Redirecting the User to Authenticate

As covered under Token Basics, the PSD2ClosedPSD2 stands for Payment Services Directive 2 and is a new EU regulation in effect since September 14, 2019. It governs electronic and other non-cash payments. The main provision of PSD2 is for Strong Customer Authentication (SCA), a process that seeks to make online payments more secure and reduce fraud while increasing authorisation rates. The European Banking Authority (EBA) recently extended the deadline for PSD2 compliance until December 31, 2020. SCAClosedStrong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that account access for information and electronic payments is safeguarded by multi-factor authentication. requirement introduces the challenge of multi-factor authentication, efficiently accommodated using one of three models: (1) redirect, (2) decouple, or (3) embed. See Authentication for details on each of these models.

Otherwise, upon creating and storing the access token request, you're ready to redirect the customer to the user-selected bank via Token to authenticate and obtain consent.

Generate the Token Request URL

This can be a redirect from your browser page to the Token web app or, for mobile, you can use Token's App-to-App Redirect method. In both bases, you'll need to construct a URL or a mobile universal link that redirects the user from your web page or mobile app to the Token web app.

Hence, to generate a request URL with the correct request-id, use this method:

// generate token request URL

return tokenClient.generateTokenRequestUrlBlocking(request-id);

The resulting token request redirect URL will look something like this (with the request-id shown in yellow):

Tip: You can specify a particular language by passing its language code (lang=country-code) as a query parameter, appended to the URL above, which the user can override in the webapp according to personal preference. Here's an example for passing the desired ISO 639-1ClosedCodes for the representation of names of languages—Part 1: Alpha-2 code, is the first part of the ISO 639 series of international standards for language codes. Part 1 covers the registration of two-letter codes. There are 184 two-letter codes registered as of December 2018. The registered codes cover the world's major languages. See language code for German (de):

After generating the URL, you'll want to direct your front-end to visit it. There are a couple of ways to do this: (a) you can initiate a server-side HTTP 302ClosedAn HTTP response with this status code will additionally provide a URL in the header field Location. This is an invitation to the user agent (i.e., a web browser) to make a second, otherwise identical, request to the new URL specified in the location field. The end result is a redirection to the new URL. or (b) bind the URL to a button in your UI that either redirects the customer to the Token web app in the current browser tab or launches a pop-up window. The request-id portion of the generated redirect URL associates your stored request with the result of the redirect.

Redirect to the TPP's Callback URL

Upon transfer to the Token web app, the customer is prompted to agree to Token's terms and conditions. If the customer accepts the T&CClosedTerms of service (also known as terms of use and terms and conditions, commonly abbreviated as TOS or ToS, ToU or T&C) are the legal agreements between a service provider and a person who wants to use that service. Terms of service can also be merely a disclaimer, especially regarding the use of websites., control is transferred to the customer-selected bank's login page or mobile app login screen to authenticate and authorise payment, whereupon a corresponding token is created and the user is returned to the TPP's callback URL specified in setRedirectUrl for the original request.

Handling the callback is covered next.