.

TPP-initiated Standing Order Submission (2-step)

The sequence diagram pictured next shows the communication flow for a TPP-initiated SIP.

Heads-up: For standing order requests subject to additional credentials in mandatoryFields, see the discussion on mapping mandatory fields in bank selection for the correct field mapping, paying special attention to the differences in authenticating credentials in the respective request flows; i.e., using the Token Web App versus not using the Token Web App.

If the mandatory user credentials you provide are invalid, the submission status returned will be unauthenticated, and you will need to repeat the redirect to the bank for consent to have your user try again. Conversely, when the status returned is authenticated, it means the bank has accepted the consent and no redirect is required.

Guidance for making the appropriate POST and GET calls, as well as handling Token's responses to these requests is covered in the code examples below.

CMA9 Standing Orders: As mentioned above, the API also supports the more granular frequency settings for standing orders required by the CMA9 specification, in addition to supporting variable payment amounts (first, recurring, last). Optional CMA9-specific parameters are labelled as such in the list of key fields.

To test OBIE-CMA9 standing orders, please use Ozone Bank.

Base URLs

See Base URLs.

Headers

See Common Request Headers.

Making the Token Request

To initiate a payment request with the bank, you'll need to be able to identify yourself as the calling TPP using your Member IDand your Alias, defined as follows:

  • Member ID – unique value generated by the Dashboard when you signed up.
  • Alias – unique email, domain, eIDAS or realmId you provided when you signed up.

A transfer request must include both parameters.

You can obtain the values from the dashboard by following these steps:

  1. If the dashboard isn't already open in a browser tab, sign in.

  2. Click Member Information in the navigation panel on the left.

  3. Click the "eye" icon to the right of each value to reveal it.

  4. Copy the value you need.

If the selected bank imposes this initial credentials check requirement, you'll need to capture the credentialFields specified by the bank (e.g., the user's ) in its response to your GET /banks call (see Bank Selection) and include this information in your payment request.

In addition, when initial credentials are required by the user-selected bank, the redirect URL in the sandbox will be:

https://tpp-integration.sandbox.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}

For production, the redirect URL changes to:

https://tpp-integration.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}

Here, {{your-redirect-url}} is your standard TPP redirect URL.

The exchange iterations necessary to provide initial credential information to the bank take place in the background.

If you are not connecting to a bank in Germany, Austria or Hungary, the requirement for an initial credentials check using the redirect URL format above does not apply and you should instead use the standard format outlined below.

Once the user gives consent for you to initiate PIS on the user's behalf, here's the call for POSTing /token-requests with a requestPayload:

POST {{BASE_URL}}/token-requests

{

    "requestPayload": {

        "refId": "xyz", // must be unique

        "to": {

            "id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq" // required TPP member ID; mandatory

        },

        "standingOrderBody": {

            "transferInstructions": {

                "metadata": {  // see notes on provider metadata below

                    },

                    "transferDestinations": {

                        "fasterPayments": {

                            "accountNumber": "70000005",

                            "sortCode": "700001"

                        },

                        "customerData": {

                            "legalNames": [

                                "Test"

                            ] // populating creditor name is mandatory

                        }

                    },

                },

                "startDate": "2019-12-16",

                "endDate": "2019-12-20",

                "frequency": "DAIL",

                "amount": "7.96",

                "currency": "EUR"

            },

            "description": "your description",

            "redirectUrl": "https://sample-merchant-domain.com/transfer"

            },

            "requestOptions": {

                "from": {

        }

    }

}

The most important request fields and their corresponding descriptions are listed in the following table.

Key Fields in the Transfer Token Request for SIP
Field Description/Subfields Required/Optional
refId TPP-generated reference identifier for the token; not to be confused with requestId. RefId is typically used by the TPP to reconcile transactions against payments received. RefId maps to tppRefId in the bank's consentRequest. It is needed to match/verify the originating token request with the bank's consent request.

Warning: If the description in subsequent token lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown.

 Required
to Identifies the member initiating the request Required
id Member ID of the TPP, a constant value in all requests; see Member Information in Understanding Dashboard Settings. Required
alias A human-readable proxy for your member identifier that contains your realmId or alias type (DOMAIN, EMAIL, other) and a value string.

A realmId identifies a member created under the realm of a specific bank.

See Member Information in Understanding Dashboard Settings to find your member id and alias.

 Optional; soon to be deprecated
standingOrderBody Specifies the critical details of the standing order: currency, amount, and transferDestinations(beneficiary account information). Required
currency Currency for the transaction Required
amount Payment amount valued in currency for each scheduled transfer.

For standing orders involving standard (non-variable) payments from a bank, lifetimeAmount maps to firstPayment, consistent with the standard.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Required
frequency ISO 20022 code for the scheduled frequency of standing order payments:

    • DAIL – daily; once a day
    • WEEK – weekly; once a week
    • TOWK – twice weekly; two times a week
    • MNTH – monthly; once a month
    • TOMN – twice monthly; two times a month
    • QUTR – quarterly; once every 3 months
    • SEMI – semi-annually; two times each year
    • YEAR – annually; once a year

Note: The day of the week for each instalment will be based on the day of week for startDate (e.g., if startDate falls on a Wednesday, every subsequent payment will also occur on a Wednesday). However, if frequency is MNTH, the day of the month for startDate is used (e.g., if startDate is the 5th of the month, all monthly instalments will occur on the 5th day of each succeeding month), unless startDate is the last day of the month. If so, all subsequent monthly instalments will occur on the last day of each month.		 Required
startDate Date on which the standing order will begin in ISO 8601 format (YYYY-MM-DD or YYYYMMD; order will last until endDate, when specified.

For non CMA9-specific standing orders involving a CMA9 bank, startDate maps to firstPaymentDateTime, consistent with the OBIE standard.

 Required
firstPayment First or "down" payment valued in currency in accordance with the OBIE standard. Value can be a different amount with respect to nextPayment and finalPayment.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Supported by CMA9 banks only
firstPaymentDateTime Scheduled date and time for firstPayment in accordance with the OBIE standard. Supported by CMA9 banks only
nextPayment Recurring instalment payment amount scheduled by nextPaymentDateTime and frequency in accordance with the OBIE standard. Supported by CMA9 banks only
nextPaymentDateTime Recurring payment date and time for instalments scheduled between firstPaymentDateTime and finalPaymentDateTime in accordance with the OBIE standard. Supported by CMA9 banks only
payment_amount Recurring payment amount for scheduled instalments between startDate and endDate in accordance with the OBIE standard. Supported by CMA9 banks only
payment_date_time Recurring payment date and time for instalments scheduled between startDate and endDate in accordance with the OBIE standard. If not specified for CMA9 orders, scheduled instalments will default in accordance to the day/date ascribed to frequency (see the note above). Supported by CMA9 banks only
number_of_payments int32 field specifying the total number of payments in accordance with the OBIE standard. Required if finalPaymentDateTime is not specified. Supported by CMA9 banks only
finalPayment Last and final payment valued in currency in accordance with the OBIE standard. Value can be a different amount with respect to firstPayment and nextPayment.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Supported by CMA9 banks only
finalPaymentDateTime Scheduled date and time for finalPayment in accordance with the OBIE standard. Required if numberOfPayments is not specified. Supported by CMA9 banks only
endDate Specifies the ending date for completing the order in ISO 8601 format (YYYY-MM-DD or YYYYMMDD).

For non CMA9-specific standing orders involving a CMA9 bank, endDate maps to finalPaymentDateTime, consistent with the OBIE standard.

 Required
remittanceInformation Creditor reference or payment remit identification for end-to-end transaction identification in accordance with the OBIE standard. Supported by CMA9 banks only
instructions Instructions to the bank for executing the transactions.
metadataBank-dependent; can include deliveryAddress, merchant identification, and provider information specific to this standing order — type of standing order (cma9StandingOrderMetadata, nextGenPsd2StandingOrderMetadata, polishApiStandingOrderMetadata, or stetStandingOrderMetadata), payment value and scheduling parameters (firstPayment, recurringPayment, and/or finalPayment), and so forth. See Notes on provider metadata below.
transferDestinationsThese are the beneficiary account details that determine if the request is for a domestic, , or cross-border payment. Generally, the beneficiary is the TPP. See Restricting Beneficiary Accounts for guidance on adding, modifying, and deleting accounts.

Each restricted destination/beneficiary account is specified according to the payment system used. See Initiating Payments for the list of supported payment systems and the respective account information fields required.

Required by some banks, optional for others, the type of destination account (business or personal) is specified under transferDestinations in customerData.type as UNKNOWN, BUSINESS or PERSONAL. When not specified, the default destination account type is BUSINESS.

A creditor name (customerData.legalNames) for the destination account is a required subfield parameter: transferInstructions.transferDestinations.customerData.legalNames

sourceIdentifies the bank account from which the amount is being debited; set using the AccountIdentifier object, See Source Account Validation for important rules about populating the source object.
 Required*
callbackState Developer-specified string allowing state to be persisted between the request and callback phases of the flow; used for the signature in a GET /token-requests/{tokenRequestId}/token-request-result call, in which the signing payload for the signature is a combination of state and tokenId and validates the tokenId against the callbackstate originally sent by the TPP in the request.

Note: The value of callbackState is added to the redirect URL and appended to the hash of the CSRF token specified by Token.io; e.g.:

https://{callback-url}?signature=%7B%22memberId%22%3A%22m%3A3rKtsoKaE1QUti3KCWPrcSQYvJj9%
3A5zKtXEAq%22%2C%22keyId%22%3A%22lgf2Mn0G4kkcXd5m%22%2C%22signature%22%3A%22Md-2D
G0X9PpuOxea0iK33cAZ2Ffk6E5I1mAcJS6YywU80Q0yYBOlwvGy37dmovmH_OC7Jl8c-fxQ5gP2RWTaDw%22%7D&
state=%257B%2522csrfTokenHash%2522%253A%2522pod1e6xornyoesn2sp%2522%257D&
tokenId=ta%3AHWowFawmAwiuPKNdM7xjpiQktPppgK2JatsWPZAyTHcq%3A5zKtXEAq

Optional
description Description of the payment with the following qualifiers:
  • must comply with the constraint imposed by the bank (see Bank-dependent Field Formatting)
  • length must be no greater than 255 characters
  • description in a subsequent call must match description in originating request
  • description omitted in originating request must also be omitted in subsequent calls
  • description omitted in subsequent call will be replaced with refId

This description field maps to description in the bank's consentRequest presented to the user.

Warning: If description in a subsequent token request for lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown.

 Optional, with the caveats described in the previous column
redirectUrl Defines the bank's callback URL where your server initiates token redemption. Required
remittanceReference Augments refId and description, this is TPP-defined additional information pertinent to the TPP's payments policies; for instance, could contain a full or partial credit card number when payment is being initiated for a credit card payment. Securely hashed to safeguard its transmission throughout the communication flow, this field should be considered by TPPs wishing to augment their transaction reference data for tracking and audit control. Optional
traceID TPP-provided unique value captured by Token and sent across to the bank to be stored with the request throughout its life-cycle as an audit-trail aid. Optional
requestOptions
  • bankId where payment is to be initiated
  • psuId of customer initiating the payment; recommended to identify and collate multiple standing orders initiated by the same user
  • receiptRequested – to specify that an email receipt is to be sent to the user by Token.io
 Optional
* Inclusion of some elements may be optional or bank-dependent

 

Cited in the table within transferInstructions and nested in source is the accountIdentifier object (required):

"source": {

    "accountIdentifier": {

        "gb_domestic": {

            "account_number": "70000005",

            "sort_code": "700001"

         }

    }

}

Remember, whatever you specify as the source and transferDestinations in the request will be reflected in the response.

A PAN is disallowed in the token request payload within the refId and description fields. In accordance with the PA-DSS security standard, Regex is used for pattern matching of numeric strings that intentionally or inadvertently reveal or resemble a PAN in the refId or description of a token request. Potential PAN patterns found will now throw an exception.

Payee Information

Submission and return of payee information is not supported by all banks. When supported, and based on the standard adopted by the bank, creditor account (payee) information (legal name and/or address) is included in customerData within providerTransactionDetails for single transactions. When included in the request, payee/creditor account information is available in the response, regardless of the API standard adopted by the bank; typically, however, the following guidelines apply:

  • STET requires creditor account information.

  • CMA9, NextGenPSD2, and PolishAPI have the creditor name and account identifiers, as well as the creditor agent BIC. However, these are optional fields, so the presence of creditor account information is bank-dependent.

  • CMA9 needs the creditor agent address, whilst PolishAPI requires the creditor's address.

If you are initiating a payment to Barclays Bank UK or HSBC, the creditor name (creditorAcount.name) can be no more than 18 characters. If this limit is exceeded, the bank will reject the payment.

Otherwise, when providing creditor name and address for CMA9 international payments, bear in mind that certain banks, such as HSBC, require creditor information to process international payments, despite its designation as "optional" in the OBIE specification. To be safe with respect to CMA9 international payments, provide this information in the customerData fields of the transferDestination object. The OBIE information maps to its Token counterpart as follows:

Token OBIE
flats SubDepartment
house_name Department
house_number BuildingNumber
street StreetName
post_code PostCode
city TownName
district CountrySubDivision
country Country

 

Using the actingAs property

Resellers and TPPs contractually granted permission by Token can create a token on behalf of another party by configuring the actingAs object in the requestPayload. Here's an example:

actingAs: {

    "displayName": "Rudolfo's Pizzeria",

    "logoUrl": "https://cdn-somewhere-on-the-web.com",

    "refId": "Merchant-No. TX14JG6890", // unique reference for internal tracking and reporting; e.g., a merchant-id

    "secondaryName": "rudys-restaurants.it" }

Each identifier is defined in the following table:

Properties of the actingAs Field
Field Description Required/ Optional
displayName Name of recipient shown to user Required*
logoUrl URL pointing to recipient's logo Optional
secondaryName Domain or email address of recipient shown to user along with displayName Optional
refId TPP's discretionary reference identification of the recipient, opaque to Token; can be used by a "gateway" business member to (uniquely) define a merchant that is acting through it.The uniqueness of refId should be handled by the gateway member; typically a reseller requiring separate reports for each participating merchant it is representing. Optional
* Required when specifying ActingAs, although ActingAs is otherwise optional.

A "gateway" is a business member empowered to act on behalf of a merchant that is not registered as a member in the Token system. The gateway member must have ACT_ON_BEHALF_OF permission from Token and populate the actingAs field in the token request accordingly to indicate the merchant on whose behalf it is acting.

Processing the Response

Here's an example of the response you'll receive:

Response to transfer token request

"tokenRequest": {

    "id": "rq:3eoe4MPXkUGEA3gWeMTDWPTKAfxU:5zKtXEAq", // request-id; add to BASE_URL for consent

    "requestPayload": {

        "redirectUrl": "https://sample-merchant-domain.com/pis"

        "to": {

            "alias": {

                "type": "EMAIL",

                "value": noverify@token.io"

            }

            "id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq"// TPPmember ID

        },

        "standingOrderBody": {

              "instructions": {

                  "metadata": {

                  },

                  "transferDestinations": {

                      "fasterPayments": {

                          "accountNumber": "70000005",

                          "sortCode": "700001"

                      }

                  },

                  "customerData": {

                      "legalNames": ["Southside"]

                  }

              },

              "startDate": "2019-12-16",

              "endDate": "2019-12-20",

              "frequency": "DAIL",

              "amount": "7.96",

              "currency": "EUR"

        },

        "description": "your description",

        "redirectUrl": "https://sample-merchant-domain.com"/transfer

    }

}

Create the redirect URL by appending the request id in the response (shown above in red) to the redirect base URL, then send it to the user to provide explicit consent to bank.

https://{{BASE_URL}}/app/request-token/{{Insert request-id here}}

// example = https://web-app.sandbox.token.io/app/request-token/rq:3eoe4MPXkUGEA3gWeMTDWPTKAfxU:5zKtXEAq

You can specify a particular language by passing its language code (lang=country-code) as a query parameter, appended to the URL above, which the user can override in the Web App according to personal preference. Here's an example for passing the desired ISO 639-1 language code for German (de):

https://web-app.token.io/app/request-token/rq:o9adbFqJXcaDGNDaykPvpSZFZDW:5zKtXEAq?lang=de

TPPs using Token's licence only: This Web App URL redirects the PSU to the Token Web App, which displays a payment confirmation page (pictured, click to enlarge):

Note: If you did not capture the source account number from the PSU in your UI after user bank selection (see Filtering Banks), the user is presented with an input field (shown in the payment confirmation page above) in which to enter the source account number (IBAN).

Upon user consent, Token.io will redirect the user back to the TPP with either a tokenId or a transferId as a query parameter, depending on the bank's support for two- or one-step payments, respectively.

"redirectUrl": "https://sample-merchant-domain.com"/pis?tokenId=sample_token_id

"redirectUrl": "https://sample-merchant-domain.com"/pis?transferId=sample_transfer_id

To derive the complete redirect URL, you'll need to URL decode the tokenId or transferId value provided.

Using the tokenId sent by the bank (also known as the consent-id on the bank side), which confirms user consent, you can now initiate payment.

For one-step payments, the callback will contain a transferId and a transferStatus (see Payment Status: Value and Meaning for the list of possible status codes), which you can then display to the customer/user. Use the transferId, as necessary, to check for status updates with a GET /transfers/{transferId} call, presuming you didn't subscribe to a webhook in the original token request.

For 2-step payments, you'll need to redeem the transfer token with a POST /standing-order-submissions request containing the Token.io-provided tokenId from the bank's response. Here's an example:

POST {{BASE_URL}}/standing-order-submissions

{

 "tokenId": "tokenId":"st:5vwpSZXLy4pHnD5dtc9B1Hta7TrzqYZX8A5X66xxU7hn:5zKcENpV"

}

With the exception of GET /banks, all POST and GET calls must pass in an appropriate authorization header containing your authentication key (see Common Request Headers).

To get information about a specific token, use a GET /tokens/{tokenId} call. To subsequently retrieve information about a specific payment, use a GET /transfers/{transferId} call.

Please refer to the Token.io's API reference for additional details on all of the above.

Standing Orders / Recurring Payments

A standing order (or a standing instruction) is an instruction to pay a set amount at regular intervals to a beneficiary account. The instruction is sometimes known as a banker's order. These transactions are also referred to as recurring payments — giving permission to a retailer or merchant to deduct payments for goods or services from the user's bank account on a regularly scheduled basis. In addition to the information required for a single payment, standing orders need a start date, an end date, and a frequency.

The frequencies supported for standing orders comprise daily (DAIL), weekly (WEEK), twice-weekly (TOWK), monthly (MNTH), twice-monthly (TOMN), quarterly (QUTR), semiannually (SEMI), and yearly (YEAR). Hence, if a customer wishes to authorize a standing order beginning on a startDate of 2020-08-01 and lasting until an endDate of 2022-07-31, with a frequency of MNTH, this represents 24 equal monthly payments to be executed on the first of each month or the next business day after, beginning in August of 2020 and ending July 2022.

The Token API also supports the CMA9 specification for variable installment payment amounts and dates (first, recurring, and last).

Before initiating a request to a Token.io-connected bank, you'll first need to get the list of banks in the desired country that support the features you need to access. A GET /v2/banks call filters the list of Token.io-connected banks based on your selection criteria with respect to bank location and bank-supported features. See Bank Selection for more on filtering and selecting Token-connected banks.

Bank-initiated Standing Order Submission (1-step)

Putting the full sequence into perspective, the diagram pictured next (click to enlarge) shows the communication flow for submitting a bank-initiated standing order.

TPP-initiated Standing Order Submission (2-step)

The sequence diagram pictured next shows the communication flow for a TPP-initiated SIP.

Heads-up: For standing order requests subject to additional credentials in mandatoryFields, see the discussion on mapping mandatory fields in bank selection for the correct field mapping, paying special attention to the differences in authenticating credentials in the respective request flows; i.e., using the Token Web App versus not using the Token Web App.

If the mandatory user credentials you provide are invalid, the submission status returned will be unauthenticated, and you will need to repeat the redirect to the bank for consent to have your user try again. Conversely, when the status returned is authenticated, it means the bank has accepted the consent and no redirect is required.

Guidance for making the appropriate POST and GET calls, as well as handling Token's responses to these requests is covered in the code examples below.

CMA9 Standing Orders: As mentioned above, the API also supports the more granular frequency settings for standing orders required by the CMA9 specification, in addition to supporting variable payment amounts (first, recurring, last). Optional CMA9-specific parameters are labelled as such in the list of key fields.

To test OBIE-CMA9 standing orders, please use Ozone Bank.

Base URLs

See Base URLs.

Headers

See Common Request Headers.

Making the Token Request

To initiate a payment request with the bank, you'll need to be able to identify yourself as the calling TPP using your Member IDand your Alias, defined as follows:

  • Member ID – unique value generated by the Dashboard when you signed up.
  • Alias – unique email, domain, eIDAS or realmId you provided when you signed up.

A transfer request must include both parameters.

You can obtain the values from the dashboard by following these steps:

  1. If the dashboard isn't already open in a browser tab, sign in.

  2. Click Member Information in the navigation panel on the left.

  3. Click the "eye" icon to the right of each value to reveal it.

  4. Copy the value you need.

If the selected bank imposes this initial credentials check requirement, you'll need to capture the credentialFields specified by the bank (e.g., the user's ) in its response to your GET /banks call (see Bank Selection) and include this information in your payment request.

In addition, when initial credentials are required by the user-selected bank, the redirect URL in the sandbox will be:

https://tpp-integration.sandbox.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}

For production, the redirect URL changes to:

https://tpp-integration.token.io/initiatePayment/callback?redirect-url={{your-redirect-url}}

Here, {{your-redirect-url}} is your standard TPP redirect URL.

The exchange iterations necessary to provide initial credential information to the bank take place in the background.

If you are not connecting to a bank in Germany, Austria or Hungary, the requirement for an initial credentials check using the redirect URL format above does not apply and you should instead use the standard format outlined below.

Once the user gives consent for you to initiate PIS on the user's behalf, here's the call for POSTing /token-requests with a requestPayload:

POST {{BASE_URL}}/token-requests

{

    "requestPayload": {

        "refId": "xyz", // must be unique

        "to": {

            "id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq" // required TPP member ID; mandatory

        },

        "standingOrderBody": {

            "transferInstructions": {

                "metadata": {  // see notes on provider metadata below

                    },

                    "transferDestinations": {

                        "fasterPayments": {

                            "accountNumber": "70000005",

                            "sortCode": "700001"

                        },

                        "customerData": {

                            "legalNames": [

                                "Test"

                            ] // populating creditor name is mandatory

                        }

                    },

                },

                "startDate": "2019-12-16",

                "endDate": "2019-12-20",

                "frequency": "DAIL",

                "amount": "7.96",

                "currency": "EUR"

            },

            "description": "your description",

            "redirectUrl": "https://sample-merchant-domain.com/transfer"

            },

            "requestOptions": {

                "from": {

        }

    }

}

The most important request fields and their corresponding descriptions are listed in the following table.

Key Fields in the Transfer Token Request for SIP
Field Description/Subfields Required/Optional
refId TPP-generated reference identifier for the token; not to be confused with requestId. RefId is typically used by the TPP to reconcile transactions against payments received. RefId maps to tppRefId in the bank's consentRequest. It is needed to match/verify the originating token request with the bank's consent request.

Warning: If the description in subsequent token lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown.

 Required
to Identifies the member initiating the request Required
id Member ID of the TPP, a constant value in all requests; see Member Information in Understanding Dashboard Settings. Required
alias A human-readable proxy for your member identifier that contains your realmId or alias type (DOMAIN, EMAIL, other) and a value string.

A realmId identifies a member created under the realm of a specific bank.

See Member Information in Understanding Dashboard Settings to find your member id and alias.

 Optional; soon to be deprecated
standingOrderBody Specifies the critical details of the standing order: currency, amount, and transferDestinations(beneficiary account information). Required
currency Currency for the transaction Required
amount Payment amount valued in currency for each scheduled transfer.

For standing orders involving standard (non-variable) payments from a bank, lifetimeAmount maps to firstPayment, consistent with the standard.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Required
frequency ISO 20022 code for the scheduled frequency of standing order payments:

    • DAIL – daily; once a day
    • WEEK – weekly; once a week
    • TOWK – twice weekly; two times a week
    • MNTH – monthly; once a month
    • TOMN – twice monthly; two times a month
    • QUTR – quarterly; once every 3 months
    • SEMI – semi-annually; two times each year
    • YEAR – annually; once a year

Note: The day of the week for each instalment will be based on the day of week for startDate (e.g., if startDate falls on a Wednesday, every subsequent payment will also occur on a Wednesday). However, if frequency is MNTH, the day of the month for startDate is used (e.g., if startDate is the 5th of the month, all monthly instalments will occur on the 5th day of each succeeding month), unless startDate is the last day of the month. If so, all subsequent monthly instalments will occur on the last day of each month.		 Required
startDate Date on which the standing order will begin in ISO 8601 format (YYYY-MM-DD or YYYYMMD; order will last until endDate, when specified.

For non CMA9-specific standing orders involving a CMA9 bank, startDate maps to firstPaymentDateTime, consistent with the OBIE standard.

 Required
firstPayment First or "down" payment valued in currency in accordance with the OBIE standard. Value can be a different amount with respect to nextPayment and finalPayment.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Supported by CMA9 banks only
firstPaymentDateTime Scheduled date and time for firstPayment in accordance with the OBIE standard. Supported by CMA9 banks only
nextPayment Recurring instalment payment amount scheduled by nextPaymentDateTime and frequency in accordance with the OBIE standard. Supported by CMA9 banks only
nextPaymentDateTime Recurring payment date and time for instalments scheduled between firstPaymentDateTime and finalPaymentDateTime in accordance with the OBIE standard. Supported by CMA9 banks only
payment_amount Recurring payment amount for scheduled instalments between startDate and endDate in accordance with the OBIE standard. Supported by CMA9 banks only
payment_date_time Recurring payment date and time for instalments scheduled between startDate and endDate in accordance with the OBIE standard. If not specified for CMA9 orders, scheduled instalments will default in accordance to the day/date ascribed to frequency (see the note above). Supported by CMA9 banks only
number_of_payments int32 field specifying the total number of payments in accordance with the OBIE standard. Required if finalPaymentDateTime is not specified. Supported by CMA9 banks only
finalPayment Last and final payment valued in currency in accordance with the OBIE standard. Value can be a different amount with respect to firstPayment and nextPayment.

Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set it's own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions.

 Supported by CMA9 banks only
finalPaymentDateTime Scheduled date and time for finalPayment in accordance with the OBIE standard. Required if numberOfPayments is not specified. Supported by CMA9 banks only
endDate Specifies the ending date for completing the order in ISO 8601 format (YYYY-MM-DD or YYYYMMDD).

For non CMA9-specific standing orders involving a CMA9 bank, endDate maps to finalPaymentDateTime, consistent with the OBIE standard.

 Required
remittanceInformation Creditor reference or payment remit identification for end-to-end transaction identification in accordance with the OBIE standard. Supported by CMA9 banks only
instructions Instructions to the bank for executing the transactions.
metadataBank-dependent; can include deliveryAddress, merchant identification, and provider information specific to this standing order — type of standing order (cma9StandingOrderMetadata, nextGenPsd2StandingOrderMetadata, polishApiStandingOrderMetadata, or stetStandingOrderMetadata), payment value and scheduling parameters (firstPayment, recurringPayment, and/or finalPayment), and so forth. See Notes on provider metadata below.
transferDestinationsThese are the beneficiary account details that determine if the request is for a domestic, , or cross-border payment. Generally, the beneficiary is the TPP. See Restricting Beneficiary Accounts for guidance on adding, modifying, and deleting accounts.

Each restricted destination/beneficiary account is specified according to the payment system used. See Initiating Payments for the list of supported payment systems and the respective account information fields required.

Required by some banks, optional for others, the type of destination account (business or personal) is specified under transferDestinations in customerData.type as UNKNOWN, BUSINESS or PERSONAL. When not specified, the default destination account type is BUSINESS.

A creditor name (customerData.legalNames) for the destination account is a required subfield parameter: transferInstructions.transferDestinations.customerData.legalNames

sourceIdentifies the bank account from which the amount is being debited; set using the AccountIdentifier object, See Source Account Validation for important rules about populating the source object.
 Required*
callbackState Developer-specified string allowing state to be persisted between the request and callback phases of the flow; used for the signature in a GET /token-requests/{tokenRequestId}/token-request-result call, in which the signing payload for the signature is a combination of state and tokenId and validates the tokenId against the callbackstate originally sent by the TPP in the request.

Note: The value of callbackState is added to the redirect URL and appended to the hash of the CSRF token specified by Token.io; e.g.:

https://{callback-url}?signature=%7B%22memberId%22%3A%22m%3A3rKtsoKaE1QUti3KCWPrcSQYvJj9%
3A5zKtXEAq%22%2C%22keyId%22%3A%22lgf2Mn0G4kkcXd5m%22%2C%22signature%22%3A%22Md-2D
G0X9PpuOxea0iK33cAZ2Ffk6E5I1mAcJS6YywU80Q0yYBOlwvGy37dmovmH_OC7Jl8c-fxQ5gP2RWTaDw%22%7D&
state=%257B%2522csrfTokenHash%2522%253A%2522pod1e6xornyoesn2sp%2522%257D&
tokenId=ta%3AHWowFawmAwiuPKNdM7xjpiQktPppgK2JatsWPZAyTHcq%3A5zKtXEAq

Optional
description Description of the payment with the following qualifiers:
  • must comply with the constraint imposed by the bank (see Bank-dependent Field Formatting)
  • length must be no greater than 255 characters
  • description in a subsequent call must match description in originating request
  • description omitted in originating request must also be omitted in subsequent calls
  • description omitted in subsequent call will be replaced with refId

This description field maps to description in the bank's consentRequest presented to the user.

Warning: If description in a subsequent token request for lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown.

 Optional, with the caveats described in the previous column
redirectUrl Defines the bank's callback URL where your server initiates token redemption. Required
remittanceReference Augments refId and description, this is TPP-defined additional information pertinent to the TPP's payments policies; for instance, could contain a full or partial credit card number when payment is being initiated for a credit card payment. Securely hashed to safeguard its transmission throughout the communication flow, this field should be considered by TPPs wishing to augment their transaction reference data for tracking and audit control. Optional
traceID TPP-provided unique value captured by Token and sent across to the bank to be stored with the request throughout its life-cycle as an audit-trail aid. Optional
requestOptions
  • bankId where payment is to be initiated
  • psuId of customer initiating the payment; recommended to identify and collate multiple standing orders initiated by the same user
  • receiptRequested – to specify that an email receipt is to be sent to the user by Token.io
 Optional
* Inclusion of some elements may be optional or bank-dependent

 

Cited in the table within transferInstructions and nested in source is the accountIdentifier object (required):

"source": {

    "accountIdentifier": {

        "gb_domestic": {

            "account_number": "70000005",

            "sort_code": "700001"

         }

    }

}

Remember, whatever you specify as the source and transferDestinations in the request will be reflected in the response.

A PAN is disallowed in the token request payload within the refId and description fields. In accordance with the PA-DSS security standard, Regex is used for pattern matching of numeric strings that intentionally or inadvertently reveal or resemble a PAN in the refId or description of a token request. Potential PAN patterns found will now throw an exception.

Payee Information

Submission and return of payee information is not supported by all banks. When supported, and based on the standard adopted by the bank, creditor account (payee) information (legal name and/or address) is included in customerData within providerTransactionDetails for single transactions. When included in the request, payee/creditor account information is available in the response, regardless of the API standard adopted by the bank; typically, however, the following guidelines apply:

  • STET requires creditor account information.

  • CMA9, NextGenPSD2, and PolishAPI have the creditor name and account identifiers, as well as the creditor agent BIC. However, these are optional fields, so the presence of creditor account information is bank-dependent.

  • CMA9 needs the creditor agent address, whilst PolishAPI requires the creditor's address.

If you are initiating a payment to Barclays Bank UK or HSBC, the creditor name (creditorAcount.name) can be no more than 18 characters. If this limit is exceeded, the bank will reject the payment.

Otherwise, when providing creditor name and address for CMA9 international payments, bear in mind that certain banks, such as HSBC, require creditor information to process international payments, despite its designation as "optional" in the OBIE specification. To be safe with respect to CMA9 international payments, provide this information in the customerData fields of the transferDestination object. The OBIE information maps to its Token counterpart as follows:

Token OBIE
flats SubDepartment
house_name Department
house_number BuildingNumber
street StreetName
post_code PostCode
city TownName
district CountrySubDivision
country Country

 

Using the actingAs property

Resellers and TPPs contractually granted permission by Token can create a token on behalf of another party by configuring the actingAs object in the requestPayload. Here's an example:

actingAs: {

    "displayName": "Rudolfo's Pizzeria",

    "logoUrl": "https://cdn-somewhere-on-the-web.com",

    "refId": "Merchant-No. TX14JG6890", // unique reference for internal tracking and reporting; e.g., a merchant-id

    "secondaryName": "rudys-restaurants.it" }

Each identifier is defined in the following table:

Properties of the actingAs Field
Field Description Required/ Optional
displayName Name of recipient shown to user Required*
logoUrl URL pointing to recipient's logo Optional
secondaryName Domain or email address of recipient shown to user along with displayName Optional
refId TPP's discretionary reference identification of the recipient, opaque to Token; can be used by a "gateway" business member to (uniquely) define a merchant that is acting through it.The uniqueness of refId should be handled by the gateway member; typically a reseller requiring separate reports for each participating merchant it is representing. Optional
* Required when specifying ActingAs, although ActingAs is otherwise optional.

A "gateway" is a business member empowered to act on behalf of a merchant that is not registered as a member in the Token system. The gateway member must have ACT_ON_BEHALF_OF permission from Token and populate the actingAs field in the token request accordingly to indicate the merchant on whose behalf it is acting.

Processing the Response

Here's an example of the response you'll receive:

Response to transfer token request

"tokenRequest": {

    "id": "rq:3eoe4MPXkUGEA3gWeMTDWPTKAfxU:5zKtXEAq", // request-id; add to BASE_URL for consent

    "requestPayload": {

        "redirectUrl": "https://sample-merchant-domain.com/pis"

        "to": {

            "alias": {

                "type": "EMAIL",

                "value": noverify@token.io"

            }

            "id": "m:nP4w3u5y8ddrxDJkjimgSX9e4fZ:5zKtXEAq"// TPPmember ID

        },

        "standingOrderBody": {

              "instructions": {

                  "metadata": {

                  },

                  "transferDestinations": {

                      "fasterPayments": {

                          "accountNumber": "70000005",

                          "sortCode": "700001"

                      }

                  },

                  "customerData": {

                      "legalNames": ["Southside"]

                  }

              },

              "startDate": "2019-12-16",

              "endDate": "2019-12-20",

              "frequency": "DAIL",

              "amount": "7.96",

              "currency": "EUR"

        },

        "description": "your description",

        "redirectUrl": "https://sample-merchant-domain.com"/transfer

    }

}

Create the redirect URL by appending the request id in the response (shown above in red) to the redirect base URL, then send it to the user to provide explicit consent to bank.

https://{{BASE_URL}}/app/request-token/{{Insert request-id here}}

// example = https://web-app.sandbox.token.io/app/request-token/rq:3eoe4MPXkUGEA3gWeMTDWPTKAfxU:5zKtXEAq

You can specify a particular language by passing its language code (lang=country-code) as a query parameter, appended to the URL above, which the user can override in the Web App according to personal preference. Here's an example for passing the desired ISO 639-1 language code for German (de):

https://web-app.token.io/app/request-token/rq:o9adbFqJXcaDGNDaykPvpSZFZDW:5zKtXEAq?lang=de

TPPs using Token's licence only: This Web App URL redirects the PSU to the Token Web App, which displays a payment confirmation page (pictured, click to enlarge):

Note: If you did not capture the source account number from the PSU in your UI after user bank selection (see Filtering Banks), the user is presented with an input field (shown in the payment confirmation page above) in which to enter the source account number (IBAN).

Upon user consent, Token.io will redirect the user back to the TPP with either a tokenId or a transferId as a query parameter, depending on the bank's support for two- or one-step payments, respectively.

"redirectUrl": "https://sample-merchant-domain.com"/pis?tokenId=sample_token_id

"redirectUrl": "https://sample-merchant-domain.com"/pis?transferId=sample_transfer_id

To derive the complete redirect URL, you'll need to URL decode the tokenId or transferId value provided.

Using the tokenId sent by the bank (also known as the consent-id on the bank side), which confirms user consent, you can now initiate payment.

For one-step payments, the callback will contain a transferId and a transferStatus (see Payment Status: Value and Meaning for the list of possible status codes), which you can then display to the customer/user. Use the transferId, as necessary, to check for status updates with a GET /transfers/{transferId} call, presuming you didn't subscribe to a webhook in the original token request.

For 2-step payments, you'll need to redeem the transfer token with a POST /standing-order-submissions request containing the Token.io-provided tokenId from the bank's response. Here's an example:

POST {{BASE_URL}}/standing-order-submissions

{

 "tokenId": "tokenId":"st:5vwpSZXLy4pHnD5dtc9B1Hta7TrzqYZX8A5X66xxU7hn:5zKcENpV"

}

With the exception of GET /banks, all POST and GET calls must pass in an appropriate authorization header containing your authentication key (see Common Request Headers).

To get information about a specific token, use a GET /tokens/{tokenId} call. To subsequently retrieve information about a specific payment, use a GET /transfers/{transferId} call.

Please refer to the Token.io's API reference for additional details on all of the above.

 

 

 

 

 

 

                           
COMPANY RESOURCES SOLUTIONS PRODUCTS

About

Careers

Press

Contact

Impressum

Connected Countries

Downloads

Blog

FAQ

PSPs

Merchants

Banks

Token Payments

Token Data

Token Compliance

© 2023 TOKEN, INC.    ALL RIGHTS RESERVED. POLICIES        MOBILE APP TERMS OF SERVICE   
 

 

 

 

                           
COMPANY RESOURCES SOLUTIONS PRODUCTS

About

Careers

Press

Contact

Impressum

Connected Countries

Downloads

Blog

FAQ

PSPs

Merchants

Banks

Token Payments

Token Data

Token Compliance

© 2023 TOKEN, INC.    ALL RIGHTS RESERVED. POLICIES        MOBILE APP TERMS OF SERVICE   

© 2023 TOKEN, INC.     ALL RIGHTS RESERVED.