Web Redirection Encryption
Generate an encrypted web redirection URL for Account Aggregator consent flow
Overview
This API is used by the Financial Information User (FIU) to generate an encrypted web redirection URL for the Account Aggregator (AA). The generated URL enables users to provide consent for data sharing through the AA’s application interface. The URL can be embedded in an iframe within your application or opened directly in a web browser, allowing users to complete their consent approval or rejection on the AA platform.Authentication
This API requires the following authentication headers to be included with every request:| Header | Type | Required | Description |
|---|---|---|---|
client_id | string | Yes | An API key issued to your organisation for authentication purposes |
client_secret | string | Yes | A secret API key issued to your server-side application for secure authentication |
organisationId | string | Yes | A unique identifier assigned to your organisation by the platform |
appIdentifier | string | Yes | A unique identifier assigned to your client application for tracking API usage |
Content-Type | string | Yes | Must be set to application/json to specify the request body format |
Request Body
3a3f2d96-fc3b-42e5-804f-e65d10a4be98)Note: When passing multiple consent handles, they must all belong to the same user’s Virtual User Account (VUA).https://www.yourapp.com/consent-callback^[A-Z]{5}[0-9]{4}[A-Z]{1}$ (e.g., ABCDE1234F)Note: Only provide this when integrating with FIPs that require PAN for account linking.Response
success or failure.Example Request
Example Response
Error Responses
When an error occurs, the API returns a JSON object with the following structure:Error Code Catalogue
| Error Code | Status | Description | Common Causes |
|---|---|---|---|
FP0021 | missingConsentInfo | Required parameters are missing from the request | The consentHandle field is empty, null, or not provided in the request body |
InvalidRequest | InvalidRequest | The consent handle format is invalid | The consentHandle is not a valid UUIDv4 format, or contains all zeros |
FP0024 | InvalidRequest | Multiple consent handles belong to different users | When passing an array of consent handles, they must all be associated with the same user’s VUA |
FP0024 | invalid_consent_handle | The provided consent handle does not exist | The consent handle is not found in the system or does not have a valid customer VUA |
FP0029 | InvalidAA | The Account Aggregator handle is invalid | The AA handle derived from the user’s VUA does not exist in the account aggregators registry |
InvalidRequest | InvalidRequest | The redirect URL format is incorrect | The redirectUrl field must be a valid string when provided |
InvalidRequest | InvalidRequest | The PAN format does not match requirements | The pan field does not follow the required pattern ^[A-Z]{5}[0-9]{4}[A-Z]{1}$ |
Usage Notes
- Security Consideration: The encrypted URL contains sensitive parameters. Ensure you transmit this URL over HTTPS only and do not log or cache it in plain text format.
- Single vs Multiple Consents: You can pass either a single consent handle string or an array of consent handle strings. When using multiple consent handles, ensure all of them belong to the same user to avoid errors.
-
Iframe Integration: When embedding the URL in an iframe, ensure your application has the appropriate
X-Frame-Optionsand Content Security Policy settings to allow iframe embedding from the AA domain. - Browser Compatibility: If opening the URL in a new browser window or tab, inform users that they may need to allow pop-ups for your application domain.
-
Redirect URL Override: The
redirectUrlparameter is optional and should only be used when you need to override the default redirect URL configured for your organisation. If not provided, the system will use the default redirect URL set during your FIU onboarding. -
PAN Requirements: Only include the
panparameter when integrating with Financial Information Providers that require PAN for account discovery. Providing PAN when not needed may cause unnecessary data exposure. - Consent Handle Validation: Always ensure the consent handle is in valid UUIDv4 format before making the API call to avoid validation errors.
Rate Limiting
This API is subject to rate limiting with the following limits:- Limit: 1000 requests per time window
- Remaining: Returned in the
X-RateLimit-Remainingheader - Reset: The time when the rate limit resets, returned in the
X-RateLimit-Resetheader
Authorizations
Your unique client identifier provided by MoneyOne during FIU onboarding
Your confidential client secret provided by MoneyOne
Your organization's unique identifier in the FinPro system
Application-specific identifier for tracking API calls
Body
Request body for generating an encrypted web redirection URL for Account Aggregator consent flow.
The unique consent handle identifier received in response to a consent request. This can be either a single consent handle string for one consent, or an array of consent handle strings for multiple consents. Must be a valid UUIDv4 format.
The URL where the user should be redirected after completing their consent journey on the Account Aggregator platform. Use this parameter when you need to override the default redirect URL configured for your FIU organisation.
"https://www.yourapp.com/consent-callback"
The Permanent Account Number (PAN) of the user. This is required for certain Financial Information Providers (FIPs) that mandate PAN for account discovery purposes.
^[A-Z]{5}[0-9]{4}[A-Z]{1}$"ABCDE1234F"
Response
Encrypted URL generated successfully
Response containing the encrypted web redirection URL for Account Aggregator consent flow.
Indicates the overall status of the API request.
success, failure The current version of the API being used for this request.
A human-readable message describing the result of the API call, providing success confirmation or failure details.
Container for the encrypted URL data.
The timestamp indicating when the transaction was processed, in ISO 8601 format.
