Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Version Control

3.0-draft7 OB R/W API Team

This is the initial draft version for draft7

3.0-RC2 OB R/W API Team

RC2 Changes:

  • Renamed to Event Notification API Specification
  • Separated ASPSP and TPP usage examples
  • Added Version to the CallbackUrl data model
  • Further SET alignment
    • Added subject to data model
    • Updated notification response code to 202
  • Updated MSD to make clear a GET request for the updated resource is made by the TPP
  • Added Event Notification Retry Policy
  • Rename Scope (Any) to Scope for consistency with other specifications
  • Added that ASPSP will maintain at most a single Callback-URI resource per TPP
  • Removed CallbackUrlId from GET endpoint, and created an associated response. Updated usage example.
  • Renamed to callback-url for consistency.
  • Added Release Management specification for the /callback-urls endpoint
  • Added Transport Level Security - TPP Endpoints section to Basics.
  • Added Swagger specifications.
3.0-RC3 OB R/W API Team


  • Updated MSD to clarify URL is retrieved from rlk claim.
  • Swapped the class names in the data dictionary for urn:uk:org:openbanking:events:resource-update and subject

RC3 Changes:

  • Clarified that resource links must be populated for all supported versions of a resource.
  • Added Swagger-based API specification encoded in JSON and YAML.
3.0 OB R/W API TeamSwagger URLs updated to point to latest stable version.


The Event Notification API Specification describes the flows and payloads to allow ASPSPs to deliver event notifications to TPPs. 

The ASPSP API endpoints described here allow a TPP to:

  • Register a callback URL with an ASPSP to receive event notifications.
  • Optionally read, update or delete a registered callback URL.

The TPP API endpoint described here allow an ASPSP to:

  • Notify a TPP that an event has occurred.

This specification should be read in conjunction with the Payments, Accounts, and Confirmation of Funds API specifications. These specifications detail the circumstances under which an event notification may be delivered.

Implementation of the Event Notification API Specification is optional for both ASPSPs and TPPs.

Design Principles

Security Event Token Alignment

Event notifications are aligned with the Security Event Token standard - a proposed IETF standard for exchanging information about security events. See An event notification is structured as a JWT, indicating an event has occurred through a set of claims.

A resource-update event (rurn:uk:org:openbanking:events:resource-update) is used to communicate that a specific resource has been updated. It contains identifiers for the resource and links to retrieve it.

Event Notification Message Signing

Event Notifications are singed for non-repudiation using the approach defined in the R/W API specification, with the following difference:

  • The JWT's signature (JWS) is sent in the HTTP body of the request, as opposed to a detached JWS sent in the HTTP header.



The steps and sequence diagram below provide a general outline of a notification flow for all resources in the R/W APIs.


Step 1: Setup Event Notification Configuration

  • This flow begins with a TPP creating a callback-url resource with an ASPSP.
  • The callback URL must be specified at this stage.

Step 2: Event Notification Required

  • When an event occurs on a resource that requires a notification, the ASPSP identifies the callback-url associated with the TPP owning the affected resource.
  • The ASPSP sends the event notification to the callback URL, detailing the nature of the event and identifying the affected resource.
  • The TPP initiates a client credential grant and retrieves the resource using the details contained in the event notification.

Step 3: Retrieve/Update/Delete Event Notification Configuration

  • The TPP may optionally read/update/delete the callback-url resource.

Sequence Diagram

Code Block
participant TPP
participant ASPSP Authorisation Server
participant ASPSP Resource Server
participant ASPSP Notification Service
note over TPP, ASPSP Notification Service
Step 1: Setup Event Notification Configuration
end note

TPP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA
TPP -> ASPSP Authorisation Server: Initiate Client Credentials Grant
ASPSP Authorisation Server -> TPP: access-token
TPP <-> ASPSP Resource Server: Establish TLS 1.2 MA
TPP -> ASPSP Resource Server: POST /callback-urls
ASPSP Resource Server -> TPP: HTTP 201 (Created),  CallbackUrlId

note over TPP, ASPSP Notification Service
 Step 2: Event Notification Required
end note

note left of ASPSP Notification Service
- Create EventNotification
- Sign EventNotification
end note

loop Retry Until Successful (as per retry policy)
ASPSP Notification Service -> TPP: POST /event-notifications, EventNotification, signature
alt success
TPP -> ASPSP Notification Service: HTTP 202 Accepted
else failure
TPP -> ASPSP Notification Service: HTTP 500/400 
end alt
end loop

note right of TPP
TPP verifies signature

URL for resource contained in the 
EventNotification rlk (resource links) claim
end note

TPP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA
TPP -> ASPSP Authorisation Server: Initiate Client Credentials Grant
ASPSP Authorisation Server -> TPP: access-token

TPP <-> ASPSP Resource Server: Establish TLS 1.2 MA
TPP -> ASPSP Resource Server: GET Resource
ASPSP Resource Server -> TPP: HTTP 200 (OK),  Resource

note over TPP, ASPSP Notification Service
Step 3: Retrieve/Update/Delete Event Notification Configuration
end note

TPP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA
TPP -> ASPSP Authorisation Server: Initiate Client Credentials Grant
ASPSP Authorisation Server -> TPP: access-token
TPP <-> ASPSP Resource Server: Establish TLS 1.2 MA
alt Retrive
TPP -> ASPSP Resource Server: GET /callback-urls
ASPSP Resource Server -> TPP: HTTP 200 (OK)
else Update
TPP -> ASPSP Resource Server: PUT /callback-urls/{CallbackUrlId}
ASPSP Resource Server -> TPP: HTTP 200 (OK)
else Delete
TPP -> ASPSP Resource Server: DELETE /callback-urls/{CallbackUrlId}
ASPSP Resource Server -> TPP: HTTP 204 (OK)
end alt
option footer=bar

Callback URL

TPPs must register a callback URL for TPP hosted services to receive event notifications from an ASPSP. The callback URL must end with the Event Notification API specification version number, followed by ‘/event-notifications'.

For example: 

Release Management

This section overviews the release management and versioning strategy for the Event Notification API.

Callback-URL Resource

TPPs must register for event-notification callbacks with the version of Event Notification API they have implemented. The version element of the Callback-URL resource is used for this purpose.


  • A TPP must only create a callback-url on one version


  • A TPP must not access a callback-url on an older version, via the CallbackUrlId for a callback-url created in a newer version
    • E.g., A callback-url created in v4, accessed via v3
  • An ASPSP must allow a callback-url resource to be accessed in a newer version
  • An ASPSP must ensure callback-url fields are unchanged when accessed in a different version


  • A TPP must not update a callback-url on an older version via a CallbackUrlId created in a newer version
    • E.g., A callback-url is created in v4, and request PUT on v3
  • An ASPSP must support updating a callback-url from a previous version via a CallbackUrlId created in a newer version
    • E.g., A callback-url is created in v3, and request PUT on v4


  • A TPP must not delete a callback-url on an older version via a CallbackUrlId created in a newer version
    • E.g. A callback-url is created in v4, and request DELETE on v3
  • An ASPSP must support deleting a callback-url from a previous version via a CallbackUrlId created in a newer version
    • E.g., A callback-url is created in v3, and request DELETE on v4

Callback-URL per TPP

An ASPSP will maintain at most, a single Callback-URL resource per TPP.

Transport Level Security - TPP Endpoints

TPP hosted endpoints must be protected using TLS 1.2, as per the FAPI R/W specification (details here

TPP hosted endpoints must be protected using an OB issued network certificate.

MA-TLS is not applicable to TPP hosted endpoints.

ASPSP Endpoints

A TPP will set up and maintain its call back details (URL and version number) using the callback-url resource.


ResourceHTTP OperationEndpointMandatory ?ScopeGrant TypeMessage SigningIdempotency KeyRequest ObjectResponse Object
callback-urlPOSTPOST /callback-urlsOptional




Client Credentials

Signed Request

Signed Response

callback-urlGETGET /callback-urlsMandatory (if resource POST implemented)




Client CredentialsSigned ResponseNon/aOBCallbackUrlsResponse1
callback-urlPUTPUT /callback-urls/{CallbackUrlId}Mandatory (if resource POST implemented)




Client Credentials

Signed Request

Signed Response

callback-urlDELETEDELETE /callback-urls/{CallbackUrlId}Mandatory (if resource POST implemented)




Client Credentialsn/aNon/an/a

POST /callback-urls 

Code Block
POST /callback-urls

The API endpoint allows the TPP to ask an ASPSP to create a new callback-url resource.

  • The POST action allows the TPP to register a callback URL for an ASPSP to send event notifications to.
  • The ASPSP creates the callback-url resource and responds with a unique CallbackUrlId to refer to the resource.
  • An ASPSP must respond with a 409 error if a callback-url exists for that TPP.

GET /callback-urls

Code Block
GET /callback-urls

The API endpoint allows the TPP to ask an ASPSP to retrieve its callback-url resource.

  • The ASPSP retrieves the callback-url resource and responds with the resource.

PUT /callback-urls/{CallbackUrlId}

Code Block
PUT /callback-urls/{CallbackUrlId}

The API endpoint allows the TPP to ask an ASPSP to update a callback-url resource.

  • The PUT action allows the TPP to update a callback URL for an ASPSP to send event notifications to.
  • The ASPSP updates the callback-url resource and responds with the updated resource.

DELETE /callback-urls/{CallbackUrlId}

Code Block
DELETE /callback-urls/{CallbackUrlId}

The API endpoint allows the TPP to ask an ASPSP to delete a callback-url resource.

  • The ASPSP deletes the callback-url resource.

ASPSP Data Model

Callback Url - Request

The OBCallbackurl1 object will be used for the call to:

  • POST /callback-urls

UML Diagram

Data Dictionary



Url1..1OBCallbackUrl1/Data/UrlCallback URL for a TPP hosted service. Will be used by ASPSPs, in conjunction with the resource name, to construct a URL to send event notifications to.xs:anyURI

Version1..1OBCallbackUrl1/Data/VersionVersion for the event notification.Max10Text

Callback Url - Response

The OBCallbackUrlResponse1 object will be used for a response to a call to:

  • POST /callback-urls
  • PUT /callback-urls/{CallbackUrlId}

The OBCallbackUrlResponse1 object will also be used for the call to:

  • PUT /callback-urls


Data Dictionary



CallbackUrlId1..1OBCallbackUrlResponse1/Data/CallbackUrlIdUnique identification as assigned by the ASPSP to uniquely identify the callback URL resource.Max40Text

Url1..1OBCallbackUrlResponse1/Data/UrlCallback URL for a TPP hosted service. Will be used by ASPSPs, in conjunction with the resource name, to construct a URL to send event notifications to.xs:anyURI

Version1..1OBCallbackUrlResponse1/Data/VersionVersion for the event notification.Max10Text

Callback Urls - Response

The OBCallbackUrlsResponse1 object will be used for a response to a call to:

  • GET /callback-urls


Data Dictionary




CallbackUrlId1..1OBCallbackUrlsResponse1/Data/CallbackUrl/CallbackUrlIdUnique identification as assigned by the ASPSP to uniquely identify the callback url resource.Max40Text

Url1..1OBCallbackUrlsResponse1/Data/CallbackUrl/UrlCallback URL for a TPP hosted service. Will be used by ASPSPs, in conjunction with the resource name, to construct a URL to send event notifications to.xs:anyURI

Version1..1OBCallbackUrlsResponse1/Data/CallbackUrl/VersionVersion for the event notification.Max10Text

ASPSP Usage Examples

Create Callback Url

POST /callback-urls

Code Block
titleCallback Url Request
POST /callback-urls HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
x-jws-signature: TGlmZSdzIGEgam91cm5leSBub3QgYSBkZXN0aW5hdGlvbiA=..T2ggZ29vZCBldmVuaW5nIG1yIHR5bGVyIGdvaW5nIGRvd24gPw==
x-fapi-financial-id: OB/2017/001
x-fapi-interaction-id: 86ebcd82-8e38-4f2d-a79c-965b41d15865
Content-Type: application/json
Accept: application/json

  "Data": {
	"Url": "",
	"Version": "3.0"

POST /callback-urls response

Code Block
titleCallback Url Response
HTTP/1.1 201 Created
x-jws-signature: V2hhdCB3ZSBnb3QgaGVyZQ0K..aXMgZmFpbHVyZSB0byBjb21tdW5pY2F0ZQ0K
x-fapi-interaction-id: 86ebcd82-8e38-4f2d-a79c-965b41d15865
Content-Type: application/json

  "Data": {
	"CallbackUrlId": "CB-101",
	"Url": "",
	"Version": "3.0"

Get Callback Urls

GET /callback-urls

Code Block
titleGET Callback Url Request
GET /callback-urls HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
x-fapi-financial-id: OB/2017/001
x-fapi-interaction-id: 86ebcd82-8e38-4f2d-a79c-965b41d15865
Accept: application/json

GET /callback-urls response

Code Block
titleGET Callback Url Response
GET/1.1 200 OK
x-jws-signature: V2hhdCB3ZSBnb3QgaGVyZQ0K..aXMgZmFpbHVyZSB0byBjb21tdW5pY2F0ZQ0K
x-fapi-interaction-id: 86ebcd82-8e38-4f2d-a79c-965b41d15865
Content-Type: application/json

  "Data": {
	"CallbackUrl": [
	    "CallbackUrlId": "CB-101",
	    "Url": "",
	    "Version": "3.0"

ASPSP Swagger Specification

The Swagger Specification for Event Notification ASPSP APIs can be downloaded from the following links:

TPP Endpoints

An ASPSP will send event notifications to a TPP using the event-notification resource.


ResourceHTTP OperationEndpointMandatory ?ScopeGrant TypeMessage SigningIdempotency KeyRequest ObjectResponse Object
event-notificationPOSTPOST /event-notificationsOptionaln/an/a

Signed Request



  • A TPP must make available a callback notification endpoint to receive event notifications.
  • A TPP must acknowledge an event notification with a 202 HTTP response and include the provided x-fapi-interaction-id.

POST /event-notifications

Code Block
POST /event-notifications

The API endpoint allows the ASPSP to send an event-notification resource to a TPP.

TPP Data Model

Event Notification - Request

The OBEventNotification1 object will be used for a call to:

  • POST /event-notifications

The OBEventNotification1 object is aligned with the Security Event Token ( It contains a single OBEventResourceUpdate1 event object within the events claim.

UML Diagram

The rid, rty and rlk claims are prefixed with the OB namespace in the data model. The namespace has been removed from the diagram for clarity.


For the OBEventNotification1 object:  

  • The array of resource links ( must contain links to all supported versions of the resource.

Data Dictionary

OBEventNotification1OBEventNotification1The resource-update event.OBEventNotification1


iat1..1OBEventNotification1/iatIssued At. Max10NumericText[0-9]{1,10}
jti1..1OBEventNotification1/jtiJWT ID.Max128Text



txn1..1OBEventNotification1/txnTransaction Identifier.Max128Text

toe1..1OBEventNotification1/toeTime of Event.Max10NumericText[0-9]{1,10}

urn:uk:org:openbanking:events:resource-update1..1OBEventNotification1/events/urn:uk:org:openbanking:events:resource-updateResource-Update Event.OBEventResourceUpdate1

subject1..1OBEventNotification1/events/urn:uk:org:openbanking:events:resource-update/subjectThe resource-update event.OBEventSubject1

subject_type1..1OBEventNotification1/events/urn:uk:org:openbanking:events:resource-update/subject/subject_typeSubject type for the updated resource. Max128Text Id for the updated resource.Max128Text Type for the updated resource.Max128Text links to other available versions of the resource.OBEventLink1

version1..1OBEventNotification1/events/urn:uk:org:openbanking:events:resource-update/subject/ version.Max10Text

link1..1OBEventNotification1/events/urn:uk:org:openbanking:events:resource-update/subject/ link.xs:anyURI

Event Notification Retry Policy


An ASPSP's Event Notification Retry Policy defines behaviour when an event notification is unacknowledged or the ASPSP receives a 5xx error.

  • An Event Notification Retry Policy must define an Exponential Backoff Policy to calculate the Retry Time Interval
  • An Event Notification Retry Policy must define the Maximum Number of Retries an ASPSP will make before declaring the TPP Event Notification endpoint unresponsive and ceasing further attempts
  • An Event Notification Retry Policy must define the Maximum Time Interval for Retries, after which an ASPSP will declare the TPP Event Notification endpoint unresponsive and cease further attempts


A TPP may make GET requests for its resources if its /event-notifications endpoint was unavailable for the Maximum Time Interval for Retries, as defined in an ASPSP's Event Notification Retry Policy.

TPP Usage Examples

Send Event Notification

POST /event-notifications

Code Block
titleEvent Notification Request
POST /event-notifications HTTP/1.1
x-fapi-financial-id: OB/2018/002
x-fapi-interaction-id: 14ba1762-a316-4a87-8d6e-5bfbefaf01d7
Content-Type: application/jwt


Code Block
titleDecoded JWT Body - Event Notification Payload
  "iss": "",
  "iat": "1516239022",
  "jti": "b460a07c-4962-43d1-85ee-9dc10fbb8f6c",
  "sub": "",
  "aud": "7umx5nTR33811QyQfi",
  "events": {
    "urn:uk:org:openbanking:events:resource-update": {
      "subject": {
        "subject_type": "",
        "": "pmt-7290-003",
        "": "domestic-payment",
        "": [
            "version": "v3.0",
            "link": ""
            "version": "v1.1",
            "link": ""
  "txn": "dfc51628-3479-4b81-ad60-210b43d02306",
  "toe": "1516239022"

POST /event-notifications response

Code Block
titleEvent Notification Response
HTTP/1.1 202 Accepted
x-fapi-interaction-id: 14ba1762-a316-4a87-8d6e-5bfbefaf01d7

TPP Swagger Specification

The Swagger Specification for Event Notification TPP APIs can be downloaded from the following links:

The Swagger Specification for Callback URLs can be downloaded from the following links: