Web Redirection Decryption
Decrypt the encrypted response URL received from Account Aggregator after user consent flow
Overview
This API decrypts the encrypted response URL that your Financial Information User (FIU) application receives from the Account Aggregator (AA) platform. You should call this API after the user is redirected back to your application from the AA, following the user’s approval or rejection of a consent request. The decrypted response contains important information about the consent status, user details, and any error codes that indicate why a consent might have failed.Authentication
This API requires the following authentication headers to be included with every request:| Header | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | An API key issued to your organisation for authentication purposes |
client_secret | string | Yes | A secret API key issued to your server-side application for secure authentication |
organisationId | string | Yes | A unique identifier assigned to your organisation by the platform |
appIdentifier | string | Yes | A unique identifier assigned to your client application for tracking API usage |
Content-Type | string | Yes | Must be set to application/json to specify the request body format |
Request Body
Response
success or failure.Example Request
Example Success Response
Example Error Response
Error Codes from Account Aggregator
The following error codes are returned by the Account Aggregator to your FIU when the user is redirected back to your application. These codes help you understand what happened during the user’s consent journey on the AA platform.Mandatory Error Codes
These error codes will always be returned in appropriate scenarios:| Error Code | Message | Status | Description |
|---|---|---|---|
0 | Success | S | The user has successfully accepted the consent request and linked their accounts |
1 | Consent is rejected | F | The user explicitly rejected the consent request on the AA platform |
2 | Consent not available | F | The consent request was not found on the Account Aggregator platform |
3 | Invalid request | F | The redirection request contained invalid or malformed data |
Optional Error Codes
These error codes provide detailed information about specific failure scenarios:Authentication and Session Errors
| Error Code | Message | Status | Description |
|---|---|---|---|
4 | User authentication failed | F | The user was unable to authenticate themselves on the AA platform (e.g., wrong credentials, failed OTP) |
6 | Session timeout | F | The user did not take any action on the login page and the session expired |
Account Discovery Errors
| Error Code | Message | Status | Description |
|---|---|---|---|
7 | Account not discovered | F | A specific FIP ID was provided but accounts were not found at that FIP (404 error), and the user cancelled or went back from the AA page |
8 | Account not discovered | F | A specific FIP ID was provided but account discovery failed due to an error at the FIP (non-404 error), and the user cancelled or went back |
9 | Account not discovered | F | Multiple FIP IDs were provided (or none), and no accounts were discovered at any FIP due to errors or missing accounts |
Account Linking Errors
| Error Code | Message | Status | Description |
|---|---|---|---|
10 | Account not linked | F | Accounts were successfully discovered, but the user did not link any accounts and the session timed out |
11 | Account not linked | F | Accounts were successfully discovered, but the user chose to cancel instead of linking any accounts |
OTP-Related Errors
| Error Code | Message | Status | Description |
|---|---|---|---|
12 | Account link OTP not attempted | F | Accounts were discovered and the user clicked the link button, but did not enter the OTP and then cancelled the process |
13 | Account link OTP not attempted | F | Accounts were discovered and the user clicked the link button, but did not enter the OTP and the session timed out |
14 | OTP authentication failed | F | All account linking attempts failed because the user entered incorrect OTPs, and then cancelled the process |
15 | OTP authentication failed | F | All account linking attempts failed because the user entered incorrect OTPs, and the session timed out |
16 | Account link failed | F | The user entered a valid OTP, but all account linking attempts failed at the FIP level due to system errors |
Partial Success/Failure Errors
These errors occur when dealing with multiple FIPs:| Error Code | Message | Status | Description |
|---|---|---|---|
17 | OTP failed (some accounts) | F | Multiple FIPs were involved; some account linking attempts failed due to incorrect OTPs, and the user cancelled |
18 | OTP failed (some accounts) | F | Multiple FIPs were involved; some account linking attempts failed due to incorrect OTPs, and the session timed out |
19 | Account link failed (partial) | F | Multiple FIPs were involved; some account linking attempts failed at the FIP level, and the user cancelled |
General Error
| Error Code | Message | Status | Description |
|---|---|---|---|
20 | Unknown error | F | The Account Aggregator was unable to send any valid error code due to an unexpected system error |
Usage Notes
- Handle All Error Codes: Implement proper error handling for all error codes in your application. The mandatory error codes (0-3) will always be returned, while optional codes (4-20) provide granular details about specific failure scenarios.
-
Success Status: A
statusofSanderrorcodeof0indicates successful consent approval and account linking. In this case, you can proceed to fetch financial data using the consent. -
Failure Status: A
statusofFindicates that the consent was not successfully approved. Use theerrorcodeto determine the specific reason for failure and provide appropriate feedback to the user. -
User Communication: Based on the error code, provide clear and actionable feedback to users. For example:
- Error code
1: Inform the user they rejected the consent and offer to retry - Error codes
7-9: Suggest checking if the user has accounts at the specified FIP - Error codes
12-15: Guide the user on OTP verification process - Error code
20: Display a generic error message and suggest contacting support
- Error code
-
Transaction Correlation: Use the
txnidfield to correlate the decrypted response with your original consent request. This is especially important in high-traffic applications where multiple consent flows may be in progress simultaneously. -
VUA Storage: Store the
userid(VUA) securely in your system as it uniquely identifies the user within the Account Aggregator ecosystem. You’ll need this for future consent requests and data fetching operations. -
Security Considerations:
- Always validate the
resdateto ensure the response is recent and not a replay attack - Verify that the decrypted
srcrefmatches your original consent handle - Process the decrypted response immediately and do not store the encrypted
ecresfor extended periods
- Always validate the
- Partial Success Handling: Error codes 17-19 indicate partial success scenarios where some accounts were linked successfully. Consider implementing logic to handle these cases gracefully, allowing users to proceed with linked accounts or retry failed ones.
Rate Limiting
This API is subject to rate limiting with the following limits:- Limit: 1000 requests per time window
- Remaining: Returned in the
X-RateLimit-Remainingheader - Reset: The time when the rate limit resets, returned in the
X-RateLimit-Resetheader
Authorizations
Your unique client identifier provided by MoneyOne during FIU onboarding
Your confidential client secret provided by MoneyOne
Your organization's unique identifier in the FinPro system
Application-specific identifier for tracking API calls
Body
Request body for decrypting the web redirection URL received from Account Aggregator.
An object containing the encrypted response parameters received from the Account Aggregator when the user is redirected back to your application.
Response
URL decrypted successfully
Response containing the decrypted consent flow information and user details.
The current version of the API being used for this request.
Indicates the overall status of the API request. Possible values are success or failure.
A human-readable message describing the result of the API call, providing success confirmation or failure details.
Contains the decrypted consent flow information and user details.
