Get your token


Access to the PSD2 API is granted by the bank through an authorization token (or access token) issued using the standardized OAUTH2 process.

How does it work?

See also STET V1.4.2.17 / Part I / section 3.4




1- The customer (PSU) provides the identity of the bank which holds his accounts (ASPSP) to the TPP. 


2- The TPP initiates an OAUTH2 access token request sequence by redirecting the customer to the ASPSP’s authorization infrastructure using GET /authorize.

See also STET V1.4.2.17 / Part I / section 3.4


3- The ASPSP will:

    • Identify and authenticate the PSU

    • Check your role and validity of your eIDAS certificates and agreement


4- Once the checks are done and correct, the ASPSP will redirect the PSU to your site using the "call-back" URL given in the GET /authorize request and provided to the ASPSP for the Go Live process.

You will find in the response to this request a short-lived one-time token.


5- You can then call the ASPSP to request the OAUTH2 token (and a refresh token) using POST /token with the previously received data (including the one-time token).

Note: these /token requests for the Authorization Code flow shall be sent WITHOUT the "scope" parameter.

See also STET V1.4.2.17 / Part I / section 3.4


6- The ASPSP will:

    • Check your role and validity of your eIDAS certificates and agreement

    • Check the direct or indirect matching between the Authorization Number within the eIDAS certificate and the [client_id] value

7- Once the checks are done and correct, the ASPSP returns an HTTP200 (OK) response with data including the access token.

See also STET V1.4.2.17 / Part I / section 3.4



8- As soon as you get the OAUTH2 access token (and a 90-day valid refresh token) issued by the bank, you can use it for each API request within the "Authorization" header, prefixed by the token type "Bearer".

The [client_id] that is linked to the access token must directly or indirectly match with the Authorisation Number that is located within the TPP’s eIDAS certificate (QWAC).

If the access token is expired, the request will be rejected with HTTP401 with an error equal to "invalid_token".

The request can be replayed once the access token has been refreshed using the use case "Refresh your token".


If your refresh token is about to expire, you will have to perform this whole process again, which also means redirecting the customer to the ASPSP for strong authentication (PSU SCA).
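
The TPP-side steps above (2, 4, 5 and 8) in Python. This is an added example, not code from the bank or from the STET specification: the endpoint URL, function names and the injected send/refresh callables are hypothetical, and the "state" and "scope" request parameters come from the standard OAuth 2.0 authorization code grant rather than from this page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint: the real one is published by the ASPSP.
AUTHORIZE_URL = "https://aspsp.example/authorize"

def build_authorize_url(client_id, redirect_uri, scope):
    """Step 2: URL the PSU is redirected to. Returns (url, state)."""
    state = secrets.token_urlsafe(16)  # anti-CSRF value tied to this PSU session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope,
                       "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def read_callback(callback_url, expected_state):
    """Step 4: return the one-time token only if the state matches."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: call-back not tied to this session")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    return params["code"][0]

def build_token_request(code, client_id, redirect_uri):
    """Step 5: form body for POST /token, deliberately without 'scope'."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "redirect_uri": redirect_uri}

def call_api(send, refresh, tokens, path):
    """Step 8: Bearer call; on 401 invalid_token, refresh once and replay.

    send(path, headers) -> (status, body) and refresh(refresh_token) -> dict
    are injected transports (assumed to use the TPP's QWAC for mutual TLS).
    """
    for attempt in range(2):
        headers = {"Authorization": f"Bearer {tokens['access_token']}"}
        status, body = send(path, headers)
        expired = status == 401 and body.get("error") == "invalid_token"
        if expired and attempt == 0:
            tokens.update(refresh(tokens["refresh_token"]))
            continue
        return status, body
```

The replay is limited to a single attempt, so a token the ASPSP keeps rejecting surfaces as a 401 to the caller instead of looping.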


For more details, see also the OAUTH 2.0 Authorization Framework.



You can find an example of this request in section "Test our API" and then "Use our sandbox".