Access for Third Party Providers
Third Party Providers (TPPs) can use the Weavr Open Banking APIs to:
- Access end-customer account information.
- Submit a payment for an end-customer.
Open a Weavr Sandbox TPP account
Open a Sandbox TPP account by sending a request to the support team. You need to provide the following information:
- Company Name
- eIDAS/OBWAC certificate
- Contact details
  - Name & Surname
  - Email address
  - Position
- Innovator applications to access
- Access level
  - Account Information
  - Payment Initiation
- Redirect URL (for consent flow completion)
You can use the Sandbox environment even if you haven't received a valid certificate yet. In this case, you can send a Certificate Signing Request (CSR) instead. A signed Sandbox certificate will be issued for you.
TPP Authentication
Requests to the Weavr Open Banking APIs must present the following headers as means of authentication:
- Digest
- TPP-Signature
- Programme-Key
Digest
The Digest header contains a hash of the HTTP request body. It should take the form of Digest: {digest-algorithm}={base64-encoded-digest}. Only SHA-256 and SHA-512 are allowed as {digest-algorithm}.
Compute the digest over the unmodified body contents, exactly as they are sent. If the request does not require a body, then the Digest should be that of a null input.
TPP-Signature
The TPP-Signature header should take the form of:
TPP-Signature: keyId="{key-identifier}",algorithm="{signature-algorithm}",headers="{header1} {header2} {headerN}",signature="{message-signature}"
- {key-identifier} is the key identifier provided by Weavr during registration.
- {signature-algorithm} is the identifier of the algorithm used to sign the message, one of rsa-sha256 or rsa-sha512.
- {headers} is the list of message header parameters included in {signing string} (read more below). It’s mandatory to include at least the following:
  - Date (in standard RFC 1123 format)
  - Digest
  - TPP-Consent-ID (if required for the request, then it will be required for the signature)
- {signature} is the base64 encoded result of the signature algorithm.
The {signing string} should be obtained by concatenating all the headers specified in {headers}, in the same order, and observing the following rules:
- The included header names are in lowercase
- The included header names are immediately followed by an ASCII colon : (with no spaces in between)
- The : is followed by a single space.
- Each header is followed by a newline (\n) character, except the last header
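The Digest, signing string and TPP-Signature construction described above, as an added Node.js example (not Weavr's own code). It assumes RSASSA-PKCS1-v1_5 padding for rsa-sha256 and lowercase names in the headers parameter; the key pair, key identifier and programme key are constructed placeholders.

```javascript
const crypto = require('crypto');

// Digest header: hash of the exact body as sent; no body means the empty input.
function buildDigest(body = '', algorithm = 'SHA-256') {
  if (!['SHA-256', 'SHA-512'].includes(algorithm)) {
    throw new Error(`unsupported digest algorithm: ${algorithm}`);
  }
  const hash = crypto.createHash(algorithm.replace('-', '').toLowerCase());
  return `${algorithm}=${hash.update(body).digest('base64')}`;
}

// Signing string: "name: value" per listed header, lowercase names, in the
// listed order, joined by "\n" with no newline after the last header.
function buildSigningString(headers, names) {
  return names.map((name) => {
    const key = Object.keys(headers).find((h) => h.toLowerCase() === name.toLowerCase());
    if (key === undefined) throw new Error(`header to sign is missing: ${name}`);
    return `${name.toLowerCase()}: ${headers[key]}`;
  }).join('\n');
}

// Assumptions: PKCS#1 v1.5 padding (Node's default for RSA keys) and
// lowercase header names inside headers="...".
function signRequest({ keyId, privateKey, programmeKey, body = '', consentId, date = new Date() }) {
  const headers = { Date: date.toUTCString(), Digest: buildDigest(body), 'Programme-Key': programmeKey };
  const signed = ['Date', 'Digest'];
  if (consentId) { headers['TPP-Consent-ID'] = consentId; signed.push('TPP-Consent-ID'); }
  const signingString = buildSigningString(headers, signed);
  const signature = crypto.sign('sha256', Buffer.from(signingString), privateKey).toString('base64');
  const list = signed.map((n) => n.toLowerCase()).join(' ');
  headers['TPP-Signature'] =
    `keyId="${keyId}",algorithm="rsa-sha256",headers="${list}",signature="${signature}"`;
  return { headers, signingString };
}

// Constructed demo: throwaway key pair, placeholder identifiers, fixed date.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const req = signRequest({
    keyId: 'example-key-id', privateKey, programmeKey: 'example-programme-key',
    consentId: '107491802074120201', date: new Date(Date.UTC(2021, 11, 22, 17, 38, 57)),
  });
  const sig = /signature="([^"]+)"/.exec(req.headers['TPP-Signature'])[1];
  const verified = crypto.verify('sha256', Buffer.from(req.signingString), publicKey, Buffer.from(sig, 'base64'));
  return { ...req, verified };
}

console.log(demo().headers);
```

Sign the same bytes that go on the wire: if an HTTP client re-serialises the JSON body after the digest is computed, the Digest no longer matches the body.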
Accessing Account Information
To access account information, you must first obtain consent from the user. Create the consent by sending the following request with the appropriate authentication headers:
POST {{server-url}}/openbanking/account_information/consents
// empty body
Example response:
{
  "createdTimestamp": 1640194737893,
  "expiry": 1647970737893,
  "id": "107491802074120201",
  "lastUpdated": 1640194737893,
  "links": {
    "redirect": "https://openbanking.weavr.io/consent?programmeKey=1WH5wMcFqRYBfeM3MsMACQ%3D%3D&scope=ACCOUNT_INFORMATION&consentId=107491802074120201&tppId=107491800561942537"
  },
  "state": "AWAITING_AUTHORISATION",
  "tppId": "107491800561942537",
  "tppName": "Test2"
}
From this point, redirect the user to the given URL to obtain their consent. Once the user completes the flow, they will be redirected to the redirection URL provided during registration, with the additional request parameters:
- consentId: The original consentId that this flow corresponded to
- consentState: The state of the consent, which at this point could either be AUTHORISED or REJECTED
Once the consent flow is completed, the following endpoints are available to obtain account and transaction information by inclusion of the additional Consent-ID header:
Initiating a Payment
With the Weavr Open Banking APIs, you can initiate wire transfers from managed accounts.
Initiate a payment by sending an outgoing wire transfer payment initiation request.
POST {{server-url}}/openbanking/payment_initiation/outgoing_wire_transfers
{
  "sourceInstrument": {
    "type": "managed_accounts",
    "id": "107485916782985225"
  },
  "transferAmount": {
    "currency": "EUR",
    "amount": "9000"
  },
  "tag": "tag",
  "description": "wired transfer test",
  "destinationBeneficiary": {
    "name": "test beneficiary",
    "bankAccountDetails": {
      "iban": "DE75512108001245126199",
      "bankIdentifierCode": "AARBDE5W250"
    },
    "address": "address",
    "bankName": "bank name",
    "bankAddress": "bank address",
    "bankCountry": "DE"
  }
}
Example response:
{
  "consent": {
    "createdTimestamp": 1640194918703,
    "expiry": 1647970918703,
    "id": "107491813923684361",
    "lastUpdated": 1640194918703,
    "links": {
      "redirect": "https://openbanking.weavr.io/consent?programmeKey=1WH5wMcFqRYBfeM3MsMACQ%3D%3D&scope=PAYMENT_INITIATION&consentId=107491813923684361&tppId=107491800561942537&paymentType=OUTGOING_WIRE_TRANSFER"
    },
    "state": "AWAITING_AUTHORISATION",
    "tppId": "107491800561942537",
    "tppName": "Test2"
  },
  "paymentRequest": {
    "description": "wired transfer test",
    "destinationBeneficiary": {
      "address": "address",
      "bankAccountDetails": {
        "bankIdentifierCode": "AARBDE5W250",
        "iban": "DE75512108001245126199"
      },
      "bankAddress": "bank address",
      "bankCountry": "DE",
      "bankName": "bank name",
      "name": "test beneficiary"
    },
    "sourceInstrument": {
      "id": "107485916782985225",
      "type": "managed_accounts"
    },
    "tag": "tag",
    "transferAmount": {
      "amount": 9000,
      "currency": "EUR"
    }
  }
}
From this point, redirect the user to the given URL to obtain their consent. Once the user completes the flow, they will be redirected to the redirection URL provided during registration, with the additional request parameters:
- consentId: The original consentId that this flow corresponded to
- consentState: The state of the consent, which at this point could either be AUTHORISED or REJECTED