Token by secret API call flow

This API authenticates the TPP and issues a short-term access token for passive operations:

  • PISP – for initiating payment order or obtaining payment order status

  • AISP – not applicable

  • PIISP – for obtaining YES/NO confirmation of availability of funds, when explicit consent already exists


Step 1: Get the access token with specific scopes (PISP, PIISP)

Obtaining the access token is based on the OAuth 2.0 Client Credentials grant flow. The TPP obtains these credentials during the enrollment process.

| Token by secret | Version 1 |
|---|---|
| URL LIVE | POST https://api.csob.sk/identity-server/connect/token |
| URL SANDBOX | POST https://api.csob.sk/identity-server-test/connect/token |

The TPP calls this service to obtain a short-term access token, which is needed to verify the TPP in further communication. The access token is valid for 20 minutes only and cannot be renewed. After expiration, a new short-term access token must be issued. The API Explorer web site offers online testing of the API (Try it) and download of the API definition (WADL, Open API).


Request:

Request parameters (Version 1):

grant_type={grant_type}&client_id={client_id}&client_secret={client_secret}&scope={scope}

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| grant_type | Mandatory | String | Value is "client_credentials" |
| client_id | Mandatory | String | TPP ID obtained from enrollment |
| client_secret | Mandatory | String | Secret obtained from enrollment |
| scope | Optional | String | The scope of the access request according to SBAS: PISP, PIISP. These scopes can be combined according to TPP rights. |

Response:

| Attributes structure | Optionality | Type | Description |
|---|---|---|---|
| access_token | Mandatory | String | Short-term access token |
| expires_in | Mandatory | String | Validity of access token in seconds |
| token_type | Mandatory | String | Value is "Bearer" |

Example:

Request

POST https://api.csob.sk/identity-server/connect/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 120
Host: api.csob.sk
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=client_credentials&client_id=TIDgjzKuS7k&client_secret=Pr9jb8Y7Y5bnUxpNcJEhqdV3EiaxcpvK&scope=PISP PIISP


Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server-Process-ID: Ypwq7QA68y77ygYArQq8pCNJQDhmNWur
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Wed, 27 Mar 2019 14:43:28 GMT

{
   "access_token": "b02ab0a7ae7e5f19a85e5e935b4fc0623915a3940e761998cbb46654fe62117f",
   "expires_in": 1200,
   "token_type": "Bearer"
}
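
Added example, not part of the ČSOB documentation: a Python client for the flow above that form-encodes the request, validates the response, and requests a brand-new token shortly before the 20-minute validity ends, since the token cannot be renewed. The names TokenCache, build_form and http_post, the injectable post/clock parameters and the 30-second safety margin are assumptions made for this example.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL_SANDBOX = "https://api.csob.sk/identity-server-test/connect/token"
ALLOWED_SCOPES = {"PISP", "PIISP"}  # the scopes this endpoint documents


def build_form(client_id, client_secret, scopes):
    """URL-encode the client-credentials form; reject undocumented scopes."""
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unsupported scope(s): {sorted(unknown)}")
    fields = {"grant_type": "client_credentials", "client_id": client_id,
              "client_secret": client_secret}
    if scopes:  # scope is optional; several scopes are space-separated
        fields["scope"] = " ".join(scopes)
    return urllib.parse.urlencode(fields).encode("ascii")


def http_post(url, body):
    """Default transport (assumption): a plain HTTPS POST via urllib."""
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


class TokenCache:
    """Caches the short-term token and fetches a new one before it expires."""

    def __init__(self, client_id, client_secret, scopes, url=TOKEN_URL_SANDBOX,
                 post=http_post, clock=time.monotonic, margin=30):
        self._form = build_form(client_id, client_secret, scopes)
        self._url, self._post, self._clock, self._margin = url, post, clock, margin
        self._token, self._deadline = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._deadline:
            doc = json.loads(self._post(self._url, self._form))
            if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
                raise ValueError("unexpected token response")
            # int() accepts expires_in as a number or as a numeric string.
            self._deadline = self._clock() + int(doc["expires_in"]) - self._margin
            self._token = doc["access_token"]
        return self._token

    def __repr__(self):  # keeps the secret and the token out of logs
        return f"TokenCache(url={self._url!r}, cached={self._token is not None})"
```

Passing a fake `post` and `clock` lets the expiry handling be exercised without contacting the bank.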