Redirect Account Flows
Learn more about the different account authorisation flows in Yapily
Summary
Redirect-based account authorisation flows require the PSU to be sent to the domain of the Institution to authenticate themselves and to securely give their Consent to make a request for their financial data.
Identifying each flow
An Institution using the coupled account authorisation flow:
- Will contain the INITIATE_ACCOUNT_REQUEST feature
- Will not contain both the INITIATE_PRE_AUTHORISATION and INITIATE_EMBEDDED_ACCOUNT_REQUEST features
An Institution using the account pre-authorisation flows:
- Will contain the INITIATE_ACCOUNT_REQUEST and INITIATE_PRE_AUTHORISATION features
- May involve one decoupled account authorisation step
- Use GET Institutions to check the features to identify which flow each Institution uses
- Are you using the Yapily redirect (https://auth.yapily.com)? If so, check coupled account authorisation to see how each diagram changes for your use case.
Coupled Account Authorisation Flow
If the redirectUrl is managed by Yapily (if it is https://auth.yapily.com/), Yapily recommends using the callback option replacing steps 2-3 in the following flows. Alternatively, the callback with OTT option can also be used instead of the listed steps.
1. Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_AUTHORIZATION until the user authorises the request
2. Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token that can access the user account information
3. Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
4. consent-token to access the account information using GET Accounts and other financial data belonging to the user
Coupled Account Pre-Authorisation Flow
If the redirectUrl is managed by Yapily (if it is https://auth.yapily.com/), Yapily recommends using the callback option replacing steps 2-3 and 5-6 in the following flows. Alternatively, the callback with OTT option can also be used instead of the listed steps.
1. scope: AIS and redirect the user to the Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_PRE_AUTHORIZATION until the user authorises the request
2. Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to authorise the pre-authorisation request
3. Consent object is updated with the consent-token and once the status transitions to PRE_AUTHORIZED
4. consentToken and redirect the user to the Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_AUTHORIZATION until the user authorises the request
5. Institution for the second time, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to initiate the request for the PSU's financial data on behalf of the user
6. Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
7. consent-token to access the account information using GET Accounts and other financial data belonging to the user
Decoupled Account Pre-Authorisation Flow 1
If the redirectUrl is managed by Yapily (if it is https://auth.yapily.com/), Yapily recommends using the callback option replacing steps 2-3 in the following flow. Alternatively, the callback with OTT option can also be used instead of the listed steps.
1. scope: AIS and redirect the user to the Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_PRE_AUTHORIZATION until the user authorises the request
2. Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to authorise the pre-authorisation request
3. Consent object is updated with the consent-token and once the status transitions to PRE_AUTHORIZED
4. consentToken. The status of the Consent will be AWAITING_DECOUPLED_AUTHORIZATION until the user authorises the request on their device
5. Institution where they will authorise outside of Yapily. You can add a prompt in your application for the user to signal that they have approved the request in order to know when the consent-token is available; otherwise, poll the status of the Consent
6. Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
7. consent-token to access the account information using GET Accounts and other financial data belonging to the user
Decoupled Account Pre-Authorisation Flow 2
If the redirectUrl is managed by Yapily (if it is https://auth.yapily.com/), Yapily recommends using the callback option replacing steps 5-6 in the following flow. Alternatively, the callback with OTT option can also be used instead of the listed steps.
1. scope: AIS. The status of the Consent will be AWAITING_DECOUPLED_AUTHORIZATION until the user authorises the request
2. Institution where they will authorise outside of Yapily. You can add a prompt in your application for the user to signal that they have approved the request in order to know when the consent-token is available; otherwise, poll the status of the Consent
3. Consent object is updated with the consent-token and once the status transitions to PRE_AUTHORIZED
4. consentToken. The status of the Consent will be AWAITING_AUTHORIZATION until the user authorises the request on their device
5. Institution using the authorisationUrl or the qrCodeUrl. After the user authorises the request at the Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to authorise the pre-authorisation request
6. Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
7. consent-token to access the account information using GET Accounts and other financial data belonging to the user
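
The features check from "Identifying each flow" and the Consent status order of the four flows above, as an added example (not Yapily's code). The feature and status strings come from this page; the flow keys, function and class names are hypothetical, and "will not contain both" is read as "contains neither". The tracker accepts a status only in the order listed for the chosen flow, so the consent-token is used for data calls only once the Consent is AUTHORIZED.

```python
# Added example. Feature and status strings are from this page; every other
# name (FLOW_STATUSES keys, flow_family, ConsentTracker) is hypothetical.
FLOW_STATUSES = {
    "coupled": ["AWAITING_AUTHORIZATION", "AUTHORIZED"],
    "coupled-pre-auth": ["AWAITING_PRE_AUTHORIZATION", "PRE_AUTHORIZED",
                         "AWAITING_AUTHORIZATION", "AUTHORIZED"],
    "decoupled-pre-auth-1": ["AWAITING_PRE_AUTHORIZATION", "PRE_AUTHORIZED",
                             "AWAITING_DECOUPLED_AUTHORIZATION", "AUTHORIZED"],
    "decoupled-pre-auth-2": ["AWAITING_DECOUPLED_AUTHORIZATION", "PRE_AUTHORIZED",
                             "AWAITING_AUTHORIZATION", "AUTHORIZED"],
}
# What the application does while the Consent is in each status.
NEXT_ACTION = {
    "AWAITING_AUTHORIZATION": "redirect",        # authorisationUrl or qrCodeUrl
    "AWAITING_PRE_AUTHORIZATION": "redirect",
    "AWAITING_DECOUPLED_AUTHORIZATION": "poll",  # user approves on their device
    "PRE_AUTHORIZED": "create-account-request",  # pass the consentToken
    "AUTHORIZED": "use-consent-token",           # e.g. GET Accounts
}

def flow_family(features):
    """Classify an Institution's features list per 'Identifying each flow'."""
    f = set(features)
    if "INITIATE_ACCOUNT_REQUEST" not in f:
        return "unclassified"
    if "INITIATE_PRE_AUTHORISATION" in f:
        return "pre-authorisation"
    # Assumption: "will not contain both" is read as "contains neither".
    if "INITIATE_EMBEDDED_ACCOUNT_REQUEST" in f:
        return "unclassified"
    return "coupled"

class ConsentTracker:
    """Accepts Consent statuses only in the order this page gives for the flow."""
    def __init__(self, flow):
        self.expected = FLOW_STATUSES[flow]
        self.pos = -1  # no status observed yet

    def observe(self, status):
        """Record a status from a callback or poll and return the next action."""
        if self.pos >= 0 and status == self.expected[self.pos]:
            return NEXT_ACTION[status]  # unchanged while polling
        if self.pos + 1 < len(self.expected) and status == self.expected[self.pos + 1]:
            self.pos += 1
            return NEXT_ACTION[status]
        raise ValueError(f"status {status!r} is out of sequence for this flow")

    def token_usable(self):
        """Only an AUTHORIZED Consent's consent-token may be used for data calls."""
        return self.pos == len(self.expected) - 1
```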