Consents

The Consent Service is used to create and manage consents for accessing account data in the Account Information Service (AIS). A consent is an object that holds information about what permissions a PSU has given you to fetch its account information from a particular bank. This guide shows the steps for creating a consent and authorizing it through the various SCA flows.

For requests to the Consent Service API, you need an access token with scope accountinformation corporate.

Always include PSU-ID in all requests to ensure proper consent tracking per user and maintain a seamless user experience.

Endpoint

```http
POST /psd2/consent/v1/consents
```

Request Headers

| Name | Type | Description |
| --- | --- | --- |
| X-Request-ID | string(uuid) | The ID of the request, unique to the call, as determined by the initiating party. |
| X-BicFi | string | The BIC of the bank to which the request is addressed. |
| PSU-ID | string | The ID used to identify the PSU at the bank. Typically a local social security number or another unique login ID. |
| PSU-Corporate-ID | string | The Corporate ID of the PSU when acting on behalf of an organization, e.g. Org. nummer for SE, KVK for NL. |
| TPP-Redirect-Preferred | boolean | Indicates a preference for redirect-based SCA over decoupled when set to true. The bank may not support both types. |
| PSU-IP-Address | string(ipv4) | The IP address of the PSU to be forwarded to the bank. Only included if the request was actively initiated by the PSU. |

Request Body

| Name | Type | Description |
| --- | --- | --- |
| access | object | Requested access services for a consent. This can be left empty to access all available accounts, or it can be populated with IBANs to limit consent to specific accounts. |
| combinedServiceIndicator | boolean | Indicates that the Payment Initiation Service (PIS) will be addressed in the same session. |
| frequencyPerDay | integer | The number of times per day the TPP may access the account data without PSU interaction. For one-off access, this attribute is set to “1”. If not otherwise agreed bilaterally between TPP and bank, the frequency is less than or equal to 4. |
| recurringIndicator | boolean | Indicates that access to the data should be recurring when set to true. |
| validUntil | string(date) | The end date of the consent in ISO 8601 format, e.g. 2025-10-31. |

```bash
curl -X POST "https://api.openbankingplatform.com/psd2/consent/v1/consents" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIn0..." \
  -H "Content-Type: application/json" \
  -H "X-Request-ID: 8ef6348b-3f9f-4e1c-a768-fc586af7badf" \
  -H "X-BicFi: ESSESESS" \
  -H "PSU-ID: 123456789001" \
  -H "PSU-Corporate-ID: 1234567890" \
  -H "TPP-Redirect-Preferred: false" \
  -H "PSU-IP-Address: 152.120.171.187" \
  -d '{
    "access": {},
    "combinedServiceIndicator": false,
    "frequencyPerDay": 4,
    "recurringIndicator": true,
    "validUntil": "2099-12-31"
  }'
```

Response

```json
{
    "consentStatus": "received",
    "consentId": "70c6d203-e1d1-43ff-9e42-07e5dda640ba",
    "scaMethods": [
        {
            "authenticationType": "PUSH_OTP",
            "authenticationMethodId": "mbid",
            "name": "Mobilt BankID"
        },
        {
            "authenticationType": "CHIP_OTP",
            "authenticationMethodId": "mbid_same_device",
            "name": "Mobile BankID on this device"
        },
        {
            "authenticationType": "PHOTO_OTP",
            "authenticationMethodId": "mbid_animated_qr_image",
            "name": "Mobile BankID on another device"
        }
    ],
    "_links": {
        "self": {
            "href": "/psd2/consent/v1/consents/70c6d203-e1d1-43ff-9e42-07e5dda640ba"
        },
        "status": {
            "href": "/psd2/consent/v1/consents/70c6d203-e1d1-43ff-9e42-07e5dda640ba/status"
        },
        "startAuthorisation": {
            "href": "/psd2/consent/v1/consents/70c6d203-e1d1-43ff-9e42-07e5dda640ba/authorisations"
        }
    }
}
```

Once the consent is created, it must be authorised by the PSU before it can be used. See the Authorisations guide for instructions on how to complete the authorisation process.

After the PSU authorises the consent and you receive a final scaStatus, check the status of the consent by polling the Get Consent Status endpoint.

Endpoint

```http
GET /psd2/consent/v1/consents/{consentId}/status
```

Path Parameters

| Name | Type | Description |
| --- | --- | --- |
| consentId | string(uuid) | The ID of the consent that was created. |

Request Headers

| Name | Type | Description |
| --- | --- | --- |
| X-Request-ID | string(uuid) | The ID of the request, unique to the call, as determined by the initiating party. |
| X-BicFi | string | The BIC of the bank to which the request is addressed. |
| PSU-ID | string | The ID used to identify the PSU at the bank. Typically a local social security number or another unique login ID. |
| PSU-Corporate-ID | string | The Corporate ID of the PSU when acting on behalf of an organization, e.g. Org. nummer for SE, KVK for NL. |
| TPP-Redirect-Preferred | boolean | Indicates a preference for redirect-based SCA over decoupled when set to true. The bank may not support both types. |
| PSU-IP-Address | string(ipv4) | The IP address of the PSU to be forwarded to the bank. Only included if the request was actively initiated by the PSU. |

```bash
curl -X GET "https://api.openbankingplatform.com/psd2/consent/v1/consents/70c6d203-e1d1-43ff-9e42-07e5dda640ba/status" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIn0..." \
  -H "Content-Type: application/json" \
  -H "X-Request-ID: 5a441866-935b-41e9-ba3a-2952a351b706" \
  -H "X-BicFi: ESSESESS" \
  -H "PSU-ID: 123456789001" \
  -H "PSU-Corporate-ID: 1234567890" \
  -H "TPP-Redirect-Preferred: false" \
  -H "PSU-IP-Address: 152.120.171.187"
```

Response

```json
{
    "consentStatus": "valid"
}
```

Consents can have a number of different statuses. Here, you want to check if the consent was rejected, in which case consentStatus would have the value rejected. If not, then you are done.
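
The create-and-poll steps above, as an added example of client-side checks (not code from the platform or its SDK). The function and parameter names are assumptions, as is the stricter choice to treat only `valid` as usable and fail closed on any other final status; the `Authorization` and `TPP-Redirect-Preferred` headers are left to the caller.

```python
import ipaddress
import uuid
from datetime import date

def build_consent_request(psu_id, bic, valid_until, frequency_per_day=4,
                          recurring=True, access=None, psu_ip=None,
                          psu_corporate_id=None, today=None):
    """Return (headers, body) for POST /psd2/consent/v1/consents."""
    if not psu_id:
        raise ValueError("PSU-ID is required on every request")
    if not 1 <= frequency_per_day <= 4:
        raise ValueError("frequencyPerDay must be 1..4 unless agreed with the bank")
    if not recurring and frequency_per_day != 1:
        raise ValueError("one-off access uses frequencyPerDay = 1")
    if date.fromisoformat(valid_until) < (today or date.today()):
        raise ValueError("validUntil is in the past")
    headers = {
        "X-Request-ID": str(uuid.uuid4()),  # fresh per call, never reused
        "X-BicFi": bic,
        "PSU-ID": psu_id,
    }
    if psu_corporate_id:
        headers["PSU-Corporate-ID"] = psu_corporate_id
    if psu_ip is not None:  # only when the PSU actively initiated the request
        headers["PSU-IP-Address"] = str(ipaddress.IPv4Address(psu_ip))
    body = {
        "access": access or {},  # empty = all available accounts
        "combinedServiceIndicator": False,
        "frequencyPerDay": frequency_per_day,
        "recurringIndicator": recurring,
        "validUntil": valid_until,
    }
    return headers, body

def wait_for_consent(fetch_status, max_polls=5):
    """Poll the status endpoint; only "valid" counts as usable."""
    for _ in range(max_polls):
        status = fetch_status().get("consentStatus")
        if status == "valid":
            return True
        if status != "received":  # "rejected" or an unrecognised value
            return False
    return False  # still "received" after max_polls: not authorised

# Constructed sample responses in the shape of the Get Consent Status reply.
_sample = iter([{"consentStatus": "received"}, {"consentStatus": "valid"}])
HEADERS, BODY = build_consent_request("123456789001", "ESSESESS", "2099-12-31",
                                      psu_ip="152.120.171.187")
USABLE = wait_for_consent(lambda: next(_sample))
```

In a real client, `fetch_status` would issue the GET request shown above with its own new `X-Request-ID` and a delay between polls.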