<h1 class="main-title-custom">oAuth process</h1>

...

The iCard REST API uses oAuth2 to authorize HTTP requests. For more information, please refer to the docs: https://www.oauth.com. The oAuth2 Token is sent in the header of every request. The Client ID and Client Secret are available in the iCard

...

Developer Portal, or you can get them when you register.

...

oAuth Credentials

To generate your personal set of credentials for Sandbox, go to your iCard Account. There you can manage your already generated credentials as well as generate new ones. For a production-ready application, you must use https://api.openbank.icard.com/tpp/register with your valid QWAC certificate.

Token generation

After obtaining your Client ID and Client Secret, generating an oAuth Token is standard

...

You must use it when calling the authorize endpoint

https://api.openbank.icard.com/

...

authorize?response_type=code&scope=ais+cof+pis&client_id=xxxx1234&state=state1234&redirect_uri=https%3A%2F%2Fredirect.website%2Fcallback

Then choose a provider, e.g. iCard DW

After you successfully create the consent and confirm it with 2FA, you get a response like:

https:/

...

/redirect.website/callback?code=xxxx1234&state=state1234

The last step is to exchange the “code” for a client access token


POST /token HTTP/1.1
Host: api.openbank.icard.com

...

with:

Headers


Content-Type

...

: application/x-www-form-urlencoded

...

Authorization = "Basic " + base64-encoded value of the concatenated Client ID and Client Secret, using a semicolon for concatenation.

Body


Content-Length: 229

code=code1234& \
grant_type=

...

scope = "webhooks" when using oAuth for the WebhookAPI

Token Revocation

To revoke an oAuth Token send an HTTP request to

HTTP POST request to

 with:

Headers

Content-Type = application/x-www-form-urlencoded

Authorization = "Basic " + base64-encoded value of the concatenated Client ID and Client Secret, using a semicolon for concatenation.

Body

token = <the_token_to_revoke>

...

authorization_code& \
client_id=xxx1234& \
client_secret=xxxx1234& \
redirect_uri=https://redirect.website/callback


You will get a response:


{
    "token_type": "Bearer",
    "expires_in": 86400,
    "access_token": "eyJ0eXA[....]VmQONULTFmkksuj6lw",
    "refresh_token": "def50200[....]2569a5a5978260c3c9ea5"
}
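
The authorize, callback and token-exchange steps above, as an added example that is not iCard's own code: it generates a random `state` per authorization request and refuses a callback whose `state` does not match before the code is exchanged. The function names are hypothetical, the authorize endpoint is passed in because the page's URL is partly elided, and the token body uses the `client_id`/`client_secret` form fields shown on the page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_URI = "https://redirect.website/callback"  # sample value from the page


def build_authorize_url(authorize_endpoint, client_id, scope="ais cof pis"):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, unlike a fixed "state1234"
    query = urlencode({
        "response_type": "code",
        "scope": scope,  # urlencode renders the spaces as '+'
        "client_id": client_id,
        "state": state,
        "redirect_uri": REDIRECT_URI,
    })
    return f"{authorize_endpoint}?{query}", state


def parse_callback(callback_url, expected_state):
    """Return the authorization code only if the callback carries our state."""
    params = parse_qs(urlsplit(callback_url).query)
    states = params.get("state", [])
    codes = params.get("code", [])
    # Exactly one value each: duplicated parameters are rejected outright.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("callback must carry exactly one code and one state")
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    return codes[0]


def token_request_body(code, client_id, client_secret):
    """Form-encoded body for POST /token, with the fields the page lists."""
    return urlencode({
        "code": code,
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
    })
```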