How long are the access / refresh tokens and consents valid for?
Intent (validity) - how long the PSU has to confirm the intent after a POST/ Consent or POST/ Payment is made by a TPP.
Access token (validity) - how long the ACG / DG token, which is needed to call the APIs, is valid for.
Refresh token (validity) - how long the refresh token, which is required to get a new access token, is valid for.
Consent (validity) - how long the consent given to the TPP by the PSU is valid for.
| Intent type | Intent (validity) | Access token (validity) | Refresh token (validity) | Consent (validity) |
|---|---|---|---|---|
| Accounts | 15 mins | 24 hours | 90 days | 90 days for GB, 180 days for the other supported countries |
| Card Accounts | 15 mins | 24 hours | 90 days | 90 days for GB, 180 days for the other supported countries |
| Payments | 15 mins | 15 mins | N/A | 15 mins |
| Confirmation of Funds | 15 mins | 15 mins | N/A | Until consent is removed |
Important: The times above are the values currently configured. However, please always use the expires_in parameter value rather than hard-coding these values (e.g. 24 hours, 15 mins), as they could change in the future.
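One way to follow this advice on the TPP side, as an added example that is not code from this API's documentation: a per-consent token cache that derives expiry from expires_in and treats a missing refresh token (the N/A rows above) as a signal to re-authorize. The refresh_call callable, the 30-second skew and the sample responses are assumptions made for the illustration; the field names are the standard OAuth 2.0 token response fields.

```python
import time
from typing import Callable, Optional

class ReauthorizationRequired(Exception):
    """No usable token: the PSU must go through the authorization flow again."""

class TokenCache:
    """Holds the tokens for ONE consent; expiry comes from expires_in, not constants."""

    def __init__(self, refresh_call: Callable[[str], dict],
                 clock: Callable[[], float] = time.time, skew: float = 30.0):
        self._refresh_call = refresh_call  # hypothetical: exchanges a refresh token
        self._clock = clock                # injectable so expiry can be tested
        self._skew = skew                  # assumed margin for latency and clock drift
        self._access: Optional[str] = None
        self._expires_at = 0.0
        self._refresh: Optional[str] = None

    def store(self, response: dict) -> None:
        """Record a token response; expires_in is in seconds (RFC 6749, section 5.1)."""
        self._access = response["access_token"]
        self._expires_at = self._clock() + float(response["expires_in"])
        # Keep the previous refresh token when the response does not carry a new one.
        self._refresh = response.get("refresh_token", self._refresh)

    def get(self) -> str:
        """Return a valid access token, refreshing once the server-given lifetime is up."""
        if self._access is None:
            raise ReauthorizationRequired("no token stored")
        if self._clock() < self._expires_at - self._skew:
            return self._access
        if self._refresh is None:
            # Payments / Confirmation of Funds: the table lists the refresh token as N/A.
            self._access = None
            raise ReauthorizationRequired("access token expired and no refresh token")
        self.store(self._refresh_call(self._refresh))
        return self._access

def demo() -> list:
    """Constructed responses (not real API output) driven by a fake clock."""
    now = [0.0]
    cache = TokenCache(lambda rt: {"access_token": "at-2", "expires_in": 600},
                       clock=lambda: now[0])
    cache.store({"access_token": "at-1", "expires_in": 900, "refresh_token": "rt-1"})
    first = cache.get()
    now[0] = 880.0  # inside the 30 s skew window of the 900 s lifetime
    return [first, cache.get()]  # -> ["at-1", "at-2"]
```

Use one cache instance per consent so that a refresh token from an Accounts consent is never carried over to a Payments token.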
How do I integrate with your authorization flow?
How can I update the Redirect URL for my App?
At the moment, we don't support functionality for updating Apps (other than adding subscriptions). So, to update the Redirect URL for your App, you'll need to register a new App with the new Redirect URL. The functionality to update the Redirect URL for an existing App is on our roadmap for future improvements.
How does the SCA Decoupled authentication flow work in case we don't support QR codes?
The BankID app always needs to be started with an autoStartToken. The autoStartToken is used in two ways:
1) If the Mobile BankID app is on a different device, you have to build a QR code based on the autoStartToken.
2) If the Mobile BankID app is on the same device, you can use the autoStartToken as a query parameter.