Web Redirection Decryption

Overview

This API decrypts the encrypted response URL that your Financial Information User (FIU) application receives from the Account Aggregator (AA) platform. You should call this API after the user is redirected back to your application from the AA, following the user’s approval or rejection of a consent request. The decrypted response contains important information about the consent status, user details, and any error codes that indicate why a consent might have failed.

Authentication

This API requires the following authentication headers to be included with every request:

Header	Type	Required	Description
`client_id`	string	Yes	An API key issued to your organisation for authentication purposes
`client_secret`	string	Yes	A secret API key issued to your server-side application for secure authentication
`organisationId`	string	Yes	A unique identifier assigned to your organisation by the platform
`appIdentifier`	string	Yes	A unique identifier assigned to your client application for tracking API usage
`Content-Type`	string	Yes	Must be set to `application/json` to specify the request body format

Request Body

webRedirectionURL

object

required

An object containing the encrypted response parameters received from the Account Aggregator when the user is redirected back to your application.

Show webRedirectionURL properties

ecres

string

required

The encrypted response string containing the consent status and user information. This is the primary encrypted payload returned by the AA platform that needs to be decrypted to understand the consent flow outcome.

resdate

string

required

The date and time when the response was generated by the Account Aggregator. This timestamp is in the format ddmmyyyyhh24misss where:

dd: Day (01-31)
mm: Month (01-12)
yyyy: Year (e.g., 2021)
hh24: Hour in 24-hour format (00-23)
mi: Minutes (00-59)
sss: Seconds and milliseconds (000-999)

Example: 270820211238139 represents 27th August 2021, 12:38:139

string

required

The base64-encoded Entity ID of the Account Aggregator. This identifier helps the system determine which AA platform processed the consent request.

Response

status

string

required

Indicates the overall status of the API request. Possible values are success or failure.

ver

string

required

The current version of the API being used for this request.

message

string

A human-readable message describing the result of the API call, providing success confirmation or failure details.

data

object

Contains the decrypted consent flow information and user details.

Show data properties

status

string

required

The status of the consent flow. Possible values:

S: Success - User has accepted the consent
F: Failure - User rejected the consent or an error occurred

errorcode

string

required

A numeric error code indicating the outcome of the consent flow. See the Error Codes section below for detailed descriptions. A value of 0 indicates success.

txnid

string

The unique transaction identifier (UUID) that was included in the original ecreq field of the encryption request. Use this to correlate the response with your original consent request.

sessionid

string

The session identifier that was included in the original ecreq field. This helps track the user’s session across the consent flow.

srcref

string

The consent handle(s) that were included in the original ecreq request’s srcref field. This allows you to match the response to the specific consent request(s).

userid

string

The Virtual User Account (VUA) identifier issued by the Account Aggregator when the user registered with the AA platform. This unique identifier represents the user within the AA ecosystem.Format: Typically in the format phonenumber@aa-handle (e.g., 1999999999@onemoney)

redirect

string

The URL of your FIU application page where the user should be redirected to after completing the AA consent flow. This is typically the page where you handle the consent outcome.

Example Request

{
  "webRedirectionURL": {
    "ecres": "1r8dWQqy3c5IY7uJdBkAERYhV_P01dAs6dMGrieo-D001LXoGuKnFtp_OXKVtpbpAEJVstVx_rCRHVpDEZvRGKkFnpJp9RbvdReWg4mi6hdQPa_hgGnYaOkSbWhBdYWfM6-kBgB4DfomidIWpTRMXe3BGko0tyMeL2gIW8jyp5hHMPovCar_Ux6QhNIyFGLaQmB-M_vE4Q0hi9erfXEHgKClubw12jzRrwJo2eC5NhX1UaWV3uFLtfB4XWGWQ2lAmGpMdhESJ91R94C5mcQ0OOF2jW69YLo6RspvzP454DrproVKy-PdHa3k9QRgt8f-",
    "resdate": "270820211238139",
    "fi": "XVlVVV1eV0g"
  }
}

Example Success Response

{
  "ver": "1.15.0",
  "status": "success",
  "data": {
    "status": "S",
    "errorcode": "0",
    "txnid": "f32503c5-0af0-4831-a443-7adc500ccd22",
    "sessionid": "lJ4ImY1ET3yplGtIp3IvrrU",
    "srcref": "64cd9ace-f0e5-44cc-a686-1fe82bfa4ed8",
    "userid": "1999999999@onemoney",
    "redirect": "https://sandbox.moneyone.in/finproadminweb_sandbox"
  },
  "message": "Success"
}

Example Error Response

{
  "ver": "1.21.0",
  "timestamp": "2025-10-01T11:45:48.706Z",
  "errorCode": "invalidWebRedirectionUrl",
  "errorMsg": "Invalid webRedirection Url is passed"
}

Error Codes from Account Aggregator

The following error codes are returned by the Account Aggregator to your FIU when the user is redirected back to your application. These codes help you understand what happened during the user’s consent journey on the AA platform.

Mandatory Error Codes

These error codes will always be returned in appropriate scenarios:

Error Code	Message	Status	Description
`0`	Success	S	The user has successfully accepted the consent request and linked their accounts
`1`	Consent is rejected	F	The user explicitly rejected the consent request on the AA platform
`2`	Consent not available	F	The consent request was not found on the Account Aggregator platform
`3`	Invalid request	F	The redirection request contained invalid or malformed data

Optional Error Codes

These error codes provide detailed information about specific failure scenarios:

Authentication and Session Errors

Error Code	Message	Status	Description
`4`	User authentication failed	F	The user was unable to authenticate themselves on the AA platform (e.g., wrong credentials, failed OTP)
`6`	Session timeout	F	The user did not take any action on the login page and the session expired

Account Discovery Errors

Error Code	Message	Status	Description
`7`	Account not discovered	F	A specific FIP ID was provided but accounts were not found at that FIP (404 error), and the user cancelled or went back from the AA page
`8`	Account not discovered	F	A specific FIP ID was provided but account discovery failed due to an error at the FIP (non-404 error), and the user cancelled or went back
`9`	Account not discovered	F	Multiple FIP IDs were provided (or none), and no accounts were discovered at any FIP due to errors or missing accounts

Account Linking Errors

Error Code	Message	Status	Description
`10`	Account not linked	F	Accounts were successfully discovered, but the user did not link any accounts and the session timed out
`11`	Account not linked	F	Accounts were successfully discovered, but the user chose to cancel instead of linking any accounts

Error Code	Message	Status	Description
`12`	Account link OTP not attempted	F	Accounts were discovered and the user clicked the link button, but did not enter the OTP and then cancelled the process
`13`	Account link OTP not attempted	F	Accounts were discovered and the user clicked the link button, but did not enter the OTP and the session timed out
`14`	OTP authentication failed	F	All account linking attempts failed because the user entered incorrect OTPs, and then cancelled the process
`15`	OTP authentication failed	F	All account linking attempts failed because the user entered incorrect OTPs, and the session timed out
`16`	Account link failed	F	The user entered a valid OTP, but all account linking attempts failed at the FIP level due to system errors

Partial Success/Failure Errors

These errors occur when dealing with multiple FIPs:

Error Code	Message	Status	Description
`17`	OTP failed (some accounts)	F	Multiple FIPs were involved; some account linking attempts failed due to incorrect OTPs, and the user cancelled
`18`	OTP failed (some accounts)	F	Multiple FIPs were involved; some account linking attempts failed due to incorrect OTPs, and the session timed out
`19`	Account link failed (partial)	F	Multiple FIPs were involved; some account linking attempts failed at the FIP level, and the user cancelled

General Error

Error Code	Message	Status	Description
`20`	Unknown error	F	The Account Aggregator was unable to send any valid error code due to an unexpected system error

Usage Notes

Handle All Error Codes: Implement proper error handling for all error codes in your application. The mandatory error codes (0-3) will always be returned, while optional codes (4-20) provide granular details about specific failure scenarios.
Success Status: A status of S and errorcode of 0 indicates successful consent approval and account linking. In this case, you can proceed to fetch financial data using the consent.
Failure Status: A status of F indicates that the consent was not successfully approved. Use the errorcode to determine the specific reason for failure and provide appropriate feedback to the user.
User Communication: Based on the error code, provide clear and actionable feedback to users. For example:
- Error code 1: Inform the user they rejected the consent and offer to retry
- Error codes 7-9: Suggest checking if the user has accounts at the specified FIP
- Error codes 12-15: Guide the user on OTP verification process
- Error code 20: Display a generic error message and suggest contacting support
Transaction Correlation: Use the txnid field to correlate the decrypted response with your original consent request. This is especially important in high-traffic applications where multiple consent flows may be in progress simultaneously.
VUA Storage: Store the userid (VUA) securely in your system as it uniquely identifies the user within the Account Aggregator ecosystem. You’ll need this for future consent requests and data fetching operations.
Security Considerations:
- Always validate the resdate to ensure the response is recent and not a replay attack
- Verify that the decrypted srcref matches your original consent handle
- Process the decrypted response immediately and do not store the encrypted ecres for extended periods
Partial Success Handling: Error codes 17-19 indicate partial success scenarios where some accounts were linked successfully. Consider implementing logic to handle these cases gracefully, allowing users to proceed with linked accounts or retry failed ones.

Rate Limiting

This API is subject to rate limiting with the following limits:

Limit: 1000 requests per time window
Remaining: Returned in the X-RateLimit-Remaining header
Reset: The time when the rate limit resets, returned in the X-RateLimit-Reset header

Monitor these headers in the API response to ensure you stay within the allowed rate limits.

Consent Management

Data Management

Web Redirection

User Management

Miscellaneous

Overview

Authentication

Request Body

Response

Example Request

Example Success Response

Example Error Response

Error Codes from Account Aggregator

Mandatory Error Codes

Optional Error Codes

Authentication and Session Errors

Account Discovery Errors

Account Linking Errors

Partial Success/Failure Errors

General Error

Usage Notes

Rate Limiting

Consent Management

Data Management

Web Redirection

User Management

Miscellaneous

​Overview

​Authentication

​Request Body

​Response

​Example Request

​Example Success Response

​Example Error Response

​Error Codes from Account Aggregator

​Mandatory Error Codes

​Optional Error Codes

​Authentication and Session Errors

​Account Discovery Errors

​Account Linking Errors

​OTP-Related Errors

​Partial Success/Failure Errors

​General Error

​Usage Notes

​Rate Limiting

Overview

Authentication

Request Body

Response

Example Request

Example Success Response

Example Error Response

Error Codes from Account Aggregator

Mandatory Error Codes

Optional Error Codes

Authentication and Session Errors

Account Discovery Errors

Account Linking Errors

OTP-Related Errors

Partial Success/Failure Errors

General Error

Usage Notes

Rate Limiting