iCard Rest API uses oAuth2 for authorizing the HTTP requests. For more information please refer to the docs: https://www.oauth.com. The oAuth2 Token is sent in the header of every request. The Client ID and Client Secret are available in the iCard Developer Portal OR you can get them when register.
oAuth Credentials
To generate your personal set of credentials for Sandbox, go to your iCard Account. There you can manage your already generated credentials as well as generate new ones. For Production ready application you must use https://api.openbank.icard.com/tpp/register with your valid QWAC Certificate.
Token generation
After obtaining your Client ID and Client Secret, generating an oAuth Token is standard, except you must generate unique authentication session id with valid QWAC Certificate and Client Id.
To generate a token, first send an HTTP POST request to
https://api.openbank.icard.com/generate/auth-id
- For iCard Open Bank API
https://sandbox.openbank.icard.com/generate/auth-id
- For iCard Open bank API Sandbox
POST /generate/auth-id HTTP/1.1
Host: api.openbank.icard.dev
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
client_id=xxxx1234
together with your valid QWAC certfiicate.
After successfully response will you get
{
"auth_id": "04962adf-7cdd-414c-bdea-a92215f693de"
}
You must use it when call authorize endpoint
Then choice provider: ex. iCard DW
After successfully create consent and confirm it with 2FA, you get a response like:
https://redirect.website/callback?code=xxxx1234&state=state1234
Last step is exchange “code” for client access token
POST /token HTTP/1.1 Host: api.openbank.icard.com Content-Type: application/x-www-form-urlencoded Content-Length: 229 code=code1234& \ grant_type=authorization_code& \ client_id=xxx1234& \ client_secret=xxxx1234& \ redirect_uri=https://redirect.website/callback
You will get response:
{
"token_type": "Bearer",
"expires_in": 86400,
"access_token": "eyJ0eXA[....]VmQONULTFmkksuj6lw",
"refresh_token": "def50200[....]2569a5a5978260c3c9ea5"
}