openapi: 3.0.2 info: title: Mojaloop Third Party API (DFSP) version: '1.0' description: | A Mojaloop API for DFSPs supporting Third Party functions. DFSPs who want to enable Payment Initiation Service Providers (PISPs) to perform actions on behalf of a DFSP's user should implement this API. PISPs should implement the accompanying API - Mojaloop Third Party API (PISP) instead. license: name: Open API for FSP Interoperability (FSPIOP) (Implementation Friendly Version) url: 'https://github.com/mojaloop/mojaloop-specification/blob/main/LICENSE.md' servers: - url: / paths: '/accounts/{ID}': parameters: - name: ID in: path required: true schema: type: string description: The identifier value. - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' get: operationId: GetAccountsByUserId summary: GetAccountsByUserId description: | The HTTP request `GET /accounts/{ID}` is used to retrieve the list of potential accounts available for linking. tags: - accounts - sampled parameters: - $ref: '#/paths/~1consents/post/parameters/0' responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' put: description: | The HTTP request `PUT /accounts/{ID}` is used to return the list of potential accounts available for linking operationId: UpdateAccountsByUserId summary: UpdateAccountsByUserId tags: - accounts - sampled parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: required: true content: application/json: schema: title: AccountsIDPutResponse type: object description: |- Callback and data model information for GET /accounts/{ID}: Callback - PUT /accounts/{ID} Error Callback - PUT /accounts/{ID}/error Data Model - Empty body The PUT /accounts/{ID} response is used to inform the requester of the result of a request for accounts information. The identifier ID given in the call are the values given in the original request. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31121--put-accountsid properties: accountList: title: AccountList type: array description: |- The AccountList data model is used to hold information about the accounts that a party controls. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#3213-accountlist items: title: Account type: object description: |- Data model for the complex type Account. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#3211-account properties: accountNickname: title: Name type: string pattern: '^(?!\s*$)[\w .,''-]{1,128}$' description: |- The API data type Name is a JSON String, restricted by a regular expression to avoid characters which are generally not used in a name. Regular Expression - The regular expression for restricting the Name type is "^(?!\s*$)[\w .,'-]{1,128}$". The restriction does not allow a string consisting of whitespace only, all Unicode characters are allowed, as well as the period (.) (apostrophe (‘), dash (-), comma (,) and space characters ( ). **Note:** In some programming languages, Unicode support must be specifically enabled. For example, if Java is used, the flag UNICODE_CHARACTER_CLASS must be enabled to allow Unicode characters. address: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/scopes/items/properties/address' currency: $ref: '#/paths/~1thirdpartyRequests~1transactions/post/requestBody/content/application~1json/schema/properties/amount/allOf/0/properties/currency' required: - accountNickname - address - currency minItems: 1 maxItems: 256 extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - accounts example: - accountNickname: dfspa.user.nickname1 id: dfspa.username.1234 currency: ZAR - accountNickname: dfspa.user.nickname2 id: dfspa.username.5678 currency: USD responses: '200': description: OK '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/accounts/{ID}/error': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' put: description: | The HTTP request `PUT /accounts/{ID}/error` is used to return error information operationId: UpdateAccountsByUserIdError summary: UpdateAccountsByUserIdError tags: - accounts - sampled parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Details of the error returned. required: true content: application/json: schema: title: ErrorInformationObject type: object description: Data model for the complex type object that contains ErrorInformation. properties: errorInformation: title: ErrorInformation type: object description: Data model for the complex type ErrorInformation. properties: errorCode: title: ErrorCode type: string pattern: '^[1-9]\d{3}$' description: 'The API data type ErrorCode is a JSON String of four characters, consisting of digits only. Negative numbers are not allowed. A leading zero is not allowed. Each error code in the API is a four-digit number, for example, 1234, where the first number (1 in the example) represents the high-level error category, the second number (2 in the example) represents the low-level error category, and the last two numbers (34 in the example) represent the specific error.' example: '5100' errorDescription: title: ErrorDescription type: string minLength: 1 maxLength: 128 description: Error description string. extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - errorCode - errorDescription required: - errorInformation responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' /consentRequests: parameters: - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' post: tags: - consentRequests - sampled operationId: CreateConsentRequest summary: CreateConsentRequest description: | The HTTP request **POST /consentRequests** is used to request a DFSP to grant access to one or more accounts owned by a customer of the DFSP for the PISP who sends the request. parameters: - $ref: '#/paths/~1consents/post/parameters/0' - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: The consentRequest to create required: true content: application/json: schema: title: ConsentRequestsPostRequest type: object description: |- Used by: PISP The HTTP request POST /consentRequests is used to request a DFSP to grant access to one or more accounts owned by a customer of the DFSP for the PISP who sends the request. Callback and data model for POST /consentRequests: Callback: PUT /consentRequests/{ID} Error callback: PUT /consentRequests/{ID}/error Data model - see below url https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31212-post-consentrequests properties: consentRequestId: title: CorrelationId type: string pattern: '^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$' description: 'Identifier that correlates all messages of the same sequence. The API data type UUID (Universally Unique Identifier) is a JSON String in canonical format, conforming to [RFC 4122](https://tools.ietf.org/html/rfc4122), that is restricted by a regular expression for interoperability reasons. A UUID is always 36 characters long, 32 hexadecimal symbols and 4 dashes (‘-‘).' example: b51ec534-ee48-4575-b6a9-ead2955b8069 userId: type: string description: 'The identifier used in the **GET /accounts/**_{ID}_. Used by the DFSP to correlate an account lookup to a `consentRequest`' minLength: 1 maxLength: 128 scopes: type: array minLength: 1 maxLength: 256 items: title: Scope type: object description: |- The Scope element contains an identifier defining, in the terms of a DFSP, an account on which access types can be requested or granted. It also defines the access types which are requested or granted. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#32121-scope properties: address: title: AccountAddress type: string description: |- The AccountAddress data type is a variable length string with a maximum size of 1023 characters and consists of: Alphanumeric characters, upper or lower case. (Addresses are case-sensitive so that they can contain data encoded in formats such as base64url.) - Underscore (_) - Tilde (~) - Hyphen (-) - Period (.) Addresses MUST NOT end in a period (.) character An entity providing accounts to parties (i.e. a participant) can provide any value for an AccountAddress that is meaningful to that entity. It does not need to provide an address that makes the account identifiable outside the entity's domain. IMPORTANT: The policy for defining addresses and the life-cycle of these is at the discretion of the address space owner (the payer DFSP in this case). https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#3212-accountaddress pattern: '^([0-9A-Za-z_~\-\.]+[0-9A-Za-z_~\-])$' minLength: 1 maxLength: 1023 actions: type: array minItems: 1 maxItems: 32 items: title: ScopeAction type: string description: | The ScopeAction element contains an access type which a PISP can request from a DFSP, or which a DFSP can grant to a PISP. It must be a member of the appropriate enumeration. - ACCOUNTS_GET_BALANCE: PISP can request a balance for the linked account - ACCOUNTS_TRANSFER: PISP can request a transfer of funds from the linked account in the DFSP - ACCOUNTS_STATEMENT: PISP can request a statement of individual transactions on a user's account enum: - ACCOUNTS_GET_BALANCE - ACCOUNTS_TRANSFER - ACCOUNTS_STATEMENT required: - address - actions authChannels: type: array minLength: 1 maxLength: 256 items: title: ConsentRequestChannelType type: string enum: - WEB - OTP description: | The auth channel being used for the consent request. - WEB - DFSP can support authorization via a web-based login. - OTP - DFSP can support authorization via a One Time PIN. callbackUri: title: Uri type: string pattern: '^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?' minLength: 1 maxLength: 512 description: | The API data type Uri is a JSON string in a canonical format that is restricted by a regular expression for interoperability reasons. extensionList: title: ExtensionList type: object description: 'Data model for the complex type ExtensionList. An optional list of extensions, specific to deployment.' properties: extension: type: array items: title: Extension type: object description: Data model for the complex type Extension. properties: key: title: ExtensionKey type: string minLength: 1 maxLength: 32 description: Extension key. value: title: ExtensionValue type: string minLength: 1 maxLength: 128 description: Extension value. required: - key - value minItems: 1 maxItems: 16 description: Number of Extension elements. required: - extension required: - consentRequestId - userId - scopes - authChannels - callbackUri responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/consentRequests/{ID}': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' get: operationId: GetConsentRequestsById summary: GetConsentRequestsById description: | The HTTP request `GET /consentRequests/{ID}` is used to get information about a previously requested consent. The *{ID}* in the URI should contain the consentRequestId that was assigned to the request by the PISP when the PISP originated the request. tags: - consentRequests - sampled parameters: - $ref: '#/paths/~1consents/post/parameters/0' responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' put: tags: - consentRequests - sampled operationId: UpdateConsentRequest summary: UpdateConsentRequest description: | A DFSP uses this callback to (1) inform the PISP that the consentRequest has been accepted, and (2) communicate to the PISP which `authChannel` it should use to authenticate their user with. When a PISP requests a series of permissions from a DFSP on behalf of a DFSP’s customer, not all the permissions requested may be granted by the DFSP. Conversely, the out-of-band authorization process may result in additional privileges being granted by the account holder to the PISP. The **PUT /consentRequests/**_{ID}_ resource returns the current state of the permissions relating to a particular authorization request. parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: required: true content: application/json: schema: oneOf: - title: ConsentRequestsIDPutResponseWeb type: object description: | The object sent in a `PUT /consentRequests/{ID}` request. Schema used in the request consent phase of the account linking web flow, the result is the PISP being instructed on a specific URL where this supposed user should be redirected. This URL should be a place where the user can prove their identity (e.g., by logging in). properties: scopes: type: array minLength: 1 maxLength: 256 items: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/scopes/items' authChannels: type: array minLength: 1 maxLength: 1 items: title: ConsentRequestChannelTypeWeb type: string enum: - WEB description: | The web auth channel being used for `PUT /consentRequest/{ID}` request. callbackUri: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/callbackUri' authUri: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/callbackUri' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - scopes - authChannels - callbackUri - authUri additionalProperties: false - title: ConsentRequestsIDPutResponseOTP type: object description: | The object sent in a `PUT /consentRequests/{ID}` request. Schema used in the request consent phase of the account linking OTP/SMS flow. properties: scopes: type: array minLength: 1 maxLength: 256 items: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/scopes/items' authChannels: type: array minLength: 1 maxLength: 1 items: title: ConsentRequestChannelTypeOTP type: string enum: - OTP description: | The OTP auth channel being used for `PUT /consentRequests/{ID}` request. callbackUri: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/callbackUri' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - scopes - authChannels additionalProperties: false responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' patch: tags: - consentRequests - sampled operationId: PatchConsentRequest summary: PatchConsentRequest description: | After the user completes an out-of-band authorization with the DFSP, the PISP will receive a token which they can use to prove to the DFSP that the user trusts this PISP. parameters: - $ref: '#/paths/~1consents/post/parameters/0' - $ref: '#/paths/~1consents/post/parameters/1' requestBody: required: true content: application/json: schema: title: ConsentRequestsIDPatchRequest type: object description: |- Used by: PISP After the user completes an out-of-band authorization with the DFSP, the PISP will receive a token which they can use to prove to the DFSP that the user trusts this PISP. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31222-patch-consentrequestsid properties: authToken: type: string pattern: '^[A-Za-z0-9-_]+[=]{0,2}$' description: 'The API data type BinaryString is a JSON String. The string is a base64url encoding of a string of raw bytes, where padding (character ‘=’) is added at the end of the data if needed to ensure that the string is a multiple of 4 characters. The length restriction indicates the allowed number of characters.' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - authToken responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/consentRequests/{ID}/error': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' put: tags: - consentRequests operationId: NotifyErrorConsentRequests summary: NotifyErrorConsentRequests description: | DFSP responds to the PISP if something went wrong with validating an OTP or secret. parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Error information returned. required: true content: application/json: schema: $ref: '#/paths/~1accounts~1%7BID%7D~1error/put/requestBody/content/application~1json/schema' responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' /consents: parameters: - name: Content-Type in: header schema: type: string required: true description: The `Content-Type` header indicates the specific version of the API used to send the payload body. - name: Date in: header schema: type: string required: true description: The `Date` header field indicates the date when the request was sent. - name: X-Forwarded-For in: header schema: type: string required: false description: |- The `X-Forwarded-For` header field is an unofficially accepted standard used for informational purposes of the originating client IP address, as a request might pass multiple proxies, firewalls, and so on. Multiple `X-Forwarded-For` values should be expected and supported by implementers of the API. **Note:** An alternative to `X-Forwarded-For` is defined in [RFC 7239](https://tools.ietf.org/html/rfc7239). However, to this point RFC 7239 is less-used and supported than `X-Forwarded-For`. - name: FSPIOP-Source in: header schema: type: string required: true description: The `FSPIOP-Source` header field is a non-HTTP standard field used by the API for identifying the sender of the HTTP request. The field should be set by the original sender of the request. Required for routing and signature verification (see header field `FSPIOP-Signature`). - name: FSPIOP-Destination in: header schema: type: string required: false description: 'The `FSPIOP-Destination` header field is a non-HTTP standard field used by the API for HTTP header based routing of requests and responses to the destination. The field must be set by the original sender of the request if the destination is known (valid for all services except GET /parties) so that any entities between the client and the server do not need to parse the payload for routing purposes. If the destination is not known (valid for service GET /parties), the field should be left empty.' - name: FSPIOP-Encryption in: header schema: type: string required: false description: The `FSPIOP-Encryption` header field is a non-HTTP standard field used by the API for applying end-to-end encryption of the request. - name: FSPIOP-Signature in: header schema: type: string required: false description: The `FSPIOP-Signature` header field is a non-HTTP standard field used by the API for applying an end-to-end request signature. - name: FSPIOP-URI in: header schema: type: string required: false description: 'The `FSPIOP-URI` header field is a non-HTTP standard field used by the API for signature verification, should contain the service URI. Required if signature verification is used, for more information, see [the API Signature document](https://github.com/mojaloop/docs/tree/main/Specification%20Document%20Set).' - name: FSPIOP-HTTP-Method in: header schema: type: string required: false description: 'The `FSPIOP-HTTP-Method` header field is a non-HTTP standard field used by the API for signature verification, should contain the service HTTP method. Required if signature verification is used, for more information, see [the API Signature document](https://github.com/mojaloop/docs/tree/main/Specification%20Document%20Set).' post: tags: - consents - sampled operationId: PostConsents summary: PostConsents description: | The **POST /consents** request is used to request the creation of a consent for interactions between a PISP and the DFSP who owns the account which a PISP’s customer wants to allow the PISP access to. parameters: - name: Accept in: header required: true schema: type: string description: The `Accept` header field indicates the version of the API the client would like the server to use. - name: Content-Length in: header required: false schema: type: integer description: |- The `Content-Length` header field indicates the anticipated size of the payload body. Only sent if there is a body. **Note:** The API supports a maximum size of 5242880 bytes (5 Megabytes). requestBody: required: true content: application/json: schema: oneOf: - title: ConsentPostRequestAUTH type: object description: | The object sent in a `POST /consents` request to the Auth-Service by a DFSP to store registered Consent and credential properties: consentId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' description: | Common ID between the PISP and FSP for the Consent object determined by the DFSP who creates the Consent. consentRequestId: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' scopes: minLength: 1 maxLength: 256 type: array items: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/scopes/items' credential: allOf: - $ref: '#/paths/~1consents~1%7BID%7D/put/requestBody/content/application~1json/schema/oneOf/0/properties/credential' status: title: ConsentStatus type: string enum: - ISSUED - REVOKED description: |- Allowed values for the enumeration ConsentStatus - ISSUED - The consent has been issued by the DFSP - REVOKED - The consent has been revoked extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - consentId - scopes - credential - status additionalProperties: false - title: ConsentPostRequestPISP type: object description: | The provisional Consent object sent by the DFSP in `POST /consents`. properties: consentId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' description: | Common ID between the PISP and the Payer DFSP for the consent object. The ID should be reused for re-sends of the same consent. A new ID should be generated for each new consent. consentRequestId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' description: | The ID given to the original consent request on which this consent is based. scopes: type: array minLength: 1 maxLength: 256 items: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/scopes/items' status: $ref: '#/paths/~1consents/post/requestBody/content/application~1json/schema/oneOf/0/properties/status' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - consentId - consentRequestId - scopes - status responses: '202': description: Accepted '400': description: Bad Request content: application/json: schema: title: ErrorInformationResponse type: object description: Data model for the complex type object that contains an optional element ErrorInformation used along with 4xx and 5xx responses. properties: errorInformation: $ref: '#/paths/~1accounts~1%7BID%7D~1error/put/requestBody/content/application~1json/schema/properties/errorInformation' headers: Content-Length: required: false schema: type: integer description: |- The `Content-Length` header field indicates the anticipated size of the payload body. Only sent if there is a body. **Note:** The API supports a maximum size of 5242880 bytes (5 Megabytes). Content-Type: schema: type: string required: true description: The `Content-Type` header indicates the specific version of the API used to send the payload body. '401': description: Unauthorized content: application/json: schema: $ref: '#/paths/~1consents/post/responses/400/content/application~1json/schema' headers: Content-Length: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Length' Content-Type: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Type' '403': description: Forbidden content: application/json: schema: $ref: '#/paths/~1consents/post/responses/400/content/application~1json/schema' headers: Content-Length: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Length' Content-Type: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Type' '404': description: Not Found content: application/json: schema: $ref: '#/paths/~1consents/post/responses/400/content/application~1json/schema' headers: Content-Length: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Length' Content-Type: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Type' '405': description: Method Not Allowed content: application/json: schema: $ref: '#/paths/~1consents/post/responses/400/content/application~1json/schema' headers: Content-Length: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Length' Content-Type: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Type' '406': description: Not Acceptable content: application/json: schema: $ref: '#/paths/~1consents/post/responses/400/content/application~1json/schema' headers: Content-Length: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Length' Content-Type: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Type' '501': description: Not Implemented content: application/json: schema: $ref: '#/paths/~1consents/post/responses/400/content/application~1json/schema' headers: Content-Length: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Length' Content-Type: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Type' '503': description: Service Unavailable content: application/json: schema: $ref: '#/paths/~1consents/post/responses/400/content/application~1json/schema' headers: Content-Length: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Length' Content-Type: $ref: '#/paths/~1consents/post/responses/400/headers/Content-Type' '/consents/{ID}': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' get: description: | The **GET /consents/**_{ID}_ resource allows a party to enquire after the status of a consent. The *{ID}* used in the URI of the request should be the consent request ID which was used to identify the consent when it was created. tags: - consents operationId: GetConsent summary: GetConsent parameters: - $ref: '#/paths/~1consents/post/parameters/0' responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' patch: description: | The HTTP request `PATCH /consents/{ID}` is used - In account linking in the Credential Registration phase. Used by a DFSP to notify a PISP a credential has been verified and registered with an Auth service. - In account unlinking by a hub hosted auth service and by DFSPs in non-hub hosted scenarios to notify participants of a consent being revoked. Called by a `auth-service` to notify a PISP and DFSP of consent status in hub hosted scenario. Called by a `DFSP` to notify a PISP of consent status in non-hub hosted scenario. tags: - consents - sampled operationId: PatchConsentByID summary: PatchConsentByID requestBody: required: true content: application/json: schema: oneOf: - title: ConsentsIDPatchResponseVerified description: | PATCH /consents/{ID} request object. Sent by the DFSP to the PISP when a consent is issued and verified. Used in the "Register Credential" part of the Account linking flow. type: object properties: credential: type: object properties: status: title: CredentialStatusVerified type: string enum: - VERIFIED description: | The status of the Credential. - "VERIFIED" - The Credential is valid and verified. required: - status extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - credential - title: ConsentsIDPatchResponseRevoked description: | PATCH /consents/{ID} request object. Sent to both the PISP and DFSP when a consent is revoked. Used in the "Unlinking" part of the Account Unlinking flow. type: object properties: status: title: ConsentStatusRevoked type: string enum: - REVOKED description: |- Allowed values for the enumeration ConsentStatus - REVOKED - The consent has been revoked revokedAt: $ref: '#/paths/~1thirdpartyRequests~1transactions~1%7BID%7D/patch/requestBody/content/application~1json/schema/properties/completedTimestamp' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - status - revokedAt parameters: - $ref: '#/paths/~1consents/post/parameters/0' - $ref: '#/paths/~1consents/post/parameters/1' responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' put: description: | The HTTP request `PUT /consents/{ID}` is used by the PISP and Auth Service. - Called by a `PISP` to after signing a challenge. Sent to an DFSP for verification. - Called by a `auth-service` to notify a DFSP that a credential has been verified and registered. tags: - consents - sampled operationId: PutConsentByID summary: PutConsentByID requestBody: required: true content: application/json: schema: oneOf: - title: ConsentsIDPutResponseSigned type: object description: | The HTTP request `PUT /consents/{ID}` is used by the PISP to update a Consent with a signed challenge and register a credential. Called by a `PISP` to after signing a challenge. Sent to a DFSP for verification. properties: status: title: ConsentStatusIssued type: string enum: - ISSUED description: |- Allowed values for the enumeration ConsentStatus - ISSUED - The consent has been issued by the DFSP scopes: type: array items: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/scopes/items' credential: title: SignedCredential type: object description: | A credential used to allow a user to prove their identity and access to an account with a DFSP. SignedCredential is a special formatting of the credential to allow us to be more explicit about the `status` field - it should only ever be PENDING when updating a credential. properties: credentialType: title: CredentialType type: string enum: - FIDO - GENERIC description: |- The type of the Credential. - "FIDO" - The credential is based on a FIDO challenge. Its payload is a FIDOPublicKeyCredentialAttestation object. - "GENERIC" - The credential is based on a simple public key validation. Its payload is a GenericCredential object. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#3226-credentialtype status: title: CredentialStatusPending type: string enum: - PENDING description: | The status of the Credential. - "PENDING" - The credential has been created, but has not been verified genericPayload: title: GenericCredential type: object description: | A publicKey + signature of a challenge for a generic public/private keypair. properties: publicKey: $ref: '#/paths/~1consentRequests~1%7BID%7D/patch/requestBody/content/application~1json/schema/properties/authToken' signature: $ref: '#/paths/~1consentRequests~1%7BID%7D/patch/requestBody/content/application~1json/schema/properties/authToken' required: - publicKey - signature additionalProperties: false fidoPayload: title: FIDOPublicKeyCredentialAttestation type: object description: | A data model representing a FIDO Attestation result. Derived from [`PublicKeyCredential` Interface](https://w3c.github.io/webauthn/#iface-pkcredential). The `PublicKeyCredential` interface represents the below fields with a Type of Javascript [ArrayBuffer](https://heycam.github.io/webidl/#idl-ArrayBuffer). For this API, we represent ArrayBuffers as base64 encoded utf-8 strings. properties: id: type: string description: | credential id: identifier of pair of keys, base64 encoded https://w3c.github.io/webauthn/#ref-for-dom-credential-id minLength: 59 maxLength: 118 rawId: type: string description: | raw credential id: identifier of pair of keys, base64 encoded minLength: 59 maxLength: 118 response: type: object description: | AuthenticatorAttestationResponse properties: clientDataJSON: type: string description: | JSON string with client data minLength: 121 maxLength: 512 attestationObject: type: string description: | CBOR.encoded attestation object minLength: 306 maxLength: 2048 required: - clientDataJSON - attestationObject additionalProperties: false type: type: string description: 'response type, we need only the type of public-key' enum: - public-key required: - id - response - type additionalProperties: false required: - credentialType - status additionalProperties: false extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - scopes - credential additionalProperties: false - title: ConsentsIDPutResponseVerified type: object description: | The HTTP request `PUT /consents/{ID}` is used by the DFSP or Auth-Service to update a Consent object once it has been Verified. Called by a `auth-service` to notify a DFSP that a credential has been verified and registered. properties: status: $ref: '#/paths/~1consents~1%7BID%7D/put/requestBody/content/application~1json/schema/oneOf/0/properties/status' scopes: type: array items: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/scopes/items' credential: title: VerifiedCredential type: object description: | A credential used to allow a user to prove their identity and access to an account with a DFSP. VerifiedCredential is a special formatting of Credential to allow us to be more explicit about the `status` field - it should only ever be VERIFIED when updating a credential. properties: credentialType: $ref: '#/paths/~1consents~1%7BID%7D/put/requestBody/content/application~1json/schema/oneOf/0/properties/credential/properties/credentialType' status: $ref: '#/paths/~1consents~1%7BID%7D/patch/requestBody/content/application~1json/schema/oneOf/0/properties/credential/properties/status' genericPayload: $ref: '#/paths/~1consents~1%7BID%7D/put/requestBody/content/application~1json/schema/oneOf/0/properties/credential/properties/genericPayload' fidoPayload: $ref: '#/paths/~1consents~1%7BID%7D/put/requestBody/content/application~1json/schema/oneOf/0/properties/credential/properties/fidoPayload' required: - credentialType - status additionalProperties: false extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - scopes - credential additionalProperties: false parameters: - $ref: '#/paths/~1consents/post/parameters/1' responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' delete: description: | Used by PISP, DFSP The **DELETE /consents/**_{ID}_ request is used to request the revocation of a previously agreed consent. For tracing and auditing purposes, the switch should be sure not to delete the consent physically; instead, information relating to the consent should be marked as deleted and requests relating to the consent should not be honoured. operationId: DeleteConsentByID parameters: - $ref: '#/paths/~1consents/post/parameters/0' tags: - consents responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/consents/{ID}/error': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' put: tags: - consents operationId: NotifyErrorConsents summary: NotifyErrorConsents description: | DFSP responds to the PISP if something went wrong with validating or storing consent. parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Error information returned. required: true content: application/json: schema: $ref: '#/paths/~1accounts~1%7BID%7D~1error/put/requestBody/content/application~1json/schema' responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' /thirdpartyRequests/authorizations: parameters: - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' post: description: | The HTTP request **POST /thirdpartyRequests/authorizations** is used to request the validation by a customer for the transfer described in the request. operationId: PostThirdpartyRequestsAuthorizations summary: PostThirdpartyRequestsAuthorizations tags: - authorizations parameters: - $ref: '#/paths/~1consents/post/parameters/0' - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Authorization request details required: true content: application/json: schema: title: ThirdpartyRequestsAuthorizationsPostRequest description: |- Used by: DFSP The HTTP request POST /thirdpartyRequests/authorizations is used to request the validation by a customer for the transfer described in the request. Callback and data model information for POST /thirdpartyRequests/authorizations: Callback - PUT /thirdpartyRequests/authorizations/{ID} Error Callback - PUT /thirdpartyRequests/authorizations/{ID}/error Data Model - See below url https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31612-post-thirdpartyrequestsauthorizations type: object properties: authorizationRequestId: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' transactionRequestId: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' challenge: type: string description: The challenge that the PISP's client is to sign transferAmount: allOf: - $ref: '#/paths/~1thirdpartyRequests~1transactions/post/requestBody/content/application~1json/schema/properties/amount/allOf/0' description: The amount that will be debited from the sending customer's account as a consequence of the transaction. payeeReceiveAmount: allOf: - $ref: '#/paths/~1thirdpartyRequests~1transactions/post/requestBody/content/application~1json/schema/properties/amount/allOf/0' description: The amount that will be credited to the receiving customer's account as a consequence of the transaction. fees: allOf: - $ref: '#/paths/~1thirdpartyRequests~1transactions/post/requestBody/content/application~1json/schema/properties/amount/allOf/0' description: The amount of fees that the paying customer will be charged as part of the transaction. payer: allOf: - $ref: '#/paths/~1thirdpartyRequests~1transactions/post/requestBody/content/application~1json/schema/properties/payer/allOf/0' description: 'Information about the Payer type, id, sub-type/id, FSP Id in the proposed financial transaction.' payee: allOf: - $ref: '#/paths/~1thirdpartyRequests~1transactions/post/requestBody/content/application~1json/schema/properties/payee/allOf/0' description: Information about the Payee in the proposed financial transaction. transactionType: title: TransactionType type: object description: Data model for the complex type TransactionType. properties: scenario: title: TransactionScenario type: string enum: - DEPOSIT - WITHDRAWAL - TRANSFER - PAYMENT - REFUND description: |- Below are the allowed values for the enumeration. - DEPOSIT - Used for performing a Cash-In (deposit) transaction. In a normal scenario, electronic funds are transferred from a Business account to a Consumer account, and physical cash is given from the Consumer to the Business User. - WITHDRAWAL - Used for performing a Cash-Out (withdrawal) transaction. In a normal scenario, electronic funds are transferred from a Consumer’s account to a Business account, and physical cash is given from the Business User to the Consumer. - TRANSFER - Used for performing a P2P (Peer to Peer, or Consumer to Consumer) transaction. - PAYMENT - Usually used for performing a transaction from a Consumer to a Merchant or Organization, but could also be for a B2B (Business to Business) payment. The transaction could be online for a purchase in an Internet store, in a physical store where both the Consumer and Business User are present, a bill payment, a donation, and so on. - REFUND - Used for performing a refund of transaction. example: DEPOSIT subScenario: title: TransactionSubScenario type: string pattern: '^[A-Z_]{1,32}$' description: 'Possible sub-scenario, defined locally within the scheme (UndefinedEnum Type).' example: LOCALLY_DEFINED_SUBSCENARIO initiator: title: TransactionInitiator type: string enum: - PAYER - PAYEE description: |- Below are the allowed values for the enumeration. - PAYER - Sender of funds is initiating the transaction. The account to send from is either owned by the Payer or is connected to the Payer in some way. - PAYEE - Recipient of the funds is initiating the transaction by sending a transaction request. The Payer must approve the transaction, either automatically by a pre-generated OTP or by pre-approval of the Payee, or by manually approving in his or her own Device. example: PAYEE initiatorType: title: TransactionInitiatorType type: string enum: - CONSUMER - AGENT - BUSINESS - DEVICE description: |- Below are the allowed values for the enumeration. - CONSUMER - Consumer is the initiator of the transaction. - AGENT - Agent is the initiator of the transaction. - BUSINESS - Business is the initiator of the transaction. - DEVICE - Device is the initiator of the transaction. example: CONSUMER refundInfo: title: Refund type: object description: Data model for the complex type Refund. properties: originalTransactionId: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' refundReason: title: RefundReason type: string minLength: 1 maxLength: 128 description: Reason for the refund. example: Free text indicating reason for the refund. required: - originalTransactionId balanceOfPayments: title: BalanceOfPayments type: string pattern: '^[1-9]\d{2}$' description: '(BopCode) The API data type [BopCode](https://www.imf.org/external/np/sta/bopcode/) is a JSON String of 3 characters, consisting of digits only. Negative numbers are not allowed. A leading zero is not allowed.' example: '123' required: - scenario - initiator - initiatorType expiration: allOf: - $ref: '#/paths/~1thirdpartyRequests~1transactions~1%7BID%7D/patch/requestBody/content/application~1json/schema/properties/completedTimestamp' description: 'The time by which the transfer must be completed, set by the payee DFSP.' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - authorizationRequestId - transactionRequestId - challenge - transferAmount - payeeReceiveAmount - fees - payer - payee - transactionType - expiration additionalProperties: false responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/thirdpartyRequests/authorizations/{ID}': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' get: description: | The HTTP request **GET /thirdpartyRequests/authorizations/**_{ID}_ is used to get information relating to a previously issued authorization request. The *{ID}* in the request should match the `authorizationRequestId` which was given when the authorization request was created. operationId: GetThirdpartyRequestsAuthorizationsById summary: GetThirdpartyRequestsAuthorizationsById tags: - authorizations parameters: - $ref: '#/paths/~1consents/post/parameters/0' responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' put: description: | After receiving the **POST /thirdpartyRequests/authorizations**, the PISP will present the details of the transaction to their user, and request that the client sign the `challenge` field using the credential they previously registered. The signed challenge will be sent back by the PISP in **PUT /thirdpartyRequests/authorizations/**_{ID}_: operationId: PutThirdpartyRequestsAuthorizationsById summary: PutThirdpartyRequestsAuthorizationsById tags: - authorizations parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Signed authorization object required: true content: application/json: schema: oneOf: - title: ThirdpartyRequestsAuthorizationsIDPutResponseRejected type: object description: 'The object sent in the PUT /thirdpartyRequests/authorizations/{ID} callback.' properties: responseType: title: AuthorizationResponseTypeRejected description: | The customer rejected the terms of the transfer. type: string enum: - REJECTED extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - responseType - title: ThirdpartyRequestsAuthorizationsIDPutResponseFIDO type: object description: 'The object sent in the PUT /thirdpartyRequests/authorizations/{ID} callback.' properties: responseType: title: AuthorizationResponseType description: | The customer accepted the terms of the transfer type: string enum: - ACCEPTED signedPayload: title: SignedPayloadFIDO type: object properties: signedPayloadType: $ref: '#/paths/~1thirdpartyRequests~1verifications/post/requestBody/content/application~1json/schema/oneOf/0/properties/signedPayloadType' fidoSignedPayload: $ref: '#/paths/~1thirdpartyRequests~1verifications/post/requestBody/content/application~1json/schema/oneOf/0/properties/fidoSignedPayload' required: - signedPayloadType - fidoSignedPayload additionalProperties: false extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - responseType - signedPayload additionalProperties: false - title: ThirdpartyRequestsAuthorizationsIDPutResponseGeneric type: object description: 'The object sent in the PUT /thirdpartyRequests/authorizations/{ID} callback.' properties: responseType: $ref: '#/paths/~1thirdpartyRequests~1authorizations~1%7BID%7D/put/requestBody/content/application~1json/schema/oneOf/1/properties/responseType' signedPayload: title: SignedPayloadGeneric type: object properties: signedPayloadType: $ref: '#/paths/~1thirdpartyRequests~1verifications/post/requestBody/content/application~1json/schema/oneOf/1/properties/signedPayloadType' genericSignedPayload: $ref: '#/paths/~1consentRequests~1%7BID%7D/patch/requestBody/content/application~1json/schema/properties/authToken' required: - signedPayloadType - genericSignedPayload additionalProperties: false extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - responseType - signedPayload additionalProperties: false responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/thirdpartyRequests/authorizations/{ID}/error': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' put: tags: - thirdpartyRequests - sampled operationId: PutThirdpartyRequestsAuthorizationsByIdAndError summary: PutThirdpartyRequestsAuthorizationsByIdAndError description: | The HTTP request `PUT /thirdpartyRequests/authorizations/{ID}/error` is used by the DFSP or PISP to inform the other party that something went wrong with a Thirdparty Transaction Authorization Request. The PISP may use this to tell the DFSP that the Thirdparty Transaction Authorization Request is invalid or doesn't match a `transactionRequestId`. The DFSP may use this to tell the PISP that the signed challenge returned in `PUT /thirdpartyRequest/authorizations/{ID}` was invalid. parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Error information returned. required: true content: application/json: schema: $ref: '#/paths/~1accounts~1%7BID%7D~1error/put/requestBody/content/application~1json/schema' responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' /thirdpartyRequests/transactions: parameters: - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' post: operationId: ThirdpartyRequestsTransactionsPost summary: ThirdpartyRequestsTransactionsPost description: The HTTP request POST `/thirdpartyRequests/transactions` is used by a PISP to initiate a 3rd party Transaction request with a DFSP tags: - thirdpartyRequests parameters: - $ref: '#/paths/~1consents/post/parameters/0' - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Transaction request to be created. required: true content: application/json: schema: title: ThirdpartyRequestsTransactionsPostRequest type: object description: |- Used by: PISP The HTTP request POST /thirdpartyRequests/transactions is used to request the creation of a transaction request on the server for the transfer described in the request. Callback and data model information for POST /thirdpartyRequests/transactions: Callback - PUT /thirdpartyRequests/transactions/{ID} Error Callback - PUT /thirdpartyRequests/transactions/{ID}/error Data Model - See link below https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31712-post-thirdpartyrequeststransactions properties: transactionRequestId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' description: | Common ID between the PISP and the Payer DFSP for the transaction request object. The ID should be reused for resends of the same transaction request. A new ID should be generated for each new transaction request. payee: allOf: - title: Party type: object description: Data model for the complex type Party. properties: partyIdInfo: $ref: '#/paths/~1thirdpartyRequests~1transactions/post/requestBody/content/application~1json/schema/properties/payer/allOf/0' merchantClassificationCode: title: MerchantClassificationCode type: string pattern: '^[\d]{1,4}$' description: 'A limited set of pre-defined numbers. This list would be a limited set of numbers identifying a set of popular merchant types like School Fees, Pubs and Restaurants, Groceries, etc.' name: title: PartyName type: string minLength: 1 maxLength: 128 description: Name of the Party. Could be a real name or a nickname. personalInfo: title: PartyPersonalInfo type: object description: Data model for the complex type PartyPersonalInfo. properties: complexName: title: PartyComplexName type: object description: Data model for the complex type PartyComplexName. properties: firstName: title: FirstName type: string minLength: 1 maxLength: 128 pattern: '^(?!\s*$)[\p{L}\p{gc=Mark}\p{digit}\p{gc=Connector_Punctuation}\p{Join_Control} .,''''-]{1,128}$' description: First name of the Party (Name Type). example: Henrik middleName: title: MiddleName type: string minLength: 1 maxLength: 128 pattern: '^(?!\s*$)[\p{L}\p{gc=Mark}\p{digit}\p{gc=Connector_Punctuation}\p{Join_Control} .,''''-]{1,128}$' description: Middle name of the Party (Name Type). example: Johannes lastName: title: LastName type: string minLength: 1 maxLength: 128 pattern: '^(?!\s*$)[\p{L}\p{gc=Mark}\p{digit}\p{gc=Connector_Punctuation}\p{Join_Control} .,''''-]{1,128}$' description: Last name of the Party (Name Type). example: Karlsson dateOfBirth: title: DateofBirth (type Date) type: string pattern: '^(?:[1-9]\d{3}-(?:(?:0[1-9]|1[0-2])-(?:0[1-9]|1\d|2[0-8])|(?:0[13-9]|1[0-2])-(?:29|30)|(?:0[13578]|1[02])-31)|(?:[1-9]\d(?:0[48]|[2468][048]|[13579][26])|(?:[2468][048]|[13579][26])00)-02-29)$' description: Date of Birth of the Party. example: '1966-06-16' required: - partyIdInfo description: Information about the Payee in the proposed financial transaction. payer: allOf: - title: PartyIdInfo type: object description: Data model for the complex type PartyIdInfo. properties: partyIdType: title: PartyIdType type: string enum: - MSISDN - EMAIL - PERSONAL_ID - BUSINESS - DEVICE - ACCOUNT_ID - IBAN - ALIAS - CONSENT - THIRD_PARTY_LINK description: | Below are the allowed values for the enumeration. - MSISDN - An MSISDN (Mobile Station International Subscriber Directory Number, that is, the phone number) is used as reference to a participant. The MSISDN identifier should be in international format according to the [ITU-T E.164 standard](https://www.itu.int/rec/T-REC-E.164/en). Optionally, the MSISDN may be prefixed by a single plus sign, indicating the international prefix. - EMAIL - An email is used as reference to a participant. The format of the email should be according to the informational [RFC 3696](https://tools.ietf.org/html/rfc3696). - PERSONAL_ID - A personal identifier is used as reference to a participant. Examples of personal identification are passport number, birth certificate number, and national registration number. The identifier number is added in the PartyIdentifier element. The personal identifier type is added in the PartySubIdOrType element. - BUSINESS - A specific Business (for example, an organization or a company) is used as reference to a participant. The BUSINESS identifier can be in any format. To make a transaction connected to a specific username or bill number in a Business, the PartySubIdOrType element should be used. - DEVICE - A specific device (for example, a POS or ATM) ID connected to a specific business or organization is used as reference to a Party. For referencing a specific device under a specific business or organization, use the PartySubIdOrType element. - ACCOUNT_ID - A bank account number or FSP account ID should be used as reference to a participant. The ACCOUNT_ID identifier can be in any format, as formats can greatly differ depending on country and FSP. - IBAN - A bank account number or FSP account ID is used as reference to a participant. The IBAN identifier can consist of up to 34 alphanumeric characters and should be entered without whitespace. - ALIAS An alias is used as reference to a participant. The alias should be created in the FSP as an alternative reference to an account owner. Another example of an alias is a username in the FSP system. The ALIAS identifier can be in any format. It is also possible to use the PartySubIdOrType element for identifying an account under an Alias defined by the PartyIdentifier. - CONSENT - A Consent represents an agreement between a PISP, a Customer and a DFSP which allows the PISP permission to perform actions on behalf of the customer. A Consent has an authoritative source: either the DFSP who issued the Consent, or an Auth Service which administers the Consent. - THIRD_PARTY_LINK - A Third Party Link represents an agreement between a PISP, a DFSP, and a specific Customer's account at the DFSP. The content of the link is created by the DFSP at the time when it gives permission to the PISP for specific access to a given account. example: PERSONAL_ID partyIdentifier: title: PartyIdentifier type: string minLength: 1 maxLength: 128 description: Identifier of the Party. example: '16135551212' partySubIdOrType: title: PartySubIdOrType type: string minLength: 1 maxLength: 128 description: 'Either a sub-identifier of a PartyIdentifier, or a sub-type of the PartyIdType, normally a PersonalIdentifierType.' fspId: title: FspId type: string minLength: 1 maxLength: 32 description: FSP identifier. extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - partyIdType - partyIdentifier description: Information about the Payer in the proposed financial transaction. amountType: allOf: - title: AmountType type: string enum: - SEND - RECEIVE description: |- Below are the allowed values for the enumeration AmountType. - SEND - Amount the Payer would like to send, that is, the amount that should be withdrawn from the Payer account including any fees. - RECEIVE - Amount the Payer would like the Payee to receive, that is, the amount that should be sent to the receiver exclusive of any fees. example: RECEIVE description: 'SEND for sendAmount, RECEIVE for receiveAmount.' amount: allOf: - title: Money type: object description: Data model for the complex type Money. properties: currency: title: Currency description: 'The currency codes defined in [ISO 4217](https://www.iso.org/iso-4217-currency-codes.html) as three-letter alphabetic codes are used as the standard naming representation for currencies.' type: string minLength: 3 maxLength: 3 enum: - AED - AFN - ALL - AMD - ANG - AOA - ARS - AUD - AWG - AZN - BAM - BBD - BDT - BGN - BHD - BIF - BMD - BND - BOB - BRL - BSD - BTN - BWP - BYN - BZD - CAD - CDF - CHF - CLP - CNY - COP - CRC - CUC - CUP - CVE - CZK - DJF - DKK - DOP - DZD - EGP - ERN - ETB - EUR - FJD - FKP - GBP - GEL - GGP - GHS - GIP - GMD - GNF - GTQ - GYD - HKD - HNL - HRK - HTG - HUF - IDR - ILS - IMP - INR - IQD - IRR - ISK - JEP - JMD - JOD - JPY - KES - KGS - KHR - KMF - KPW - KRW - KWD - KYD - KZT - LAK - LBP - LKR - LRD - LSL - LYD - MAD - MDL - MGA - MKD - MMK - MNT - MOP - MRO - MUR - MVR - MWK - MXN - MYR - MZN - NAD - NGN - NIO - NOK - NPR - NZD - OMR - PAB - PEN - PGK - PHP - PKR - PLN - PYG - QAR - RON - RSD - RUB - RWF - SAR - SBD - SCR - SDG - SEK - SGD - SHP - SLL - SOS - SPL - SRD - STD - SVC - SYP - SZL - THB - TJS - TMT - TND - TOP - TRY - TTD - TVD - TWD - TZS - UAH - UGX - USD - UYU - UZS - VEF - VND - VUV - WST - XAF - XCD - XDR - XOF - XPF - XTS - XXX - YER - ZAR - ZMW - ZWD amount: title: Amount type: string pattern: '^([0]|([1-9][0-9]{0,17}))([.][0-9]{0,3}[1-9])?$' description: 'The API data type Amount is a JSON String in a canonical format that is restricted by a regular expression for interoperability reasons. This pattern does not allow any trailing zeroes at all, but allows an amount without a minor currency unit. It also only allows four digits in the minor currency unit; a negative value is not allowed. Using more than 18 digits in the major currency unit is not allowed.' example: '123.45' required: - currency - amount description: Requested amount to be transferred from the Payer to Payee. transactionType: allOf: - $ref: '#/paths/~1thirdpartyRequests~1authorizations/post/requestBody/content/application~1json/schema/properties/transactionType' description: Type of transaction. note: type: string minLength: 1 maxLength: 256 description: A memo that will be attached to the transaction. expiration: type: string description: | Date and time until when the transaction request is valid. It can be set to get a quick failure in case the peer FSP takes too long to respond. example: '2016-05-24T08:38:08.699-04:00' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - transactionRequestId - payee - payer - amountType - amount - transactionType - expiration responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/thirdpartyRequests/transactions/{ID}': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' get: tags: - thirdpartyRequests - sampled operationId: GetThirdpartyTransactionRequests summary: GetThirdpartyTransactionRequests description: | The HTTP request `GET /thirdpartyRequests/transactions/{ID}` is used to request the retrieval of a third party transaction request. parameters: - $ref: '#/paths/~1consents/post/parameters/0' responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' put: tags: - thirdpartyRequests - sampled operationId: UpdateThirdPartyTransactionRequests summary: UpdateThirdPartyTransactionRequests description: | The HTTP request `PUT /thirdpartyRequests/transactions/{ID}` is used by the DFSP to inform the client about the status of a previously requested thirdparty transaction request. Switch(Thirdparty API Adapter) -> PISP parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: required: true content: application/json: schema: title: ThirdpartyRequestsTransactionsIDPutResponse type: object description: |- Used by: DFSP After a PISP requests the creation of a Third Party Transaction request (POST /thirdpartyRequests/transactions) or the status of a previously created Third Party Transaction request (GET /thirdpartyRequests/transactions/{ID}), the DFSP will send this callback. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31721-put-thirdpartyrequeststransactionsid properties: transactionRequestState: title: TransactionRequestState type: string enum: - RECEIVED - PENDING - ACCEPTED - REJECTED description: |- Below are the allowed values for the enumeration. - RECEIVED - Payer FSP has received the transaction from the Payee FSP. - PENDING - Payer FSP has sent the transaction request to the Payer. - ACCEPTED - Payer has approved the transaction. - REJECTED - Payer has rejected the transaction. example: RECEIVED extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - transactionRequestState example: transactionRequestState: RECEIVED responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' patch: operationId: NotifyThirdpartyTransactionRequests summary: NotifyThirdpartyTransactionRequests description: | The HTTP request `PATCH /thirdpartyRequests/transactions/{ID}` is used to notify a thirdparty of the outcome of a transaction request. Switch(Thirdparty API Adapter) -> PISP tags: - thirdpartyRequests parameters: - $ref: '#/paths/~1consents/post/parameters/0' - $ref: '#/paths/~1consents/post/parameters/1' requestBody: required: true content: application/json: schema: title: ThirdpartyRequestsTransactionsIDPatchResponse type: object description: |- Used by: DFSP The issuing PISP will expect a response to their request for a transfer which describes the finalized state of the requested transfer. This response will be given by a PATCH call on the /thirdpartyRequests/transactions/{ID} resource. The {ID} given in the query string should be the transactionRequestId which was originally used by the PISP to identify the transaction request. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31612-post-thirdpartyrequestsauthorizations properties: completedTimestamp: title: DateTime type: string pattern: '^(?:[1-9]\d{3}-(?:(?:0[1-9]|1[0-2])-(?:0[1-9]|1\d|2[0-8])|(?:0[13-9]|1[0-2])-(?:29|30)|(?:0[13578]|1[02])-31)|(?:[1-9]\d(?:0[48]|[2468][048]|[13579][26])|(?:[2468][048]|[13579][26])00)-02-29)T(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:(\.\d{3}))(?:Z|[+-][01]\d:[0-5]\d)$' description: 'The API data type DateTime is a JSON String in a lexical format that is restricted by a regular expression for interoperability reasons. The format is according to [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html), expressed in a combined date, time and time zone format. A more readable version of the format is yyyy-MM-ddTHH:mm:ss.SSS[-HH:MM]. Examples are "2016-05-24T08:38:08.699-04:00", "2016-05-24T08:38:08.699Z" (where Z indicates Zulu time zone, same as UTC).' example: '2016-05-24T08:38:08.699-04:00' transactionRequestState: $ref: '#/paths/~1thirdpartyRequests~1transactions~1%7BID%7D/put/requestBody/content/application~1json/schema/properties/transactionRequestState' transactionState: title: TransactionState type: string enum: - RECEIVED - PENDING - COMPLETED - REJECTED description: |- Below are the allowed values for the enumeration. - RECEIVED - Payee FSP has received the transaction from the Payer FSP. - PENDING - Payee FSP has validated the transaction. - COMPLETED - Payee FSP has successfully performed the transaction. - REJECTED - Payee FSP has failed to perform the transaction. example: RECEIVED extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - transactionRequestState - transactionState example: transactionRequestState: ACCEPTED transactionState: COMMITTED responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/thirdpartyRequests/transactions/{ID}/error': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' put: tags: - thirdpartyRequests - sampled operationId: ThirdpartyTransactionRequestsError summary: ThirdpartyTransactionRequestsError description: | If the server is unable to find the transaction request, or another processing error occurs, the error callback `PUT /thirdpartyRequests/transactions/{ID}/error` is used. The `{ID}` in the URI should contain the `transactionRequestId` that was used for the creation of the thirdparty transaction request. parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Error information returned. required: true content: application/json: schema: $ref: '#/paths/~1accounts~1%7BID%7D~1error/put/requestBody/content/application~1json/schema' responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' /thirdpartyRequests/verifications: parameters: - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' post: tags: - thirdpartyRequests - sampled operationId: PostThirdpartyRequestsVerifications summary: PostThirdpartyRequestsVerifications description: | The HTTP request `POST /thirdpartyRequests/verifications` is used by the DFSP to verify a third party authorization. parameters: - $ref: '#/paths/~1consents/post/parameters/0' - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: The thirdparty authorization details to verify required: true content: application/json: schema: oneOf: - title: ThirdpartyRequestsVerificationsPostRequestFIDO type: object description: The object sent in the POST /thirdpartyRequests/verifications request. properties: verificationRequestId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' challenge: type: string description: Base64 encoded bytes - The challenge generated by the DFSP. consentId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' description: | The id of the stored consent object that contains the credential with which to verify the signed challenge against. signedPayloadType: title: SignedPayloadTypeFIDO type: string enum: - FIDO description: Describes a challenge that has been signed with FIDO Attestation flows fidoSignedPayload: title: FIDOPublicKeyCredentialAssertion type: object description: | A data model representing a FIDO Assertion result. Derived from PublicKeyCredential Interface in WebAuthN. The PublicKeyCredential interface represents the below fields with a Type of Javascript ArrayBuffer. For this API, we represent ArrayBuffers as base64 encoded utf-8 strings. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#32128-fidopublickeycredentialassertion properties: id: type: string description: | credential id: identifier of pair of keys, base64 encoded https://w3c.github.io/webauthn/#ref-for-dom-credential-id minLength: 59 maxLength: 118 rawId: type: string description: | raw credential id: identifier of pair of keys, base64 encoded. minLength: 59 maxLength: 118 response: type: object description: | AuthenticatorAssertionResponse properties: authenticatorData: type: string description: | Authenticator data object. minLength: 49 maxLength: 256 clientDataJSON: type: string description: | JSON string with client data. minLength: 121 maxLength: 512 signature: type: string description: | The signature generated by the private key associated with this credential. minLength: 59 maxLength: 256 userHandle: type: string description: | This field is optionally provided by the authenticator, and represents the user.id that was supplied during registration. minLength: 1 maxLength: 88 required: - authenticatorData - clientDataJSON - signature additionalProperties: false type: type: string description: 'response type, we need only the type of public-key' enum: - public-key required: - id - rawId - response - type additionalProperties: false extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - verificationRequestId - challenge - consentId - signedPayloadType - fidoSignedPayload - title: ThirdpartyRequestsVerificationsPostRequestGeneric type: object description: The object sent in the POST /thirdpartyRequests/verifications request. properties: verificationRequestId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' challenge: type: string description: Base64 encoded bytes - The challenge generated by the DFSP. consentId: allOf: - $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/consentRequestId' description: | The id of the stored consent object that contains the credential with which to verify the signed challenge against. signedPayloadType: title: SignedPayloadTypeGeneric type: string enum: - GENERIC description: Describes a challenge that has been signed with a private key genericSignedPayload: $ref: '#/paths/~1consentRequests~1%7BID%7D/patch/requestBody/content/application~1json/schema/properties/authToken' extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - verificationRequestId - challenge - consentId - signedPayloadType - genericSignedPayload responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/thirdpartyRequests/verifications/{ID}': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' get: tags: - thirdpartyRequests - sampled operationId: GetThirdpartyRequestsVerificationsById summary: GetThirdpartyRequestsVerificationsById description: | The HTTP request `/thirdpartyRequests/verifications/{ID}` is used to get information regarding a previously created or requested authorization. The *{ID}* in the URI should contain the verification request ID parameters: - $ref: '#/paths/~1consents/post/parameters/0' responses: '202': $ref: '#/paths/~1consents/post/responses/202' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' put: tags: - thirdpartyRequests - sampled operationId: PutThirdpartyRequestsVerificationsById summary: PutThirdpartyRequestsVerificationsById description: |- The HTTP request `PUT /thirdpartyRequests/verifications/{ID}` is used by the Auth-Service to inform the DFSP of a successful result in validating the verification of a Thirdparty Transaction Request. If the validation fails, the auth-service will send back `PUT /thirdpartyRequests/verifications/{ID}` with `authenticationResponse: 'REJECTED'`. In unplanned error cases the Auth-Service MUST use `PUT /thirdpartyRequests/verifications/{ID}/error`. parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: The result of validating the Thirdparty Transaction Request required: true content: application/json: schema: title: ThirdpartyRequestsVerificationsIDPutResponse type: object description: |- Used by: Auth Service The callback PUT /thirdpartyRequests/verifications/{ID} is used to inform the client of the result of an authorization check. The {ID} in the URI should contain the authorizationRequestId which was used to request the check, or the {ID} that was used in the GET /thirdpartyRequests/verifications/{ID}. https://github.com/mojaloop/documentation/blob/main/website/versioned_docs/v1.0.1/api/thirdparty/data-models.md#31821-put-thirdpartyrequestsverificationsid properties: authenticationResponse: title: AuthenticationResponse type: string enum: - VERIFIED description: |- The AuthenticationResponse enumeration describes the result of authenticating verification request. Below are the allowed values for the enumeration AuthenticationResponse. - VERIFIED - The challenge was correctly signed. extensionList: $ref: '#/paths/~1consentRequests/post/requestBody/content/application~1json/schema/properties/extensionList' required: - authenticationResponse example: authenticationResponse: VERIFIED responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503' '/thirdpartyRequests/verifications/{ID}/error': parameters: - $ref: '#/paths/~1accounts~1%7BID%7D/parameters/0' - $ref: '#/paths/~1consents/parameters/0' - $ref: '#/paths/~1consents/parameters/1' - $ref: '#/paths/~1consents/parameters/2' - $ref: '#/paths/~1consents/parameters/3' - $ref: '#/paths/~1consents/parameters/4' - $ref: '#/paths/~1consents/parameters/5' - $ref: '#/paths/~1consents/parameters/6' - $ref: '#/paths/~1consents/parameters/7' - $ref: '#/paths/~1consents/parameters/8' put: tags: - thirdpartyRequests - sampled operationId: PutThirdpartyRequestsVerificationsByIdAndError summary: PutThirdpartyRequestsVerificationsByIdAndError description: | The HTTP request `PUT /thirdpartyRequests/verifications/{ID}/error` is used by the Auth-Service to inform the DFSP of a failure in validating or looking up the verification of a Thirdparty Transaction Request. parameters: - $ref: '#/paths/~1consents/post/parameters/1' requestBody: description: Error information returned. required: true content: application/json: schema: $ref: '#/paths/~1accounts~1%7BID%7D~1error/put/requestBody/content/application~1json/schema' responses: '200': $ref: '#/paths/~1accounts~1%7BID%7D/put/responses/200' '400': $ref: '#/paths/~1consents/post/responses/400' '401': $ref: '#/paths/~1consents/post/responses/401' '403': $ref: '#/paths/~1consents/post/responses/403' '404': $ref: '#/paths/~1consents/post/responses/404' '405': $ref: '#/paths/~1consents/post/responses/405' '406': $ref: '#/paths/~1consents/post/responses/406' '501': $ref: '#/paths/~1consents/post/responses/501' '503': $ref: '#/paths/~1consents/post/responses/503'