Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Table of Contents








Open Banking Read/Write API TeamPublished
Implementer's Draft v1.0.0


Open Banking Read/Write API TeamRenamed to Implementer's Draft. Client Registration section moved to OB Directory Specification
Implementer's Draft v1.0.1


Open Banking Read/Write API Team

Recreating document from up to date sub sections.

Clarifications to Implementation Guide

  • Enhanced Payments API Sequence Diagram to improve readability
  • Enhanced Accounts API Sequence Diagram to improve readability and add in the GET and DELETE flows for Account Requests
  • Removing the need to repeat the API scopes when the exchanging of an Authorization Code for an Access Token for Payments and Accounts API requests in the Sequence Diagram and example HTTP Requests
Implementer's Draft v1.1.0 Open Banking Read/Write API Team

Reflecting changes to the R/W API specifications for v1.1:

  • Updated Account Identification SchemeName and structure from BBAN to SortCodeAccountNumber
  • Corrected -00:00 timezone format to +00:00
  • Updated format for fields within Meta and Links sections to upper camel case
  • Corrected "AwaitingAuthentication" to "AwaitingAuthorisation” in non-normative example
  • Removed x-jws-signature headers from non-normative examples
    • Errata to add redirect_uri to header for the Request : Access Token Request using Authorization Code

Implementer's Draft v1.1.1

Open Banking Read/Write API Team

Reflecting errata updates resultant from live proving

  • Authorisation servers to provide a discovery endpoint over tls not ma-tls and via a browser acceptable root. TDA Decision 117

Removing duplicate references to FAPI Read Write or Read specifications.

Adding explicit line number references

Implementer's Draft v1.1.2
Open Banking Read/Write API Team

Reflecting errata updates resultant from live proving and errata issued from the OIDF Financial API Working Group

titlePlease Note

The MASTER location for this profile is located here:

Version Control is located here:

Git Commit Reference: 05-02-18 - c2df242

All . All changes are tracked as GIT commits for 100% transparency and visibility. Ideally comments, issues and pull requests will raised against the OIDF git repository however comments raised below as comments or on feedback pages will be responded too and incorporated during a transition period.

The tagged version in Bitbucket which corresponds to this specification version is included below.

UK Open Banking OIDC Security Profile

The TLS considerations in FAPI-RW section 8.5 shall be followed.

Bitbucket readme macro

titleCommit History

Bitbucket commits macro

This document is based on the OpenID Foundations Financial API Read+Write specification document, FAPI-RW, which in turn is based on the Read only specification document. The OpenBanking profile will further shape these two base profiles in some cases tightening restrictions and in others loosening requirements using keywords. Please see the introduction to FAPI-RW for a general introduction to the aims of this document.

The OpenBanking Profile detailed below outlines the differences between the FAPI-RW with clauses and provisions necessary to reduce delivery risk for ASPSPs OP.

Notational Conventions

The key words "shall", "shall not", "should", "should not", "may", and "can" in this document are to be interpreted as described in ISO Directive Part 2. These key words are not used as dictionary terms such that any occurence of them shall be interpreted as key words and are not to be interpreted with their natural language meanings.

1. Scope

As per FAPI, but specific to the UK Open Banking Standard.

2. Normative References

The following referenced documents are strongly recommended to be used in conjunction with this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

FAPI - FAPI ReadOnly profile

FAPI-RW - FAPI Read+Write profile

OIDC - OpenID Connect Core 1.0 incorporating errata set 1

MTLS - Mutual TLS Profile for OAuth 2.0

3. Terms and Definitions

As per FAPI.

4. Symbols and Abbreviated terms

ASPSP - Account Servicing Payment Services Provider (commonly a bank)

PSU - Payment Service User (a natural or legal person making use of a payment service as a payee, payer or both)

5. Read and Write API Security Profile

5.2 OB API Security Provisions

5.2.1 Introduction

Open Banking's API Profile does not distinguish between the security requirements from a technical level between "read" and "write" resources. The security requirements for accessing PSU resources held at ASPSPs requires more protection level than a basic RFC6749 supports.

As a profile of The OAuth 2.0 Authorization Framework, this document mandates the following to the OpenBanking Financial APIs.

5.2.2 Authorization Server

The Authorization Server

  1. shall support confidential clients;
  2. may support public clients;
  3. shall support user authentication at appropriate level as defined in PSD2;
  4. shall secure its token endpoint using mutually authenticated TLS;
  5. should require the response_type values code id_token; (weakened form of FAPI-RW
  6. may allow the response_type value code (as an interim measure if not yet able to support code id_token);
  7. shall authenticate the confidential client at the Token Endpoint using one of the following methods:
    1. tls_client_auth as per MTLS (Recommended); or
    2. client_secret_basic or client_secret_post provided the client identifier matches the client identifier bound to the underlying mutually authenticated TLS session (Allowed); or
    3. private_key_jwt or 'client_secret_jwt` (Recommended);
  8. shall issue an ID Token in the token response when openid was included in the requested scope as in Section of OIDC with its sub value corresponding to the "Intent Ticket ID" and optional acr value in ID Token.
  9. may support refresh tokens.
  10. shall provide a discovery endpoint that does not require a client certificate to authenticate using a tls certificate that should be trusted by the user agent.

Further, if it wishes to provide the authenticated user's identifier to the client in the token response, the authorization server

  1. shall issue an ID Token in the token response when openid was included in the requested scope as in Section of OIDC with its sub value corresponding to the authenticated user and mandatory acr value in ID Token.
  2. shall support Request Objects passed by value as in clause 6.3 of OIDC.

5.2.3 Public Client

OpenBanking OPs can support Public Clients at their discretion.

Should an OP wish to support public clients all provisions of FAPI-RW will be adhered too with exceptions below;

  1. shall request user authentication at appropriate level as defined in PSD2 be that LoA 3 or 2 or other.

5.2.4 Confidential Client

A Confidential Client

  1. may use separate and distinct Redirect URI for each Authorization Server that it talks to;
  2. shall accept signed ID Tokens;

6. Accessing Protected Resources

6.2 Access provisions

6.2.1 Protected resources provisions

The resource server with the FAPI endpoints

  1. shall mandate mutually authenticated TLS;
  2. shall verify that the client identifier bound to the underlying mutually authenticated TLS transport session matches the client that the access token was issued to;

6.2.2 Client provisions

The confidential client supporting this document

  1. shall use mutually authenticated TLS;
  2. shall supply the unique identifier of the financial institution (as assigned by OpenBanking) as defined by FAPI clause
  3. shall supply the last time the customer logged into the client as defined by FAPI clause; and
  4. shall supply the customer's IP address if this data is available as defined by FAPI clause;

Further, the client

  1. may supply the customers authentication context reference (ACR) or applicable in the x-fapi-customer-acr header, e.g., x-fapi-customer-acr;

7. Request object endpoint

7.1 Introduction

  1. OPs should support request_uri, OIDC Request Object by Reference.
  2. OPs shall support Request Objects passed by value as in clause 6.3 of OIDC.

8. Security Considerations

8.1 TLS Considerations

The TLS considerations in FAPI Part 1 section 7.1 shall be followed.

8.2 Message source authentication failure and message integrity protection failure

It is not mandated that the Authorization request and response are authenticated. To provide message source authentication and integrity protection:

  1. Authorization servers should support the Request Object Endpoint as per FAPI-RW clause 7
  2. Clients should Use request_uri (obtained from the Authorization Server) in the Authorization request as per FAPI-RW clause
  3. Authorization servers should return an ID token as a detached signature ot the authorization response as per FAPI-RW part 2 clause

8.3 Message containment failure

The Message containment failure considerations in FAPI section 7.4 shall be followed.

8.5 TLS Considerations


Security Architecture

OAuth 2.0, OIDC and FAPI


Examples are non-normative

HTTP Request
Code Block
GET /authorize?














Request JWS (Without Base64 encoding)


can be used to specify that it is Essential to return an auth_time Claim Value.If the value is false, it indicates that it is a Voluntary Claim. The default is false.By requesting Claims as Essential Claims, the RP indicates to the End-User that releasing these Claims will ensure a smooth authorization for the specific task requested by the End-User. Note that even if the Claims are not available because the End-User did not authorize their release or they are not present, the Authorization Server MUST NOT generate an error when Claims are not returned, whether they are Essential or Voluntary, unless otherwise specified in the description of the specific claim. OIDC Core

Code Block
















   "response_type""code id_token",






   "scope""openid payments accounts",






   "max_age": 86400,










       "openbanking_intent_id": {"value""urn:alphabank














       "openbanking_intent_id": {"value""urn










       "acr": {"essential":




                "values": ["urn:openbanking:psd2:sca",












id_token returned - Sub being populated with an EphemeralId of the IntentId - Non Normative
Code Block
















   "iat": 1234569795,
























   "exp": 1311281970,















id_token returned - Identity Claims and IntentId With sub being populated with an UserIdentifier - Non Normative

Code Block
















   "iat": 1234569795,







   "address""2 Thomas More Square",
















   "exp": 1311281970,















 ID Token Claims Details: Where appropriate please follow the JWT Good Practice Guides 














Required by



Required by



Issuer of the token

Token issuer will be specific to the business 


 A JSON string that represents the issuer identifier of the authorization server as defined in RFC7519. When a pure OAuth 2.0 is used, the value is the redirection URI. When OpenID Connect is used, the value is the issuer value of the authorization server.


Token subject identifier

A unique and non-repeating identifier for the subject i.e the customer.
  couple of rules:

  • It needs to be the same when created by the authorisation and Token endpoints during the Hybrid flow. 

Non Identity Services Providers:

Use the Intent/Consent ID for this field.

Identity Services Providers:

Value at the discretion of the OP's.




Intent ID of the originating request

A unique and non-repeating identifier containing the intentid.Use the Intent/Consent ID for this field.
NoYes - it's acknowledged that this field may duplicate the value in "sub" for many providers.
Audience that the ID token is intended for

OpenID Connect protocol mandates thisthis MUST include the client ID of the TPP.

Should contain the ClientID of the TPP's OAuth Client.Yes

Yes - as per FAPI RW / OpenID Standard.



Token expiration date/time


Expressed as an epoch i.e. number of seconds from
  1970-01-01T0:0:0Z as measured in UTC.


The validity length will be at the discretion of the Banks provided that it does not impact the functionality of the APIs. For example, an expiry time of 1 second is insufficient for all Resource Requests.

Token issuance date/time

Expressed as an epoch i.e. number of seconds from
  1970-01-01T0:0:0Z as measured in UTC. 




auth_timeDate/time when End User was authorisedThis field is Required when the max_age request is made or max_age is included as an essential claim. In order to be compliant with the protocol we therefore need to support it.Expressed as an epoch i.e. number of seconds from 1970-01-01T0:0:0Z as measured in UTC.Case-specific


Used to help mitigate against replay attacks
Value is passed in as a Request parameter. If present it must be replayed in the ID token




Required by FAPI Read Write (Hybrid explicitly required - required by OIDC Core for Hybrid Flow).

Hybrid Flow support is optional in the OB Security Profile.

acrAuthentication Context Class Reference
An identifier that qualifies what conditions the authentication performed satisfied. The acr SHOULD correspond to one of the values requested by the acr_values field on the request however even if not present on the request the aspsp should populate the acr with a value that attests that the aspsp performed or NOT performed an appropriate level of authentication such that the aspsp believes it has met the requirement for "Strong Customer Authentication".The values to be provided will be to urn:openbanking:psd2:ca or urn:openbanking:psd2:sca. To cover the exemptions cases of PSD2 the PISP / AISP must have a way to request that a Bank NOT perform SCA for some requests. It’s entirely within the banks gift to ignore the requested ACR_VALUES however the Bank must reply with what level of AuthN was performed. (Once RTS comes into affect).





Caveated: As RTS is not signed off and will not be delivered by initial go-live aspsps do not have to provide a response value.

Aspsps that do not wish to provide this as a claim should remove it from the well-known configuration endpoint.

As per OIDC Core, marking a claim as "essential" and an ASPSP can not fulfill it then an error should not be generated.


Authentication Methods ReferencesThe methods that are used in the authentication. For example, this field might contain indicators that a password was supplied or OTP initiated.

Note – industry direction is to consolidate on so expect this field to be replaced shortly. AMR doesn’t give the flexibility to address all the actual particulars of both the authn and the identity that sits behind it.

No requirement to specify as it is to be soon superseded by Vectors of Trust.
Authorized party

OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.

No specific requirement from OB.
s_hashState Hash ValueMay include state hash, s_hash, in the ID Token to protect the state value;Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the state value, where the hash algorithm used is the hash algorithm used in the algHeader Parameter of the ID Token's JOSE Header. For instance, if the alg is HS512, hash the code value with SHA-512, then take the left-most 256 bits and base64url encode them. The s_hashvalue is a case sensitive string.No

Recommended by OB

at_hashAccess Token Hash ValueAccess Token hash value.Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string.Conditional

As per Hybrid Flow (OIDC Core) - Yes

If the ID Token is issued from the Authorization Endpoint with an access_token value, which is the case for the response_type value code id_token token, this is REQUIRED; otherwise, its inclusion is OPTIONAL.

c_hashCode hash value.Code Hash ValueIts value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the code value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header.Conditional

As per Hybrid Flow (OIDC Core) - Yes.

If the ID Token is issued from the Authorization Endpoint with a code, which is the case for the response_type values code id_token and code id_token token, this is REQUIRED; otherwise, its inclusion is OPTIONAL.


1. The PISP can query for the status of a Payment-Submission by invoking the /payment-submissions using the known PaymentSubmissionId. This can use an existing access token with payments scope or the PISP can obtain a fresh access token by replaying the client credentials grant request as per Step 2 - Setup Single Payment Initiation.

Request: payment-submissions/{PaymentSubmissionId}Response: payment-submissions

Code Block
GET /payment-submissions/58923-001 HTTP/1.1
Authorization: Bearer SlAV32hkKG
x-fapi-financial-id: OB/2017/001
x-fapi-customer-last-logged-time: 2017-06-13T11:36:09
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d
Accept: application/json

Code Block
HTTP/1.1 200 OK
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d
Content-Type: application/json
  "Data": {
    "PaymentSubmissionId": "58923-001",
    "PaymentId": "58923",
    "Status": "AcceptedSettlementInProcess",
    "CreationDateTime": "2017-06-05T15:15:22+00:00"
  "Links": {
    "Self": ""
  "Meta": {}

2. A PISP can also optionally query for the status of a Payment resource by invoking /payments/{PaymentId}. This can use an existing access token with payments scope or the PISP can obtain a fresh access token by replaying the client credentials grant request as per Step 2 - Setup Single Payment Initiation.

Account API Specification
