Payments

Payment Initiation (PSD2)

Initiate payments and retrieve information on the status of the transaction. You need a PSD2 license to use this service.

Authorization

Important: To use this API you must be on-boarded. If you haven't done this already, see the on-boarding procedure in Overview.

ABN AMRO client accounts are protected against unauthorized access. To get access to an ABN AMRO client account, you must authenticate yourself using OAuth 2.0. For more information, see OAuth 2.0.

This API uses two types of OAuth:

  • Client Credentials

  • Authorization Code

Client Credentials

In this authorization, OAuth is used for direct access to an API. As a third-party payment service provider (TPP) you use this method to get an access token for registering a payment. When requesting an access token you must identify yourself as a client using a PSD2-compliant eIDAS QWAC SSL certificate. In response, an access token is returned that can be used to access all APIs that you are authorized to use. For security reasons the validity of this token is temporary. The sequence diagram in the Authorization code section illustrates how client credentials are used when accessing an ABN AMRO account.

Authorization code

In this authorization, OAuth is used in a TPP role to access ABN AMRO client accounts. ABN AMRO clients must give you, as a TPP, consent before their account can be accessed.

Before consent can be requested, a payment instruction must be registered. Registration of the payment is done using client credentials authorization. After the payment is registered, the ABN AMRO client must be asked to authorize it through the consent application; this enables you to execute the registered payment and view its status.

When consent is granted, an authorization code is provided. For security reasons this code is short-lived and must be exchanged for a long-lived refresh token and a short-lived access token. The access token gives access to the APIs and can, for example, be used to release the stored payment for processing. The long-lived refresh token can be used for future account access. The sequence diagram below depicts this process. For more information, see Refresh an Access Token.

[Sequence diagram: OAuthRefreshPIS.svg]

For information on how to access the OAuth server, see Single payments tutorial, Batch payments tutorial, or OAuth.

Authorization code Batch

Important: To send direct debit batches, account holders must have a direct debit contract with ABN AMRO.

In this process, OAuth is used in a TPP role to access ABN AMRO client accounts and send batch payments. Both SEPA credit transfer batches and direct debit batches are supported.

Before batch payments are sent on behalf of the account holder, the account holder must provide consent. This consent is requested through the consent application and is valid for 90 days. As a result of this consent, an authorization code is provided. For security reasons this code is short-lived and must be exchanged for a long-lived refresh token and a short-lived access token. The access token can then be used to post the batch payment. The sequence diagram below describes this process.

[Sequence diagram: OAuthConsentBatch.svg]

For information on how to access the OAuth server, see OAuth, Single payments tutorial, or Batch payments tutorial.

The consent application is used in the authorization code process to provide you with an authorization code for the requested authorization. An authorization is a grant to an account for one or more scopes. A scope defines the type of access: for payments there are write and read scopes. A write scope is used to register and execute payments; a read scope is used to read the status of a payment. In the consent application the ABN AMRO client grants you access to their account, for example by using an E.dentifier. This is a so-called redirect. In the consent application, the ABN AMRO client can review the payment details that you registered, authorize the payment, and check its status. The ABN AMRO client can either authorize or cancel the requested authorization.

The client consent process consists of three steps:

  1. Logon
  2. Check requested access to account
  3. Authorization

All payment initiation consents are valid for 90 days. Consent can be given using Internet Banking, a Mobile Banking app, or Access Online.

Notes:

  • The scopes for Payment Initiation (PSD2) cannot be combined with scopes for Account Information. For more information, see Technical.

  • For details on how to access the consent application through the OAuth server, see OAuth, Single payments tutorial, and Batch payments tutorial.

  • The ABN AMRO client can select an account number that differs from the account number in the registered payment if they are not authorized for that account.

  • The ABN AMRO client can select the Dutch or English language in the consent application.

  • A cookie is used in the consent process; it must be stored in the browser of the ABN AMRO client.

Refresh an Access Token

When the short-lived access token has expired, the long-lived refresh token can be used to get a new access token and a new refresh token. This invalidates the refresh token that was used. The sequence diagram below describes this process.

[Sequence diagram: OAuthRefreshPIS.svg]

For information on how to access the OAuth server, see OAuth, Single payments tutorial, or Batch payments tutorial.
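The token rules stated in the Authorization code, consent and Refresh an Access Token sections above, as an added example that is not ABN AMRO's code: a stand-in OAuth server that issues a single-use, short-lived authorization code, rotates refresh tokens (the used one becomes invalid), ties every refresh token to the 90-day consent it was issued under, and rejects scope sets that mix Payment Initiation with Account Information. The scope names, the 60-second code lifetime and the 600-second access-token lifetime are assumptions; the page only says "short-lived".

```python
import secrets
import time

PIS_SCOPES = {"psd2:payment:write", "psd2:payment:read"}  # assumed names; page: write/read
AIS_SCOPES = {"psd2:account:read"}                         # assumed name (Account Information)
CONSENT_VALIDITY_S = 90 * 24 * 3600                        # page: consent is valid for 90 days
CODE_LIFETIME_S = 60                                       # assumption: "short-lived" code

def validate_scopes(scopes):
    """Page rule: Payment Initiation scopes cannot be combined with Account Information scopes."""
    s = set(scopes)
    if not s or not s <= PIS_SCOPES | AIS_SCOPES:
        raise ValueError(f"unknown or empty scope set: {sorted(s)}")
    if s & PIS_SCOPES and s & AIS_SCOPES:
        raise ValueError("PIS scopes cannot be combined with AIS scopes")
    return sorted(s)

class FakeAuthServer:
    """Stand-in for the bank's OAuth server: one-time codes, rotating refresh tokens."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be simulated
        self.codes = {}                # code -> (scopes, consent_issued_at)
        self.refresh = {}              # refresh token -> (scopes, consent_issued_at)

    def grant_consent(self, scopes):
        """Consent application: the client authorized the registered payment; issue a code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (validate_scopes(scopes), self.now())
        return code

    def token(self, grant_type, value):
        """Token endpoint: exchange a code, or rotate a refresh token."""
        if grant_type == "authorization_code":
            scopes, consent_at = self.codes.pop(value, (None, 0.0))  # pop: code is single-use
            if scopes is None or self.now() - consent_at > CODE_LIFETIME_S:
                raise PermissionError("authorization code invalid or expired")
        elif grant_type == "refresh_token":
            scopes, consent_at = self.refresh.pop(value, (None, 0.0))  # pop: used token is invalid
            if scopes is None:
                raise PermissionError("refresh token unknown or already used")
            if self.now() - consent_at > CONSENT_VALIDITY_S:
                raise PermissionError("consent expired; a new consent is required")
        else:
            raise ValueError("unsupported grant_type")
        new_rt = secrets.token_urlsafe(24)
        self.refresh[new_rt] = (scopes, consent_at)  # rotation keeps the original consent clock
        return {"access_token": secrets.token_urlsafe(24), "expires_in": 600,  # assumed lifetime
                "refresh_token": new_rt, "scope": " ".join(scopes)}
```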

Consent Info

Use this method to retrieve details of the consent associated with an access token, such as the transactionId, the initiating account number, and the scopes.

[Diagram: OAuthConsentInfoPIS.svg]

For information on how to access the consent info API, see Technical, Single payments tutorial, or Batch payments tutorial.