Consent
In order to retrieve data via our Interface the customer must first have granted consent to each authorised TPP client.
To enable this our interface implements the Open Banking flavour of OAuth 2.0 allowing users to log in to applications without exposing their credentials.
Once granted by the customer, access can then be queried and managed through Consent Management endpoints.
Granting Consent
TPPs will need to create an AccountAccessConsent for each customer that they want to access data on behalf of. The details of this request are given in the OpenBanking specification.
The process involves several steps:
- Creation of an AccountAccessConsent for each customer that they want to access data on behalf of
- Redirect the customer to Capital One to authorise your app
- Acquire an access token, and optionally a refresh token
If you were issued a refresh token this can be used to refresh the access token when it expires.
Permissions
Capital One currently support a subset of Account Access Consents permissions. These align with the data endpoints supported by our API implementation. Account Access Consent requests with unsupported permissions will be rejected.
Supported Permissions:
- ReadAccountsBasic
- ReadAccountsDetail
- ReadBalances
- ReadStatementsBasic
- ReadStatementsDetail
- ReadTransactionsBasic
- ReadTransactionsDetail
- ReadTransactionsCredits
- ReadTransactionsDebits
Create Account Request
POST /account-access-consents
Creates a new Account Access Consent to which a customer can consent. The details of the consent (permissions, expiry date/time etc.) are contained in the body of the request.
Successful requests will result in a response containing a ConsentId that the TPP can use to reference the Account Access Consent that has been created.
Request Arguments
| Parameter | Description |
|---|---|
accessToken Required | The access token you were provided. |
Permissions Required | A list of permissions that the TPP is requesting from the PSU. See the Open Banking Specification for full details. Note: Capital One do not support the full list of permissions listed in the Open Banking Specification. Requests containing any values other than those listed in the above enumeration will be rejected. |
ExpirationDateTime | The Date/Time (UTC) at which the consent will no longer be deemed valid. |
TransactionFromDateTime | The Date/Time (UTC) from which transactions data will be reported for the PSU in relation to this consent. |
TransactionToDateTime | The Date/Time (UTC) up to which transactions data will be reported for the PSU in relation to this consent. |
Risk | A field that you pass an empty object by default. |
$ curl "https://open-banking.capitalone.co.uk/open-banking/v3.1/aisp/account-access-consents" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-H 'Authorization: Bearer $accessToken' \
-d '{"Data":{"Permissions":["ReadAccountsBasic"]}}'
Response Arguments
| Parameter | Description |
|---|---|
ConsentId | A unique identifier for the consent. This value should be used by the TPP in subsequent requests to reference the consent. |
Status | The current status of the consent. |
StatusUpdateDateTime | The Date/Time (UTC) that the consent was last updated. |
CreationDateTime | The Date/Time (UTC) that the consent was created. |
Permissions | The list of Open Banking TPP permissions that are associated with this consent. |
ExpirationDateTime | The Date/Time (UTC) at which the consent will no longer be deemed valid. |
TransactionFromDateTime | The Date/Time (UTC) from which transactions data will be reported for the PSU in relation to this consent. |
TransactionToDateTime | The Date/Time (UTC) up to which transactions data will be reported for the PSU in relation to this consent. |
Self | An absolute URL that references this resource. |
TotalPages | The total number of pages available in the response. |
Example 201 Response
{
"Data": {
"ConsentId": "string",
"Status": "AwaitingAuthorisation",
"StatusUpdateDateTime": "2019-11-07T18:28:28.062Z",
"CreationDateTime": "2019-11-07T18:28:28.062Z",
"Permissions": ["ReadAccountsBasic"],
"ExpirationDateTime": "2019-11-07T18:28:28.062Z",
"TransactionFromDateTime": "2019-11-07T18:28:28.062Z",
"TransactionToDateTime": "2019-11-07T18:28:28.062Z"
},
"Risk": {},
"Links": {
"Self": "string"
},
"Meta": {
"TotalPages": 1
}
}
Create Confirmation of Funds Request
POST /funds-confirmation-consents
Creates a new Funds Confirmation Consent to which a customer can consent. The details of the consent (debtor account, expiry date/time etc.) are contained in the body of the request.
Successful requests will result in a response containing a ConsentId that the CBPII can use to reference the Funds Confirmation Consent that has been created.
Request Arguments
| Parameter | Description |
|---|---|
accessToken Required | The access token you were provided. |
ExpirationDateTime | The Date/Time (UTC) at which the consent will no longer be deemed valid. |
SchemeName Required | Name of the identification scheme. The only supported value is UK.OBIE.PAN. |
Identification Required | The last 4 digits of the customer's PAN. |
Name | Name of the account, as assigned by the account servicing institution. |
SecondaryIdentification | This is secondary identification of the account, as assigned by the account servicing institution. |
$ curl "https://open-banking.capitalone.co.uk/open-banking/v3.1/cbpii/funds-confirmation-consents" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-H 'Authorization: Bearer $accessToken' \
-d '{"Data":{"DebtorAccount":{"SchemeName":"UK.OBIE.PAN","Identification":"1234","SecondaryIdentification":"Roll"}},"Risk":{}}'
Response Arguments
| Parameter | Description |
|---|---|
ConsentId | A unique identifier for the consent. This value should be used by the TPP in subsequent requests to reference the consent. |
CreationDateTime | The Date/Time (UTC) that the consent was created. |
Status | The current status of the consent. |
StatusUpdateDateTime | The Date/Time (UTC) that the consent was last updated. |
ExpirationDateTime | The Date/Time (UTC) at which the consent will no longer be deemed valid. |
SchemeName | Name of the identification scheme. The only supported value is UK.OBIE.PAN. |
Identification | The last 4 digits of the customer's PAN. |
Name | Name of the account, as assigned by the account servicing institution. |
SecondaryIdentification | This is secondary identification of the account, as assigned by the account servicing institution. |
Self | An absolute URL that references this resource. |
TotalPages | The total number of pages available in the response. |
Example 201 Response
{
"Data": {
"ConsentId": "string",
"CreationDateTime": "2019-11-07T18:28:28.062Z",
"Status": "Authorised",
"StatusUpdateDateTime": "2019-11-07T18:28:28.062Z",
"ExpirationDateTime": "2019-11-07T18:28:28.062Z",
"DebtorAccount": {
"SchemeName": "UK.OBIE.PAN",
"Identification": "string",
"Name": "string",
"SecondaryIdentification": "string"
}
},
"Risk": {},
"Links": {
"Self": "string"
},
"Meta": {
"TotalPages": 1
}
}
DELETE /funds-confirmation-consents/{$ConsentId}
Deletes the specified Funds Confirmation Consent.
Request Arguments
| Parameter | Description |
|---|---|
ConsentId Required | The ID of the Funds Confirmation Consent to delete |
accessToken Required | The access token you were provided. |
$ curl -X delete "https://open-banking.capitalone.co.uk/open-banking/v3.1/aisp/funds-confirmation-consents/$ConsentId" \
-H "accept: */*" \
-H 'Authorization: Bearer $accessToken'
Response Arguments
| Parameter | Description |
|---|---|
Status: 204 | The specified Funds Confirmation Consent was deleted. |
Status: 401 | The Authorization header was either missing, or its value was not valid (e.g. the token may have expired). A new access token should be obtained via a refresh_token grant to the /token endpoint. |
Status: 403 | The client does not have access to the specified Account Access Consent |
Redirection to Capital One for Customer Authorisation
GET /authorize
TPPs should redirect PSUs to this endpoint to begin the authentication and authorization process for consent.
See the Open Banking Security Profile for detailed information about the parameters to this endpoint.
Request Arguments
| Parameter | Description |
|---|---|
request Required | A JWS containing a Request Object as defined in OIDC Core |
response_type Required | The type of response required by the client as defined in OIDC Core |
redirect_uri Required | The URI to which the customer should be redirected at the end of the authorisation flow as defined in OIDC Core. This must match one of the redirect URIs registered by the client via Dynamic Client Registration. |
scope Required | The OAuth scopes being requested by this authorisation as defined in OIDC Core. The requested scopes must be a subset of the scopes registered for the client via Dynamic Client Registration. |
client_id Required | The ID of the client making the authorisation request as defined in OIDC Core. |
state | State provided by the client as defined in OIDC Core |
$ curl -X get "https://myaccount-data.capitalone.co.uk/authorize?request=$request&response_type=code%20id_token&redirect_uri=$redirect_uri&scope=$scope&client_id=$client_id&state=$state" \
-H "accept: */*" \
Response Arguments
| Parameter | Description |
|---|---|
Status: 302 | Redirect back to the requested redirect_uri. This may be the result of a successful authorization or as the result of an error to be communicated to the TPP. In the case of a successful authorization, the redirect URL will contain an authorization code and an ID token in the fragment of the URL. |
Authorization Code Exchange
POST /oauth/token
Obtain an OAuth access token
Request Arguments
| Parameter | Description |
|---|---|
grant_type Required | The requested grant type as defined in the OAuth specification. |
client_id | The ID of the client as issued by the authorization server during registration. |
client_secret | The secret issued to the client as issued by this service during registration. |
code | The authorization code being submitted (authorization_code grant type only). |
refresh_token | The refresh token being submitted (refresh_token grant type only). |
redirect_uri | The redirect URI that was used as part of the authorization flow (authorization_code grant type only). See the [OAuth specification] |
$ curl "https://open-banking.capitalone.co.uk/open-banking/oauth/token" \
-H "accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=$grant_type"
rfc6749 section 4.1.3 for more details.
client_assertion_type | OAuth assertion type must be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
client_assertion | The authentication token JWT signed by the third party, as per OpenID Connect Core v1 section 9
Response Arguments
| Parameter | Description |
|---|---|
access_token Required | A bearer token issued to the client that it should present when making requests to the resource server. |
refresh_token | A token issued to the client to allow it to get a new access token by presenting the refresh token as part of a refresh_token grant to the token endpoint of the authorization server. |
id_token | A token containing claims about the authorization of the end user. |
scope Required | A space-separated list of scopes to which the access token is bound. |
expires_in Required | The number of seconds before the token included in this response expires. |
token_type | The type of the issued token. |
Example 200 Response
{
"access_token": "string",
"refresh_token": "string",
"id_token": "string",
"scope": "string",
"expires_in": 0,
"token_type": "Bearer"
}