To authorize requests, MEO Wallet uses OAuth2 as described in RFC 6749.
Authorization Sandbox URL: https://ob.sandbox.meowallet.pt:8443
Authorization Production URL: https://ob.wallet.pt
In the OAuth2 authorization flow, the TPP must specify which OAuth scopes are being requested, according to the APIs the TPP will access. For AISP services the requested scope must be aisp. The requested scopes must have a direct match with the roles on the QWAC certificate that the TPP will use on requests to the AISP API.
To request authorization from a given PSU, use this authorization URL (production environment): https://ob.wallet.pt/openbanking/authorize?client_id={tpp_client_id}&response_type=code&scope=aisp&redirect_uri={tpp_redirect_uri}&state={csrf_token}. The meaning of each query string parameter is described below:
If the user accepts your request, you will get a code to be exchanged for an Access Token. This code is valid for 10 minutes.
If the user refuses your request, you get an error as described in the RFC.
Reference: Authorization Code and Errors
Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt
Production URL: https://ob.psd2.services.wallet.pt
If the PSU accepts your authorization request, you will be able to request an Access Token. This token can be used until 1 hour after the authorization approval.
All details about this request are here: /openbanking/oauth2/v1/token.
Reference: Access Token
Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt
Production URL: https://ob.psd2.services.wallet.pt
The Access Token response includes a “refresh_token”. This token can be used to get a new Access Token without a new authorization request.
The refresh token is valid until 90 days after the authorization. After that period, you must request a new authorization from the PSU.
All details about this request are here: /openbanking/oauth2/v1/token.
Reference: Refresh Token
Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt
Production URL: https://ob.psd2.services.wallet.pt
As described in RFC 7009, you can revoke an Access Token or a Refresh Token.
All details about this request are here: /openbanking/oauth2/v1/revoke. If the request succeeds, you will get an empty response with the HTTP 200 status code.
Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt
Production URL: https://ob.psd2.services.wallet.pt
You must generate an Access Token using the OAuth2 Client Credentials grant. This token can be used until 1 hour after the token generation. All details about this request are here: /openbanking/oauth2/v1/token.
With this Access Token, you can create a payment as described here: Create a payment
This type of access token is also used to get the data of a given payment.
Reference: Access Token
The scope in this case must be only pisp. The requested scope must have a direct match with the roles on the QWAC certificate that will be used by the TPP on the requests to the PISP APIs.
To request a payment authorization from a given PSU, take the “consentApproval” URL returned in the previous step after creating the payment.
The consentApproval URL will be similar to this:
https://ob.wallet.pt/openbanking/authorizepi?response_type=code&scope=pisp&context={operationid}
Append your OAuth2 credentials to it: client_id, redirect_uri and state.
At the end you will get a URL like this:
https://ob.wallet.pt/openbanking/authorizepi?response_type=code&scope=pisp&context={operationid}&client_id={tpp_client_id}&redirect_uri={tpp_redirect_uri}&state={csrf_token}
The meaning of each query string parameter is described below:
If the user accepts your payment authorization request, you will get a code to be exchanged for an Access Token. This code is valid for 10 minutes.
If the user refuses your request, you get an error as described in the RFC.
Reference: Authorization Code and Errors
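The steps above (appending client_id, redirect_uri and state to the consentApproval URL, then reading the code or error from the redirect) can be handled on the TPP side as in the following added example, which is not MEO Wallet's own code. The function names, the host allow-list built from the authorization hosts on this page, and the sample values (op-123, tpp-client, tpp.example) are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Authorization hosts listed on this page (production, sandbox). Assumption:
# every consentApproval URL points at one of them.
ALLOWED_HOSTS = {"ob.wallet.pt", "ob.sandbox.meowallet.pt"}
TPP_PARAMS = ("client_id", "redirect_uri", "state")


def new_state() -> str:
    """Unguessable CSRF token; keep it in the PSU's server-side session."""
    return secrets.token_urlsafe(32)


def build_payment_authorization_url(consent_url, client_id, redirect_uri, state):
    """Append client_id, redirect_uri and state to the consentApproval URL."""
    parts = urlsplit(consent_url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("unexpected consentApproval URL: " + consent_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(key in TPP_PARAMS for key, _ in query):
        raise ValueError("consentApproval URL already carries TPP parameters")
    query += [("client_id", client_id), ("redirect_uri", redirect_uri),
              ("state", state)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def handle_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, or raise."""
    params = dict(parse_qsl(urlsplit(callback_url).query))
    returned = params.get("state", "")
    # Check state first, in constant time, before trusting anything else.
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: discard this response")
    if "error" in params:  # PSU refused, or another RFC 6749 error
        raise RuntimeError("authorization failed: " + params["error"])
    if not params.get("code"):
        raise RuntimeError("callback carries neither code nor error")
    return params["code"]  # exchange within 10 minutes at the token endpoint


if __name__ == "__main__":
    # Constructed sample values; op-123 and tpp.example are placeholders.
    state = new_state()
    print(build_payment_authorization_url(
        "https://ob.wallet.pt/openbanking/authorizepi"
        "?response_type=code&scope=pisp&context=op-123",
        "tpp-client", "https://tpp.example/callback", state))
```

The same callback check applies to the AISP authorization URL, since it carries the same state parameter.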
Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt
Production URL: https://ob.psd2.services.wallet.pt
If the PSU accepts your payment authorization request, you will be able to exchange the authorization code for an Access Token. This token can be used until 1 hour after the payment authorization approval.
All details about this request are here: /openbanking/oauth2/v1/token.
Reference: Access Token
Once you have your payment confirmation access token, you must complete the payment SCA flow using the access token on the payment-request confirmation endpoint.
All details about this request are here: Confirm a payment