get familiar with tokens

  • token types
  • obtaining and renewing tokens
  • API endpoint-token restrictions

Using K&H’s APIs requires tokens in addition to the certificate referred to in the previous chapter. On every API call the token is passed as a Bearer token in the HTTP Authorization header (RFC 6750); on redirection to the K&H redirection screen for customer authentication, the token must be passed as a URL parameter.

Important: in the Authorization header the Bearer token must always have the following form:
„Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.ew0KCSJpc3MiOiAiYXBpLWFjdC5raC5odSIsDQoJImp0aSI6……”
Note: „Bearer” is case sensitive and must be followed by exactly one space and then the JWT itself. „Bearer” is the only accepted prefix; no other prefix or scheme is allowed.
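The header rules above, as an added example that is not K&H’s code: it builds the Authorization header, rejects the malformed variants the note forbids (lower-case „bearer”, two spaces, an extra prefix) and decodes a JWT’s header and payload without verifying the signature, so a TPP can renew a token shortly before it expires instead of waiting for the bank’s error. The demo token is constructed here; its header is the same as in the page’s sample (which decodes to {"typ":"JWT","alg":"RS256"}) and its issuer is the one visible in the sample payload, but the jti value, the exp claim and the signature segment are assumptions.

```python
# Added example (not K&H code): build and strictly validate the Authorization header the page
# requires, and peek at a JWT's claims without verifying it.
import base64
import json
import re
import time

# A compact JWT is three base64url segments joined by dots (RFC 7519).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
# Literal, case-sensitive "Bearer", exactly one space, the token, nothing before or after.
BEARER_RE = re.compile(r"^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def bearer_header(token: str) -> dict:
    """Header dict to send with a request; refuses anything that is not a compact JWT."""
    if not JWT_RE.fullmatch(token):
        raise ValueError("token is not a compact JWT")
    return {"Authorization": "Bearer " + token}


def is_valid_bearer(header_value: str) -> bool:
    """True only for exactly 'Bearer <JWT>'; 'bearer ...', 'Bearer  ...' and 'Token Bearer ...' fail."""
    return BEARER_RE.fullmatch(header_value) is not None


def parse_bearer(header_value: str) -> str:
    """Extract the JWT from an Authorization header value, enforcing the page's rules."""
    m = BEARER_RE.fullmatch(header_value)
    if not m:
        raise ValueError("Authorization header must be exactly 'Bearer <JWT>'")
    return m.group(1)


def peek_jwt(token: str) -> tuple:
    """Decode header and payload. The signature is NOT verified: the TPP only presents the token
    and K&H validates it, so never base an authorisation decision on these claims."""
    head, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(head)), json.loads(_b64url_decode(payload))


def seconds_until_expiry(token: str, now=None):
    """Assumption: the payload carries a standard 'exp' claim (seconds since the epoch).
    Returns None when absent and a negative number when already expired."""
    _, claims = peek_jwt(token)
    if "exp" not in claims:
        return None
    return claims["exp"] - (time.time() if now is None else now)


def make_demo_token(exp: int, iss: str = "api-act.kh.hu") -> str:
    """Constructed demo token: header as in the page's sample, placeholder signature (assumption)."""
    head = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps({"iss": iss, "jti": "demo-1", "exp": exp}).encode())
    return f"{head}.{body}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    tok = make_demo_token(exp=int(time.time()) + 600)
    hdr = bearer_header(tok)
    print(hdr["Authorization"][:50] + "...")
    print(peek_jwt(parse_bearer(hdr["Authorization"]))[0])   # {'typ': 'JWT', 'alg': 'RS256'}
    print(round(seconds_until_expiry(tok)))                    # about 600
```

Renewing a few seconds before the local exp check goes negative avoids one failed call per token lifetime, but keep the retry-on-error path as well: the bank’s clock and the „token unknown” case are only known server-side.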
 

There are two token types:

  • application authentication tokens;
  • and consent tokens.

For testing purposes and the proper use of our sandbox, valid tokens can be generated on your side via the dedicated sandbox token generator endpoint once your registration has been finalized.

Tokens expire and must be renewed after a certain period. The TPP receives an error message if it uses an expired token.

application authentication token

An application authentication token is used for the identification of the TPP’s application:

  • when K&H’s API is used;
  • upon redirection to the K&H redirection screen for customer authentication.

obtaining an application authentication token

Creating an application is necessary to use our APIs. An application authentication token is obtained when the application is registered. For testing purposes, the application token and the other tokens you need are generated for you once your registration is finalized.

renewing or regenerating an application authentication token

If your application authentication token has expired or the API responds with “token unknown”, use your unique application ID to request a new application authentication token through the token endpoint (/v1/tpp/app/token POST in the table below).

(diagram: expired TPP application token usage and retrieving a new one)

consent tokens

At least one token is connected to each consent. This token must be used for the operations that require the consent. A consent token also identifies the application that created the consent, so when a consent token is used the application authentication token need not be sent as well.

obtaining a consent token

The response of the API used to query the consent status (/v1/consents/{consentId}/status GET) contains the consent token in the token field of the header, provided the consent status is “valid”.

renewing or regenerating a consent token

A consent token is renewed the same way it is obtained: the consent status query creates a new token on every call while the consent status is “valid”. Use this when your consent token has expired or the API responds with “token unknown”.

(diagram: expired consent token usage and retrieving a new one)
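Both renewal procedures (application token via the token endpoint, consent token via the consent status query) as one TPP-side helper, added here as an example that is not K&H’s code. FakeKH is a constructed in-memory stand-in for the sandbox, not the bank’s behaviour: the 401 status, the error text, the request body field applicationId, the consentStatus body field and reading the new consent token from a response header named token are all assumptions, because the page does not give the wire formats. The client sends the consent token alone for consent-bound endpoints, renews whichever token the failed call used, and retries exactly once.

```python
# Added example (not K&H code): choose the right token per call, renew it on a
# "token unknown" / expired reply and retry once. FakeKH is a constructed stand-in.
import itertools


class FakeKH:
    """Constructed stand-in for the bank: remembers which tokens it has issued and still accepts."""

    def __init__(self, consents):
        self.consents = dict(consents)      # consentId -> status, e.g. {"c-1": "valid"}
        self.live = set()                   # tokens currently accepted
        self._seq = {"app": itertools.count(1), "consent": itertools.count(1)}
        self.calls = []                     # (method, path, token) log for inspection

    def _issue(self, kind):
        token = f"{kind}.{next(self._seq[kind])}"
        self.live.add(token)
        return token

    def expire(self, token):
        """Simulate expiry (or any other reason the bank no longer knows a token)."""
        self.live.discard(token)

    def request(self, method, path, headers=None, body=None):
        auth = (headers or {}).get("Authorization")
        token = auth[len("Bearer "):] if auth else None
        self.calls.append((method, path, token))
        if (method, path) == ("POST", "/v1/tpp/app/token"):
            # The table marks no token for this endpoint; the TPP certificate identifies the caller.
            return 200, {}, {"token": self._issue("app")}
        if token not in self.live:
            return 401, {}, {"message": "token unknown"}     # error shape is an assumption
        if method == "GET" and path.startswith("/v1/consents/") and path.endswith("/status"):
            consent_id = path.split("/")[3]
            status = self.consents.get(consent_id, "unknown")
            hdrs = {"token": self._issue("consent")} if status == "valid" else {}
            return 200, hdrs, {"consentStatus": status}
        return 200, {}, {"ok": True}


class KHClient:
    TOKEN_ERRORS = ("token unknown", "expired")

    def __init__(self, transport, app_id):
        self.transport = transport   # callable(method, path, headers=, body=) -> (status, headers, body)
        self.app_id = app_id
        self.app_token = None
        self.consent_tokens = {}     # consentId -> current consent token

    def renew_app_token(self):
        """Fresh application token from the token endpoint, identified by the application ID."""
        status, _, body = self.transport("POST", "/v1/tpp/app/token",
                                         body={"applicationId": self.app_id})   # field name assumed
        if status != 200:
            raise RuntimeError(f"application token renewal failed: {status}")
        self.app_token = body["token"]
        return self.app_token

    def renew_consent_token(self, consent_id):
        """Re-query the consent status with the application token; a 'valid' consent yields a
        new token on every call, read here from the response header 'token' (assumption)."""
        if self.app_token is None:
            self.renew_app_token()
        status, hdrs, body = self._call("GET", f"/v1/consents/{consent_id}/status",
                                        self.app_token, self.renew_app_token)
        if status != 200 or body.get("consentStatus") != "valid":
            raise RuntimeError(f"consent {consent_id} is not valid: {body}")
        self.consent_tokens[consent_id] = hdrs["token"]
        return hdrs["token"]

    def _call(self, method, path, token, renew):
        status, hdrs, body = self.transport(method, path, headers={"Authorization": "Bearer " + token})
        if status == 401 and any(e in body.get("message", "") for e in self.TOKEN_ERRORS):
            token = renew()          # renew the token this call used, then retry once; never loop
            status, hdrs, body = self.transport(method, path, headers={"Authorization": "Bearer " + token})
        return status, hdrs, body

    def call_with_app_token(self, method, path):
        if self.app_token is None:
            self.renew_app_token()
        return self._call(method, path, self.app_token, self.renew_app_token)

    def call_with_consent_token(self, method, path, consent_id):
        """Consent-bound endpoints: the consent token alone suffices, it identifies the app too."""
        if consent_id not in self.consent_tokens:
            self.renew_consent_token(consent_id)
        return self._call(method, path, self.consent_tokens[consent_id],
                          lambda: self.renew_consent_token(consent_id))


def run_demo():
    """Bootstrap both tokens, then let each expire in turn and show the transparent renewal."""
    bank = FakeKH({"c-1": "valid"})
    client = KHClient(bank.request, app_id="app-123")
    client.call_with_consent_token("GET", "/v1/accounts/acc-1/balances", "c-1")
    bank.expire(client.consent_tokens["c-1"])
    status_after_consent_expiry = client.call_with_consent_token("GET", "/v1/accounts/acc-1/balances", "c-1")[0]
    bank.expire(client.app_token)
    status_after_app_expiry = client.call_with_app_token("POST", "/v1/consents/")[0]
    return bank, client, status_after_consent_expiry, status_after_app_expiry


if __name__ == "__main__":
    for call in run_demo()[0].calls:
        print(call)
```

The single-retry rule matters: if the consent is no longer „valid”, the status query returns no token and renew_consent_token raises instead of retrying, so a revoked consent surfaces as an error rather than a retry loop against the bank.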

which kind of token you can use for which API endpoint

Column key: App = TPP application authentication token; PSU = PSU identification token; Bal = account balance token; Hist = transaction history token; Funds = funds confirmation token. PSU, Bal, Hist and Funds are the consent-token kinds (PSU = payment service user). x = that token can be used to call the endpoint, - = it cannot. An endpoint marked in both the App column and a consent-token column accepts the consent token on its own, since a consent token also identifies the application.

App  PSU  Bal  Hist Funds  Method  API endpoint
x    x    -    -    -      POST    /v1/payments/payment-order
-    x    -    -    -      GET     /v1/payments/payment-order/{paymentId}
x    x    -    -    -      GET     /v1/payments/payment-order/{paymentId}/status
-    x    -    -    -      DELETE  /v1/payments/payment-order/{paymentId}
x    x    -    -    -      POST    /v1/payments/payment-order/{paymentId}/authorisations
x    x    -    -    -      GET     /v1/payments/payment-order/{paymentId}/authorisations
-    x    -    -    -      PUT     /v1/payments/payment-order/{paymentId}/authorisations/{authorisationId}
x    x    -    -    -      GET     /v1/payments/payment-order/{paymentId}/authorisations/{authorisationId}

x    x    -    -    -      POST    /v1/bulk-payments/payment-order
-    x    -    -    -      GET     /v1/bulk-payments/payment-order/{paymentId}
x    x    -    -    -      GET     /v1/bulk-payments/payment-order/{paymentId}/status
-    x    -    -    -      DELETE  /v1/bulk-payments/payment-order/{paymentId}
x    x    -    -    -      POST    /v1/bulk-payments/payment-order/{paymentId}/authorisations
x    x    -    -    -      GET     /v1/bulk-payments/payment-order/{paymentId}/authorisations
-    x    -    -    -      PUT     /v1/bulk-payments/payment-order/{paymentId}/authorisations/{authorisationId}
x    x    -    -    -      GET     /v1/bulk-payments/payment-order/{paymentId}/authorisations/{authorisationId}

x    x    -    -    -      POST    /v1/periodic-payments/standing-order
-    x    -    -    -      GET     /v1/periodic-payments/standing-order/{paymentId}
x    x    -    -    -      GET     /v1/periodic-payments/standing-order/{paymentId}/status
-    x    -    -    -      DELETE  /v1/periodic-payments/standing-order/{paymentId}
x    x    -    -    -      POST    /v1/periodic-payments/standing-order/{paymentId}/authorisations
x    x    -    -    -      GET     /v1/periodic-payments/standing-order/{paymentId}/authorisations
-    x    -    -    -      PUT     /v1/periodic-payments/standing-order/{paymentId}/authorisations/{authorisationId}
x    x    -    -    -      GET     /v1/periodic-payments/standing-order/{paymentId}/authorisations/{authorisationId}

x    x    -    -    -      POST    /v1/signing-baskets
x    x    -    -    -      GET     /v1/signing-baskets/{basketId}
x    x    -    -    -      DELETE  /v1/signing-baskets/{basketId}
x    x    -    -    -      GET     /v1/signing-baskets/{basketId}/authorisations
-    x    -    -    -      PUT     /v1/signing-baskets/{basketId}/authorisations/{authorisationId}
x    x    -    -    -      GET     /v1/signing-baskets/{basketId}/authorisations/{authorisationId}

x    x    -    -    -      POST    /v1/bulk-payments/payment-order/{paymentId}/cancellation-authorisations
x    x    -    -    -      GET     /v1/bulk-payments/payment-order/{paymentId}/cancellation-authorisations
-    x    -    -    -      PUT     /v1/bulk-payments/payment-order/{paymentId}/cancellation-authorisations/{cancellationId}
x    x    -    -    -      GET     /v1/bulk-payments/payment-order/{paymentId}/cancellation-authorisations/{cancellationId}
x    x    -    -    -      POST    /v1/payments/payment-order/{paymentId}/cancellation-authorisations
x    x    -    -    -      GET     /v1/payments/payment-order/{paymentId}/cancellation-authorisations
-    x    -    -    -      PUT     /v1/payments/payment-order/{paymentId}/cancellation-authorisations/{cancellationId}
x    x    -    -    -      GET     /v1/payments/payment-order/{paymentId}/cancellation-authorisations/{cancellationId}
x    x    -    -    -      POST    /v1/periodic-payments/standing-order/{paymentId}/cancellation-authorisations
x    x    -    -    -      GET     /v1/periodic-payments/standing-order/{paymentId}/cancellation-authorisations
-    x    -    -    -      PUT     /v1/periodic-payments/standing-order/{paymentId}/cancellation-authorisations/{cancellationId}
x    x    -    -    -      GET     /v1/periodic-payments/standing-order/{paymentId}/cancellation-authorisations/{cancellationId}

-    -    x    x    -      GET     /v1/accounts/{account-id}
-    -    x    -    -      GET     /v1/accounts/{account-id}/balances
-    -    -    x    -      GET     /v1/accounts/{account-id}/transactions
-    -    -    x    -      GET     /v1/accounts/{account-id}/transactions/download/{downloadid}

x    x    -    -    -      POST    /v1/consents/
-    x    -    -    -      GET     /v1/consents/{consentId}
x    x    -    -    -      POST    /v1/consents/{consentId}/authorisations
x    x    -    -    -      GET     /v1/consents/{consentId}/authorisations
x    x    -    -    -      GET     /v1/consents/{consentId}/authorisations/{authorisationId}
x    x    -    -    -      PUT     /v1/consents/{consentId}/authorisations/{authorisationId}
x    x    -    -    -      GET     /v1/consents/{consentId}/status
x    x    -    -    -      DELETE  /v1/consents/{consentId}

-    -    -    -    x      POST    /v1/funds-confirmations

-    -    -    -    -      POST    /v1/tpp/app
-    -    -    -    -      PUT     /v1/tpp/contact
-    -    -    -    -      POST    /v1/tpp/app/token