Consent Management
Our interface provides endpoints allowing authorised TPPs to query and manage the status of AIS consents they’ve requested.
All consent endpoints are served over MTLS. Therefore, the TPP must present a valid OpenBanking transport certificate to successfully connect.
Query Account Request
TPPs can query the status of any consent that they own by sending a GET request to /account-access-consents/{ConsentId} with an access token in the Authorization header that was issued by the authorization server in response to a client_credentials grant.
Attempting to access an invalid Consent ID, or one owned by a different client to the one to which the access token was issued, will result in an error response.
GET /account-access-consents/{$ConsentId}
Retrieves the Account Access Consent for the specified ConsentId. TPPs can use this endpoint to query the status of an Account Access Consent that they previously created.
Request Arguments
| Parameter | Description |
|---|---|
ConsentId Required | The ID of the Account Access Consent to retrieve. |
accessToken Required | The access token you were provided. |
$ curl -X get "https://open-banking.capitalone.co.uk/open-banking/v3.1/aisp/account-access-consents/$ConsentId" \
-H "accept: application/json" \
-H 'Authorization: Bearer $accessToken'
Response Arguments
| Parameter | Description |
|---|---|
ConsentId | A uinque identifier for the consent. This value should be used by the TPP in subsequent requests to reference the consent. |
Status | The current status of the consent. |
StatusUpdateDateTime | The Date/Time (UTC) that the consent was last updated. |
CreationDateTime | The Date/Time (UTC) that the consent was created. |
Permissions | The list of Open Banking TPP permissions that are associated with this consent. |
ExpirationDateTime | The Date/Time (UTC) at which the consent will no longer be deemed valid. |
TransactionFromDateTime | The Date/Time (UTC) from which transactions data will be reported for the PSU in relation to this consent. |
TransactionToDateTime | The Date/Time (UTC) up to which transactions data will be reported for the PSU in relation to this consent. |
Self | An absolute URL that references this resource. |
TotalPages | The total number of pages available in the response. |
Example 200 Response
{
"Data": {
"ConsentId": "string",
"Status": "AwaitingAuthorisation",
"StatusUpdateDateTime": "2019-11-07T19:08:46.759Z",
"CreationDateTime": "2019-11-07T19:08:46.759Z",
"Permissions": ["ReadAccountsBasic"],
"ExpirationDateTime": "2019-11-07T19:08:46.759Z",
"TransactionFromDateTime": "2019-11-07T19:08:46.759Z",
"TransactionToDateTime": "2019-11-07T19:08:46.759Z"
},
"Risk": {},
"Links": {
"Self": "string"
},
"Meta": {
"TotalPages": 1
}
}
Query Funds Confirmation Request
TPPs can query the status of any consent that they own by sending a GET request to /funds-confirmation-consents/{ConsentId} with an access token in the Authorization header that was issued by the authorization server in response to a client_credentials grant.
Attempting to access an invalid Consent ID, or one owned by a different client to the one to which the access token was issued, will result in an error response.
GET /funds-confirmation-consents/{ConsentId}
Retrieves the Funds Confirmation Consent for the specified ConsentId. CBPIIs can use this endpoint to query the status of a Funds Confirmation Consent that they previously created.
Request Arguments
| Parameter | Description |
|---|---|
ConsentId Required | The ID of the Funds Confirmation Consent to retrieve. |
accessToken Required | The access token you were provided. |
$ curl -X get "https://open-banking.capitalone.co.uk/open-banking/v3.1/cbpii/funds-confirmation-consents/$ConsentId" \
-H "accept: application/json" \
-H 'Authorization: Bearer $accessToken'
Response Arguments
| Parameter | Description |
|---|---|
ConsentId | A unique identifier for the consent. This value should be used by the TPP in subsequent requests to reference the consent. |
CreationDateTime | The Date/Time (UTC) that the consent was created. |
Status | The current status of the consent. |
StatusUpdateDateTime | The Date/Time (UTC) that the consent was last updated. |
ExpirationDateTime | The Date/Time (UTC) at which the consent will no longer be deemed valid. |
SchemeName | Name of the identification scheme. The only supported value is UK.OBIE.PAN. |
Identification | The last 4 digits of the customer's PAN. |
Name | Name of the account, as assigned by the account servicing institution. |
SecondaryIdentification | This is secondary identification of the account, as assigned by the account servicing institution. |
Self | An absolute URL that references this resource. |
TotalPages | The total number of pages available in the response. |
Example 200 Response
{
"Data": {
"ConsentId": "string",
"CreationDateTime": "2019-11-07T19:08:46.759Z",
"Status": "Authorised",
"StatusUpdateDateTime": "2019-11-07T19:08:46.759Z",
"ExpirationDateTime": "2019-11-07T19:08:46.759Z",
"DebtorAccount": {
"SchemeName": "UK.OBIE.PAN",
"Identification": "string",
"Name": "string",
"SecondaryIdentification": "string"
}
},
"Links": {
"Self": "string"
},
"Meta": {
"TotalPages": 0
}
}
Delete Account Request
An authorised TPP may also revoke a given consent by sending a DELETE request to /account-access-consents/{ConsentId} with an access token in the Authorization header that was issued by the authorization server in response to a client_credentials grant.
Attempting to delete a consent ID owned by a different client to the one to which the access token was issued, will result in an error response.
Once deleted by a TPP, access to the customer's data using tokens issued in relation to this consent will be rejected. The TPP will also no longer be able to query the status of that particular consent, although it will remain visible to the customer from within the Capital One's account servicing facility for their reference.
Note: Consent can be unilaterally revoked by the customer at any time from within the Capital One account servicing facility. Once this has been done, access to the customer's data using tokens issued in relation to this consent will be rejected.
TPPs will still be able to query the status of the consent as described above. If the consent has been revoked by the customer, the Status field will be updated to Revoked.
DELETE /account-access-consents/{$ConsentId}
Deletes the specified Account Access Consent. TPPs should use this endpoint to notify Capital One that a customer has revoked their consent with the TPP.
Request Arguments
| Parameter | Description |
|---|---|
ConsentId Required | The ID of the Account Access Consent to delete |
accessToken Required | The access token you were provided. |
$ curl -X delete "https://open-banking.capitalone.co.uk/open-banking/v3.1/aisp/account-access-consents/$ConsentId" \
-H "accept: */*" \
-H 'Authorization: Bearer $accessToken'
Response Arguments
| Parameter | Description |
|---|---|
Status: 204 | The specified Account Access Consent was deleted. |
Status: 401 | The Authorization header was either missing, or its value was not valid (e.g. the token may have expired). A new access token should be obtained via a refresh_token grant to the /token endpoint. |
Status: 403 | The client does not have access to the specified Account Access Consent |
Refreshing Consent
Customers must re-confirm consent to share their data at least every 90 days.
This can be completed by using the existing intent ID in a request to the /authorize endpoint (as per the OBIE specifications).