V2.0 and above of our standards include two authentication flows – redirect and decoupled – providing an additional option for Standards Users to gain customer consent.

The authentication flows define a safe and secure process for an API Provider to confirm a customer has authorised a Third Party’s consent request. The functionality in each flow applies to both the Payment Initiation and Account Information APIs.

You can view more information about our authentication flows in Confluence.

Redirect authentication flow

The redirect authentication flow allows a customer to be transferred from a Third Party website or app, to the API Provider (e.g. the customer’s bank), and back again (once authentication and authorisation of consent have been completed).  

The redirect flow requires the customer’s interactions with the Third Party and the API Provider to take place on the same device and platform (website or app), and at the same time.

In v2.0 and above of the standard, the redirect flow is considered a mandatory function that API Providers must provide to customers.

When the redirect flow is used:

  • The Third Party agrees the parameters of the consent request with the customer.
  • The Third Party submits the consent request and transfers the customer to the API Provider to authenticate themselves.
  • The customer then authorises the consent request and confirmation is provided back to the API Provider, who transfers the customer back to the Third Party along with the approved consent.

Redirect authentication flow illustration

Decoupled authentication flow

The decoupled flow makes it possible for the API Provider (e.g. the customer’s bank) to send the customer an authorisation request notification, separating the API Provider and Third Party interactions with a customer.

Unlike the redirect flow, the decoupled flow allows the customer to authorise a consent request on a different device and platform, or at a different time.

In v2.0 and above the decoupled flow is considered an optional function that API Providers can choose to provide to customers.

When the decoupled flow is used:

  • The Third Party sends a consent request notification to the API Provider, based on what has been agreed with the customer. The customer does not need to be present for the Third Party to initiate consent with the API Provider.
  • The API Provider sends the customer an authentication request notification. The API Provider can interact with the customer via different channels to request authorisation (i.e. via text message, banking app, etc.).
  • The customer can authorise the request in their own time on a device of their choosing.
  • The Third Party is notified by the API Provider when the customer has authenticated the request.

Decoupled authentication flow illustration