Redirect Account Flows

Learn more about the different account authorisation flows in Yapily

Summary

Redirect-based account authorisation flows require the PSU to be sent to the domain of the Institution to authenticate themself and to securely give their Consent to make a request for the their financial data.

Identifying each flow

An Institution using the coupled account authorisation flow:

  • Will contain the INITIATE_ACCOUNT_REQUEST feature
  • Will not contain both the INITIATE_PRE_AUTHORISATION and INITIATE_EMBEDDED_ACCOUNT_REQUEST features

An Institution using the account pre-authorisation flows:

  • Use GET Institutions to check the features to identify which flow each Institution uses
  • Are you using the Yapily redirect (https://auth.yapily.com)? If so, check coupled account authorisation to see how each diagram changes for your use case.

Coupled Account Authorisation Flow

Authorisation_Flows-1L_Default_Accounts

  • If your redirectUrl is managed by Yapily (if it is https://auth.yapily.com/`, Yapily recommends using the callback option replacing steps 2-3 in the following flows. Alternatively, the callback with OTT option can also be used instead of the listed steps.

Expand/Close Explanation
  1. You will need to execute POST Create Account Authorisation request and redirect the user to the Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_AUTHORIZATION until the user authorises the request
  2. After the user authorises the request at the Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token that can access the user account information
  3. Using the default flow, you will need to poll the result of GET Consent until the Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
  4. You will then be able to use the consent-token to access the account information using GET Accounts and other financial data belonging to the user

Coupled Account Pre-Authorisation Flow

Authorisation_Flows-2L_Default_Accounts

  • If your redirectUrl is managed by Yapily (if it is https://auth.yapily.com/, Yapily recommends using the callback option replacing steps 2-3 and 5-6 in the following flows. Alternatively, the callback with OTT option can also be used instead of the listed steps.

Expand/Close Explanation
  1. You will need to execute POST Create Pre-authorisation request with the body parameter scope: AIS and redirect the user to the Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_PRE_AUTHORIZATION until the user authorises the request
  2. After the user authorises the request at the Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to authorise the pre authorisation request
  3. Using the default flow, you will need to poll the result of GET Consent until the Consent object is updated with the consent-token and once the status transitions to PRE_AUTHORIZED
  4. You will then need to execute PUT Update Account Pre-authorisation request with the consentToken and redirect the user to the Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_AUTHORIZATION until the user authorises the request
  5. After the user authorises the request at the Institution for the second time, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to initiate the request for the PSU's financial data on behalf of the user
  6. Once again, using the default flow, you will need to poll the result of GET Consent until the Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
  7. You will then be able to use the consent-token to access the account information using GET Accounts and other financial data belonging to the user

Decoupled Account Pre-Authorisation Flow 1

Authorisation_Flows-2L_Decoupled_Accounts

  • If your redirectUrl is managed by Yapily (if it is https://auth.yapily.com/, Yapily recommends using the callback option replacing steps 2-3 in the following flow. Alternatively, the callback with OTT option can also be used instead of the listed steps.

Expand/Close Explanation
  1. You will need to execute POST Create Pre-authorisation request with the body parameter scope: AIS and redirect the user to the Institution using the qrCodeUrl or authorisationUrl returned by the Yapily API. The status of the Consent will be AWAITING_PRE_AUTHORIZATION until the user authorises the request
  2. After the user authorises the request at the Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to authorise the pre authorisation request
  3. Using the default flow, you will need to poll the result of GET Consent until the Consent object is updated with the consent-token and once the status transitions to PRE_AUTHORIZED
  4. You will then need to execute PUT Update Account Pre-authorisation request with the consentToken. The status of the Consent will be AWAITING_DECOUPLED_AUTHORIZATION until the user authorises the request on their device
  5. The user will receive an authorisation directly from the Institution where they will authorise outside of Yapily. You can add a prompt in your application for the user to signal that they have approved the request in order to know when the consent-token is available, otherwise, poll the status of the Consent
  6. Once again, using the default flow, you will need to poll the result of GET Consent until the Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
  7. You will then be able to use the consent-token to access the account information using GET Accounts and other financial data belonging to the user

Decoupled Account Pre-Authorisation Flow 2

Authorisation_Flows-2L2_Decoupled_Accounts

  • If your redirectUrl is managed by Yapily (if it is https://auth.yapily.com/, Yapily recommends using the callback option replacing steps 5-6 in the following flow. Alternatively, the callback with OTT option can also be used instead of the listed steps.

Expand/Close Explanation
  1. You will need to execute POST Create Pre-authorisation request with the body parameter scope: AIS. The status of the Consent will be AWAITING_DECOUPLED_AUTHORIZATION until the user authorises the request
  2. The user will receive an authorisation directly from the Institution where they will authorise outside of Yapily. You can add a prompt in your application for the user to signal that they have approved the request in order to know when the consent-token is available, otherwise, poll the status of the Consent
  3. You will need to poll the result of GET Consent until the Consent object is updated with the consent-token and once the status transitions to PRE_AUTHORIZED
  4. You will then need to execute PUT Update Account Pre-authorisation request with the consentToken. The status of the Consent will be AWAITING_AUTHORIZATION until the user authorises the request on their device
  5. You will be able to redirect the user to the Institution using the authorisationUrl or the qrCodeUrl. After the user authorises the request at the Institution, the user will be redirected to the redirectUrl where the Consent object will be updated with the consent-token to authorise the pre authorisation request
  6. Once again, using the default flow, you will need to poll the result of GET Consent until the Consent object is updated with the consent-token and once the status transitions to AUTHORIZED
  7. You will then be able to use the consent-token to access the account information using GET Accounts and other financial data belonging to the user