Authenticating the customer is critical for the safety of open banking and an important step in the customer’s experience.
Our standards offer two options – redirect and decoupled flow – enabling both online and in-person experiences.
Both authentication options enable a safe and secure process for an API Provider to confirm a customer’s identity before asking them to authorise a payment or data sharing consent.
Redirect authentication flow
The redirect authentication flow allows a customer to be transferred from a Third Party website or app to their bank’s website or app, where they can authorise an open banking payment or data access consent.
The redirect flow requires the customer’s interactions with the Third Party and the API Provider to take place on the same device.
When the redirect flow is used:
- The customer agrees (with the Third Party) to the payment or data access consent.
- The customer is redirected to their selected bank’s website or app.
- The bank presents its preferred method to authenticate the customer (e.g. a username and password, biometric authentication, or a passkey).
- The customer is shown the consent request and, if they authorise it, their bank (API Provider) redirects them back to the Third Party website or app.
Redirect authentication flow illustration
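The page does not name the protocol underneath the redirect flow; the following Python model is an added example (not code from this page or from the standards body) and assumes an OAuth 2.0 authorisation-code exchange with PKCE, which is the pattern open banking security profiles are built on. Class names, the `consent-…` identifier format, the sample client id and callback URL are all constructed for illustration. It shows the checks that make the same-device redirect safe: the bank only ever redirects to the URI registered for the client and issues a single-use code bound to that client and to a PKCE challenge, and the Third Party only accepts a redirect back whose `state` matches the browser session that started the request, so a code delivered to a different session (CSRF or code injection) is never redeemed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def s256(code_verifier: str) -> str:
    """PKCE S256 challenge: unpadded base64url of SHA-256(verifier)."""
    digest = hashlib.sha256(code_verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ApiProvider:
    """Bank side: authenticates the customer, shows the consent, issues a single-use code."""

    def __init__(self, registered_clients: dict[str, str]):
        self.clients = registered_clients        # client_id -> registered redirect_uri
        self.consents: dict[str, dict] = {}
        self.pending_codes: dict[str, dict] = {}
        self.used_codes: set[str] = set()

    def create_consent(self, client_id: str, description: str) -> str:
        consent_id = "consent-" + secrets.token_hex(4)   # assumed identifier format
        self.consents[consent_id] = {"client_id": client_id, "description": description,
                                     "status": "AwaitingAuthorisation"}
        return consent_id

    def authorize(self, params: dict, customer_authenticated: bool, customer_approves: bool) -> str:
        """Authorisation endpoint; returns the URL the customer is redirected back to."""
        client_id, redirect_uri, state = params["client_id"], params["redirect_uri"], params["state"]
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri not registered for client")  # never redirect elsewhere
        if not customer_authenticated:
            return f"{redirect_uri}?{urlencode({'error': 'login_required', 'state': state})}"
        consent = self.consents[params["consent_id"]]
        if not customer_approves:
            consent["status"] = "Rejected"
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        consent["status"] = "Authorised"
        code = secrets.token_urlsafe(24)
        self.pending_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                    "code_challenge": params["code_challenge"],
                                    "consent_id": params["consent_id"]}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint: the code must be unused, bound to this client/URI and match PKCE."""
        if code in self.used_codes:
            return {"error": "invalid_grant", "reason": "code already redeemed"}
        entry = self.pending_codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant", "reason": "unknown code"}
        self.used_codes.add(code)
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant", "reason": "client or redirect_uri mismatch"}
        if s256(code_verifier) != entry["code_challenge"]:
            return {"error": "invalid_grant", "reason": "PKCE verifier mismatch"}
        return {"access_token": secrets.token_urlsafe(32), "consent_id": entry["consent_id"]}


class ThirdParty:
    """TPP side: per-browser-session state so a redirect back can only finish what that session started."""

    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.sessions: dict[str, dict] = {}      # session id -> {state, verifier, consent_id}

    def start(self, session_id: str, consent_id: str) -> dict:
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[session_id] = {"state": state, "verifier": verifier, "consent_id": consent_id}
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state,
                "code_challenge": s256(verifier), "code_challenge_method": "S256",
                "consent_id": consent_id}

    def callback(self, session_id: str, redirect_back_url: str, bank: ApiProvider) -> dict:
        query = {k: v[0] for k, v in parse_qs(urlparse(redirect_back_url).query).items()}
        session = self.sessions.pop(session_id, None)
        if session is None or query.get("state") != session["state"]:
            # state not bound to this session: CSRF or code injection, do not redeem the code
            return {"error": "state_mismatch"}
        if "error" in query:
            return {"error": query["error"]}
        return bank.token(self.client_id, query["code"], self.redirect_uri, session["verifier"])


def run_redirect_flow(customer_authenticated=True, customer_approves=True, tamper_state=False) -> dict:
    """Drives the four steps end to end with constructed sample identifiers."""
    bank = ApiProvider({"tpp-123": "https://tpp.example/callback"})
    tpp = ThirdParty("tpp-123", "https://tpp.example/callback")
    consent_id = bank.create_consent(tpp.client_id, "GBP 20.00 to ACME Ltd")   # customer agrees with TPP
    params = tpp.start("browser-session-A", consent_id)                       # redirect to the bank
    back = bank.authorize(params, customer_authenticated, customer_approves)   # bank authenticates, shows consent
    if tamper_state:
        back = back.replace(params["state"], "attacker-chosen-state")
    return tpp.callback("browser-session-A", back, bank)                       # redirect back, redeem code
```

`run_redirect_flow()` returns the token response for the happy path; `customer_approves=False` and `customer_authenticated=False` come back as `access_denied` and `login_required` errors carried through the redirect, and `tamper_state=True` is dropped at the Third Party before any code is exchanged. Redeeming the same code twice fails at the bank regardless of what the Third Party does.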
Decoupled authentication flow
Unlike the redirect flow, the decoupled flow allows the customer to authorise a consent request on a different device, or at a different time. This is useful for in-person payments.
When the decoupled flow is used:
- The customer agrees (with the Third Party) to the payment or data access consent.
- The Third Party sends the consent request directly to the customer's bank (API Provider).
- The customer's bank notifies the customer that a request has been received.
- The customer logs in to their bank's web or mobile app to view and authorise the request in their own time, on a device of their choosing.
- The API Provider notifies the Third Party once the customer has authorised the request.
Decoupled authentication flow illustration
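The following Python model is an added example of the decoupled exchange, not code from this page or from the standards body. The page does not name the protocol; the example assumes a backchannel exchange modelled on OpenID CIBA in ping mode (the bank calls a notification endpoint the Third Party registered, then the Third Party fetches the result from the token endpoint). Class names, the `auth_req_id` handling, the notification callable and the sample identifiers are constructed. Two points a practitioner should take from it: the bank refuses to hand over a token until the customer has actually decided (`authorization_pending`), and because the customer approves on a different device from the one that started the request, the same short binding message is shown at both ends so the customer can tell that the request in their bank app is the one they just started at the till.

```python
import secrets
import time

BINDING_MESSAGE = "PAY-4821"   # constructed: short code the till shows the customer


class ApiProvider:
    """Bank side: backchannel authentication endpoint, the customer's decision in
    the bank app, a ping to the Third Party, and a token endpoint."""

    def __init__(self, registered_clients: set[str], notify_third_party):
        self.clients = registered_clients
        self.notify = notify_third_party          # assumed: POSTs to the TPP's registered notification URL
        self.requests: dict[str, dict] = {}       # auth_req_id -> request record

    def backchannel_authenticate(self, client_id: str, login_hint: str, binding_message: str,
                                 client_notification_token: str, requested_expiry: int = 120) -> dict:
        if client_id not in self.clients:
            return {"error": "unauthorized_client"}
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {
            "client_id": client_id, "login_hint": login_hint, "binding_message": binding_message,
            "notification_token": client_notification_token, "status": "pending",
            "expires_at": time.monotonic() + requested_expiry, "redeemed": False,
        }
        # Out of band from here: the bank tells the customer's app that a request has arrived.
        return {"auth_req_id": auth_req_id, "expires_in": requested_expiry}

    def customer_decides(self, auth_req_id: str, message_on_customer_device: str, approve: bool) -> None:
        """The customer, logged in to the bank app on any device, sees the request.
        The binding message shown there must match the one the Third Party showed
        them; otherwise they are being asked to approve someone else's request."""
        req = self.requests[auth_req_id]
        if req["status"] != "pending":
            return
        if time.monotonic() > req["expires_at"]:
            req["status"] = "expired"
        elif approve and message_on_customer_device == req["binding_message"]:
            req["status"] = "authorised"
        else:
            req["status"] = "rejected"
        self.notify(req["notification_token"], auth_req_id)   # ping: the result is ready to fetch

    def token(self, client_id: str, auth_req_id: str) -> dict:
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id or req["redeemed"]:
            return {"error": "invalid_grant"}           # unknown, another client's, or already used
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "rejected":
            return {"error": "access_denied"}
        if req["status"] == "expired" or time.monotonic() > req["expires_at"]:
            return {"error": "expired_token"}
        req["redeemed"] = True
        return {"access_token": secrets.token_urlsafe(32), "login_hint": req["login_hint"]}


class ThirdParty:
    """TPP side: starts the request and exposes the notification endpoint the bank pings."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self.pending: dict[str, str] = {}     # auth_req_id -> notification token we issued for it
        self.notified: list[str] = []

    def request_authorisation(self, bank: ApiProvider, login_hint: str, binding_message: str) -> str:
        token = secrets.token_urlsafe(16)
        resp = bank.backchannel_authenticate(self.client_id, login_hint, binding_message, token)
        self.pending[resp["auth_req_id"]] = token
        return resp["auth_req_id"]

    def notification_endpoint(self, bearer_token: str, auth_req_id: str) -> bool:
        """Accept a ping only if it carries the token issued for that request; an
        unauthenticated endpoint would let anyone trigger or spoof completion."""
        if self.pending.get(auth_req_id) != bearer_token:
            return False
        self.notified.append(auth_req_id)
        return True

    def fetch_token(self, bank: ApiProvider, auth_req_id: str) -> dict:
        return bank.token(self.client_id, auth_req_id)


def run_decoupled_flow(approve: bool = True, shown_message: str = BINDING_MESSAGE) -> dict:
    """Drives the five steps with constructed sample data; returns what the TPP observed."""
    tpp = ThirdParty("tpp-123")
    bank = ApiProvider({"tpp-123"}, notify_third_party=tpp.notification_endpoint)
    auth_req_id = tpp.request_authorisation(bank, "customer@example.com", BINDING_MESSAGE)
    too_early = tpp.fetch_token(bank, auth_req_id)         # before the customer has acted
    bank.customer_decides(auth_req_id, shown_message, approve)   # in the bank app, on the customer's own device
    return {"too_early": too_early, "notified": auth_req_id in tpp.notified,
            "result": tpp.fetch_token(bank, auth_req_id)}
```

`run_decoupled_flow()` shows the token endpoint answering `authorization_pending` until the customer acts, the ping arriving at the Third Party, and then a token; `approve=False` or a binding message that does not match what the customer sees ends in `access_denied`. A ping with a guessed bearer token is refused, and an `auth_req_id` can be redeemed only once.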