Authorization

To authorize requests, MEO Wallet uses OAuth2 as described in RFC 6749.

Authorization Sandbox URL: https://ob.sandbox.meowallet.pt:8443

Authorization Production URL: https://ob.wallet.pt

Account Information Service Providers (AISP)

Request an Authorization Code

In the OAuth2 authorization flow, the TPP must specify which OAuth scopes it is requesting, according to the APIs it will access. For AISP services the requested scope must be aisp. The requested scopes must match the roles on the QWAC certificate that the TPP will present on its requests to the AISP API.

To request an authorization from a given PSU, use this authorization URL (production environment): https://ob.wallet.pt/openbanking/authorize?client_id={tpp_client_id}&response_type=code&scope=aisp&redirect_uri={tpp_redirect_uri}&state={csrf_token}. The meaning of each query string parameter is described below:

  1. client_id - Identifier of the OAuth client you created on your TPP Account
  2. response_type - OAuth2 grant type (currently only code is supported)
  3. scope - aisp
  4. redirect_uri - This URI must match the URI defined at client creation
  5. state - An identifier used to prevent CSRF attacks. You must validate it before performing any action

If the user accepts your request, you will receive a code to exchange for an Access Token. This code is valid for 10 minutes.

If the user refuses your request, you will receive an error as described in the RFC.

Reference: Authorization Code and Errors
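The following Python example is added here to illustrate the two halves of the flow above: building the AISP authorization URL with a fresh, single-use state, and validating the redirect that comes back to redirect_uri (either a code to exchange or an RFC 6749 error). It is not MEO Wallet's code; CLIENT_ID, REDIRECT_URI, the session dictionary and the callback URLs in demo() are constructed placeholders, and the endpoint path is the production one quoted above.

```python
import hmac
import secrets
import urllib.parse

# Production authorize endpoint from the page; swap the host for the sandbox.
AUTHORIZE_URL = "https://ob.wallet.pt/openbanking/authorize"

# Hypothetical TPP client settings; the real values come from your TPP Account.
CLIENT_ID = "tpp-client-id"
REDIRECT_URI = "https://tpp.example/psd2/callback"


def build_authorization_request(session):
    """Create a fresh state, remember it in the PSU's session, and return the authorize URL."""
    state = secrets.token_urlsafe(32)        # unguessable, one per authorization attempt
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "aisp",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def handle_callback(session, callback_url):
    """Validate the redirect back from MEO Wallet.

    Returns ("code", <code>) when the PSU accepted or ("error", <error>) when the PSU
    refused; raises ValueError when the state does not match the one we issued.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: consume it even on failure
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF or replayed redirect; discard this callback")
    if "error" in query:
        # RFC 6749 section 4.1.2.1 error response, e.g. access_denied when the PSU refuses
        return "error", query["error"][0]
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return "code", query["code"][0]               # exchange it within 10 minutes


def demo():
    session = {}
    build_authorization_request(session)
    state = session["oauth_state"]
    # Constructed callbacks as the TPP would receive them at REDIRECT_URI.
    accepted = handle_callback(dict(session), f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}")
    refused = handle_callback(dict(session), f"{REDIRECT_URI}?error=access_denied&state={state}")
    try:
        handle_callback(dict(session), f"{REDIRECT_URI}?code=abc&state=forged")
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return accepted, refused, forged_rejected


if __name__ == "__main__":
    print(demo())
```

The state is popped from the session before it is compared, so a second delivery of the same redirect (or a redirect that arrives with no pending authorization) is rejected as well as a forged one.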

Request an Access Token

Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt

Production URL: https://ob.psd2.services.wallet.pt

If the PSU accepts your authorization request, you will be able to request an Access Token. This token is valid for 1 hour after the authorization is approved.

All details about this request are here: /openbanking/oauth2/v1/token.

Reference: Access Token

Request a Refresh Token

Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt

Production URL: https://ob.psd2.services.wallet.pt

The Access Token response also contains a “refresh_token”. This token can be used to obtain a new Access Token without a new authorization request.

The refresh token is valid until 90 days after the authorization. After that period, you must request a new authorization from the PSU.

All details about this request are here: /openbanking/oauth2/v1/token.

Reference: Refresh Token

Request a Token Revocation

Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt

Production URL: https://ob.psd2.services.wallet.pt

As described in RFC 7009, you can revoke an Access Token or a Refresh Token.

All details about this request are here: /openbanking/oauth2/v1/revoke. If the request succeeds, you will get an empty response with the HTTP 200 status code.

Payment Initiation Service Providers (PISP)

Request an Access Token for Payment Initiation

Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt

Production URL: https://ob.psd2.services.wallet.pt

You must generate an Access Token using the OAuth2 Client Credentials grant. This token is valid for 1 hour after it is generated. All details about this request are here: /openbanking/oauth2/v1/token.

With this Access Token, you can create a payment as described here: Create a payment

This type of access token is also used to retrieve the data of a given payment.

Reference: Access Token
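The Python example below is added to tie together the token endpoint interactions described in the sections above: exchanging an authorization code, reusing the access token for its 1-hour lifetime, refreshing it within the 90-day window counted from the authorization, revoking a token per RFC 7009, and obtaining a client credentials token for payment initiation. It is not MEO Wallet's code. The page only links the token and revoke endpoints, so the HTTP Basic client authentication in http_transport, the form parameter names (taken from RFC 6749 and RFC 7009) and the client id and secret are assumptions; fake_transport and the token values it returns are constructed so that demo() runs offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Sandbox endpoints from the page; swap the host for production.
BASE = "https://ob.psd2.services.sandbox.meowallet.pt"
TOKEN_URL = BASE + "/openbanking/oauth2/v1/token"
REVOKE_URL = BASE + "/openbanking/oauth2/v1/revoke"
ACCESS_TOKEN_LIFETIME = 3600          # 1 hour (page)
REFRESH_TOKEN_LIFETIME = 90 * 86400   # 90 days after the authorization (page)


def http_transport(url, form, basic_auth):
    """Form-encoded POST with HTTP Basic client authentication (RFC 6749 section 2.3.1).
    Assumption: the page does not state which client authentication method is accepted."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", "Basic " + base64.b64encode(basic_auth.encode()).decode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class TokenClient:
    def __init__(self, client_id, client_secret, transport=http_transport, clock=time.time):
        self.auth = f"{client_id}:{client_secret}"
        self.transport, self.clock = transport, clock
        self.access_token, self.access_expires_at = None, 0.0
        self.refresh_token, self.refresh_expires_at = None, 0.0

    def _token_request(self, form):
        status, body = self.transport(TOKEN_URL, form, self.auth)
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token endpoint error: {body.get('error', status)}")
        self.access_token = body["access_token"]
        self.access_expires_at = self.clock() + float(body.get("expires_in", ACCESS_TOKEN_LIFETIME))
        if "refresh_token" in body:                  # the server may rotate it on refresh
            self.refresh_token = body["refresh_token"]
        return self.access_token

    def exchange_code(self, code, redirect_uri):
        """AISP / payment confirmation: trade the 10-minute code for tokens."""
        token = self._token_request({"grant_type": "authorization_code", "code": code,
                                     "redirect_uri": redirect_uri})
        # The 90-day refresh window is counted from the authorization, not from each refresh.
        self.refresh_expires_at = self.clock() + REFRESH_TOKEN_LIFETIME
        return token

    def client_credentials(self, scope="pisp"):
        """Payment initiation: no PSU involved and no refresh token; re-run after 1 hour."""
        return self._token_request({"grant_type": "client_credentials", "scope": scope})

    def get_access_token(self):
        """Reuse the token while valid, refresh when it is about to expire, otherwise give up."""
        now = self.clock()
        if self.access_token and now < self.access_expires_at - 60:
            return self.access_token
        if self.refresh_token and now < self.refresh_expires_at:
            return self._token_request({"grant_type": "refresh_token",
                                        "refresh_token": self.refresh_token})
        raise RuntimeError("no usable token: a new PSU authorization (or client credentials grant) is needed")

    def revoke(self, token, token_type_hint):
        """RFC 7009 revocation; the page says success is an empty HTTP 200."""
        status, _ = self.transport(REVOKE_URL, {"token": token, "token_type_hint": token_type_hint}, self.auth)
        return status == 200


def fake_transport(url, form, basic_auth):
    """Constructed stand-in for the MEO Wallet endpoints so the demo runs offline."""
    if url == REVOKE_URL:
        return 200, {}
    grant = form["grant_type"]
    if grant == "authorization_code" and form.get("code") == "good-code":
        return 200, {"access_token": "at-1", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "rt-1"}
    if grant == "refresh_token" and form.get("refresh_token") == "rt-1":
        return 200, {"access_token": "at-2", "token_type": "Bearer", "expires_in": 3600}
    if grant == "client_credentials":
        return 200, {"access_token": "cc-1", "token_type": "Bearer", "expires_in": 3600}
    return 400, {"error": "invalid_grant"}


def demo():
    clock = {"now": 1_700_000_000.0}              # controllable clock for the lifetime checks
    c = TokenClient("tpp-client-id", "tpp-client-secret", transport=fake_transport,
                    clock=lambda: clock["now"])
    first = c.exchange_code("good-code", "https://tpp.example/psd2/callback")   # "at-1"
    assert c.get_access_token() == first          # still fresh: no round trip to the server
    clock["now"] += 3700                          # past the 1-hour access token lifetime
    second = c.get_access_token()                 # refreshed -> "at-2"
    clock["now"] += 91 * 86400                    # past the 90-day refresh window
    try:
        c.get_access_token()
        needs_new_auth = False
    except RuntimeError:
        needs_new_auth = True
    revoked = c.revoke("rt-1", "refresh_token")   # True
    pisp = TokenClient("tpp-client-id", "tpp-client-secret", transport=fake_transport,
                       clock=lambda: clock["now"]).client_credentials()        # "cc-1"
    return first, second, needs_new_auth, revoked, pisp


if __name__ == "__main__":
    print(demo())
```

Injecting the transport and the clock keeps the lifetime logic testable without network access; in production, pass the real client id and secret and leave the defaults in place.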

Request an Authorization Code for Payment Confirmation

In this case the scope must be pisp only. The requested scope must match the roles on the QWAC certificate that the TPP will present on its requests to the PISP APIs.

To request a payment authorization from a given PSU, use the “consentApproval” URL returned when the payment was created in the previous step.

The consentApproval URL will be similar to this:

https://ob.wallet.pt/openbanking/authorizepi?response_type=code&scope=pisp&context={operationid}

Append your OAuth2 client parameters to it: client_id, redirect_uri and state.

The resulting URL will look like this:

https://ob.wallet.pt/openbanking/authorizepi?response_type=code&scope=pisp&context={operationid}&client_id={tpp_client_id}&redirect_uri={tpp_redirect_uri}&state={csrf_token}

The meaning of each query string parameter is described below:

  1. response_type - OAuth2 grant type (code). Pre-filled in the consentApproval URL; you must not change it.
  2. scope - pisp. Pre-filled in the consentApproval URL; you must not change it.
  3. context - Payment context. Pre-filled in the consentApproval URL; you must not change it.
  4. client_id - Identifier of the OAuth client you created on your TPP Account.
  5. redirect_uri - This URI must match the URI defined at client creation.
  6. state - An identifier used to prevent CSRF attacks. You must validate it before performing any action.

If the user accepts your payment authorization request, you will receive a code to exchange for an Access Token. This code is valid for 10 minutes.

If the user refuses your request, you will receive an error as described in the RFC.

Reference: Authorization Code and Errors
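The Python example below is added to show how a TPP completes the consentApproval URL described above: it checks that the URL really points at the MEO Wallet authorization server, that response_type, scope and context are present with the pre-filled values, that none of the TPP parameters are already there, and only then appends client_id, redirect_uri and a fresh state. It is not MEO Wallet's code; CLIENT_ID, REDIRECT_URI, the session dictionary and the SAMPLE_CONSENT_URL (with its "op-123" operation id) are constructed placeholders.

```python
import secrets
import urllib.parse

# Hypothetical TPP client settings; the real values come from your TPP Account.
CLIENT_ID = "tpp-client-id"
REDIRECT_URI = "https://tpp.example/psd2/payment-callback"

# Authorization server hosts from the page (production and sandbox).
ALLOWED_HOSTS = {"ob.wallet.pt", "ob.sandbox.meowallet.pt:8443"}
PREFILLED = {"response_type": "code", "scope": "pisp"}   # set by MEO Wallet; not ours to change
TPP_PARAMS = ("client_id", "redirect_uri", "state")

# Constructed sample of a consentApproval URL as returned by payment creation.
SAMPLE_CONSENT_URL = "https://ob.wallet.pt/openbanking/authorizepi?response_type=code&scope=pisp&context=op-123"


def query_params(url):
    """Single-valued view of a URL's query string; a repeated key is treated as an error."""
    pairs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query, keep_blank_values=True)
    if any(len(v) != 1 for v in pairs.values()):
        raise ValueError("duplicate query parameter")
    return {k: v[0] for k, v in pairs.items()}


def complete_consent_url(consent_approval_url, session):
    """Validate the consentApproval URL, then append client_id, redirect_uri and a fresh state."""
    parts = urllib.parse.urlsplit(consent_approval_url)
    # Treat the URL from the payment response as data: send the PSU only to the known server.
    if parts.scheme != "https" or parts.netloc not in ALLOWED_HOSTS or parts.path != "/openbanking/authorizepi":
        raise ValueError(f"unexpected authorization URL: {consent_approval_url}")
    query = query_params(consent_approval_url)
    for key, value in PREFILLED.items():
        if query.get(key) != value:
            raise ValueError(f"pre-filled {key} is {query.get(key)!r}, expected {value!r}")
    if not query.get("context"):
        raise ValueError("consentApproval URL has no payment context")
    for key in TPP_PARAMS:
        if key in query:
            raise ValueError(f"refusing to override {key} already present in the URL")
    state = secrets.token_urlsafe(32)           # one per payment authorization attempt
    session["payment_oauth_state"] = state      # verify it on the redirect back, then discard it
    extra = urllib.parse.urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state})
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path,
                                    parts.query + "&" + extra, parts.fragment))


def demo():
    session = {}
    url = complete_consent_url(SAMPLE_CONSENT_URL, session)
    params = query_params(url)
    # A URL whose pre-filled scope was altered must be rejected, not silently corrected.
    try:
        complete_consent_url(SAMPLE_CONSENT_URL.replace("scope=pisp", "scope=aisp"), {})
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return (url.startswith(SAMPLE_CONSENT_URL + "&"),
            params["state"] == session["payment_oauth_state"],
            params,
            tampered_rejected)


if __name__ == "__main__":
    print(demo())
```

The state stored in the session is checked against the one returned on the redirect in exactly the same way as for the AISP flow, and the code received is then exchanged at the token endpoint as described in the next section.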

Request an Access Token for Payment Confirmation

Sandbox URL: https://ob.psd2.services.sandbox.meowallet.pt

Production URL: https://ob.psd2.services.wallet.pt

If the PSU accepts your payment authorization request, you will be able to exchange the authorization code for an Access Token. This token is valid for 1 hour after the payment authorization is approved.

All details about this request are here: /openbanking/oauth2/v1/token.

Reference: Access Token

Once you have the payment confirmation access token, you must complete the payment SCA flow by presenting that access token to the payment-request confirmation endpoint.

All details about this request are here: Confirm a payment