PSD2 OAuth2 Sandbox

Overview

The OAuth2 API enables a third-party application to obtain secure access to La Banque Postale's APIs.
Whether you are an AISP, a CBPII or a PISP, you will need to retrieve an access token to be able to request our Sandbox endpoints.

The Sandbox allows you to run a full end-to-end test before going into Production, including:

    • Test the integration of your application with our OAuth API
    • Understand the User journey authentication flows
    • Validate the exchange flows between TPP and La Banque Postale

Once Sandbox tests are validated, you can switch to the live APIs.

Functional details

 This API relies on the OAuth 2.0 Authorization Framework defined in RFC 6749.

 Use Cases

 Different authorization grants can be used, depending on the TPP's role and the use case to be applied.

    • Get an access token to request AISP or CBPII APIs, following the OAuth 2.0 Authorization Code Grant procedure
    • Refreshing an access token to request AISP or CBPII APIs
    • Get an access token to request PISP API, following the OAuth 2.0 Client Credentials Grant procedure

 La Banque Postale does not support the refresh token procedure.
Access tokens issued by La Banque Postale for the AISP or CBPII scope have a 90-day lifetime. After 90 days, the TPP must start a new enrolment procedure with the consent of the customer (PSU).

Technical details

Endpoints: https://sandbox.labanquepostale.com

Responses returned by the Sandbox API use the Production format.
The redirect_uri parameter must be URL-encoded and must match the one stored during the APP Register process.
When you use an expired token, you get a 401 - unauthorized error; you must then start a new enrolment procedure with the consent of the customer (PSU).

Prerequisites

 Examples

    •  Authorization code grant for AISP and CBPII

GET /authorize
Query string parameters:

response_type=code&client_id=abh007d2-345c-4asf-8196-fb4kiob2047b&redirect_uri=https%3A%2F%2FmyTPP-App.fr%2Fdsp2%2Fcallback&scope=aisp&state=data_for_TPP_use

 

    • Access token request for AISP and CBPII

POST /token

Headers:

Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWFjNBH3ZDItMzC4Yy00ZGJmLTgxNzYtYks3X0QxZ3Y08xZkg5alI0c0ozaEs2bkY4eUIx

Body:

grant_type=authorization_code&scope=aisp&redirect_uri=https%3A%2F%2FmyTPP-App.fr%2Fdsp2%2Fcallback&code=AAJ542fS7FQieera-PouA1tuGbRG1VaGq_YIiIJF3bOIl9sidP0HEr2zpQpAsGho6ILV2w_-Q

 

    • Access token request for PISP

POST /token

Headers:

Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWFjNBH3ZDItMzC4Yy00ZGJmLTgxNzYtYks3X0QxZ3Y08xZkg5alI0c0ozaEs2bkY4eUIx

Body:

grant_type=client_credentials&scope=pisp
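
The authorization code grant shown above, as an added example that is not La Banque Postale's own code: it builds the /authorize request with a random state, rejects a callback whose state does not match, and builds the POST /token request. The function names are hypothetical, and the Basic header is assumed to be the base64 of client_id:client_secret.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://sandbox.labanquepostale.com"  # Sandbox endpoint given on the page


def build_authorize_url(client_id, redirect_uri, scope="aisp"):
    """Return (url, state); state is a fresh random value bound to this request."""
    state = secrets.token_urlsafe(32)
    query = urlencode({  # urlencode() percent-encodes redirect_uri, as the page requires
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{BASE}/authorize?{query}", state


def parse_callback(callback_url, expected_state):
    """Return the authorization code; raise if state mismatches or no code is present."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    # Constant-time comparison of the returned state with the one stored in the session
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id, client_secret, code, redirect_uri, scope="aisp"):
    """Return (url, headers, body) for POST /token, reusing the /authorize redirect_uri."""
    # Assumption: Basic credentials are base64("client_id:client_secret")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "code": code,
    })
    return f"{BASE}/token", headers, body
```

Store the returned state server-side with the user's session before redirecting, and pass that stored value to parse_callback when the PSU returns.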