> ## Documentation Index
> Fetch the complete documentation index at: https://developer.moneyone.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Web Redirection Decryption

> Decrypt the encrypted response URL received from Account Aggregator after user consent flow

## Overview

This API decrypts the encrypted response URL that your Financial Information User (FIU) application receives from the Account Aggregator (AA) platform. You should call this API after the user is redirected back to your application from the AA, following the user's approval or rejection of a consent request. The decrypted response contains important information about the consent status, user details, and any error codes that indicate why a consent might have failed.

## Authentication

This API requires the following authentication headers to be included with every request:

| Header           | Type   | Required | Description                                                                       |
| ---------------- | ------ | -------- | --------------------------------------------------------------------------------- |
| `client_id`      | string | Yes      | An API key issued to your organisation for authentication purposes                |
| `client_secret`  | string | Yes      | A secret API key issued to your server-side application for secure authentication |
| `organisationId` | string | Yes      | A unique identifier assigned to your organisation by the platform                 |
| `appIdentifier`  | string | Yes      | A unique identifier assigned to your client application for tracking API usage    |
| `Content-Type`   | string | Yes      | Must be set to `application/json` to specify the request body format              |

## Request Body

<ParamField body="webRedirectionURL" type="object" required>
  An object containing the encrypted response parameters received from the Account Aggregator when the user is redirected back to your application.

  <Expandable title="webRedirectionURL properties">
    <ParamField body="ecres" type="string" required>
      The encrypted response string containing the consent status and user information. This is the primary encrypted payload returned by the AA platform that needs to be decrypted to understand the consent flow outcome.
    </ParamField>

    <ParamField body="resdate" type="string" required>
      The date and time when the response was generated by the Account Aggregator. This timestamp is in the format `ddmmyyyyhh24misss` where:

      * `dd`: Day (01-31)
      * `mm`: Month (01-12)
      * `yyyy`: Year (e.g., 2021)
      * `hh24`: Hour in 24-hour format (00-23)
      * `mi`: Minutes (00-59)
      * `sss`: Seconds and milliseconds (000-999)

      **Example**: `270820211238139` represents 27th August 2021, 12:38:139
    </ParamField>

    <ParamField body="fi" type="string" required>
      The base64-encoded Entity ID of the Account Aggregator. This identifier helps the system determine which AA platform processed the consent request.
    </ParamField>
  </Expandable>
</ParamField>

## Response

<ResponseField name="status" type="string" required>
  Indicates the overall status of the API request. Possible values are `success` or `failure`.
</ResponseField>

<ResponseField name="ver" type="string" required>
  The current version of the API being used for this request.
</ResponseField>

<ResponseField name="message" type="string">
  A human-readable message describing the result of the API call, providing success confirmation or failure details.
</ResponseField>

<ResponseField name="data" type="object">
  Contains the decrypted consent flow information and user details.

  <Expandable title="data properties">
    <ResponseField name="status" type="string" required>
      The status of the consent flow. Possible values:

      * `S`: Success - User has accepted the consent
      * `F`: Failure - User rejected the consent or an error occurred
    </ResponseField>

    <ResponseField name="errorcode" type="string" required>
      A numeric error code indicating the outcome of the consent flow. See the Error Codes section below for detailed descriptions. A value of `0` indicates success.
    </ResponseField>

    <ResponseField name="txnid" type="string">
      The unique transaction identifier (UUID) that was included in the original `ecreq` field of the encryption request. Use this to correlate the response with your original consent request.
    </ResponseField>

    <ResponseField name="sessionid" type="string">
      The session identifier that was included in the original `ecreq` field. This helps track the user's session across the consent flow.
    </ResponseField>

    <ResponseField name="srcref" type="string">
      The consent handle(s) that were included in the original `ecreq` request's `srcref` field. This allows you to match the response to the specific consent request(s).
    </ResponseField>

    <ResponseField name="userid" type="string">
      The Virtual User Account (VUA) identifier issued by the Account Aggregator when the user registered with the AA platform. This unique identifier represents the user within the AA ecosystem.

      **Format**: Typically in the format `phonenumber@aa-handle` (e.g., `1999999999@onemoney`)
    </ResponseField>

    <ResponseField name="redirect" type="string">
      The URL of your FIU application page where the user should be redirected to after completing the AA consent flow. This is typically the page where you handle the consent outcome.
    </ResponseField>
  </Expandable>
</ResponseField>

## Example Request

```json theme={null}
{
  "webRedirectionURL": {
    "ecres": "1r8dWQqy3c5IY7uJdBkAERYhV_P01dAs6dMGrieo-D001LXoGuKnFtp_OXKVtpbpAEJVstVx_rCRHVpDEZvRGKkFnpJp9RbvdReWg4mi6hdQPa_hgGnYaOkSbWhBdYWfM6-kBgB4DfomidIWpTRMXe3BGko0tyMeL2gIW8jyp5hHMPovCar_Ux6QhNIyFGLaQmB-M_vE4Q0hi9erfXEHgKClubw12jzRrwJo2eC5NhX1UaWV3uFLtfB4XWGWQ2lAmGpMdhESJ91R94C5mcQ0OOF2jW69YLo6RspvzP454DrproVKy-PdHa3k9QRgt8f-",
    "resdate": "270820211238139",
    "fi": "XVlVVV1eV0g"
  }
}
```

## Example Success Response

```json theme={null}
{
  "ver": "1.15.0",
  "status": "success",
  "data": {
    "status": "S",
    "errorcode": "0",
    "txnid": "f32503c5-0af0-4831-a443-7adc500ccd22",
    "sessionid": "lJ4ImY1ET3yplGtIp3IvrrU",
    "srcref": "64cd9ace-f0e5-44cc-a686-1fe82bfa4ed8",
    "userid": "1999999999@onemoney",
    "redirect": "https://sandbox.moneyone.in/finproadminweb_sandbox"
  },
  "message": "Success"
}
```

## Example Error Response

```json theme={null}
{
  "ver": "1.21.0",
  "timestamp": "2025-10-01T11:45:48.706Z",
  "errorCode": "invalidWebRedirectionUrl",
  "errorMsg": "Invalid webRedirection Url is passed"
}
```

## Error Codes from Account Aggregator

The following error codes are returned by the Account Aggregator to your FIU when the user is redirected back to your application. These codes help you understand what happened during the user's consent journey on the AA platform.

### Mandatory Error Codes

These error codes will always be returned in appropriate scenarios:

| Error Code | Message               | Status | Description                                                                      |
| ---------- | --------------------- | ------ | -------------------------------------------------------------------------------- |
| `0`        | Success               | S      | The user has successfully accepted the consent request and linked their accounts |
| `1`        | Consent is rejected   | F      | The user explicitly rejected the consent request on the AA platform              |
| `2`        | Consent not available | F      | The consent request was not found on the Account Aggregator platform             |
| `3`        | Invalid request       | F      | The redirection request contained invalid or malformed data                      |

### Optional Error Codes

These error codes provide detailed information about specific failure scenarios:

#### Authentication and Session Errors

| Error Code | Message                    | Status | Description                                                                                             |
| ---------- | -------------------------- | ------ | ------------------------------------------------------------------------------------------------------- |
| `4`        | User authentication failed | F      | The user was unable to authenticate themselves on the AA platform (e.g., wrong credentials, failed OTP) |
| `6`        | Session timeout            | F      | The user did not take any action on the login page and the session expired                              |

#### Account Discovery Errors

| Error Code | Message                | Status | Description                                                                                                                                 |
| ---------- | ---------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `7`        | Account not discovered | F      | A specific FIP ID was provided but accounts were not found at that FIP (404 error), and the user cancelled or went back from the AA page    |
| `8`        | Account not discovered | F      | A specific FIP ID was provided but account discovery failed due to an error at the FIP (non-404 error), and the user cancelled or went back |
| `9`        | Account not discovered | F      | Multiple FIP IDs were provided (or none), and no accounts were discovered at any FIP due to errors or missing accounts                      |

#### Account Linking Errors

| Error Code | Message            | Status | Description                                                                                             |
| ---------- | ------------------ | ------ | ------------------------------------------------------------------------------------------------------- |
| `10`       | Account not linked | F      | Accounts were successfully discovered, but the user did not link any accounts and the session timed out |
| `11`       | Account not linked | F      | Accounts were successfully discovered, but the user chose to cancel instead of linking any accounts     |

#### OTP-Related Errors

| Error Code | Message                        | Status | Description                                                                                                             |
| ---------- | ------------------------------ | ------ | ----------------------------------------------------------------------------------------------------------------------- |
| `12`       | Account link OTP not attempted | F      | Accounts were discovered and the user clicked the link button, but did not enter the OTP and then cancelled the process |
| `13`       | Account link OTP not attempted | F      | Accounts were discovered and the user clicked the link button, but did not enter the OTP and the session timed out      |
| `14`       | OTP authentication failed      | F      | All account linking attempts failed because the user entered incorrect OTPs, and then cancelled the process             |
| `15`       | OTP authentication failed      | F      | All account linking attempts failed because the user entered incorrect OTPs, and the session timed out                  |
| `16`       | Account link failed            | F      | The user entered a valid OTP, but all account linking attempts failed at the FIP level due to system errors             |

#### Partial Success/Failure Errors

These errors occur when dealing with multiple FIPs:

| Error Code | Message                       | Status | Description                                                                                                        |
| ---------- | ----------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------ |
| `17`       | OTP failed (some accounts)    | F      | Multiple FIPs were involved; some account linking attempts failed due to incorrect OTPs, and the user cancelled    |
| `18`       | OTP failed (some accounts)    | F      | Multiple FIPs were involved; some account linking attempts failed due to incorrect OTPs, and the session timed out |
| `19`       | Account link failed (partial) | F      | Multiple FIPs were involved; some account linking attempts failed at the FIP level, and the user cancelled         |

#### General Error

| Error Code | Message       | Status | Description                                                                                      |
| ---------- | ------------- | ------ | ------------------------------------------------------------------------------------------------ |
| `20`       | Unknown error | F      | The Account Aggregator was unable to send any valid error code due to an unexpected system error |

## Usage Notes

* **Handle All Error Codes**: Implement proper error handling for all error codes in your application. The mandatory error codes (0-3) will always be returned, while optional codes (4-20) provide granular details about specific failure scenarios.

* **Success Status**: A `status` of `S` and `errorcode` of `0` indicates successful consent approval and account linking. In this case, you can proceed to fetch financial data using the consent.

* **Failure Status**: A `status` of `F` indicates that the consent was not successfully approved. Use the `errorcode` to determine the specific reason for failure and provide appropriate feedback to the user.

* **User Communication**: Based on the error code, provide clear and actionable feedback to users. For example:
  * Error code `1`: Inform the user they rejected the consent and offer to retry
  * Error codes `7-9`: Suggest checking if the user has accounts at the specified FIP
  * Error codes `12-15`: Guide the user on OTP verification process
  * Error code `20`: Display a generic error message and suggest contacting support

* **Transaction Correlation**: Use the `txnid` field to correlate the decrypted response with your original consent request. This is especially important in high-traffic applications where multiple consent flows may be in progress simultaneously.

* **VUA Storage**: Store the `userid` (VUA) securely in your system as it uniquely identifies the user within the Account Aggregator ecosystem. You'll need this for future consent requests and data fetching operations.

* **Security Considerations**:
  * Always validate the `resdate` to ensure the response is recent and not a replay attack
  * Verify that the decrypted `srcref` matches your original consent handle
  * Process the decrypted response immediately and do not store the encrypted `ecres` for extended periods

* **Partial Success Handling**: Error codes 17-19 indicate partial success scenarios where some accounts were linked successfully. Consider implementing logic to handle these cases gracefully, allowing users to proceed with linked accounts or retry failed ones.

## Rate Limiting

This API is subject to rate limiting with the following limits:

* **Limit**: 1000 requests per time window
* **Remaining**: Returned in the `X-RateLimit-Remaining` header
* **Reset**: The time when the rate limit resets, returned in the `X-RateLimit-Reset` header

Monitor these headers in the API response to ensure you stay within the allowed rate limits.


## OpenAPI

````yaml POST /webRedirection/decryptUrl
openapi: 3.0.3
info:
  title: FinPro API
  description: MoneyOne FinPro - Account Aggregator FIU Platform APIs
  version: 1.21.0
servers:
  - url: '{baseUrl}'
    description: FinPro API Server
    variables:
      baseUrl:
        default: https://scramblerpay-uat.moneyone.in
        description: API Base URL - change this to your environment
security:
  - clientId: []
    clientSecret: []
    organisationId: []
    appIdentifier: []
paths:
  /webRedirection/decryptUrl:
    post:
      tags:
        - Web Redirection
      summary: Decrypt Web Redirection URL
      description: >-
        Decrypt the encrypted response URL received from Account Aggregator
        after user consent flow. Call this API after the user is redirected back
        to your application from the AA, following the user's approval or
        rejection of a consent request. The decrypted response contains
        important information about the consent status, user details, and any
        error codes that indicate why a consent might have failed.
      operationId: decryptWebRedirectionUrl
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DecryptWebRedirectionUrlRequest'
            example:
              webRedirectionURL:
                ecres: >-
                  1r8dWQqy3c5IY7uJdBkAERYhV_P01dAs6dMGrieo-D001LXoGuKnFtp_OXKVtpbpAEJVstVx_rCRHVpDEZvRGKkFnpJp9RbvdReWg4mi6hdQPa_hgGnYaOkSbWhBdYWfM6-kBgB4DfomidIWpTRMXe3BGko0tyMeL2gIW8jyp5hHMPovCar_Ux6QhNIyFGLaQmB-M_vE4Q0hi9erfXEHgKClubw12jzRrwJo2eC5NhX1UaWV3uFLtfB4XWGWQ2lAmGpMdhESJ91R94C5mcQ0OOF2jW69YLo6RspvzP454DrproVKy-PdHa3k9QRgt8f-
                resdate: '270820211238139'
                fi: XVlVVV1eV0g
      responses:
        '200':
          description: URL decrypted successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DecryptWebRedirectionUrlResponse'
              example:
                ver: 1.15.0
                status: success
                data:
                  status: S
                  errorcode: '0'
                  txnid: f32503c5-0af0-4831-a443-7adc500ccd22
                  sessionid: lJ4ImY1ET3yplGtIp3IvrrU
                  srcref: 64cd9ace-f0e5-44cc-a686-1fe82bfa4ed8
                  userid: 1999999999@onemoney
                  redirect: https://sandbox.moneyone.in/finproadminweb_sandbox
                message: Success
        '400':
          description: Bad Request - Invalid webRedirection URL
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                ver: 1.21.0
                timestamp: '2025-10-01T11:45:48.706Z'
                errorCode: invalidWebRedirectionUrl
                errorMsg: Invalid webRedirection Url is passed
        '401':
          description: Authentication Failed - Invalid credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '429':
          description: Too Many Requests - Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      security:
        - clientId: []
          clientSecret: []
          organisationId: []
          appIdentifier: []
components:
  schemas:
    DecryptWebRedirectionUrlRequest:
      type: object
      description: >-
        Request body for decrypting the web redirection URL received from
        Account Aggregator.
      required:
        - webRedirectionURL
      properties:
        webRedirectionURL:
          type: object
          description: >-
            An object containing the encrypted response parameters received from
            the Account Aggregator when the user is redirected back to your
            application.
          required:
            - ecres
            - resdate
            - fi
          properties:
            ecres:
              type: string
              description: >-
                The encrypted response string containing the consent status and
                user information. This is the primary encrypted payload returned
                by the AA platform that needs to be decrypted to understand the
                consent flow outcome.
            resdate:
              type: string
              description: >-
                The date and time when the response was generated by the Account
                Aggregator. This timestamp is in the format ddmmyyyyhh24misss
                where: dd=Day (01-31), mm=Month (01-12), yyyy=Year, hh24=Hour in
                24-hour format (00-23), mi=Minutes (00-59), sss=Seconds and
                milliseconds (000-999). Example: 270820211238139 represents 27th
                August 2021, 12:38:139
            fi:
              type: string
              description: >-
                The base64-encoded Entity ID of the Account Aggregator. This
                identifier helps the system determine which AA platform
                processed the consent request.
    DecryptWebRedirectionUrlResponse:
      type: object
      description: >-
        Response containing the decrypted consent flow information and user
        details.
      properties:
        ver:
          type: string
          description: The current version of the API being used for this request.
        status:
          type: string
          description: >-
            Indicates the overall status of the API request. Possible values are
            success or failure.
        message:
          type: string
          description: >-
            A human-readable message describing the result of the API call,
            providing success confirmation or failure details.
        data:
          $ref: '#/components/schemas/DecryptWebRedirectionUrlData'
    ErrorResponse:
      type: object
      properties:
        ver:
          type: string
          description: API version
        timestamp:
          type: string
          format: date-time
          description: When the error occurred
        errorCode:
          type: string
          description: Error category code
        errorMsg:
          type: string
          description: Detailed error message
        status:
          type: string
          description: FinPro-specific error code (FPxxxx format)
    DecryptWebRedirectionUrlData:
      type: object
      description: Contains the decrypted consent flow information and user details.
      properties:
        status:
          type: string
          description: >-
            The status of the consent flow. Possible values: S (Success - User
            has accepted the consent), F (Failure - User rejected the consent or
            an error occurred).
          enum:
            - S
            - F
        errorcode:
          type: string
          description: >-
            A numeric error code indicating the outcome of the consent flow. A
            value of 0 indicates success. See documentation for detailed error
            code descriptions (0-20).
        txnid:
          type: string
          format: uuid
          description: >-
            The unique transaction identifier (UUID) that was included in the
            original ecreq field of the encryption request. Use this to
            correlate the response with your original consent request.
        sessionid:
          type: string
          description: >-
            The session identifier that was included in the original ecreq
            field. This helps track the user's session across the consent flow.
        srcref:
          type: string
          description: >-
            The consent handle(s) that were included in the original ecreq
            request's srcref field. This allows you to match the response to the
            specific consent request(s).
        userid:
          type: string
          description: >-
            The Virtual User Account (VUA) identifier issued by the Account
            Aggregator when the user registered with the AA platform. This
            unique identifier represents the user within the AA ecosystem.
            Format: Typically in the format phonenumber@aa-handle (e.g.,
            1999999999@onemoney)
        redirect:
          type: string
          format: uri
          description: >-
            The URL of your FIU application page where the user should be
            redirected to after completing the AA consent flow. This is
            typically the page where you handle the consent outcome.
  securitySchemes:
    clientId:
      type: apiKey
      in: header
      name: client_id
      description: Your unique client identifier provided by MoneyOne during FIU onboarding
    clientSecret:
      type: apiKey
      in: header
      name: client_secret
      description: Your confidential client secret provided by MoneyOne
    organisationId:
      type: apiKey
      in: header
      name: organisationId
      description: Your organization's unique identifier in the FinPro system
    appIdentifier:
      type: apiKey
      in: header
      name: appIdentifier
      description: Application-specific identifier for tracking API calls

````