Use Case Example
A customer who holds accounts in several banks wants to aggregate his data.
Using the "Account information" API set up by banks (ASPSP), you can request real-time data that the customer has authorized, without asking for his online banking credentials.
The API resources can only be consumed if you have obtained the Account Information Services Provider ("AISP") role status. This prerequisite is described in section "Eligibility".
Once done, the overall process is as follows:
The customer has agreed to use your service. He needs to select his ASPSP through your interface.
During the first set of data exchanges, you will request an authorization token (and a refresh token). For this AISP role, you need these tokens BEFORE consuming API resources. These tokens are issued by the ASPSP AFTER an identification and authorization process of the bank account holder.
The ASPSP will:
check your certificates and on-going agreement delivered by the Competent Authority
identify and authorize the customer using the "redirect" mode in order to issue the tokens.
If the above access is granted by the customer, you can then get these OAuth2 tokens through secure exchanges (see use case "Get your token").
Whenever you present this token to the 89C3 API gateway, you will be able to consume the resources of this API in order to:
request the list of eligible accounts (see use case "List accounts")
forward customer's consent to the ASPSP (see use case "Forward customer's consent")
securely access the granted customer data (see use case "Access to data")
If the regulated 90-day token validity period expires, this process needs to be started again (see use case "Refresh your token").
NB: any ASPSP can refuse access to the customer's data for any justified reason (non-compliant API call, blocked account, ...).
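The token lifecycle described above can be tracked on the AISP side with a small decision function. This is an added example, not code from the API documentation or the ASPSP. The record layout, function names and the 30-second margin are hypothetical, and it assumes that the 90-day period counts from the customer's authorization, that a refresh does not extend it, and that the token response carries the standard OAuth2 `expires_in` field.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

VALIDITY_PERIOD = timedelta(days=90)  # regulated period stated on the page
EXPIRY_MARGIN = timedelta(seconds=30)  # assumption: refresh slightly early


class Action(Enum):
    USE_ACCESS_TOKEN = "use_access_token"
    REFRESH = "refresh"
    REAUTHORIZE = "reauthorize"  # customer goes through the redirect again


@dataclass
class TokenRecord:
    """Hypothetical record the AISP keeps per customer and per ASPSP."""
    aspsp_id: str
    authorized_at: datetime      # when the customer granted access
    access_expires_at: datetime  # receipt time + expires_in (RFC 6749)
    has_refresh_token: bool


def record_from_response(aspsp_id, response, now, authorized_at=None):
    """Build a record from an OAuth2 token response. Pass the original
    authorized_at after a refresh so the 90-day clock is not reset."""
    return TokenRecord(
        aspsp_id=aspsp_id,
        authorized_at=authorized_at or now,
        access_expires_at=now + timedelta(seconds=int(response["expires_in"])),
        has_refresh_token=bool(response.get("refresh_token")),
    )


def next_action(rec, now):
    """Decide what to do before presenting a token to the API gateway."""
    if now >= rec.authorized_at + VALIDITY_PERIOD:
        return Action.REAUTHORIZE
    if now < rec.access_expires_at - EXPIRY_MARGIN:
        return Action.USE_ACCESS_TOKEN
    return Action.REFRESH if rec.has_refresh_token else Action.REAUTHORIZE


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sample = {"access_token": "constructed", "refresh_token": "constructed",
              "expires_in": 3600}  # constructed token response
    rec = record_from_response("aspsp-example", sample, t0)
    for offset in (timedelta(minutes=10), timedelta(hours=2), VALIDITY_PERIOD):
        print(offset, next_action(rec, t0 + offset).value)
```

Store one such record per customer and per ASPSP, and call `next_action` before each request so that an expired authorization leads to a new redirect rather than a rejected API call.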