Technical FAQs

How long are the access / refresh tokens and consents valid for?

Intent (validity) - how long the PSU has to confirm the intent after a POST/ Consent or POST/ Payment is made by a TPP.
Access token (validity) - how long the ACG / DG token, which is needed to call the APIs, is valid for.
Refresh token (validity) - how long the refresh token, which is required to get a new access token, is valid for.
Consent (validity) - how long the consent given to the TPP by the PSU is valid for.

| Intent type | Intent (validity) | Access token (validity) | Refresh token (validity) | Consent (validity) |
|---|---|---|---|---|
| Accounts | 15 mins | 24 hours | 90 days | 90 days for GB, 180 days for the other supported countries |
| Card Accounts | 15 mins | 24 hours | 90 days | 90 days for GB, 180 days for the other supported countries |
| Payments | 15 mins | 15 mins | N/A | 15 mins |
| Confirmation of Funds | 15 mins | 15 mins | N/A | Until consent is removed |

Important: The times above are the values currently configured. Always use the expires_in parameter value rather than hard-coding these times (e.g. 24 hours, 15 mins), as they could change in the future.
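One way to follow this advice, shown as an added example that is not code from this API provider: a token holder that derives expiry only from the expires_in value in each token response and refreshes shortly before it lapses. The class name TokenStore, the refresh callable, the 30-second margin and the sample token values are assumptions; access_token and refresh_token are assumed to be the standard OAuth 2.0 response field names.

```python
import time

class TokenStore:
    """Holds one token set; expiry comes from the server's expires_in only."""

    def __init__(self, refresh, clock=time.monotonic, skew=30):
        self._refresh = refresh    # hypothetical callable: refresh_token -> token response dict
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._skew = skew          # seconds of margin so a token is not sent as it expires
        self._access = None
        self._refresh_token = None
        self._expires_at = 0.0

    def store(self, response):
        expires_in = response.get("expires_in")   # lifetime in seconds from issuance
        if not isinstance(expires_in, (int, float)) or expires_in <= 0:
            raise ValueError("token response has no usable expires_in")
        self._access = response["access_token"]
        # Keep the previous refresh token when the response does not rotate it.
        self._refresh_token = response.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + expires_in

    def access_token(self):
        if self._access and self._clock() < self._expires_at - self._skew:
            return self._access
        if self._refresh_token is None:
            # Payments and Confirmation of Funds: refresh token is N/A
            raise PermissionError("access token expired; PSU must authorise again")
        self.store(self._refresh(self._refresh_token))
        return self._access


def demo():
    """Constructed token responses and a fake clock; no network calls."""
    now = [0.0]
    store = TokenStore(lambda rt: {"access_token": "at-2", "expires_in": 3600},
                       clock=lambda: now[0])
    store.store({"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 86400})
    first = store.access_token()      # still valid
    now[0] = 86400 - 10               # inside the 30 s margin
    second = store.access_token()     # refreshed
    return first, second
```

Because the next expiry is recomputed from every response, a change to the server-side lifetimes needs no client change.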

How do I integrate with your authorization flow?

Please refer to our Technical Guidelines, specifically the ones dedicated to SCA Decoupled and SCA Redirect.

How can I update the Redirect URL for my App?

At the moment, we don't support functionality for updating Apps (other than adding subscriptions). To update the Redirect URL for your App, you'll need to register a new App with the new Redirect URL. The functionality to update the Redirect URL for an existing App is on our roadmap for future improvements.

How does the SCA Decoupled authentication flow work in case we don't support QR codes?

The BankID app always needs to be started with an autoStartToken. The autoStartToken is used in two ways:

1) If the Mobile BankID app is on a different device, you have to build a QR code based on the autoStartToken.
2) If the Mobile BankID app is on the same device, you can use the autoStartToken as a query parameter.