Live PSD2 OAuth Flow

According to the Berlin Group's NextGenPSD2 standard, Third Party Providers (TPPs) take the OAuth role of "client". As specified by the Internet Engineering Task Force in RFC 6749 (OAuth 2.0), the "Client Credentials Grant" is used to obtain an access token: there is no end-user redirect, the client authenticates itself and receives a token directly from the token endpoint.

STEP 1: TESTING YOUR EIDAS QWAC CERTIFICATE / GETTING A CLIENT-ID

You have to call the first-contact endpoint once to receive a Client-ID. This step also checks that your eIDAS QWAC certificate is valid: the connection is mutually authenticated TLS, and the certificate is presented as the TLS client certificate (this is what the --cert and --key options in the examples below do).
You can send this request multiple times; as long as your certificate's subject DN does not change, you will receive the same Client-ID.

Please note that our APIs only support certificates whose key length does not exceed 2048 bits.

The following example shows a request in "cURL" format:

curl -X POST "https://psd2.poso.at/api/psd2-xs2a/first-contact/" \
-H "Content-Type: application/json" \
-H "Cache-Control: no-cache" \
--cert "/path/to/cert.pem" \
--key "/path/to/key.key"

The following is an example response body you would receive:

{
  "clientId": "API-7d6f204b-3219-4b63-b66e-5f7a0be1d067"
}

STEP 2: GET AN OAUTH ACCESS TOKEN FROM SSO-PSD2.POSO.AT

Once you have obtained a Client-ID you can request an access token. The token request is sent over the same mutually authenticated TLS connection with your certificate; the request body carries only the grant type, the Client-ID and the scope, no client secret.

The following example shows an OAuth Access Token request in "cURL" and "HTTP" format:

curl -X POST https://sso-psd2.poso.at/as/token.oauth2 \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Cache-Control: no-cache" \
--cert "/path/to/cert.pem" \
--key "/path/to/key.key" \
-d "grant_type=client_credentials&client_id=API-7d6f204b-3219-4b63-b66e-5f7a0be1d067&scope=apic-psd2"

POST /as/token.oauth2 HTTP/1.1
Host: sso-psd2.poso.at
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache

grant_type=client_credentials&client_id=API-7d6f204b-3219-4b63-b66e-5f7a0be1d067&scope=apic-psd2

The following is an example response body you would receive:

{
  "access_token": "kUNrj52ZqpXpYstVfmPU9Iv9Igiz",
  "token_type": "Bearer",
  "expires_in": 599
}

STEP 3: USE THE OAUTH ACCESS TOKEN TO CALL OUR APIS AT PSD2.POSO.AT

For all subsequent calls to our APIs you have to transmit the generated Access Token in the "Authorization: Bearer" header field. The API calls are still made over mutually authenticated TLS with your certificate; the Bearer token on its own is not sufficient. Tokens are short-lived ("expires_in" is given in seconds, 599 in the example above), so cache the token and request a new one shortly before it expires instead of requesting one per API call. In the example below a request to the accounts endpoint is made.

The following example shows a request in "cURL" and "HTTP" format:

curl -X GET https://psd2.poso.at/api/psd2-xs2a/rest/v1/accounts \
-H "Authorization: Bearer kUNrj52ZqpXpYstVfmPU9Iv9Igiz" \
-H "X-Request-ID: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721" \
-H "Consent-ID: e6151d43-dca8-4fe1-b139-3a89bfeb57a2" \
-H "Cache-Control: no-cache" \
--cert "/path/to/cert.pem" \
--key "/path/to/key.key"

GET /api/psd2-xs2a/rest/v1/accounts HTTP/1.1
Host: psd2.poso.at
Authorization: Bearer kUNrj52ZqpXpYstVfmPU9Iv9Igiz
X-Request-ID: 99391c7e-ad88-49ec-a2ad-99ddcb1f7721
Consent-ID: e6151d43-dca8-4fe1-b139-3a89bfeb57a2
Cache-Control: no-cache
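The three steps above chained into one client, as an added example that is not part of this portal's documentation or its code. It uses only the Python standard library: an ssl context that presents the QWAC as TLS client certificate on every connection, the first-contact call, the Client Credentials Grant, and the accounts call with the Bearer token. Hosts, paths, scope, header names and the response field names are taken from the page; the 30-second refresh margin (REFRESH_MARGIN), the check that X-Request-ID is a UUID, and the error handling are this example's own assumptions. The pure helpers (request body, token parsing, refresh decision, header construction) are separate from the network code so they can be tested offline.

```python
"""Added example: PSD2 client-credentials flow over mTLS with an eIDAS QWAC.
Not the portal's own code. Endpoints and header names come from the page;
REFRESH_MARGIN and the error handling are assumptions of this example."""
import http.client
import json
import ssl
import sys
import time
import uuid
from urllib.parse import urlencode

FIRST_CONTACT_HOST, FIRST_CONTACT_PATH = "psd2.poso.at", "/api/psd2-xs2a/first-contact/"
TOKEN_HOST, TOKEN_PATH = "sso-psd2.poso.at", "/as/token.oauth2"
API_HOST, ACCOUNTS_PATH = "psd2.poso.at", "/api/psd2-xs2a/rest/v1/accounts"
SCOPE = "apic-psd2"
REFRESH_MARGIN = 30  # seconds before expiry at which a new token is fetched (assumption)


def mtls_context(cert_path: str, key_path: str) -> ssl.SSLContext:
    """TLS client context that presents the QWAC on every connection (the --cert/--key
    of the curl examples). Server verification stays on via the default trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def token_request_body(client_id: str, scope: str = SCOPE) -> str:
    """Form-encoded Client Credentials Grant body, as in Step 2 of the page."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id, "scope": scope})


def parse_token_response(body: str, now: float) -> dict:
    """Turn the token endpoint's JSON into a record with an absolute expiry time."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {"access_token": data["access_token"], "expires_at": now + int(data["expires_in"])}


def token_needs_refresh(token, now: float, margin: int = REFRESH_MARGIN) -> bool:
    """True when there is no cached token or it expires within `margin` seconds."""
    return token is None or now >= token["expires_at"] - margin


def accounts_headers(access_token: str, consent_id: str, request_id=None) -> dict:
    """Headers for Step 3. X-Request-ID is checked to be a UUID (assumption of this
    example, matching the shape of the page's value); a bad one raises ValueError."""
    request_id = request_id or str(uuid.uuid4())
    uuid.UUID(request_id)
    return {"Authorization": "Bearer " + access_token,
            "X-Request-ID": request_id,
            "Consent-ID": consent_id,
            "Cache-Control": "no-cache"}


class Psd2Client:
    """Runs Steps 1-3 over mTLS, caching the Client-ID and reusing the token until
    it is about to expire."""

    def __init__(self, cert_path: str, key_path: str):
        self.ctx = mtls_context(cert_path, key_path)
        self.client_id = None
        self.token = None

    def _call(self, host, method, path, headers, body=None) -> str:
        conn = http.client.HTTPSConnection(host, context=self.ctx)
        try:
            conn.request(method, path, body=body, headers=headers)
            resp = conn.getresponse()
            text = resp.read().decode()
            if resp.status != 200:
                raise RuntimeError("%s %s%s -> %d: %s" % (method, host, path, resp.status, text))
            return text
        finally:
            conn.close()

    def first_contact(self) -> str:
        """Step 1: validate the QWAC and obtain (or re-obtain) the Client-ID."""
        text = self._call(FIRST_CONTACT_HOST, "POST", FIRST_CONTACT_PATH,
                          {"Content-Type": "application/json", "Cache-Control": "no-cache"})
        self.client_id = json.loads(text)["clientId"]
        return self.client_id

    def access_token(self) -> str:
        """Step 2: fetch a token only when the cached one is missing or near expiry."""
        if self.client_id is None:
            self.first_contact()
        if token_needs_refresh(self.token, time.time()):
            text = self._call(TOKEN_HOST, "POST", TOKEN_PATH,
                              {"Content-Type": "application/x-www-form-urlencoded",
                               "Cache-Control": "no-cache"},
                              token_request_body(self.client_id))
            self.token = parse_token_response(text, time.time())
        return self.token["access_token"]

    def accounts(self, consent_id: str) -> dict:
        """Step 3: call the accounts endpoint with the Bearer token, still over mTLS."""
        return json.loads(self._call(API_HOST, "GET", ACCOUNTS_PATH,
                                     accounts_headers(self.access_token(), consent_id)))


if __name__ == "__main__":
    cert, key, consent = sys.argv[1:4]  # e.g. /path/to/cert.pem /path/to/key.key <Consent-ID>
    print(json.dumps(Psd2Client(cert, key).accounts(consent), indent=2))
```

Run it as `python psd2_client.py /path/to/cert.pem /path/to/key.key <Consent-ID>`. The token cache plus the refresh margin means a long-running TPP process requests a new token roughly every ten minutes rather than on every call, and the Client-ID is fetched once per process, which matches the page's statement that repeating first-contact yields the same Client-ID for an unchanged subject DN.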