<ČSOB SK> developer portal

Authorization code API call flow

API history

This API allows to exchange authorization code for access token and refresh token.

Step 1: Exchange authorization code for access token and refresh token

Initiate POST requests for Autrhorization code witth valid atuthorization code (valid 5 min):

Authorization code

Version1

URL LIVE

URL SANDBOX

POST https://api.csob.sk/identity-server/connect/authorizationcode

POST https://api.csob.sk/identity-server-test/connect/authorizationcode

In case of payment order authorization, access token is binded to specific payment order (one-time token), and can be used only once. For 90 days access to accounts, access token is valid 20 min and can be renewed with refresh token during 90 days period. See Authorization API / Refresh token section. On API Explorer web site there is a possibility to test API online (Try it) and download API definition (WADL, Open API).

Request:

Request parameters

Version1

grant_type={grant_type}&client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&code_verifier={code_verifier}

Attributes structure	Optionality	Type	Description
grant_type	Mandatory	String	Value is „authorization_code“
client_id	Mandatory	String	TPP ID obtained from enrollment
client_secret	Mandatory	String	Secret obtained from enrollment
code	Mandatory	String	Authorization code obtained from SCA / payment authorization
redirect_uri	Mandatory	String	Redirect URL to be redirected after SCA, redirect URL must be in list of URL addresses from enrollment
code_verifier	Mandatory	String	Code_verifier used to generate code_challenge from a previous request

Response:

Attributes structure	Optionality	Type	Description
id_token	Mandatory	String	Encoded user‘s authentication information including nonce value
access_token	Mandatory	String	Access token
expires_in	Mandatory	String	Validity of access token in seconds
token_type	Mandatory	String	Value is „Bearer“
refresh_token	Optional	String	Can be used for renewing access token for 90 days access to account. For payment submitting, refresh token is not present.

Example:

Request for obtaining long-term token (90 days access to account)

POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Content-Length: 209 Host: api.csob.sk Connection: Keep-Alive User-Agent: Apache-HttpClient/4.1.1 (java 1.5) grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=DuQugUbbqDS99VLdGgtLb7jSWi3Keg5A&code=1f8247638988812f93f93053b71da73e3ef9c9a83e0f32b73c5158b7daa07379&redirect_uri=https://www.csob.sk/psd2tpp&code_verifier=dWYjJUAoa2d2QEF8XlV6OmxdZTZeTSBgOjVkQEBMOFo Response with long-term token and refresh token (90 days access to account) HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Transfer-Encoding: chunked Content-Type: application/json Content-Encoding: gzip Expires: -1 Vary: Accept-Encoding Server-Process-ID: LA3XsYeknMmkyANNijtiPmusPRzcE3t7 Strict-Transport-Security: max-age=31536000; includeSubDomains Date: Tue, 11 Jun 2019 08:31:03 GMT { "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjExYzBhNzg1YWMyZGZiZjEzYmJiNmMyNjhmZTI0ZDY1IiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NjAyNDE4NjMsImV4cCI6MTU2MDI0MjE2MywiaXNzIjoiaHR0cHM6Ly9hcGlhdXRob3JpemF0aW9uLWFjYy5jc29iLnNrIiwiYXVkIjoiVElEQkJ0cnRINVUiLCJub25jZSI6ImFhYWEiLCJpYXQiOjE1NjAyNDE4NjMsImF0X2hhc2giOiJ5Ym5SSWgwMnZtWFZPTTh5OWMxMnJRIiwic2lkIjoiMzE1ZjMxOTM3ODUwNzhlNmI3ZWVkNGM5ZjFiODAzNzUiLCJzdWIiOiJ2b1I0YTgxaFVqaUFTYUJqTzZqbUY4Y05MU2g4RllENnNjOGMiLCJhdXRoX3RpbWUiOjE1NjAyNDE4MzksImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.hb3CSkivt-HIX-4U ntUedAnHd_Zfx5va8TgvO3QP5C9al9DaKUXz_yNxCDb573FamJWvP-DuDQEQ11DXsPB2mxNmTOAFtbgr2fIVLG -q77iTTDtbThOB7XwbEGrQim5ULybpAjHE5W2wZZvAWWZ93VZB3nqsSXjqsaxIE2gKBg4Eixa1iTmgrxujDrqf 2v-hqBUutz4yxXEM1Lj0Iuxca9j5XomZmMDhao5bvbrpYwLHaTjcFPbQo3V9oD5GILU5GVWuk2Pjxy1VMKqfbI RPfra6LFNKX8s_-aOmEcbJE0BfVWLvagO1l32BgMDl3DWTER0I5x_Z2wPmTwyaC5yUDw", "access_token": "8a6e97446d3db61107cf60d68f769ca48bc7eeb965052b11390bded4a4236x1e", "expires_in": 1200, "token_type": "Bearer", "refresh_token": "59ad5fd94b1c879356c870e2f36d1ce3ba023197d81c79e17731822fe7b9c71e" } Request for obtaining access token for payment submitting POST https://api.csob.sk/identity-server/connect/authorizationcode HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: application/x-www-form-urlencoded Content-Length: 267 Host: api.csob.sk Connection: Keep-Alive User-Agent: Apache-HttpClient/4.1.1 (java 1.5) grant_type=authorization_code&client_id=TIDgjzKuS7k&client_secret=DuQugUbbqDS99VLdGgtLb7jSWi3Keg5A&code=6ba9fe5808e2b0e7d8901f56a24dbef28a5ae76425e6e2872eb0ce228c907c36&redirect_uri=https://www.csob.sk/psd2tpp&code_verifier=ZnZGfTJZRGVjLS1cPTQ6T343RDlrfUk-XTA8NkhOLlE Response with access token for payment submitting HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Transfer-Encoding: chunked Content-Type: application/json Content-Encoding: gzip Expires: -1 Vary: Accept-Encoding Server-Process-ID: QRFzyzMYP9gL4UrSxBfmRCBqMGT7Spiy Strict-Transport-Security: max-age=31536000; includeSubDomains Date: Tue, 11 Jun 2019 09:02:46 GMT { "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjExYzBhNzg1YWMyZGZiZjEzYmJiNmMyNjhmZTI0ZDY1IiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NjAyNDM3NjYsImV4cCI6MTU2MDI0NDA2NiwiaXNzIjoiaHR0cHM6Ly9hcGlhdXRob3JpemF0aW9uLWFjYy5jc29iLnNrIiwiYXVkIjoiVElEQkJ0cnRINVUiLCJub25jZSI6ImFhYWEiLCJpYXQiOjE1NjAyNDM3NjYsImF0X2hhc2giOiJBSTByM3ZENWM2eHRfZ216NVVxMkZRIiwic2lkIjoiZTdmMDkwZDVlYmIwYmJkZTJiM2Y3Mzg2MzY5MzI1NzUiLCJzdWIiOiJMMXlNMW14RjNpMkNMSWQyTE41SVE5bE44cHdmQm5TSGo3bFUiLCJhdXRoX3RpbWUiOjE1NjAyNDM3MTQsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.vKjMO3wrzOjJPjp47lKEL6tQ5Hj9mCrZQYVuRN9kPbiKi_TJqj9JYLoRtldLPlClvvOlzMpAIbHthDgussOpBPU84QlqtFlVmzrDywd77bjOo0BYfvjdGoKyD9zcbGvU8hj_F9HObv-3Flv7VFtl6RL8dl6Z3nBdcM7wKunKm-Lg6SSPBO2n7B3fTZSC fO91k6pDyY2GXkAjRt4Fkoir7WwIKEXODfpvzMmZIaHzx17wLFIGsZEu-TrkWBNq_B00gsQy8WInOpdDTIf3sx CM8PCxedIRQVaeUJ8iwq_sPGYX5GR1ehlNA2SFJjRxrENfAYZWLFzUm0MPxmFN2XbkgA", "access_token": "aa3a57d8f4d43aca8a5d853cd3552211f994e47645e6dc22e0325c5a6edd0ec3", "expires_in": 1200, "token_type": "Bearer" }