...

Improvement

Delivery date

Summary: We will refresh the expiry of refresh tokens so long as access tokens are refreshed within a 90-day period.

Solution

  • Capital One UK already issues refresh tokens alongside access tokens, in response to requests from TPPs.
  • Going forward, whenever a TPP makes a request to us using an access token and refresh token that we have issued them, we’ll issue brand new refresh tokens with each response to a TPP.
  • The new refresh tokens will be issued with a validity period of 90 days from the date of issue. Once a new token is issued, the previously issued token will be invalidated.
  • During this 90 day validity period, the TPP can then get another refresh token for another 90 days - and so on.
  • This allows perpetual access, so long as the TPP fetches a new refresh token within the 90 day window.

TPP Changes

  • As a TPP integrating with Capital One UK, you should ensure that you always capture and store the refresh_token from each response, rather than only capturing the initial refresh_token on a first-time request for a given customer. This is in line with the OAuth standard recommendation. Only the most recent refresh token will ever be valid.
  • You should also ensure that you have fallback mechanisms in place to ensure that you fetch a new refresh token within the 90 day validity period, for as long as the customer has granted you consent.
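
One way a TPP could meet both points above, as an added sketch that is not Capital One's or this page's own code: a store that overwrites the saved refresh token on every token response and lists the consents due for a fallback renewal. The class name, the JSON file layout, the consent_id key and the 14-day renewal margin are assumptions.

```python
import json, os, tempfile
from datetime import datetime, timedelta

REFRESH_VALIDITY = timedelta(days=90)  # from the page: valid 90 days from issue
RENEW_MARGIN = timedelta(days=14)      # assumption: renew this long before expiry

class RotatingTokenStore:
    """Latest token pair per consent, in one JSON file (use a secrets store in production)."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        if not os.path.exists(self.path):
            return {}
        with open(self.path, encoding="utf-8") as fh:
            return json.load(fh)

    def _save(self, data):
        # Write-then-rename: a crash cannot leave a truncated file that holds
        # neither the old nor the new refresh token. mkstemp creates it 0600.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)))
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh)
        os.replace(tmp, self.path)

    def apply_token_response(self, consent_id, response, now):
        """Record a token endpoint response; the newest refresh_token always wins."""
        data = self._load()
        entry = data.get(consent_id, {})
        entry["access_token"] = response["access_token"]
        if response.get("refresh_token"):
            # Rotation: the previously issued token is now invalid, so overwrite it.
            entry["refresh_token"] = response["refresh_token"]
            entry["refresh_issued_at"] = now.isoformat()
        elif "refresh_token" not in entry:
            raise ValueError("no refresh_token in response and none stored")
        data[consent_id] = entry
        self._save(data)
        return entry

    def refresh_token_for(self, consent_id):
        return self._load()[consent_id]["refresh_token"]

    def due_for_renewal(self, now):
        """Consents whose refresh token expires within RENEW_MARGIN of `now`."""
        cutoff = now + RENEW_MARGIN - REFRESH_VALIDITY
        return sorted(c for c, e in self._load().items()
                      if datetime.fromisoformat(e["refresh_issued_at"]) <= cutoff)
```

A scheduled job would call due_for_renewal() and run a refresh grant for each consent it returns, passing every response back through apply_token_response().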

Limit access to transaction data to 90 days without SCA

Solution

  • Following customer authentication, access to more than 90 days' worth of transaction data will be possible for up to a 5-minute window. After this has elapsed, or for any information requests without a customer authentication journey, Capital One will proactively trim any requests for more than 90 days' worth of data.

TPP Changes

  • For this reason, as of 234th August 2023, if you require data older than 90 days you must request it following a successful customer authentication journey. You must also make the request within a 5 minute period following Capital One receiving confirmation that customer authentication has been completed.

 



On-boarding

Supports dynamic client registration (Y/N): Y
Instructions for manual onboarding: N/A
OIDC .well-known endpoint

https://integrations.capitalone.co.uk/.well-known/openid-configuration

Notes on testing: TPPs must be registered with the Open Banking Directory
Other on-boarding notes
  • There is currently no support for Client Management
  • SSA must be issued by Open Banking
  • redirect_uris MUST match or be a subset of the software_redirect_uris claim in the SSA
  • See well-known endpoint for supported configurations
  • If any challenges arise when onboarding, please contact ukdevelopersupport@capitalone.com
  • private_key_jwt must be specified as the token_endpoint_auth_method
Documentation URL


https://open-banking-developer.capitalone.co.uk/

...