- Person – a physical ConnectPay User.
- Customer – an entity that holds accounts. It can be either Personal or Corporate. A Person can belong to several Customers of any type.
- PSU – Payment Services User – is identified as a unique Person and Customer pair.
ConnectPay APIs are secured using the OAuth 2.0 model, following the Authorization Code Grant flow.
To access your data via the API, each request must present a valid Access Token, which is associated with a Person and a Customer. Your data will not be accessible to other Customers.
E.g., you, as Person X, belong to Customer A and Customer B. You have an Access Token issued to Person X and Customer A. With this Token you will not be able to access Customer B's data.
The request should contain these parameters:
– Client ID from the APP created at the Developer Portal.
– to get an AuthCode for exchange to an Access Token, please use
– unique GUIDv4 string, to mitigate replay attacks.
– space-separated list of desired scopes. PSD2 related scopes:
psd2-ais – to access Account Information Services
psd2-pis – to access Payment Initiation Services
Note. You cannot mix PSD2 and Connect proprietary scopes: a request with mixed scopes will result in an error response.
– unique request identifier. When the Person is redirected back to the TPP, the response will carry the same state parameter, which lets you map the received authCode to the Person's ID in the TPP system.
– Callback URL to which the Person should be redirected back after authentication and authorization. The hostname in this parameter will be validated against the callback URL list provided by the TPP in the APP configuration at the Developer Portal.
Note. Your callback URL cannot contain query parameters. There are no restrictions on path composition.
curl -X GET \
'&scope=psd2-ais psd2-pis' \
ConnectPay will validate the provided details and redirect the User Agent to the ConnectPay Auth Web Application using HTTP code 301 and the redirect URL in
Note. The redirect must NOT be implemented in an HTML iFrame element. The redirect should be in a full window, so the Customer can see the ConnectPay URL and validate its certificate (by clicking the HTTPS lock symbol).
Authentication and Authorization
In the Auth Web App, the PSU will have to authenticate using SCA (Username/Password + SMS OTP/Auth Device), select the desired Customer and grant/deny data access permissions. Permissions are managed using OAuth scopes, requested by the TPP in the Authorize API.
After granting/denying access, the PSU will be redirected back to the TPP. If at least one requested scope was granted, the callback URL will contain the query parameter code with the authorization Code. Use this code to mint an Access Token. The Redirect URL will also contain query parameters
If the PSU chooses to deny all scopes (or any other error occurs on the ConnectPay side), the Redirect URL will not contain code, but will contain
You can use the state parameter to match each Authorize API Request with its Redirect back to TPP Response.
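A TPP-side sketch of the request construction and callback handling described above, added here as an example and not ConnectPay's or any TPP's code. It enforces the rules the page states (GUIDv4 nonce, space-separated scopes, no mixed PSD2/proprietary scopes, callback URL without query parameters, single-use state) and classifies the redirect back by the presence of code. Only scope, state and code are parameter names taken from the page; the other query parameter names and the in-memory `pending` store are assumptions.

```python
import uuid
from urllib.parse import parse_qs, urlparse

# Scopes named on this page; anything else is treated as a Connect proprietary scope.
PSD2_SCOPES = {"psd2-ais", "psd2-pis"}


def build_authorize_params(client_id, scopes, redirect_uri, person_id, pending):
    """Build the Authorize request query and remember which Person it belongs to.

    `pending` is the TPP's store of outstanding requests keyed by state (assumed
    structure). Parameter names other than scope and state are assumed, following
    the usual OAuth 2.0 Authorization Code Grant naming.
    """
    psd2 = [s for s in scopes if s in PSD2_SCOPES]
    if psd2 and len(psd2) != len(scopes):
        raise ValueError("PSD2 and Connect proprietary scopes cannot be mixed")
    if urlparse(redirect_uri).query:
        raise ValueError("callback URL must not contain query parameters")
    state = str(uuid.uuid4())  # unique per request; maps the callback to the Person
    nonce = str(uuid.uuid4())  # GUIDv4, replay mitigation
    pending[state] = {"person_id": person_id, "nonce": nonce}
    return {
        "response_type": "code",       # assumed name
        "client_id": client_id,        # assumed name
        "nonce": nonce,                # assumed name
        "scope": " ".join(scopes),     # space separated, as the page specifies
        "state": state,
        "redirect_uri": redirect_uri,  # assumed name
    }


def handle_callback(callback_url, pending):
    """Classify the redirect back to the TPP. Returns (outcome, code, person_id)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or state not in pending:
        # Unknown state: not a response to a request we issued, so do not act on it.
        raise ValueError("unknown or missing state parameter")
    entry = pending.pop(state)  # state is single-use; a replayed callback is rejected
    code = query.get("code", [None])[0]
    if code:
        # At least one scope was granted: exchange this code for an Access Token.
        return ("granted", code, entry["person_id"])
    # All scopes denied or an error on the ConnectPay side: no code is present.
    return ("denied_or_error", None, entry["person_id"])
```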