...

Change to Production:

Improvement

Delivery date

Client Registration support for private_key_jwt:

TPPs will need to register specifying private_key_jwt as the token_endpoint_auth_method (as advertised in our OpenID Configuration). Note: clients already registered with client_secret_post or client_secret_basic will be able to continue requesting tokens with their respective method. The intention is that TPPs currently using client_secret_basic or client_secret_post will be asked to update their clients to use private_key_jwt in the future.
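The private_key_jwt method referenced here (and required again in the on-boarding notes below) is the RFC 7523 client assertion: the TPP signs a short-lived JWT with its registered private key and presents it as client_assertion at the token endpoint, where the ASPSP verifies it against the key registered through the SSA. The Go program below is an added example, not Capital One UK's code, and shows both halves using only the standard library. The client_id, token endpoint URL and kid are placeholders, and the RSA key is generated on the fly where a real TPP would sign with the key matching its registered certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Placeholder values: the real client_id is returned by dynamic client
// registration and the token endpoint URL comes from the .well-known document.
const (
	ExampleClientID = "EXAMPLE-CLIENT-ID"
	ExampleTokenURL = "https://aspsp.example.invalid/oauth2/token"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewExampleKey makes a throwaway RSA key for the demo; a real TPP signs with
// the key whose certificate is registered through the SSA/JWKS.
func NewExampleKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildClientAssertion creates the JWT a TPP sends as client_assertion (with
// client_assertion_type urn:ietf:params:oauth:client-assertion-type:jwt-bearer):
// iss and sub are the client_id, aud is the token endpoint, jti is unique per
// assertion and exp keeps it short-lived.
func BuildClientAssertion(key *rsa.PrivateKey, kid, clientID, audience string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hj, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) // cannot fail for a string map
	cj, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": audience, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	signingInput := b64(hj) + "." + b64(cj)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyClientAssertion is the authorization server's side of the check: a
// fixed algorithm, a valid signature under the client's registered public key,
// an audience equal to this token endpoint and an unexpired exp. It returns
// the authenticated client_id.
func VerifyClientAssertion(token string, pub *rsa.PublicKey, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed client_assertion")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", errors.New("malformed client_assertion")
	}
	var header struct{ Alg string } // encoding/json matches "alg" case-insensitively
	var claims struct {
		Iss, Sub, Aud string
		Exp           int64
	}
	if json.Unmarshal(hb, &header) != nil || json.Unmarshal(cb, &claims) != nil {
		return "", errors.New("malformed client_assertion")
	}
	if header.Alg != "RS256" { // the server, not the token, decides the algorithm
		return "", errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	if claims.Aud != expectedAud {
		return "", errors.New("aud is not this token endpoint")
	}
	if claims.Iss == "" || claims.Iss != claims.Sub {
		return "", errors.New("iss and sub must both be the client_id")
	}
	if now.Unix() >= claims.Exp {
		return "", errors.New("client_assertion expired")
	}
	return claims.Iss, nil
}

func main() {
	key, _ := NewExampleKey()
	tok, _ := BuildClientAssertion(key, "example-kid", ExampleClientID, ExampleTokenURL, time.Now())
	clientID, err := VerifyClientAssertion(tok, &key.PublicKey, ExampleTokenURL, time.Now())
	fmt.Println("client_assertion:", tok)
	fmt.Println("verified client_id:", clientID, "err:", err)
}
```

The server-side check pins the algorithm, verifies the signature before trusting any claim, and rejects an aud that is not its own token endpoint, so an assertion minted for one ASPSP cannot be presented to another; the five-minute exp and the random jti limit how long any captured assertion stays usable.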

Summary: We will refresh the expiry of Refresh tokens so long as Access Tokens are refreshed within a 90-day period.

Solution

  • Capital One UK already issues refresh tokens alongside access tokens, in response to requests from TPPs.
  • Going forward, whenever a TPP makes a request to us using an access token and refresh token that we have issued them, we’ll issue brand new refresh tokens with each response to a TPP.
  • The new refresh tokens will be issued with a validity period of 90 days from the date of issue. Once a new token is issued, the previously issued token will be invalidated.
  • During this 90-day validity period, the TPP can obtain another refresh token valid for a further 90 days, and so on.
  • This allows perpetual access, so long as the TPP fetches a new refresh token within the 90-day window.

TPP Changes

  • As a TPP integrating with Capital One UK, you should ensure that you always capture and store the refresh_token returned with each token response, rather than only capturing the initial refresh_token on the first request for a given customer. This is in line with the OAuth standard recommendation. Only the most recent refresh token will ever be valid.
  • You should also ensure that you have fallback mechanisms in place so that you fetch a new refresh token within the 90-day validity period, for as long as the customer has granted you consent.
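The two TPP changes above amount to a small piece of state handling: overwrite the stored refresh token on every token response, restart the 90-day clock from the issue time, and run a fallback job that renews any consent whose refresh token is about to expire. The Go program below is an added example, not Capital One UK's code, of a per-consent token store that does this. FakeASPSP is a constructed stand-in for the token endpoint that, as the Solution section describes, invalidates the previous refresh token on every exchange; the consent IDs and token strings are made up.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// RefreshValidity is the 90-day validity the page states for each newly issued refresh token.
const RefreshValidity = 90 * 24 * time.Hour

// TokenResponse is the subset of the token endpoint's JSON that rotation needs (RFC 6749 names).
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int64  `json:"expires_in"`
}

// ConsentTokens is what the TPP holds for one customer consent.
type ConsentTokens struct {
	AccessToken    string
	AccessExpires  time.Time
	RefreshToken   string    // only the most recently issued one is valid
	RefreshExpires time.Time // issue time + RefreshValidity
}

// TokenStore keys the current token pair by consent ID. Every token response
// overwrites the stored refresh token, so the TPP never keeps using the one
// from the first grant.
type TokenStore struct {
	mu        sync.Mutex
	byConsent map[string]ConsentTokens
}

func NewTokenStore() *TokenStore { return &TokenStore{byConsent: map[string]ConsentTokens{}} }

// Record stores a token response; a refresh token in the response replaces
// the previous one and restarts the 90-day clock at now.
func (s *TokenStore) Record(consentID string, resp TokenResponse, now time.Time) ConsentTokens {
	s.mu.Lock()
	defer s.mu.Unlock()
	cur := s.byConsent[consentID]
	cur.AccessToken = resp.AccessToken
	cur.AccessExpires = now.Add(time.Duration(resp.ExpiresIn) * time.Second)
	if resp.RefreshToken != "" {
		cur.RefreshToken = resp.RefreshToken
		cur.RefreshExpires = now.Add(RefreshValidity)
	}
	s.byConsent[consentID] = cur
	return cur
}

// Current returns the stored tokens for a consent.
func (s *TokenStore) Current(consentID string) (ConsentTokens, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.byConsent[consentID]
	return t, ok
}

// Refresh exchanges the *current* refresh token through the supplied token
// endpoint call and records the rotated pair. An expired refresh token is
// not sent at all: the customer has to re-authorise via /authorize.
func (s *TokenStore) Refresh(consentID string, now time.Time, exchange func(refreshToken string) (TokenResponse, error)) error {
	cur, ok := s.Current(consentID)
	if !ok {
		return errors.New("unknown consent")
	}
	if !now.Before(cur.RefreshExpires) {
		return errors.New("refresh token expired: customer must re-authorise")
	}
	resp, err := exchange(cur.RefreshToken)
	if err != nil {
		return err
	}
	s.Record(consentID, resp, now)
	return nil
}

// RefreshDue lists consents whose refresh token is still valid but expires
// within lead; the fallback job calls Refresh on each of them.
func (s *TokenStore) RefreshDue(now time.Time, lead time.Duration) []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	var due []string
	for id, t := range s.byConsent {
		if t.RefreshToken != "" && now.Before(t.RefreshExpires) && now.Add(lead).After(t.RefreshExpires) {
			due = append(due, id)
		}
	}
	return due
}

// FakeASPSP is a constructed stand-in for the token endpoint: only the most
// recently issued refresh token is accepted, as the page describes.
type FakeASPSP struct {
	latest string
	n      int
}

func (f *FakeASPSP) Exchange(refreshToken string) (TokenResponse, error) {
	if refreshToken != f.latest {
		return TokenResponse{}, errors.New("invalid_grant: refresh token no longer valid")
	}
	f.n++
	f.latest = fmt.Sprintf("refresh-%d", f.n)
	return TokenResponse{AccessToken: fmt.Sprintf("access-%d", f.n), RefreshToken: f.latest, ExpiresIn: 300}, nil
}

func main() {
	now := time.Now()
	store, aspsp := NewTokenStore(), &FakeASPSP{latest: "refresh-0"}
	store.Record("consent-1", TokenResponse{AccessToken: "access-0", RefreshToken: "refresh-0", ExpiresIn: 300}, now)
	if err := store.Refresh("consent-1", now.Add(24*time.Hour), aspsp.Exchange); err != nil {
		panic(err)
	}
	cur, _ := store.Current("consent-1")
	fmt.Println("current refresh token:", cur.RefreshToken, "valid until", cur.RefreshExpires.Format(time.RFC3339))
	_, err := aspsp.Exchange("refresh-0")
	fmt.Println("reusing the first refresh token:", err)
}
```

The failure mode the page warns about shows up directly in FakeASPSP: a TPP that kept only the first refresh_token would get invalid_grant on its second renewal and lose access until the customer re-consents. Running RefreshDue with a lead of a few days gives the fallback job a margin for outages before the 90-day window closes.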

On-boarding

Supports dynamic client registration (Y/N): Y
Instructions for manual onboarding: N/A
OIDC .well-known endpoint: https://integrations.capitalone.co.uk/.well-known/openid-configuration
Notes on testing: TPPs must be registered with the Open Banking Directory
Other on-boarding notes:
  • There is currently no support for Client Management
  • SSA must be issued by Open Banking
  • redirect_uris MUST match or be a subset of the software_redirect_uris claim in the SSA
  • See the well-known endpoint for supported configurations
  • If any challenges arise when onboarding, please contact ukdevelopersupport@capitalone.com
  • private_key_jwt must be specified as the token_endpoint_auth_method
Documentation URL: https://developer.capitalone.co.uk/api/open-banking/index.html

Account Information API

Note to ASPSP: Please add a column per brand if relevant

Swagger version: v3
Base URI: https://open-banking.capitalone.co.uk/open-banking/v3.1/aisp
General variances to specification:

Time format - our interface supports the following date-time format: 2011-12-03T10:15:30

Non-functional limitations

Pagination is not supported.

Re-authentication - Customers must re-confirm consent to share their data at least every 90 days. This can be completed by using the existing intent ID in a request to the /authorize endpoint (as per the OBIE specifications).

API Call Limits - Our interface applies rate limiting to TPP data requests made while the Customer is not present (customer presence is indicated by the x-fapi-customer-ip-address header); once the limit is reached, a 429 response will be returned.
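The call-limit rule above has two parts worth seeing together: requests are classified as customer-present or unattended by the x-fapi-customer-ip-address header, and only the unattended ones count against a per-TPP limit that answers 429 once exhausted. The Go program below is an added example, not Capital One UK's implementation, of an in-memory fixed-window limiter wired in as HTTP middleware. The limit, window, client ID and the stub /accounts handler are all constructed for the demo; the page does not state the actual limits, and a real ASPSP would identify the TPP from the validated access token and back the counter with a shared store.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync"
	"time"
)

// CustomerIPHeader is the FAPI header whose presence marks a request as made
// while the customer is present; requests without it are treated as unattended.
const CustomerIPHeader = "x-fapi-customer-ip-address"

type windowCount struct {
	start time.Time
	n     int
}

// UnattendedLimiter is a fixed-window counter per client, applied only to
// unattended requests. In-memory and single-node for the demo.
type UnattendedLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	now    func() time.Time // injectable clock so the behaviour can be tested deterministically
	counts map[string]windowCount
}

func NewUnattendedLimiter(limit int, window time.Duration, now func() time.Time) *UnattendedLimiter {
	return &UnattendedLimiter{limit: limit, window: window, now: now, counts: map[string]windowCount{}}
}

// Allow reports whether clientID may make another unattended request now and,
// if not, the whole seconds until its window resets (used for Retry-After).
func (l *UnattendedLimiter) Allow(clientID string) (bool, int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	wc := l.counts[clientID]
	if now.Sub(wc.start) >= l.window {
		wc = windowCount{start: now} // first request in a fresh window
	}
	if wc.n >= l.limit {
		l.counts[clientID] = wc
		remaining := l.window - now.Sub(wc.start)
		return false, int((remaining + time.Second - 1) / time.Second) // round up
	}
	wc.n++
	l.counts[clientID] = wc
	return true, 0
}

// Middleware passes customer-present requests straight through and returns
// 429 with Retry-After once a client has used up its unattended allowance.
// clientOf identifies the TPP, e.g. from the already-validated access token.
func (l *UnattendedLimiter) Middleware(clientOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(CustomerIPHeader) != "" {
			next.ServeHTTP(w, r)
			return
		}
		if ok, retry := l.Allow(clientOf(r)); !ok {
			w.Header().Set("Retry-After", strconv.Itoa(retry))
			http.Error(w, "unattended request limit reached", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// DemoHandler puts the limiter in front of a stub accounts handler for a
// single hypothetical client ID.
func DemoHandler(l *UnattendedLimiter) http.Handler {
	stub := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	return l.Middleware(func(*http.Request) string { return "tpp-example" }, stub)
}

// Probe sends one in-process request, adding the customer IP header when
// customerIP is non-empty, and returns the status code and Retry-After value.
func Probe(h http.Handler, customerIP string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/open-banking/v3.1/aisp/accounts", nil)
	if customerIP != "" {
		req.Header.Set(CustomerIPHeader, customerIP)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Retry-After")
}

func main() {
	h := DemoHandler(NewUnattendedLimiter(2, time.Minute, time.Now))
	for i := 0; i < 3; i++ {
		code, retry := Probe(h, "")
		fmt.Println("unattended request", i+1, "->", code, retry)
	}
	code, _ := Probe(h, "203.0.113.5") // constructed customer address; still served
	fmt.Println("customer-present request ->", code)
}
```

On the TPP side the mirror image applies: batch jobs that run without the customer should expect 429 and honour Retry-After rather than retrying immediately, and the x-fapi-customer-ip-address header must only be sent when the customer genuinely initiated the request.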

...