Refresh your token


Principle

The refresh token issued by the bank (ASPSP) is valid for up to 90 days and needs to be renewed before it expires. Please also note that:

  • Authorization and refresh tokens can be revoked at any moment;
  • If the authorization token is revoked, the refresh token is automatically revoked as well (and the other way round);
  • The access token has a shorter life cycle (10 to 15 min) on a standalone device.


How does it work?

1. You request a refresh token using POST /token.

See also STET V1.4.0.47 / Part I / section 3.4.3.4 / page 25


2. The ASPSP:

  • Identifies and authenticates the TPP through the presented eIDAS certificate (QWAC);
  • Checks the direct or indirect matching between the Authorization Number within the eIDAS certificate and the [client_id] value;
  • Checks the date of the last PSU SCA (less than 90 days ago).


3. If everything is correct, the ASPSP answers with an HTTP 200 (OK) that embeds a new authorization token and a new refresh token, which replace the previous ones. You need to store these tokens safely.


4. The ASPSP de facto revokes the previous refresh token:

  • After the delay between two SCAs specified by law has elapsed;
  • After the delay specified by the ASPSP based on its internal rules, if any, has elapsed;
  • After a request has been rejected for insufficient scope, in order to allow the AISP to request another token with the desired scope;
  • On request of a PSU wanting to revoke the TPP's access to his/her account data.

Please also note that, as a TPP, you can ask for the revocation of the refresh token yourself through a POST /revoke request.

See also STET V1.4.0 / Part I / section 3.4.3.5 / page 26

See also RFC 7009, https://tools.ietf.org/html/rfc7009
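The following Python is an added example of how a TPP client can drive the four steps above and the /revoke request from its own side; it is not code from the bank's portal or from the STET specification. It assumes the token endpoint accepts the standard RFC 6749 section 6 form body (grant_type=refresh_token) and the revocation endpoint the RFC 7009 body, that the bank returns a rotated refresh token on HTTP 200, and that the mutual-TLS transport carrying the QWAC is injected as a callable. The 90-day and 10 to 15 minute lifetimes come from the page; the renewal margins, the client_id value and the fake ASPSP responses are constructed for the example.

```python
"""Client-side handling of the refresh-token flow (added example, see lead-in)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Lifetimes from the page: refresh token up to 90 days, access token 10-15 min.
# The safety margins are this example's own choice, not a bank requirement.
REFRESH_TOKEN_LIFETIME = timedelta(days=90)
REFRESH_MARGIN = timedelta(days=7)          # renew a week before the limit
DEFAULT_ACCESS_LIFETIME = timedelta(minutes=10)
ACCESS_MARGIN = timedelta(seconds=60)

# Constructed reference time used by the demo and the tests.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(base, **delta):
    """base + timedelta(**delta); keeps time arithmetic readable."""
    return base + timedelta(**delta)


class RefreshError(Exception):
    """The ASPSP refused the refresh: the PSU must redo consent and SCA."""


class TokenSet:
    """Access/refresh token pair plus the time the ASPSP issued it."""

    def __init__(self, access_token, refresh_token, obtained_at, expires_in=None):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.obtained_at = obtained_at
        self.access_lifetime = (timedelta(seconds=expires_in)
                                if expires_in else DEFAULT_ACCESS_LIFETIME)

    def access_expired(self, now):
        return now >= self.obtained_at + self.access_lifetime - ACCESS_MARGIN

    def refresh_due(self, now):
        """True inside the renewal window before the 90-day limit."""
        return now >= self.obtained_at + REFRESH_TOKEN_LIFETIME - REFRESH_MARGIN

    def refresh_expired(self, now):
        return now >= self.obtained_at + REFRESH_TOKEN_LIFETIME


def refresh_request_body(client_id, refresh_token, scope=None):
    """Form body for POST /token (RFC 6749 section 6); client_id is assumed."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token,
              "client_id": client_id}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def revoke_request_body(refresh_token):
    """Form body for POST /revoke (RFC 7009 section 2.1)."""
    return urlencode({"token": refresh_token, "token_type_hint": "refresh_token"})


def refresh(tokens, client_id, send, now):
    """Step 1 and step 3: ask for a new pair and replace the stored one.

    send(path, body) performs the mutual-TLS POST and returns (status, json).
    Anything but HTTP 200 means the old refresh token is dead (step 4), so
    the caller is told to restart SCA instead of retrying with it.
    """
    if tokens.refresh_expired(now):
        raise RefreshError("refresh token past 90 days; new SCA required")
    status, body = send("/token", refresh_request_body(client_id, tokens.refresh_token))
    if status == 200 and "access_token" in body:
        # RFC 6749 lets the server omit a new refresh token; the page says the
        # ASPSP returns one, so the old value is kept only if it is absent.
        return TokenSet(body["access_token"],
                        body.get("refresh_token", tokens.refresh_token),
                        now, body.get("expires_in"))
    raise RefreshError(body.get("error", "http_%d" % status))


def fake_aspsp(valid_refresh):
    """Constructed stand-in for the bank: one valid refresh token, rotated on use."""
    state = {"valid": valid_refresh, "revoked": set()}

    def send(path, body):
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        if path == "/revoke":
            state["revoked"].add(fields["token"])
            return 200, {}
        tok = fields.get("refresh_token")
        if (fields.get("grant_type") != "refresh_token" or tok != state["valid"]
                or tok in state["revoked"]):
            return 400, {"error": "invalid_grant"}
        state["valid"] = "rt-" + tok          # previous value no longer accepted
        return 200, {"access_token": "at-" + tok, "refresh_token": state["valid"],
                     "expires_in": 600}
    return send


def demo():
    """Walk the flow against the fake ASPSP and report what happened."""
    send = fake_aspsp("rt-1")
    tokens = TokenSet("at-0", "rt-1", T0, 600)
    out = {"due_day_1": tokens.refresh_due(at(T0, days=1)),
           "due_day_84": tokens.refresh_due(at(T0, days=84))}
    new = refresh(tokens, "client-123", send, at(T0, days=84))
    out["rotated"] = (new.access_token, new.refresh_token)
    try:                                      # the old pair must now be rejected
        refresh(tokens, "client-123", send, at(T0, days=84))
        out["old_reused"] = True
    except RefreshError as e:
        out["old_reused"] = str(e)
    return out
```

The point of keeping refresh() strict is the revocation behaviour in step 4: once the bank has rotated or revoked a refresh token, retrying with the old value only produces invalid_grant responses, so the client drops it and sends the PSU back through consent and SCA rather than looping.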