According to the Berlin Group's NextGenPSD2 standard, Third Party Providers (TPPs) take the OAuth role "client". As specified by the Internet Engineering Task Force, the "Client Credentials Grant" is used to obtain an access token.
STEP 1: TESTING YOUR EIDAS QWAC CERTIFICATE / GETTING A CLIENT-ID
You will have to call the first-contact endpoint once to receive a Client-ID. This step also ensures that your eIDAS certificate is valid.
You can send this request multiple times: as long as your certificate's subject DN does not change, you will receive the same Client-ID. Please note that our APIs only support certificates with a maximum key length of 2048 bits.
The following example shows a request in "cURL" format:
curl -X POST "https://psd2.vkb-bank.at/api/psd2-xs2a/first-contact/" \
  -H "Content-Type: application/json" \
  -H "Cache-Control: no-cache" \
  --cert "/path/to/cert.pem" \
  --key "/path/to/key.key"
The following is an example response body you would receive:
{
"clientId": "API-7d6f204b-3219-4b63-b66e-5f7a0be1d067"
}
STEP 2: GET AN OAUTH ACCESS TOKEN FROM SSO-PSD2.VKB-BANK.AT
Once you have obtained a Client-ID, you can retrieve an access token.
The following example shows an OAuth Access Token request in "cURL" and "HTTP" format:
curl -X POST https://sso-psd2.vkb-bank.at/as/token.oauth2 \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cache-Control: no-cache" \
  --cert "/path/to/cert.pem" \
  --key "/path/to/key.key" \
  -d "grant_type=client_credentials&client_id=API-7d6f204b-3219-4b63-b66e-5f7a0be1d067&scope=apic-psd2"

POST /as/token.oauth2 HTTP/1.1
Host: sso-psd2.vkb-bank.at
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=client_credentials&client_id=API-7d6f204b-3219-4b63-b66e-5f7a0be1d067&scope=apic-psd2
The following is an example response body you would receive:
{
"access_token": "kUNrj52ZqpXpYstVfmPU9Iv9Igiz",
"token_type": "Bearer",
"expires_in": 599
}
STEP 3: USE THE OAUTH ACCESS TOKEN TO CALL OUR APIS AT PSD2.VKB-BANK.AT
For all subsequent calls to our APIs you have to transmit the generated Access Token in the "Authorization: Bearer" header field. The example below makes a request to the accounts endpoint.
The following example shows a request in "cURL" and "HTTP" format:
curl -X GET https://psd2.vkb-bank.at/api/psd2-xs2a/rest/v1/accounts \
  -H "Authorization: Bearer kUNrj52ZqpXpYstVfmPU9Iv9Igiz" \
  -H "X-Request-ID: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721" \
  -H "Consent-ID: e6151d43-dca8-4fe1-b139-3a89bfeb57a2" \
  -H "Cache-Control: no-cache" \
  --cert "/path/to/cert.pem" \
  --key "/path/to/key.key"

GET /api/psd2-xs2a/rest/v1/accounts HTTP/1.1
Host: psd2.vkb-bank.at
Authorization: Bearer kUNrj52ZqpXpYstVfmPU9Iv9Igiz
X-Request-ID: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721
Consent-ID: e6151d43-dca8-4fe1-b139-3a89bfeb57a2
Cache-Control: no-cache