Guide to using Lloyds Banking Group APIs
INTRODUCTION
BACKGROUND
There is currently no standardised way for ASPSPs to communicate the differences in ASPSP implementations.
This covers both:
- Differences in on-boarding and directory interactions
- Differences in capability delivered for the Read/Write APIs
The above can create challenges for TPPs, as they will not know:
- What processes to follow in order to onboard with each ASPSP
- Which API endpoints they can call
- What data elements they can receive from different ASPSPs and, for unstructured data, what format they receive it in
Furthermore, TPPs have different sets of requirements for the Read/Write APIs. This is because of their business models, applications and service offerings. Therefore TPPs need the ability to identify which ASPSP implementations are a suitable match for their offerings. This will ensure they can offer a good end user experience.
PURPOSE OF THIS DOCUMENT
This Implementation Variations Guide outlines the variations in Lloyds Banking Group’s Open Banking API endpoint and API response implementation. Information contained within this document aims to make the development of applications by TPPs using Read/Write APIs faster and easier.
END-TO-END API JOURNEY
This section explains how to on-board onto the Lloyds Banking Group Developer Portal and how to complete an end-to-end API journey. In this instance the example used is an Account Information API journey.
Logging on to the Developer Portal
Log into the Developer Portal by clicking the 'Log in with Open banking' button on the top right of the portal. You will need to have logon credentials for a company listed on the Open Banking Production Directory. When you log in, your user is placed into a new Developer Organization corresponding to your company (or it will add you to the organization if it already exists).
ON-BOARD USING DYNAMIC CLIENT REGISTRATION
Follow the On-Board Using Dynamic Client Registration guide for onboarding instructions using DCR.
OTHER USEFUL INFORMATION
- Access our consent domains from a browser:
https://authorise.lloydsbank.co.uk/ib/pb/cwa/404
https://authorise.halifax-online.co.uk/ib/pb/cwa/404
https://authorise.bankofscotland.co.uk/ib/pb/cwa/404
https://authorise.mbna.co.uk/ib/pb/cwa/404
- Our APIs themselves all sit behind the following domains – these are over MA-TLS – so we would like you to try presenting your OB-signed client cert against these to validate that the SSL handshake is working as expected (e.g. by using an appropriate OpenSSL command, in Chrome etc.).
https://secure-api.lloydsbank.com
https://secure-api.halifax.co.uk
https://secure-api.bankofscotland.co.uk
https://secure-api.mbna.co.uk
- Our APIs themselves all sit behind the following domains – these are over MA-TLS – so you will be required to present your eIDAS QWAC client cert against these to validate that the SSL handshake is working as expected (e.g. by using an appropriate OpenSSL command, in Chrome etc.).
https://secure-api-eidas.lloydsbank.com/
https://secure-api-eidas.halifax.co.uk/
https://secure-api-eidas.bankofscotland.co.uk/
https://secure-api-eidas.mbna.co.uk/
The list of supported QTSPs is available in the OBIE Transparency Calendar –
https://openbanking.atlassian.net/wiki/spaces/AD/pages/1130594843/Lloyds+Bank+PLC
- Discovery Endpoints (OBIE) – TLS Client Auth
- Discovery Endpoints (eIDAS) - TLS Client Auth
"token_endpoint_auth_methods_supported":["tls_client_auth"]
- We support Refresh Tokens for fundsconfirmations, accounts, payments (only VRP) scopes.
- Lloyds Banking Group’s Public Keys are available at the Keystore set up by Open Banking Ltd.
- All APIs are secured with TLS Mutual Authentication where certs are signed by Open Banking CA. We do not support JWS client assertion (private_key_jwt); instead we support Mutual-TLS Client Authentication (tls_client_auth).
- Nonce String Limit: When submitting an AISP or PISP request, the maximum length a nonce string can be is 100 characters. Beyond this, the consent will not be activated. As part of our implementation we support registration of an application with multiple OAuth redirect URLs. TPPs can register multiple redirect URLs when creating an application on the Developer Portal.
- For digital signatures we will support PS256 from 13th March 2019; please see Discovery Endpoints for more information. The digital signatures generated by LBG will only use PS256.
TESTING THE ACCOUNT INFORMATION APIS
- Set up Client Credentials Token
In this step you (the AISP) obtain an Access Token using a Client Credentials Grant Type. When an Access Token expires, you will need to request another Access Token.
For Authentication method - tls_client_auth:
curl -k -X POST \
--key ./private-cert.key \
--cert ./public-cert.pem \
--cacert ./ca-cert.pem \
--url {secure-domain}/prod01/lbg/lyds/mtls-token-api/v1.1/token \
--header 'accept: application/json' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&client_id=c1d81a9a-609a-47be-9363-8fa038b987da&scope=accounts'
URL
Parameter | Example Value | Description |
---|---|---|
secure-domain | OBWAC: https://secure-api.lloydsbank.com OBWAC or QWAC: | Please refer to the Other Useful Information section for all brand specific domains |
Certs
Parameter | Example Value | Description |
---|---|---|
CACert | Combination of Root & Intermediate | Must provide in the request if the QWAC transport certs are being used. However, this is optional for the OBWAC, OB Transport. |
Data
Parameter | Example Value | Description |
---|---|---|
grant_type | client_credentials | The grant type being requested |
client_id | c1d81a9a-609a-47be-9363-8fa038b987da | The Client ID of your application registered in the developer portal |
scope | accounts | The scope being requested |
- Invoke the Account Request API
Using the Access Token obtained in step 1, invoke the Accounts API.
curl -k -v --request POST \
--key ./private-cert.key \
--cert ./public-cert.pem \
--cacert ./root-ca.pem \
--compressed \
--url {secure-domain}/prod01/lbg/lyds/open-banking/v3.1/aisp/account-access-consents \
--header 'authorization: Bearer AAIkMDM5NDJmZTUtOGNiMi00NzVmLWIwMTItNDgyZjM0ZTExYzI5ujAPRjg9HCsXYdEx15e-1h8ZdUQvTtI2Q3lkxQl3tv3n1zVlTnK0jbC1xzhnx6XRH7KBbLCr8qzYUBN0pGDSjdKGgYfFw5om5YF zRrq7j4I8_b6KSlgZ1F4Cs7SvpLLJmHSKL0tGPIA0VSsaAyHilg' \
--header 'content-type: application/json; charset=UTF-8' \
--header 'x-fapi-customer-ip-address: REPLACE_THIS_VALUE' \
--header 'x-fapi-customer-last-logged-time: REPLACE_THIS_VALUE' \
--header 'x-fapi-financial-id: REPLACE_THIS_VALUE' \
--header 'x-fapi-interaction-id: REPLACE_THIS_VALUE' \
--header 'x-jws-signature: REPLACE_THIS_VALUE' \
--data '{"Data":{"Permissions":["ReadBeneficiariesBasic"],"ExpirationDateTime":"2018-08-28T15:39:19.515Z","TransactionFromDateTime":"2016-04-02T11:59:32.044Z","TransactionToDateTime":"2017-07-16T17:59:09.521Z"},"Risk":{}}'
URL
Parameter | Example Value | Description |
---|---|---|
secure-domain | Example Value: OB Transport, OBWAC: https://secure-api.lloydsbank.com/ OBWAC, QWAC: | Please refer to the Other Useful Information section for all brand specific domains |
Headers
Parameter | Example Value | Description |
---|---|---|
authorization | Bearer AAIkMDM5NDJmZTUtOGNiMi00NzVmLWIwMTItNDgyZjM0ZTE........ | The access token obtained in step 1 |
Certs
Parameter | Example Value | Description |
---|---|---|
CACert | Combination of Root & Intermediate | Must provide in the request if the QWAC transport certs are being used. However this is optional for the OBWAC, OB Transport. |
Body
Parameter | Example Value | Description |
---|---|---|
Data | {"Data":{"Permissions":["ReadBeneficiariesBasic"],"ExpirationDateTime":"2010-08-28T15:39:19.515Z","TransactionFromDateTime":"2016-04-02T11:59:32.044Z","TransactionToDateTime":"2017-07-16T17:59:09.521Z"},"Risk":{}} | The permissions being requested. Please refer here for a full list of the allowed permissions. |
Take note of the AccountRequestID in the response data. This is required in the next step.
- Authorize Consent
In this step, you create the authorization request (using a signed JWT request containing the AccountRequestId as a claim) for the customer to consent to the account request directly with the ASPSP. Hybrid Flow support is optional in the OB Security Profile.
Using a web browser, invoke the URL below to emulate the customer giving consent (changing the values as required).
Please note for App to App the same consent authorisation endpoints are used. Please refer to section 7 for a full list of Consent Authorisation URLs and Section 9 for an overview of App to App.
URL
Parameter | Example Value | Description |
---|---|---|
response_type | code id_token | The OAuth flow type being used |
client_id | c1d81a9a-609a-47be-9363-8fa038b987da | The Client ID of your application registered in the developer portal |
State | 12345 | The state as specified by the TPP |
scope | openid accounts | The scope being requested |
redirect_uri | | The redirect URL of the application registered in the developer portal. This must match the redirect URL from your software statement on the Open Banking Directory. |
nonce | 4987594875485-j | The nonce as specified by the TPP |
request | eyJhbGciOiJSUzI1NiIsImtpZCI6Ikd4bElpd 2lhblZxc0R1dXNoZ2pFME9UVXhPVGsif Q.eyJpc3MiOiJodHRwczovL2FwaS5hbHB oYWJhbmsuY29tIiwiYXVkIjoiczZCaGRSa 3F0MyIsInJlc3BvbnNlX3R5cGUiOiJjb2RlI GlkX3Rva2VuIiwiY2xpZW50X2lkIjoiczZCa GRSa3F0MyIsInJlZGlyZWN0X3VyaSI6Im h0dHBzOi8vYXBpLm15dHBwLmNvbS9jYi IsInNjb3BlIjoib3BlbmlkIHBheW1lbnRzIGFj Y291bnRzIiwic3RhdGUiOiJhZjBpZmpzbG RraiIsIm5vbmNlIjoibi0wUzZfV3pBMk1qIiw ibWF4X2FnZSI6ODY0MDAsImNsYWltcyI 6eyJ1c2VyaW5mbyI6eyJvcGVuYmFua2lu Z19pbnRlbnRfaWQiOnsidmFsdWUiOiJ1c m46YWxwaGFiYW5rOmludGVudDo4OD M3OSIsImVzc2VudGlhbCI6dHJ1ZX19LC JpZF90b2tlbiI6eyJvcGVuYmFua2luZ19pb nRlbnRfaWQiOnsidmFsdWUiOiJ1cm46Y WxwaGFiYW5rOmludGVudDo4ODM3OSI sImVzc2VudGlhbCI6dHJ1ZX0sImFjciI6ey Jlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI 6WyJ1cm46b3BlbmJhbmtpbmc6cHNkMjp zY2EiLCJ1cm46b3BlbmJhbmtpbmc6cHN kMjpjYSJdfX19fQ.ehVeTgyYW7w9Gbbwp 53h5JyghKc_KV3XU8vSkioJEiTRHj4dUmvjlleLb 7GcohKBI7wHULjQjRTam1Zds_WAtiH2b k86YNQalzf9mt3SVzpIdtCaJdGiMYkD7e Pf2mKDDluSH_HWgiLzy-B5diH5JKtwHVMmxoaLbG4lzoCdo | This is an OIDC request object containing a claim identifying the accounts that need to be authorized. To modify it to support your test scenario use the debugger at https://jwt.io |
Follow the UI flow and at the end of the flow take note of the authorization code and id token appended to the URL (e.g. https://example.com/redirect?code=xxxxxxxxxxxxx&id_token=xxxxxxxxxx).
- Validate the c_hash and the s_hash of the ID Token
At this point, you will now introspect the ID Token and use it as a detached signature to check:
  - The hash of the Authorization Code to prove it hasn't been tampered with during redirect (comparing the hash value against the c_hash attribute in ID Token)
  - The hash of the state to prove it hasn't been tampered with during redirect (comparing the state hash value against the s_hash attribute in the ID Token)
Also validate the signatures using the Lloyds Banking Group public key obtained from the OBIE.
- Get the Access Token required to access the Account
Following the OAuth2.0 protocol, you now exchange the access code for the access token required for step 6.
For Authentication methods – tls_client_auth:
curl -k -v \
--key ./22uobbpbcf1ztrsvxfoaj4.key \
--cert ./22uobbpbcf1ztrsvxfoaj4_open_banking_test_issuing_ca_.pem \
--compressed \
-X POST \
-d 'client_id=c1d81a9a-609a-47be-9363-
8fa038b987da&grant_type=authorization_code&redirect_uri=https://example.com/redirect&cod e=gktvoeyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBMV81Iiwia2lkIjoicTQtMjAxNy1tMi 1ib3MifQ.cB1t7tqgnQ_5Mu0XH2yR3oPfF_8HgrHi7uVSZY67Z77Qu-8K9c_6FVASDyoa-9O0Yi5f XqKMua_FrGveJ1Jur715HNqVaVPrR9v1M3akH8J92Af7nxED1R3647jKeftBkvy89h58 98Aexa6q1nMAsFL9N0W-
5239ztqzNY00Qys4EfqEdKyyUZYvTRcgg0Z8Snw9c4_J48twgHY4DLl5DvGjekPPlLCEe-YebWgIUcb21z8JCudJKFnvQoZNryiT0oYbBeuu_7IVAUzJPvG5KiicnczWssgGX2WRTAj2-i6OGVcOcRpjcdE0RNKLwbBC2q9-HiD9_plMr5VjrkFn9A.9JwONmpP8iZKJh4sXdOskw.3cr4SulCTjU0tSzMrvp3K4zfbJ6t4bXkaq6v 9V-qvnnkGg7Pm8Vwfi906kALBpL3m5FKh19XV1mL7miQonlgRXbeHehkmG7IU-dXmq-suJnb-y4WCSFkHhZDYh2wsxDVY_l9BRZOyknSPjqdorlnwOnZRU0PALwPWhBB3BQFrRxaNLIAETv qjMMmTZssadVt9lZ10DFbfIsGIE78B8pkg-hoHdmFpXVCadnq8JgKi8knwKmUJ6bZqyfZbyR2isXvlAc5Bx1C5VK7png2fw0nPTUBt7H9euU 2gy-UsKo6OInJeDwHpxkQDFM8GFZyMOXyjEae6Zozj4pXAyHAmdKfFwy1Kbv2jyUXq4FCeQHph I 4wKvhgSNOVvA_asOExj8DlGPaIgzphMKseXmKTzWMpv3gRsmIGdZvH7lMhGsq7EZnlheYW UK3f MymJCQXu7jzEBP7DsJfNsCG6S9yG8Aih72_mrAvXjXEU_pqqbL6d8gWJJ4mnwIln-VxBxyO0M759VNgTw4tP93rNAjiPmJGwHQrtBxmg5lR-ET2oxTF_LyZWYFyVmIOiEPwabfvTrZxpcdwTRJK_mXfYGeWABxEZZXlZE7pWHoxusxRdnyl en4s35MHcZjWjCa8DddglkngYAF8l6otGyeuRZqHN6cu32uH5zHx9Z7E_rZmXT3h_uu9QK-
lfhIIaCr8OWMOrDOL.0HPU-Bu1wR8RYCq-5QV0tQ' \
{secure-domain}/prod01/lbg/lyds/mtls-token-api/v1.1/token
URL
Parameter | Example Value | Description |
---|---|---|
secure-domain | OBWAC: https://secure-api.lloydsbank.com/ OBWAC, QWAC: | Please refer to the Other Useful Information section for all brand specific domains |
Certs
Parameter | Example Value | Description |
---|---|---|
CACert | Combination of Root & Intermediate | Must provide in the request if the QWAC transport certs are being used. However, this is optional for the OBWAC, OB Transport. |
Body
Parameter | Example Value | Description |
---|---|---|
client_id | c1d81a9a-609a-47be-9363-8fa038b987da | Client ID of your application registered in the developer portal |
grant_type | authorization_code | The grant type being requested |
redirect_uri | | The redirect URL which must match that of the application registered in the developer portal |
code | gktvoeyJlbmMiOiJBMTI4Q0JDLUhTMjU2I iwiYWxnIjoiUlNBMV81Iiwia2lkIjoicTQtMjA xNy1tMi1ib3MifQ.cB1t7tqgnQ_5Mu0XH2y R3oPfF_8HgrHi7uVSZY67Z77Qu8K9c_6FVASDyoa9O0Yi5fXqKMua_FrGveJ1Jur715HNqVaV PrR9v1M3akH8J92Af7nxED1R3647jKeftB kvy89h5898Aexa6q1nMAsFL9N0W5239ztqzNY00Qys4EfqEdKyyUZYvTRcgg 0Z8Snw9c4_J48twgHY4DLl5DvGjekPPlL CEeYebWgIUcb21z8JCudJKFnvQoZNryiT0oY bBeuu_7IVAUzJPvG5KiicnczWssgGX2W RTAj2- i6OGVcOcRpjcdE0RNKLwbBC2q9- HiD9_plMr5VjrkFn9A.9JwONmpP8iZKJh4 sXdOskw.3cr4SulCTjU0tSzMrvp3K4zfbJ6t 4bXkaq6v9VqvnnkGg7Pm8Vwfi906kALBpL3m5FKh19 XV1mL7miQonlgRXbeHehkmG7IU-dXmqsuJnby4WCSFkHhZDYh2wsxDVY_l9BRZOykn SPjqdorlnwOnZRU0PALwPWhBB3BQFrR xaNLIAETvqjMMmTZssadVt9lZ10DFbfIsG IE78B8pkghoHdmFpXVCadnq8JgKi8knwKmUJ6bZq yfZbyR2isXvlAc5Bx1C5VK7png2fw0nPTU Bt7H9euU2gyUsKo6OInJeDwHpxkQDFM8GFZyMOXyj Eae6Zozj4pXAyHAmdKfFwy1Kbv2jyUXq4 FCeQHphII4wKvhgSNOVvA_asOExj8DlG PaIgzphMKseXmKTzWMpv3gRsmIGdZv H7lMhGsq7EZnlheYWUK3fMymJCQXu7j zEBP7DsJfNsCG6S9yG8Aih72_mrAvXjX EU_pqqbL6d8gWJJ4mnwIlnVxBxyO0M759VNgTw4tP93rNAjiPmJGw HQrtBxmg5lRET2oxTF_LyZWYFyVmIOiEPwabfvTrZxp cdwTRJK_mXfYGeWABxEZZXlZE7pWHo xusxRdnylen4s35MHcZjWjCa8DddglkngY AF8l6otGyeuRZqHN6cu32uH5zHx9Z7E_r ZmXT3h_uu9QKlfhIIaCr8OWMOrDOL.0HPUBu1wR8RYCq-5QV0tQ | The authorisation code retrieved in step 3 |
Take note of the access token and ID Token in the response data.
- Validate the at_hash of the ID Token
At this point, you will now introspect the ID Token and use it as a detached signature to check:
  - The hash of the access token to prove it hasn't been tampered with during redirect (comparing the hash value against the at_hash attribute in ID Token)
Also validate the signature of the ID Token using the Lloyds Banking Group public key obtained from the OBIE.
- Get Accounts
You can use the Access Token to retrieve Accounts (bulk or specific). The following examples are from the Account and Transaction API Specification.
Where the initial Access Token expires, you must obtain a new Access Token.
curl --request GET \
--key ./private-cert.key \
--cert ./public-cert.pem \
--cacert ./root-ca.pem \
--compressed \
--url {secure-domain}/prod01/lbg/lyds/open-banking/v3.1/aisp/accounts \
--header 'accept: application/json; charset=UTF-8' \
--header 'authorization: Bearer gktvoeyJhbGciOiJSUzI1NiIsImtpZCI6InE0LTIwMTctbTEtYm9zIn0.eyJpc3MiOiJsbG95ZHMiLCJ wcml2YXRlIjoiQUFJa01ETTVOREptWlRVdE9HTmlNaTAwTnpWbUxXSXdNVEl0TkRneVpqTT BaVEV4WXpJNXFhRWU5Z0RCQnAwbjBRQU9xRXo4Ti16UTYwbUhPOFZHU1BQTGhkajdzY jFMYV9wX05mYmJkSnQySHRZc0QyakRXMHdYaS13ZVhZV2s5aHhPSWZrb0d3dE9OamZo SU56RFMtYWFxLVlhaW1OWmFQbDMtd1MzUFdva0I0OG5WZW4wMF81NGczeU1zMEhlMk VhdUVhcEZlX3hTeEFRVGt2Q2NHWnhyRmRaWDVHRm9FUEh3UEFjUnptSWhpZ3NZczNiRn RsWkVmR0V3dURTU1V0SWpRQVAzU1ZNNmJxd1ZJQThab3hwazVvRnptWEJLMUl1dHppS 0pMX0IwN0ZhYldHOE5qaWtUWHREcXFudDNLbVVhNjVac2dGT3BZT2VUQUFXTkdmdnBK MDhZRnV2MnhvOVRjcmRlejYxdjZCSFBaZkdpLW9tMF9BUjk5NnZRSDJqOTZONE5XM0lNM 0VIWGpVZG9lMWpoU0ZpcTc4eGhxWXU5MENicHhnSDJ4eng1Y2h6QlN1WHJNalY2VnVSZ2 ZMMUZoRXNZRjlTY1FKQlRuNmlIVjhLODZDQ0RtZGJuZjFGQjVybTNQWkZFdFZid0RCYmhB dmhQeXI4bkp6ei1lZkJnVzBrcWNnIn0.dmev3qQ4I14Vgps9Z7rjAJn31Zsepw8m15GWCqeSHL OvlGvbi2RS_uUdDpKAQg3aUpSvJUbffLP0RfG4RVLlYVI2vPlSKzO9L1eHZj7QM_S7p03g1cX CFowZye8IgWolBsVNd4MOIq9rQWHW3ywrS8Fx9S9tum7wIvn8tqIluQqLRa5c-oKthWW5uz66M8IHfrigeMCOYWsboG5uF0aKni20C1sLHGFWMDZU1M3n25bV0AZh7INvDoB 7EloIgr8IQiOZj0BSPKNtIDMGTXlixM8uVlW6eUJS3Z9dgvO7' \
--header 'x-fapi-customer-ip-address: REPLACE_THIS_VALUE' \
--header 'x-fapi-customer-last-logged-time: REPLACE_THIS_VALUE' \
--header 'x-fapi-financial-id: REPLACE_THIS_VALUE' \
--header 'x-fapi-interaction-id: REPLACE_THIS_VALUE'
URL
Parameter | Example Value | Description |
---|---|---|
secure-domain | OBWAC: https://secure-api.lloydsbank.com OBWAC, QWAC: | Please refer to the Other Useful Information section for all brand specific domains |
Certs
Parameter | Example Value | Description |
---|---|---|
CACert | Combination of Root & Intermediate | Must provide in the request if the QWAC transport certs are being used. However, this is optional for the OBWAC, OB Transport. |
Headers
Parameter | Example Value | Description |
---|---|---|
authorization | Bearer gktvoeyJhbGciOiJSUzI1NiIsImtpZCI6InE0 LTIwMTctbTEtYm9zIn0.eyJpc3MiOiJsbG9 5ZHMiLCJwcml2YXRlIjoiQUFJa01ETTVO REptWlRVdE9HTmlNaTAwTnpWbUxXSX dNVEl0TkRneVpqTTBaVEV4WXpJNXFh RWU5Z0RCQnAwbjBRQU9xRXo4Ti16UT YwbUhPOFZHU1BQTGhkajdzYjFMYV9w X05mYmJkSnQySHRZc0QyakRXMHdYa S13ZVhZV2s5aHhPSWZrb0d3dE9OamZ oSU56RFMtYWFxLVlhaW1OWmFQbDMt d1MzUFdva0I0OG5WZW4wMF81NGcze U1zMEhlMkVhdUVhcEZlX3hTeEFRVGt2 Q2NHWnhyRmRaWDVHRm9FUEh3UEFj UnptSWhpZ3NZczNiRnRsWkVmR0V3dU RTU1V0SWpRQVAzU1ZNNmJxd1ZJQTh ab3hwazVvRnptWEJLMUl1dHppS0pMX0I wN0ZhYldHOE5qaWtUWHREcXFudDNL bVVhNjVac2dGT3BZT2VUQUFXTkdmdn BKMDhZRnV2MnhvOVRjcmRlejYxdjZCS FBaZkdpLW9tMF9BUjk5NnZRSDJqOTZ ONE5XM0lNM0VIWGpVZG9lMWpoU0Zp cTc4eGhxWXU5MENicHhnSDJ4eng1Y2h 6QlN1WHJNalY2VnVSZ2ZMMUZoRXNZ RjlTY1FKQlRuNmlIVjhLODZDQ0RtZGJuZ jFGQjVybTNQWkZFdFZid0RCYmhBdmh QeXI4bkp6ei1lZkJnVzBrcWNnIn0.dmev3q Q4I14Vgps9Z7rjAJn31Zsepw8m15GWCq eSHLOvlGvbi2RS_uUdDpKAQg3aUpSvJ UbffLP0RfG4RVLlYVI2vPlSKzO9L1eHZj7 QM_S7p03g1cXCFowZye8IgWolBsVNd4 MOIq9rQWHW3ywrS8Fx9S9tum7wIvn8tq IluQqLRa5coKthWW5uz66M8IHfrigeMCOYWsboG5u F0aKni20C1sLHGFWMDZU1M3n25bV0A Zh7INvDoB7EloIgr8IQiOZj0BSPKNtIDMG TXlixM8uVlW6eUJS3Z9dgvO7- LxJrphDeg26ZrYQyMFDxVXjA8VmP2KB 0lnDggbvLwrHkw | The token obtained in step 5 |
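The c_hash, s_hash and at_hash checks from the two validation steps above, as an added example that is not Lloyds Banking Group code. It assumes the ID Token signature has already been verified with a JOSE library against the LBG public key, and the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Hash selected by the bit size in the JWS "alg" name (PS256 -> SHA-256).
HASH_BY_BITS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str, alg: str = "PS256") -> str:
    """base64url of the left-most half of hash(ASCII(value)): the c_hash/s_hash/at_hash form."""
    digest = HASH_BY_BITS[alg[-3:]](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def decode_unverified(id_token: str):
    """Return (header, claims) of a compact JWS. Does NOT verify the signature."""
    header_b64, claims_b64, _signature = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def check_bound_values(id_token, *, code=None, state=None, access_token=None,
                       allowed_algs=("PS256",)):
    """Return the names of the checks that failed; an empty list means all passed."""
    header, claims = decode_unverified(id_token)
    alg = header.get("alg")
    if alg not in allowed_algs:  # this guide states that LBG signs with PS256 only
        return [f"unexpected alg {alg!r}"]
    failures = []
    for claim, value in (("c_hash", code), ("s_hash", state), ("at_hash", access_token)):
        if value is None:
            continue  # the caller did not supply this value at this step
        expected = claims.get(claim)
        actual = half_hash(value, alg)
        # A missing claim counts as a failure, not as a skipped check.
        if not isinstance(expected, str) or not hmac.compare_digest(
                expected.encode(), actual.encode()):
            failures.append(claim)
    return failures


def make_sample_id_token(code, state, access_token=None, alg="PS256"):
    """Build a CONSTRUCTED token with a dummy signature, for the demonstration only."""
    claims = {"c_hash": half_hash(code, alg), "s_hash": half_hash(state, alg)}
    if access_token is not None:
        claims["at_hash"] = half_hash(access_token, alg)
    header = {"alg": alg, "kid": "constructed-kid"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    return ".".join(parts + [b64url(b"not-a-real-signature")])


if __name__ == "__main__":
    code, state, token = "constructed-auth-code", "12345", "constructed-access-token"
    # After the redirect: check the code and state against the ID Token from the URL.
    redirect_id_token = make_sample_id_token(code, state)
    print(check_bound_values(redirect_id_token, code=code, state=state))
    print(check_bound_values(redirect_id_token, code=code + "x", state=state))
    # After the token call: check the access token against the ID Token in the response.
    response_id_token = make_sample_id_token(code, state, token)
    print(check_bound_values(response_id_token, access_token=token))
```
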
REFRESH TOKEN
When the TPP makes the token call to exchange the Access code for an Access Token using the Authorization Code Grant Type, they get back a Refresh Token in addition to the Access Token. This Refresh Token is valid for 365 days and the Access Token itself is valid for 90 days. TPPs will need to ensure that they make the token call with the Refresh Token Grant Type, exchanging the Refresh Token for a new Access Token and Refresh Token, before the existing Refresh Token expires, to avoid the customer having to complete a re-authentication journey. Refresh Tokens are one-time-use tokens: each time the TPP uses one, they will receive a new set of Access and Refresh Tokens.
Refresh Token is only available for consumers of Accounts and Transactions, Confirmation of Funds, and Variable Recurring Payment APIs.
curl -k -X POST \
--key ./private-cert.key \
--cert ./public-cert.pem \
--cacert ./ca-cert.pem \
--url {secure-domain}/prod01/lbg/lyds/mtls-token-api/v1.1/token \
--header 'accept: application/json' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=refresh_token&client_id=c1d81a9a-609a-47be-9363-8fa038b987da&refresh_token=AAImRuf QlWgaSyEiT6aw-0MhiivaI5daPew3iL9ulWrYkcHVZ-ZutghJ86mRdxLL6NuKKswePJwGWYqXR21TtqETu-v0Xeov1iqJrHiqYFP65pwh6FUbIdTG3nLJ5MKAzmCda6ZfCBW6gYo0eGKBd-qBC9CU35WV8zLLWtSXk83IGuvYtJemxUyh1P_vpNGEQXzMfCr7K4jiJmqyuETT-FyLRPv495gvPAszcyDfHCciYvaQTgfiCcmvI_WOa6kImepD87Bcep1DHbV8dm6wcPSXxkbmT kw2UsNgpWhkNAGKjzvkgt7LW2akF0IizRLFtpyV-CbgiTw2yBeBR_kRMHTT6vR7yzZgLzWAgWHIqOSxPEbaAHW6uIeZgcfSb4CkURs251sxeQtn udJRFywd-0PQxNHweVBu9mDmlogGCF_PvmMb71OwyAGBBlm7oTGd4afIS_h0-i5_ByNtnBhu_d4sn0U2cN'
URL
Parameter | Example Value | Description |
---|---|---|
secure-domain |
Example Value: OB Transport, OBWAC: https://secure-api.lloydsbank.com OBWAC, QWAC: |
Please refer to the Other Useful Information section for all brand specific domains |
Certs
Parameter | Example Value | Description |
---|---|---|
CACert |
Combination of Root & Intermediate |
Must provide in the request if the QWAC transport certs are being used. However this is optional for the OBWAC, OB Transport. |
Data
Parameter | Example Value | Description |
---|---|---|
grant_type | refresh_token | The grant type being requested |
client_id | c1d81a9a-609a-47be-9363-8fa038b987da | The Client ID of your application registered in the developer portal |
refresh_token | AAImRufQlWgaSyEiT6aw0MhiivaI5daPew3iL9ulWrYkcH VZZutghJ86mRdxLL6NuKKsweP JwGWYqXR21TtqETuv0Xeov1iqJrHiqYFP65pwh6FU bIdTG3nLJ5MKAzmCda6ZfCB W6gYo0eGKBdqBC9CU35WV8zLLWtSXk83I GuvYtJemxUyh1P_vpNGEQXz MfCr7K4jiJmqyuETTFyLRPv495gvPAszcyDfHCciY vaQTgfiCcmvI_WOa6kImepD8 7Bcep1DHbV8dm6wcPSXxkb mTkw2UsNgpWhkNAGKjzvkgt 7LW2akF0IizRLFtpyVCbgiTw2yBeBR_kRMHTT6vR 7yzZgLzWAgWHIqOSxPEbaA HW6uIeZgcfSb4CkURs251sxe QtnudJRFywd0PQxNHweVBu9mDmlogGCF _PvmMb71OwyAGBBlm7oTG d4afIS_h0- i5_ByNtnBhu_d4sn0U2cN' | Refresh token received with the previous Access token |
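An added example (not Lloyds Banking Group code) of client-side handling for the one-time-use Refresh Tokens described above: it replaces both tokens together after every refresh and signals when rotation or re-authentication is due. `TokenManager`, `token_call` and `FakeTokenEndpoint` are hypothetical names, and the example assumes both validity periods run from the moment a token set is issued.

```python
import itertools
from dataclasses import dataclass

DAY = 86_400
ACCESS_TTL = 90 * DAY    # Access Token validity stated in this guide
REFRESH_TTL = 365 * DAY  # Refresh Token validity stated in this guide


class ReauthenticationRequired(Exception):
    """No usable Refresh Token: the customer has to complete the consent journey again."""


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    issued_at: float  # assumption: both validity periods run from this moment


class TokenManager:
    def __init__(self, client_id, token_call, tokens, rotate_margin=30 * DAY):
        self.client_id = client_id
        # Hypothetical callable: POSTs the form to the token endpoint over mTLS
        # and returns the decoded JSON body as a dict.
        self.token_call = token_call
        self.tokens = tokens
        self.rotate_margin = rotate_margin

    def rotation_due(self, now):
        """True when a scheduled job should refresh even if no data request is pending."""
        return now >= self.tokens.issued_at + REFRESH_TTL - self.rotate_margin

    def access_token(self, now):
        """Return a usable Access Token, refreshing first when one is needed."""
        if now >= self.tokens.issued_at + ACCESS_TTL or self.rotation_due(now):
            self.refresh(now)
        return self.tokens.access_token

    def refresh(self, now):
        if now >= self.tokens.issued_at + REFRESH_TTL:
            raise ReauthenticationRequired("refresh token expired")
        reply = self.token_call({
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "refresh_token": self.tokens.refresh_token,
        })
        if reply.get("error") == "invalid_grant":
            raise ReauthenticationRequired("refresh token rejected")
        if "access_token" not in reply or "refresh_token" not in reply:
            raise RuntimeError(f"unexpected token response: {sorted(reply)}")
        # Replace both tokens in one step: the Refresh Token just sent is now spent,
        # so keeping it would make the next refresh fail.
        self.tokens = TokenSet(reply["access_token"], reply["refresh_token"], now)


class FakeTokenEndpoint:
    """CONSTRUCTED stand-in for the token endpoint: each Refresh Token works once."""

    def __init__(self):
        self._counter = itertools.count(1)
        self.live = set()

    def issue(self):
        n = next(self._counter)
        self.live.add(f"rt-{n}")
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}"}

    def __call__(self, form):
        if form["grant_type"] != "refresh_token" or form["refresh_token"] not in self.live:
            return {"error": "invalid_grant"}
        self.live.discard(form["refresh_token"])
        return self.issue()


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    first = endpoint.issue()
    manager = TokenManager("constructed-client-id", endpoint,
                           TokenSet(first["access_token"], first["refresh_token"], 0))
    print(manager.access_token(10 * DAY))   # still the first Access Token
    print(manager.access_token(91 * DAY))   # refreshed: new Access and Refresh Tokens
    print(manager.rotation_due(431 * DAY))  # dormant consent: rotate before expiry
```
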
CUSTOMER CONSENT
Consent Authorise Endpoints
The below table describes all the Authorisation endpoints required to initiate the customer consent process. Consent authorisation endpoints are segment and brand specific, e.g. https://authorise-api.lloydsbank.co.uk/prod01/lbg/lyds/personal/mtls-token-api/v1.1/authorize is for the Lloyds brand and the Retail segment.
Customer Consent Variations
There are several important implementation variations relating to our customer consent process that TPPs should be aware of. These are detailed in the table below:
Exception | Description |
---|---|
Re-authorisation of consent |
Article 10A exemptions will apply; this means for an active consent no further SCA is required for balance and transaction requests. LBG will apply SCA if requested by the AISP for the purpose of responding with transaction data sets beyond 90 days and/or other AIS endpoints (other than balance), or where objective reasons allow LBG to ‘step-up’ such as fraud management. When an access token, which has a validity of 90 days, expires, then the TPP can request a new access token by using a refresh token that is issued along with the access token when a consent is authorised. The customer will not be required to do a reauthentication for the TPP to get a new access token. However, if the refresh token, which has a validity of 365 days, has also expired, then the TPP will need to initiate a reauthentication to get a fresh set of access and refresh tokens. Please note: When an account is closed, it can take up to 24hrs for the account holding record to be fully updated to all of our systems. During this period of synchronisation, it is technically possible for a customer to initiate a re-authentication, however given the actual account is closed we will not share balance or transaction data, nor would it be possible to execute a payment. |
Customer journey timeouts | The timeout period for a customer undertaking an AISP, a PISP or a CoF journey is 20 minutes from the start of session, however the timeout also happens in case of 10 minutes of inactivity during this 20 minutes period. At the point of the timeout, the user will be redirected to the bank’s public site. |
Abandoned customer journeys | If during an AISP, a PISP or a CoF journey, a customer closes the browser by mistake, the customer will have to start the journey afresh with the TPP. |
Suspended customer consents | We are able to suspend and reactivate customer consents to TPPs, on a customer's behalf. |
Redirect Errors
As per the OBL requirement for V4.0, whenever an error occurs after a PSU is redirected to the ASPSP to complete authentication, the ASPSP will return error_description in the ISO code format along with the error in the redirect URL. This is an optional requirement from OBL.
Example of Current redirect url
Redirect_URI#state=stateFromRequest&error={{}}
Redirect_URI#state=stateFromRequest&error=access_denied
Example of Redirect url going forward
Redirect_URI#state=stateFromRequest&error={{}}&error_description={{}}
Redirect_URI#state=stateFromRequest&error=access_denied&error_description=U033
As defined in OBL requirement ISO code - U033 = Authorisation failed
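An added example (not Lloyds Banking Group code) of a TPP callback handler that accepts both redirect formats shown above, with and without error_description. The function and exception names and the sample URLs are constructed, and reading parameters from the URL fragment with a fallback to the query string is an assumption.

```python
import hmac
from urllib.parse import parse_qsl, urlsplit

# The only ISO code this guide defines; any other code is reported without a meaning.
ISO_ERROR_MEANING = {"U033": "Authorisation failed"}


class RedirectRejected(Exception):
    """The callback cannot be trusted and must not be processed further."""


def parse_callback(url, expected_state):
    """Parse the redirect back from the bank and return a dict describing the outcome."""
    parts = urlsplit(url)
    # The error examples carry their parameters in the fragment; fall back to the query.
    pairs = parse_qsl(parts.fragment or parts.query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        raise RedirectRejected("duplicate parameter in callback")
    # Check state before anything else so unsolicited callbacks are dropped early.
    state = params.get("state", "")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise RedirectRejected("state does not match the value sent in the request")
    if "error" in params:
        iso_code = params.get("error_description")  # absent in the current format
        return {
            "outcome": "error",
            "error": params["error"],
            "iso_code": iso_code,
            "meaning": ISO_ERROR_MEANING.get(iso_code),
        }
    if not params.get("code") or not params.get("id_token"):
        raise RedirectRejected("neither an error nor a code and id_token were returned")
    # The code and id_token still need the c_hash and s_hash checks before use.
    return {"outcome": "authorised", "code": params["code"], "id_token": params["id_token"]}


if __name__ == "__main__":
    # CONSTRUCTED callback URLs following the two formats in this section.
    samples = [
        "https://tpp.example/cb#state=s1&error=access_denied",
        "https://tpp.example/cb#state=s1&error=access_denied&error_description=U033",
    ]
    for sample in samples:
        print(parse_callback(sample, expected_state="s1"))
```
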
APP TO APP
The following section contains useful information for TPPs who wish to initiate App to App re-direction for Lloyds Banking Group Mobile apps.
OVERVIEW
App to App enables TPPs to initiate the Authorisation and Consent journey via the Lloyds Banking Group Personal and Business Banking mobile applications. This allows the TPP to redirect a user from the TPP application (in a mobile web browser or mobile app) to the Lloyds Banking Group mobile application installed on the user’s device and deep link the user into the Lloyds Banking Group mobile application login screen. The user is then authenticated on their Lloyds Banking Group mobile application using the same credentials/methods as normally used when the user logs into their account using the application (e.g. biometric). In the scenarios where the user does not have the Lloyds Banking Group mobile application installed, they will be redirected to the Lloyds Banking Group browser journey as normal.
APP TO APP IMPLEMENTATION
There are no additional changes required by the TPP to implement App to App. The consent authorisation endpoints listed in Section 7 will automatically re-direct customers to the relevant Lloyds Banking Group mobile app. If TPPs support a desktop journey only, then the authorisation endpoints in Section 7 will continue to re-direct customers to the Lloyds Banking Group desktop consent authorisation journey.
App to App Variations
Notable implementation variations relating to App to App and Browser to App.
Commercial Journeys | App to App functionality is not supported for Lloyds Bank and Bank of Scotland Commercial customers. |
Android Users | When non-Chrome browsers (like Samsung browser or Firefox browser) are used to perform the journey and/or are default browsers in the phone, they don’t let the universal link open the native application, even if the native application is already installed. They force the user to stay in the browser journey. To enable the journey to continue in the native app, “Open links in native app” setting must be enabled in these browsers or Chrome browser, which always works with universal links, should be used. |
ACCOUNT AND TRANSACTION SERVICES
This section provides an overview of how to use our Account and transaction Services APIs. It is intended to help AISPs integrate applications and services with our APIs and details scope and any variations from Open Banking API specifications.
This detail should be read in conjunction with Open Banking Specifications and our API Products:
- Account and Transaction API Specification can be found here: v3.10 and v4.0
- API Products can be found here
Account and Transaction Scope
The below table details the Account and Transaction Services that are supported by Lloyds Banking Group across our Channels and Products.
These are available to use to request Account and Transaction from Current and Savings accounts on our core brands Lloyds Bank, Bank of Scotland, Halifax (Retail only). In addition, we also support our core brands and MBNA brand for Retail Credit Cards.
Account and Transaction Endpoints | Retail | Business | Commercial | ||||||
---|---|---|---|---|---|---|---|---|---|
Current Account | Savings Account | Credit Cards | Current Account | Savings Account | Credit Cards | Current Account(Sterling) | Current Account(Non-Sterling) | ||
Account Access Consent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Accounts | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Balances | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Transactions | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Beneficiaries(Domestic) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Beneficiaries(International) | ✓ | ✓ | ✓ | ✓ | |||||
Direct Debit | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Standing Order | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
Products | ✓ | ✓ | ✓ | ✓ | |||||
Offers | ✓ | ✓ | |||||||
Parties | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
Schedule Payments | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Statements | ✓ | ✓ | ✓ | ✓ |
Account Access Consent Variations
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Accounts | Saving Accounts | Credit Cards Accounts |
---|---|---|---|
OBReadConsentResponse1.Data | ✓ | ✓ | ✓ |
ConsentId | ✓ | ✓ | ✓ |
Account Request Id | ✓ | ✓ | |
Status | ✓ | ✓ | ✓ |
CreationDateTime | ✓ | ✓ | ✓ |
StatusUpdateDateTime | ✓ | ✓ | ✓ |
Permissions | ✓ | ✓ | ✓ |
ExpirationDateTime | ✓ | ✓ | ✓ |
TransactionFromDateTime | ✓ | ✓ | ✓ |
TransactionToDateTime | ✓ | ✓ | ✓ |
ACCOUNTS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Accounts | Saving Accounts | Credit Cards |
---|---|---|---|
Data.Account | ✓ | ✓ | ✓ |
AccountId | ✓ | ✓ | ✓ |
Currency | ✓ | ✓ | |
AccountCategory | ✓ | ✓ | ✓ |
AccountTypeCode | ✓ | ✓ | ✓ |
Maturity Date | ✓ | ||
NickName | ✓ | ✓ | |
Opening Date | ✓ | ✓ | ✓ |
SwitchStatus | ✓ | ||
Data.Account.Account | ✓ | ✓ | ✓ |
SchemeName | ✓ | ✓ | ✓ |
Identification | ✓ | ✓ | ✓ |
Name | ✓ | ✓ | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
GET /accounts GET /accounts/{AccountId} |
Field name “SwitchStatus” Field will be returned and populated with the value UK.CASS.SwitchCompleted only when an account has been switched out to a different bank. Applicable for retail and business current accounts. |
GET /accounts GET /accounts/{AccountId} |
Field name “Name” The account name displayed for different customer segments are given below
|
BALANCES VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Accounts | Saving Accounts | Credit Cards |
---|---|---|---|
Data.Account | ✓ | ✓ | ✓ |
AccountId | ✓ | ✓ | ✓ |
CreditDebitIndicator | ✓ | ✓ | ✓ |
DateTime | ✓ | ✓ | ✓ |
Type | ✓ | ✓ | ✓ |
Data.Balance.Amount | ✓ | ✓ | ✓ |
Amount | ✓ | ✓ | ✓ |
Currency | ✓ | ✓ | ✓ |
Data.Balance.CreditLine | ✓ | ✓ | ✓ |
Included | ✓ | ✓ | ✓ |
Type | ✓ | ✓ | ✓ |
Data.Balance.CreditLine.Amount | ✓ | ✓ | ✓ |
Amount | ✓ | ✓ | ✓ |
Currency | ✓ | ✓ | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
GET /accounts/{AccountId}/balances |
High Cost of Credit: Field name “Type” Due to High Cost of Credit (HCC) regulatory requirements the ‘Available’ balance (balance including pending transactions) returned by the /balance endpoint will no longer include the pre-agreed credit (overdraft) the account may have. The ‘Available’ balance shown to the customer in the PISP consent journeys will also change in line with these requirements. In addition, to align with our online channels we will be removing the ‘Credit’ and ‘Available’ optional fields from the Credit line sub section of the /balance endpoint. These changes will only apply to PCAs and BCAs |
GET /accounts/{AccountId}/balances |
Field name “Amount” The credit line amount returned for commercial customers who are registered for LBG CBO (Commercial Banking Online) channel are of advisory value only as it may not reflect the complex overdraft and credit facilities available to these customers. |
TRANSACTIONS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Accounts | Saving Accounts | Credit Cards |
---|---|---|---|
Data.Transaction | ✓ | ✓ | ✓ |
AccountId | ✓ | ✓ | ✓ |
TransactionReference | ✓ | ✓ | ✓ |
Amount | ✓ | ✓ | ✓ |
Currency | ✓ | ✓ | ✓ |
CreditDebitIndicator | ✓ | ✓ | ✓ |
Status | ✓ | ✓ | ✓ |
BookingDateTime | ✓ | ✓ | ✓ |
ValueDateTime | ✓ | ✓ | ✓ |
TransactionInformation | ✓ | ✓ | ✓ |
AddressLine | ✓ | ✓ | |
Data.Transaction.Amount | ✓ | ✓ | ✓ |
Amount | ✓ | ✓ | ✓ |
Currency | ✓ | ✓ | ✓ |
Data.Transaction.BankTransactionCode | ✓ | ✓ | |
Code | ✓ | ✓ | |
SubCode | ✓ | ✓ | |
Data.Transaction.ProprietaryBankTransactionCode | ✓ | ✓ | ✓ |
Code | ✓ | ✓ | ✓ |
Issuer | ✓ | ✓ | ✓ |
Data.Transaction.Balance | ✓ | ✓ | |
Amount | ✓ | ✓ | |
Currency | ✓ | ✓ | |
CreditDebitIndicator | ✓ | ✓ | |
Type | ✓ | ✓ | |
Data.Transaction.MerchantDetails | ✓ | ✓ | |
MerchantName | ✓ | ✓ | |
MerchantCategoryCode | ✓ | ✓ | |
Data.Transaction.CardInstruments | ✓ | | |
CardSchemeName | ✓ | | |
Authorisation Type | ✓ | | |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
/account/{AccountID}/Transactions |
Transactions exception For the following transaction there will be two records provided to TPP:
A "pending" record - for this record LBG will apply the "Value Date" to the "Booking Date" field. A "booked" record - for this record LBG will apply the "Booking Date" to the "Value Date" field. |
/account/{AccountID}/Transactions |
Partial Transactions No partial transaction data will be provided to TPPs. Instead, the TPP will be sent a 400 response. |
/account/{AccountID}/Transactions |
Transaction reference "TransactionReference" will only be provided for posted transactions that have Transaction Code "FPO". |
/account/{AccountID}/Transactions |
Transaction date and time Although we comply with the full ISO date-time formats, transaction “from” and “to” booking dates that have the time segment set can be subject to date roll, which could affect the set of transactions served. |
/account/{AccountID}/Transactions |
Credit card transactions Credit cards only: transactions are returned in reverse chronological order. However, if the statement is created with payments pending, they will be posted in the following statement period and may appear out of sequence. Business credit card: in addition, posted transactions for business credit cards will be displayed starting with Primary card transactions followed by Subsidiary card transactions, and transactions within the Primary card and Subsidiary card groups will be displayed in reverse chronological order. |
/accounts/{AccountId}/Transactions |
Merchant category code The merchant category code for balance transfer and money transfer will not be returned to the TPP as these are used only for internal processing. |
BENEFICIARIES VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.Beneficiary | ✓ |
AccountId | ✓ |
BeneficiaryId | ✓ |
Reference | ✓ |
Data.Beneficiary.SupplementaryData | ✓ |
Data.Beneficiary.CreditorAccount | ✓ |
SchemeName | ✓ |
Identification | ✓ |
Name | ✓ |
Data.Beneficiary.CreditorAgent | ✓ |
SchemeName | ✓ |
Identification | ✓ |
Name | ✓ |
Data.Beneficiary.CreditorAgent.PostalAddress | ✓ |
Country | ✓ |
AddressLine | ✓ |
Data.Beneficiary.SupplementaryData | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
/accounts/{AccountId}/beneficiaries |
Display order for beneficiaries Beneficiaries are returned in the following order
Domestic beneficiaries will be displayed in one page. When the last domestic beneficiary is displayed or where no domestic beneficiaries are available, selection of the next link will display international beneficiaries where available. When the last international beneficiary is displayed or where no international beneficiaries are available, selection of the next link will display BACS beneficiaries where available. Once the last record is displayed or where no record is available, the next link will not be presented. The beneficiaries endpoint response may include the same beneficiary listed under both domestic and BACS beneficiaries for a given Account ID. |
/accounts/{AccountId}/beneficiaries |
Beneficiary postal address This will contain the Beneficiary Address for the International Beneficiaries |
/accounts/{AccountId}/beneficiaries |
Field name “Name” Name of the account, as assigned by the account servicing institution, in agreement with the account owner to provide an additional means of identification of the account. Usage: The account name is different from the account owner name. The account name is used in certain user communities to provide a means of identifying the account, in addition to the account owner's identity and the account number. |
/accounts/{AccountId}/beneficiaries |
Field name "SchemeName” Name of the identification scheme, in a coded form as published in an external list |
/accounts/{AccountId}/beneficiaries |
Beneficiary This includes Domestic, BACS and International beneficiaries for Commercial accounts. All beneficiaries returned in this endpoint are “trusted” beneficiaries. |
DIRECT DEBITS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.DirectDebit | ✓ |
AccountId | ✓ |
DirectDebitStatusCode | ✓ |
Name | ✓ |
PreviousPaymentDateTime | ✓ |
Data.DirectDebit.MandateRelatedInformation | ✓ |
MandateIdentification | ✓ |
Data.DirectDebit.MandateRelatedInformation.Frequency | ✓ |
Type | ✓ |
Data.DirectDebit.PreviousPaymentAmount | ✓ |
Amount | ✓ |
Currency | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
GET /accounts/{Accountid}/direct-debits |
Commercial CBO A maximum of 500 direct debits per account is returned for commercial (CBO) customers. For more information about Direct Debits not shown please visit our Support Centre. |
STANDING ORDERS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.StandingOrder | ✓ |
AccountId | ✓ |
NextPaymentDateTime | ✓ |
StandingOrderStatusCode | ✓ |
Data.StandingOrder.CreditorAccount | ✓ |
SchemeName | ✓ |
Identification | ✓ |
Name | ✓ |
Data.StandingOrder.CreditorAgent | ✓ |
SchemeName | ✓ |
Identification | ✓ |
Name | ✓ |
Data.StandingOrder.FinalPaymentAmount | ✓ |
Amount | ✓ |
Currency | ✓ |
Data.StandingOrder.FirstPaymentAmount | ✓ |
Amount | ✓ |
Currency | ✓ |
Data.StandingOrder.MandateRelatedInformation.Frequency | ✓ |
Type | ✓ |
Data.StandingOrder.NextPaymentAmount | ✓ |
Amount | ✓ |
Currency | ✓ |
Data.StandingOrder.RemittanceInformation | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
GET /accounts/{AccountId}/standing-orders |
Commercial CBO Maximum of 500 standing orders for commercial (CBO) customers per account. For more information about Standing Orders not shown please visit our Support Centre. |
PRODUCTS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.Product | ✓ |
ProductId | ✓ |
ProductName | ✓ |
SecondaryProductId | ✓ |
Data.Product.PCA.ProductDetails | ✓ |
ProductDetails | ✓ |
CreditInterest | ✓ |
Overdraft | ✓ |
CreditInterest.TierBandSet | ✓ |
TierValueMax | ✓ |
OtherFeesCharges | ✓ |
Data.Product.BCA.ProductDetails | ✓ |
CreditInterest | ✓ |
Overdraft | ✓ |
OtherFeesCharges | ✓ |
Data.Product.OtherProducts Type | ✓ |
OtherProductType | ✓ |
Name | ✓ |
Description | ✓ |
MaturityDate | ✓ |
Data.Product.BCA.CreditInterest | ✓ |
Calculation Method | ✓ |
Destination | ✓ |
TierValueMaximum | ✓ |
DepositInterestAppliedCoverage | ✓ |
BankInterestRateType | ✓ |
BankInterestRate (O) | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
Supplementary product information Supplementary product information and links to Terms and Conditions are provided in the ‘Notes’ field. This contains important details about conditions that apply to accounts, and about thresholds for credit interest. This data should be published alongside product details to ensure that products are presented clearly and do not mislead customers. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
Segment field Optional “Segment” field is provided for PCA only to help provide account comparison. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
Overdraft Details of overdrafts will only be published if the customer currently uses the overdraft facility available on their account. Details about overdraft rates, fees & charges. Provided where applicable. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
CreditInterest Details about the interest that may be payable to the PCA, BCA account holders. Provided where applicable. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
TierBandMethod The methodology of how overdraft is charged. It can be
|
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
Field name “TierValueMin” Minimum value of Overdraft Tier/Band |
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
Field name “TierValueMax” Maximum value of Overdraft Tier/Band |
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
Field name “EAR” EAR means Effective Annual Rate and/or Equivalent Annual Rate (frequently used interchangeably), being the actual annual interest rate of an Overdraft. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/PCA |
OtherFeesCharges Contains details of fees and charges which are not associated with either borrowing or features/benefits. Provided where applicable. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
OtherProductType Other Product type will contain only Savings accounts. The values returned will be either Personal Savings Account or Business Savings Account. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
TierBandMethod The methodology of how credit interest is paid/applied.
|
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “Name” Long name associated with the product |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “Description” Description of the Product associated with the account |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “MaturityDate” Maturity date for the account |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “Calculation Method” Methods of calculating interest. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “Destination” Describes whether accrued interest is payable only to the PSA/BSA or to another bank account. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “TierValueMinimum” Minimum deposit value for which the credit interest tier applies. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “TierValueMaximum” Maximum deposit value for which the credit interest tier applies. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “Applicationfrequency” How often interest is applied to the PSA/BSA for this tier/band i.e. how often the financial institution pays accumulated interest to the customer's PSA/BSA |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “DepositInterestAppliedCoverage” Amount on which interest is applied |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “FixedVariableInterestRateType” Type of interest rate i.e. variable |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “AER” The annual equivalent rate (AER) is interest that is calculated under the assumption that any interest paid is combined with the original balance and the next interest payment will be based on the higher account balance. Overall, this means that interest can be compounded several times in a year depending on the number of times that interest payments are made. |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “BankInterestRateType” Interest rate types, other than AER, which financial institutions may use to describe the annual interest rate payable to the PSA/BSA |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “BankInterestRate (O)” Bank Interest for the PSA/BSA product |
/account/{AccountID}/Product OBReadProduct2/Data/Product/BCA |
Field name “Overdraft arrangements” Lloyds Banking Group have provided supplementary product information in the ‘Notes’ field. This contains important details about conditions that apply to accounts. This data should be published alongside product details to ensure that products are presented clearly and do not mislead customers. Please find below the breakdown of the information provided and the section to which it applies: “Please be aware: The information provided reflects a normal Credit Interest arrangement.” - Applies to: ‘CreditInterest’ array. “Overdraft arrangement fees may apply.” - Applies to: ‘Overdraft’ array. Due to technical constraints, Lloyds Banking Group are unable to provide account-specific data in relation to Overdraft arrangement fees. “The first time you go overdrawn, without an agreed overdraft facility, or exceed your agreed limit with us by £50 or more, you may be charged an Unauthorised Borrowing Fee (UBF) of £15. After that, the UBF is applied every time you increase your unauthorised borrowing by £50 or more from the previous day’s closing balance, unless a higher limit is agreed with us or until the account is within its existing limit or in credit.” - Applies to: ‘Overdraft’ array. The above describes additional detail with regards to the application of the “UnauthorisedBorrowing” fee. “The Account Monthly Fee provided is the standard value associated with this product.” - Applies to: ‘OtherFeesCharges’ array. - The above relates to the value provided as the “ServiceCAccountFeeMonthly” fee. |
OFFERS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.Offers | |
OfferId | ✓ |
OfferType | ✓ |
Description | ✓ |
StartDateTime | ✓ |
EndDateTime | ✓ |
Rate | ✓ |
Term | ✓ |
PARTIES VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.Party | ✓ |
PartyType | ✓ |
Full Legal Name | ✓ |
Legal Structure | ✓ |
SCHEDULED PAYMENTS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.ScheduledPayment | |
ScheduledPaymentId | ✓ |
Reference | ✓ |
DebtorReference | ✓ |
Data.ScheduledPayment.CreditorAccount | ✓ |
Name | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
/accounts/{AccountId}/scheduled-payments |
BACS scheduled payments BACS Scheduled Payments will be available for Lloyds Bank and Bank of Scotland business accounts only. |
STATEMENTS VARIATIONS
In addition to all mandatory fields defined in Account and Transaction API specifications, the following optional fields have also been implemented.
Name | Current Available |
---|---|
Data.Statement | ✓ |
StatementId | ✓ |
StatementDescription | ✓ |
{StatementID}/File | ✓ |
There are several important implementation variations that AISPs should be aware of. These are detailed in the table below.
Endpoints | Description |
---|---|
/accounts/{AccountId}/statements /accounts/{AccountId}/statements/{StatementId}/file |
In scope statements Endpoints Lloyds Banking Group has implemented these two endpoints for statements |
/accounts/{AccountId}/statements |
Business Credit Card CSV file is available only for the Business Credit Cards and for the last 6 months. |
PROPRIETARY BANK TRANSACTION CODES
Lloyds Banking Group supports the following Proprietary Bank Transaction Codes:
ERROR SCENARIOS
Scenario | ASPSP Response v4.0 | ASPSP Response v3.1.x | Expected TPP Action |
---|---|---|---|
Scenarios applicable to all AIS endpoints | | | |
TPP creates a consent in a newer version and uses it on a previous version (if the consent is created in 4.0 and the TPP calls a 3.1.x resource) | Http Status: 403 | NA | Consent created in newer version and accessed on older version |
TPP attempts to access a resource for which the access has been revoked at the ASPSP. (Sub-scenario: Access token not revoked; consent has been changed to Rejected/Expired by ASPSP.) | Http Status: 403 | Http Status: 401 Code: 401 Unauthorized Message: Unauthorised ErrorCode: Message: Error Type: AuthoriseConsent | Create a new consent using a POST operation. Take the PSU through an authentication journey |
TPP attempts to access a resource using an access token that has expired. (Sub-scenario: The underlying consent has expired.) | Http Status: 403 Errors: Message: | Http Status: 403 Code: 403 Forbidden Message: Reauthenticate Errors: Message: | Create a new consent using a POST operation. Take the PSU through an authentication journey |
TPP attempts to access a resource using an access token outside of the SCA period. The underlying consent has not expired. Typically this applies to AIS resources that do not benefit from RTS Article 10. | Http Status: 403 Errors: Message: | Http Status: 403 Code: 403 Forbidden Message: Forbidden ErrorCode: UK.OBIE.Reauthenticate Message: Reauthentication required to process the request | Take the user through a re-authentication journey using the existing consent. |
TPP attempts to access a resource related to an account that is closed. This also applies in situations where the account holder has wound up, is under receivership, is deceased or if the account has been switched over to another bank. | Http Status: 400 Errors: Message: UK.OBIE.Resource.NotFound -Forbidden - Account closed or suspended | Error message returned in redirect URL: One or more accounts are closed or suspended. Please re-consent for eligible accounts Error Type: AuthoriseConsent | Do not attempt to request information for this account again. Take the user through a re-consent journey to remove this account from the consent. |
TPP attempts to re-auth a consent where one or more accounts have been closed. This also applies in situations where the account holder has wound up, is under receivership, is deceased or if the account has been switched over to another bank. | Error message returned in redirect URL: One or more accounts are closed or suspended. Please re-consent for eligible accounts Error Type: AuthoriseConsent | Http Status: 403 Code: 403 Forbidden Message: Forbidden Errors: Message: Forbidden - Account closed or suspended | Do not attempt to re-auth this consent again. Take the user through a re-consent journey to remove the closed account(s) from the consent. |
TPP attempts to access an endpoint for which permission had not been provided when the consent was created. | Http Status: 403 Errors: Message: | HTTP Status - 403 Code: 403 Forbidden Message: Forbidden Errors: Message: Permission not provided Error Type: AuthoriseConsent | Do not attempt to request information for this endpoint again. Take the user through a re-consent journey to add the permission if required. |
TPP attempts to access an endpoint with an incorrect AccountID. | Http Status: 400 Errors: Message: | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Errors: Message: AccountId not valid Error Type: AuthoriseConsent | Do not attempt to request information for this accountID again. Try again with a valid AccountID. |
Endpoint specific scenarios | | | |
/account-access-consents TPP attempts to pass invalid or no permissions in request body. | Http Status: 400 Errors: Message: Permissions is not in a valid format | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Errors: Message: Permissions is not in a valid format | Refer to OBIE specs. Take the PSU through the consent journey with valid permissions. |
/account-access-consents TPP sends the request with one of the following date related issues: | Http Status: 400 Errors: Message: UK.OBIE.Field.InvalidDate- fromBookingDateTime is not in a valid format | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Errors: Message: fromBookingDateTime is not in a valid format | Take the PSU through the consent journey with valid dates. |
/transactions TPP requests transactions with one of the following date related issues: | Http Status: 400 Errors: Message: | Http Status: 400 Code: 400 InvalidDateRange Message: Invalid request parameters Errors: Message: fromBookingDateTime and toBookingDateTime date range is not valid. Please refer to the OBIE specs and Implementation Guide | Send the request with valid dates. |
/transactions TPP requests transactions outside the consented date range. | Http Status: 400 Errors: Message: UK.OBIE.Field.InvalidDate-Transaction sharing consent not given for specified date range | Http Status: 403 Code: 403 Forbidden Message: Forbidden ErrorCode: UK.OBIE.Field.InvalidDate Message: Transaction sharing consent not given for specified date range | Do not attempt to request information for this date range again. Request transactions within the consented date range. Take the user through a re-auth journey to extend or modify the date range. |
/balances Commercial scenario: TPP attempts to access balances for a commercial PSU who has created the consent but does not have sufficient entitlement (as a part of his/her role) to access the information. | Http Status: 400 Errors: Message: UK.OBIE.Field.Unexpected-User role does not have sufficient entitlements | Http Status: 403 Code: 403 Forbidden Message: Insufficient entitlements UK.OBIE.Field.Unexpected Message: User role does not have sufficient entitlements | Inform the PSU that they don’t have sufficient entitlement to access the information. Take the PSU through a re-consent journey after the PSU confirms that sufficient entitlements have been given to them. |
Generic service unavailable error scenario | | | |
ASPSP downstream services or server is down. | Http Status: 500 Errors: Message: UK.OBIE.UnexpectedError - Due to a technical problem, the request cannot be completed at this moment | Http Status: 500 Code: 500 UnexpectedError Message: Unexpected error Errors: Message: Due to a technical problem, the request cannot be completed | Try again after some time. |
CONFIRMATION OF FUNDS SERVICES
This section provides an overview of how to use our Confirmation of Funds APIs. It is intended to help CBPII integrate applications and services with our APIs and details scope and any variations from Open Banking API specifications.
This detail should be read in conjunction with Open Banking Specifications and our API Products:
Confirmation of Funds Scope
The below table details the confirmation of funds Services that are supported by Lloyds Banking Group across our Channels and Products.
These are available to use to request Confirmation of funds on our core brands Lloyds Bank, Bank of Scotland, Halifax (Retail only). In addition, we also support our core brands and MBNA brand for Retail Credit Cards.
COF | Retail | Business | Commercial | |||||
---|---|---|---|---|---|---|---|---|
Current Account | Savings Account | Credit Cards | Current Account | Savings Account | Credit Cards | Sterling | Non-Sterling | |
Funds confirmation consent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Funds confirmation | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Confirmation of Funds Consent Re-authentication
Consents created in the latest version of V4.xx will be eligible for re-authentication as outlined in the Open Banking Specifications v4.0.
ERROR SCENARIOS
Scenario | Expected ASPSP Response V4.x.x | Expected ASPSP Response V3.x.x | Expected TPP Action |
---|---|---|---|
Scenarios applicable to CoF endpoints | | | |
TPP attempts to access a resource using an access token that has expired. (Sub-scenario: The underlying consent has not expired.) | HTTP Status: 403 Errors: Message: Error Type: Reauthenticate | Http Status: 401 Error Code: Token expired Error Type: Reauthenticate | If the TPP has a valid refresh token, use the refresh token to get a new access token. If the refresh token has expired as well, take the user through a re-auth |
TPP attempts to access a resource using an access token that has expired. (Sub-scenario: The underlying consent has expired.) | Http Status: 403 Error Type: AuthoriseConsent | Http Status: 403 Error Code: UK.OBIE.Resource.InvalidConsentStatus Error Type: AuthoriseConsent | Create a new consent using a POST operation. Take the PSU through an authentication journey. |
TPP attempts to access a resource related to an account that is closed. This also applies in situations where the account holder has wound up, is under receivership, is deceased or if the account has been switched over to another bank. | HTTP Status: 400 Errors: Message: Error Type: AccountPermanentlyUnavailable | Http Status: 403 Error Code: UK.OBIE.Resource.NotFound Error Type: AccountPermanentlyUnavailable | Do not attempt to request information for this account again. Take the user through a re-consent journey to remove this account from the consent. |
TPP attempts to re-auth a consent where one or more accounts have been closed. This also applies in situations where the account holder has wound up, is under receivership, is deceased or if the account has been switched over to another bank. | Error message returned in redirect URL: One or more accounts are closed or suspended. Please re-consent for eligible accounts Error Type: AuthoriseConsent | Error message returned in redirect URL: One or more accounts are closed or suspended. Please re-consent for eligible accounts Error Type: AuthoriseConsent | Do not attempt to re-auth this consent again. Take the user through a re-consent journey to remove the closed account(s) from the consent. |
/funds-confirmation-consents TPP sends a past date in ExpirationDateTime field or the date format is incorrect. | HTTP Status: 400 Errors: Message: Error Type: AuthoriseConsent | Http Status: 400 Error Code: UK.OBIE.Field.InvalidDate Error Type: AuthoriseConsent | Take the PSU through the consent journey with a valid future ExpirationDateTime. |
/funds-confirmation-consents TPP sends an invalid value in the consents creation request in one of the following fields (i.e. validation fails): | HTTP Status: 400 Errors: Message: Error Type: AccountConsent | Http Status: 400 Error Code: UK.OBIE.Field.Invalid Error Type: AuthoriseConsent | Try again with a valid value as per OBIE specs |
/funds-confirmation TPP attempts to access the endpoint with an incorrect ConsentId | HTTP Status: 400 Errors: Message: Error Type: RequestWithValidDetails | Http Status: 403 Error Code: UK.OBIE.Resource.ConsentMismatch ErrorType: RequestWithValidDetails | Do not attempt to request information for this ConsentID again. Try again with a valid ConsentId. |
/funds-confirmation TPP attempts to access the endpoint with an invalid value in one of the following fields (i.e. validation fails): | HTTP Status: 400 Errors: Message: Error Type: RequestWithValidDetails | Http Status: 400 Error Code: UK.OBIE.Field.Invalid ErrorType: RequestWithValidDetails | Try again with a valid value in the request payload. |
Generic service unavailable error scenario | | | |
ASPSP downstream services or server is down. | HTTP Status: 500 Errors: Message: Error Type: RetryLater | Http Status: 500 Error Code:UK.OBIE.UnexpectedError ErrorType: RetryLater | Try again after some time. |
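The V3.x.x column of the CoF error table above can be turned into a fail-closed client decision, shown here as an added example that is not Lloyds Banking Group code: only the listed status and error code pairs trigger the documented action, and anything unrecognised stops automatic retries. It assumes the OBIE error body shape (an `Errors` array whose entries carry `ErrorCode`); the function names, the handling of a 500 with no parseable body and the backoff values are assumptions.

```python
import json
from enum import Enum


class Action(Enum):
    REFRESH_OR_REAUTH = "use the refresh token; if it has expired too, re-authenticate the PSU"
    NEW_CONSENT = "create a new consent (POST) and take the PSU through authentication"
    RECONSENT_WITHOUT_ACCOUNT = "stop calling for this account; re-consent without it"
    FIX_REQUEST = "correct the date, field value or ConsentId before resending"
    RETRY_LATER = "try again after some time"
    STOP = "unrecognised response: no automatic retry"


# (HTTP status, ErrorCode) pairs taken from the V3.x.x column of the CoF table.
COF_V3_RULES = {
    (403, "UK.OBIE.Resource.InvalidConsentStatus"): Action.NEW_CONSENT,
    (403, "UK.OBIE.Resource.NotFound"): Action.RECONSENT_WITHOUT_ACCOUNT,
    (403, "UK.OBIE.Resource.ConsentMismatch"): Action.FIX_REQUEST,
    (400, "UK.OBIE.Field.InvalidDate"): Action.FIX_REQUEST,
    (400, "UK.OBIE.Field.Invalid"): Action.FIX_REQUEST,
    (500, "UK.OBIE.UnexpectedError"): Action.RETRY_LATER,
}

# If one response carries several errors, act on the most restrictive action.
PRECEDENCE = [Action.STOP, Action.RECONSENT_WITHOUT_ACCOUNT, Action.NEW_CONSENT,
              Action.FIX_REQUEST, Action.RETRY_LATER]


def error_codes(body):
    """Return the ErrorCode strings in an error body; [] if it is not usable JSON."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    errors = doc.get("Errors") if isinstance(doc, dict) else None
    if not isinstance(errors, list):
        return []
    return [e["ErrorCode"] for e in errors
            if isinstance(e, dict) and isinstance(e.get("ErrorCode"), str)]


def next_action(status, body):
    """Map one CoF error response to the table's 'Expected TPP Action'."""
    if status == 401:
        # Table row: access token expired, underlying consent still valid.
        return Action.REFRESH_OR_REAUTH
    codes = error_codes(body)
    if not codes:
        # Assumption: a 500 without a parseable body is the "server is down" row.
        return Action.RETRY_LATER if status == 500 else Action.STOP
    # A known code under an unexpected status is treated as unrecognised.
    actions = {COF_V3_RULES.get((status, code), Action.STOP) for code in codes}
    return min(actions, key=PRECEDENCE.index)


def retry_delays(attempts=4, base=2.0, cap=60.0):
    """Bounded exponential backoff in seconds, used only for RETRY_LATER."""
    return [min(cap, base * 2 ** i) for i in range(attempts)]


def sample_body(*codes):
    """Build a constructed OBIE-style error body for the demo below."""
    return json.dumps({"Code": "constructed", "Message": "constructed",
                       "Errors": [{"ErrorCode": c, "Message": "constructed"} for c in codes]})


if __name__ == "__main__":
    demo = [
        (401, ""),
        (403, sample_body("UK.OBIE.Resource.NotFound")),
        (400, sample_body("UK.OBIE.Field.InvalidDate", "UK.OBIE.Field.Invalid")),
        (400, sample_body("UK.OBIE.Resource.NotFound")),  # status does not match the table
        (500, "<html>constructed gateway error page</html>"),
    ]
    for status, body in demo:
        print(status, "->", next_action(status, body).name)
    print("retry schedule (s):", retry_delays())
```

The AIS error table needs its own rule set rather than this one: there the v3.1.x 401 response calls for a new consent, not a token refresh.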
STATUS REASON AND REDIRECT ERRORS
As part of the v4.0 API specification update, the StatusReason object will include StatusReasonCode and StatusReasonDescription when consent statuses are updated, as specified in the Open Banking Specifications v4.0.
Additionally, the Redirect URL will return error_description along with a relevant reason code, which may match the StatusReasonCode, when the consent status is provided.
PAYMENT INITIATION SERVICES
This section provides an overview of how to use our Payment Initiation Services APIs. It is intended to help PISPs integrate applications and services with our APIs and details scope and any variations from Open Banking API specifications.
This detail should be read in conjunction with Open Banking Specifications and our API Products:
- Payment Initiation API Specification can be found here: v3.10 and v4.0
- Variable Recurring Payments API Specification can be found here: v3.10 and v4.0
- API Products can be found here.
Payments Scope
The below table details the Payment Initiation Services that are supported by Lloyds Banking Group for each Payment Type across our Channels and Products.
These are available to use to make payments from Current and Savings accounts on our core brands Lloyds Bank, Bank of Scotland, Halifax (Retail only). In addition, we also support our core brands and MBNA brand to make payments from Retail Credit Cards.
Payment Type | Retail | Business | Commercial | |||
---|---|---|---|---|---|---|
Current Account | Savings Account | Credit Cards | Current Account | Savings Account | Current Account | |
Domestic Payment (FPS) | ✓ | ✓ | ✓ | ✓ | ✓ | |
Domestic Payment (BACS) | ✓ | |||||
Domestic Payment (CHAPS) | ✓ | |||||
Domestic Payment (Balance Transfer / Money Transfer) | ✓ | |||||
Domestic Scheduled Payments | ✓ | ✓ | ✓ | ✓ | ✓ | |
Domestic Standing Orders | ✓ | ✓ | ✓ | ✓ | ||
International Payments | ✓ | ✓ | ✓ | |||
File Payments | ✓ | |||||
Variable Recurring Payments | ✓ | ✓ |
Status Reason and Redirect Errors
As part of the v4.0 API specification uplift, StatusReasonCode and StatusReasonDescription will be returned in the StatusReason object when both consent statuses and payment statuses are updated as outlined in the Open Banking Specifications v4.0.
In the Redirect URL, error_description will also be returned with an appropriate reason code, that may be the same as provided in the StatusReasonCode, when the consent status is returned.
This is an optional requirement and will be available on Domestic Single Immediate Payments and Variable Recurring Payments. Other payment journeys will be updated as fast followers.
DOMESTIC PAYMENTS VARIATIONS
There are several important variations relating to Payment Initiation APIs that PISPs should be aware of for our Domestic Payment endpoints – Immediate, Scheduled and Standing Orders. These are detailed in the table below. The variations apply to both the API Profile versions, v3.1.x and v4.0
Endpoints | Description |
---|---|
/domestic-payment-consents /domestic-scheduled-payment-consents /domestic-standing-order-consents |
Payment Schemes supported for Domestic journeys. Schemes supported across all domestic journeys are:
For Domestic Payment – Balance Transfer and Money Transfer must use UK.OBIE.PAN. UK.OBIE.Paym is not supported, in line with Pay.UK removing the service in March 2023. For API Profile v4.0, UK.OBIE.Wallet is not supported. Note: APIs will support UK IBANs or UK BBANs only. |
/domestic-payment-consents /domestic-scheduled-payment-consents /domestic-standing-order-consents |
Payment/Instructed Amount Field Validations. Negative payment amounts are not allowed in any of the Lloyds Banking Group payment requests. Amounts are restricted to 2 decimal places. Requests sent where the amount exceeds 2 decimal places will result in an error response. For Balance Transfers and Money Transfers the minimum payment amount is £100. |
/domestic-payment-consents /domestic-scheduled-payment-consents /domestic-standing-order-consents |
Payment Risk Categorisation must be provided in OBRisk. For PISP initiated payments to be processed the payment must be categorised. Payment Context Code field in OBRisk is mandatory. For API Profile v4.0, deprecated enumeration values are not supported. If sent, they will result in an error response. There are some payment categories that will not be supported for Payment Type, Channel or Products.
|
/domestic-payment-consents /domestic-scheduled-payment-consents /domestic-standing-order-consents |
SCA Exemption requests from PISPs are not supported. PISPs cannot use the SCA Support Data block to request SCA Exemption as this is not supported. If such a consent request is received, it will not be processed and will result in an error response. |
/domestic-payment-consents /domestic-scheduled-payment-consents /domestic-standing-order-consents |
Multi Party Authorisation - Support for > ‘1 to sign’ payments. Some Business customers have set up Multi Party authorisation for > ‘1 to sign’ payments using Online Payment Control (OPC). PISPs should include OBAuthorisation1 data block in consent requests for these customers. Completion Date Time functionality is not supported. For payments that require Multi Party authorisation, additional approvals occur in our direct channel before the payments are processed, due to which the terminal payment status may not be available. |
/domestic-payment-consents /domestic-scheduled-payment-consents /domestic-standing-order-consents |
Risk – Delivery Address Country Code and Town Name are required if Risk Delivery Address details are provided. |
/domestic-payment-consents |
Balance Transfers – Mandatory Requirements. Local Instrument: is a mandatory field and must be provided as UK.OBIE.BALANCETRANSFER. Creditor Account:
Debtor Account: must be pre-populated in the consent request with details as:
For API Profile v3.1.x, RemittanceInformation must be sent with the Offer code/ID in the Reference field. For API Profile v4.0, RemittanceInformation must be sent with the Offer code/ID in the CreditorReferenceInformation-Reference field. |
/domestic-payment-consents |
Money Transfers – Mandatory Requirements. Local Instrument: is a mandatory field and must be provided as UK.OBIE.MoneyTransfer. Creditor Account:
Debtor Account: must be pre-populated in the consent request with details as:
For API Profile v3.1.x, RemittanceInformation must be sent with the Offer code/ID in the Reference field. For API Profile v4.0, RemittanceInformation must be sent with the Offer code/ID in the CreditorReferenceInformation-Reference field. |
/domestic-payment-consents /domestic-scheduled-payment-consents |
Commercial Customers – Local Instrument Types supported. The following local instrument types are acceptable for Commercial Customers: Commercial Customers:
If the local instrument does not contain one of these values the consent request will be rejected. |
/domestic-payment-consents |
Commercial Customers – Local Instrument Types supported The following local instrument types are acceptable for Commercial Customers:
If the local instrument does not contain one of these values the consent request will be rejected. |
/domestic-payment-consents /domestic-scheduled-payment-consents |
Commercial Customers - Debit Account Reference. Commercial channel (CBO) customers can specify a debit account reference utilising Supplementary Data. The reference can be a maximum of 18 characters in length. |
/funds-confirmation |
Commercial Customer – Funds Confirmation Response. Due to the use of complex credit facilities and the manual payment referrals process, the confirmation of funds service will provide an explanatory message for Commercial (CBO) customers. This will be provided in Supplementary Data. |
/domestic-scheduled-payment-consents |
Scheduled Payment Execution Date Rules. Earliest “Payment Instructed” day is next working day for Scheduled Payments. Requested Execution Date cannot be the same date as consent request. The payment can be requested to be executed from the next working day and up to 31 days in the future. Any Execution Date provided outside of this time frame would result in an error response. |
/domestic-standing-order-consents |
Variable Amounts not supported for Standing Orders. Variable amount values are not supported for first and subsequent payments and will result in an error response if received in the request. |
/domestic-standing-order-consents |
Timezone in FirstPaymentDateTime field. The time zone for the FirstPaymentDateTime field defaults to the system timezone if it is not sent in the request. |
/domestic-standing-order-consents |
Standing Order Execution Date Rules. Earliest First Payment Date is next working day for Standing Orders. It cannot be the same date as consent request. |
/domestic-standing-order-consents |
“Number of Payments” recurrence is not supported. For API Profile v3.1.x, "Number of Payments" feature is not supported. In API Profile v3.1.x and v4.0, "FinalPaymentDateTime" field should be provided in the request, otherwise the standing order will be open ended until customer takes action to cancel. |
/domestic-standing-order-consents |
Supported Standing Order Frequencies. For API Profile v3.1.x and v4.0, only the following frequencies are supported by Lloyds Banking Group Domestic Standing Orders:
Note: First Payment date and Final Payment date must have the same day value, excluding Weekly and Four Weekly. Example: Frequency: Monthly; First Payment date: 26/02/2019; Final Payment date: 26/03/2019. An exception is in place for month end, i.e. 31/01/2019 with the next payment date 28/02/2019. This would be an acceptable date. |
/domestic-standing-order-consents |
Standing Order Frequencies. For all Consent and Payment enquiry requests in API v4.0 for Consents and Payments created in v3.1.10, the original frequency values sent in the v3.1.10 Consent or Payment request will be mapped to the Frequency.Type field in the v4.0 response. |
/domestic-standing-order-consents |
For v4.0, First Payment Date Time field is mandatory. |
/domestic-payments /domestic-scheduled-payments /domestic-standing-orders |
Time between Consent Authorisation and Payment Submission. There is a maximum time limit of 45 minutes for PISPs to complete payment submission following a successful authorisation of consent request. Note: Where a first-time submission is recorded within the time limit mentioned above, any subsequent (idempotent) requests will return the status of the payment. |
/domestic-payments /domestic-scheduled-payments /domestic-standing-orders |
Payment Message Details. Data will get truncated where API fields contain more characters than supported by the FPS scheme (ISO8583) format. This would result in the beneficiary bank receiving truncated information. PISPs should be aware and may wish to cater for this in their front-end validation. |
/domestic-payments |
Payment Status – Enquiry Window. PISPs can make an enquiry call to find out the final outcome of a payment. If the payment has not reached a terminal payment status within 3 days (72 hours), PISPs will need to raise a query with Lloyds Banking Group. Do not continue to poll the endpoint to query the payment status as this will result in error responses. |
/domestic-payments |
Commercial Customers - Domestic Payment Cut-Off times. BACS – Payments received after 17:00 will be rejected. CHAPS – Payments received after 17:25 will be rejected. FPS – Payments received after 23:55 will be processed the next day. IAT – Transfers received after 23:45 will be rejected. |
/domestic-payments /domestic-scheduled-payments |
Commercial Customers – CHAPS Payments. To support enhanced data requirements for CHAPS payments, the optional fields – PaymentCategory, Debtor/LEI and Creditor/LEI have been introduced in the Supplementary Data block of the request. Enums acceptable for PaymentCategory field are ‘Property’ and ‘FItoFI’.
Refer to the CHAPS – Payment Purpose Codes List section for the valid enums mapped to each payment category. |
/payment-details |
Endpoints not supported. The following optional/conditional endpoints in the API specification are not supported:
|
All Endpoints |
Character Sets for Domestic Journeys. String fields are restricted to specific character sets and special characters are not allowed. Any special characters sent in the request may not be propagated to onward payment records and may result in an error response. |
All Endpoints |
JWS Base64 Encoding. JWS must be created with Base64 encoding. Failure to use the correct encoding in the creation of the JWS would result in an error response. |
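The amount, execution-date and standing-order date rules from the Domestic Payments Variations table can be checked on the PISP side before a consent is sent. The following is an added example, not Lloyds Banking Group code: the function names are hypothetical, a working day is assumed to be Monday to Friday (bank holidays are not modelled), the 31-day limit is treated as inclusive, and the month-end exception is generalised from the single 31/01 to 28/02 case given in the note.

```python
from calendar import monthrange
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation
from typing import List, Optional

# Local Instrument values the table requires for Balance / Money Transfers.
TRANSFER_INSTRUMENTS = {"UK.OBIE.BALANCETRANSFER", "UK.OBIE.MoneyTransfer"}
# Frequencies the note exempts from the same-day rule (labels are assumptions).
DAY_MATCH_EXEMPT = {"Weekly", "Four Weekly"}


def check_amount(amount: str, local_instrument: Optional[str] = None) -> List[str]:
    """Instructed Amount rules: not negative, at most 2 decimal places,
    and at least 100 GBP for Balance Transfers and Money Transfers."""
    try:
        value = Decimal(amount)
    except InvalidOperation:
        return ["amount is not a decimal number"]
    if not value.is_finite():
        return ["amount is not a decimal number"]
    problems = []
    if value < 0:
        problems.append("negative amounts are not allowed")
    if value.as_tuple().exponent < -2:
        problems.append("more than 2 decimal places")
    if local_instrument in TRANSFER_INSTRUMENTS and value < 100:
        problems.append("below the 100 GBP minimum for balance/money transfers")
    return problems


def next_working_day(day: date) -> date:
    """Assumption: working days are Monday to Friday, no bank-holiday calendar."""
    nxt = day + timedelta(days=1)
    while nxt.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        nxt += timedelta(days=1)
    return nxt


def check_scheduled_date(consent_date: date, execution_date: date) -> List[str]:
    """Scheduled payments: from the next working day up to 31 days ahead."""
    problems = []
    if execution_date < next_working_day(consent_date):
        problems.append("execution date is earlier than the next working day")
    if execution_date > consent_date + timedelta(days=31):
        problems.append("execution date is more than 31 days in the future")
    return problems


def check_standing_order_dates(consent_date: date, first: date,
                               final: Optional[date], frequency: str) -> List[str]:
    """Standing orders: first payment no earlier than the next working day;
    first and final dates share a day-of-month unless the frequency is exempt."""
    problems = []
    if first < next_working_day(consent_date):
        problems.append("first payment date is earlier than the next working day")
    # No final date means an open-ended standing order, so nothing to compare.
    if final is not None and frequency not in DAY_MATCH_EXEMPT:
        last_day = monthrange(final.year, final.month)[1]
        # Month-end exception: a 31st start may end on the 28th/29th/30th
        # when the final month is shorter.
        if final.day != min(first.day, last_day):
            problems.append("first and final payment dates have different day values")
    return problems
```
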
CHAPS – Payment Purpose Codes List
The table below lists the CHAPS Payment Purpose Codes and their validity (Y/N) across the payment categories, where ‘Y’ indicates the valid acceptable enum for the respective category.
CODE | REGFIFI | PROPERTY | OTHER |
---|---|---|---|
BKFE | Y | N | N |
BKIP | Y | N | N |
BKPP | Y | N | N |
CBLK | Y | N | N |
INTC | Y | N | Y |
INTP | Y | N | Y |
DEPT | Y | N | Y |
ACCT | Y | N | N |
CASH | Y | N | N |
COLL | Y | N | N |
CSDB | Y | N | N |
LIMA | Y | N | N |
NETT | Y | N | N |
EXTD | Y | N | N |
OTCD | Y | N | N |
REPO | Y | N | N |
SBSC | Y | N | N |
SLEB | Y | N | N |
AGRT | Y | N | Y |
AREN | Y | N | Y |
BEXP | Y | N | Y |
BOCE | Y | N | Y |
COMC | Y | N | Y |
CPYR | Y | N | Y |
LICF | Y | N | Y |
SERV | Y | N | Y |
SUPP | Y | N | Y |
TRAD | Y | N | Y |
SUBS | Y | N | Y |
GDSV | Y | N | Y |
GSCB | Y | N | Y |
ROYA | Y | N | Y |
COMT | Y | N | Y |
CHAR | Y | N | Y |
ECPR | Y | N | Y |
EPAY | Y | N | Y |
COMP | Y | N | Y |
DBTC | Y | N | Y |
CLPR | Y | N | Y |
INTE | Y | N | Y |
LOAN | Y | N | Y |
LOAR | Y | N | Y |
RELG | Y | N | Y |
TRFD | Y | N | Y |
PENO | Y | N | Y |
INPC | Y | N | Y |
INPR | Y | N | Y |
INSC | Y | N | Y |
INSU | Y | N | Y |
LBRI | Y | N | Y |
LIFI | Y | N | Y |
PPTI | Y | N | Y |
HLRP | Y | Y | N |
HLST | Y | Y | N |
PLDS | Y | Y | N |
PDEP | Y | Y | N |
PCOM | Y | Y | N |
PLRF | Y | Y | N |
FORW | Y | N | Y |
FXNT | Y | N | Y |
IVPT | Y | N | Y |
REBT | Y | N | Y |
REFU | Y | N | Y |
CDBL | Y | N | Y |
CPKC | Y | N | Y |
EDUC | Y | N | Y |
FEES | Y | N | Y |
GAMB | Y | N | Y |
LOTT | Y | N | Y |
GIFT | Y | N | Y |
INSM | Y | N | Y |
REOD | Y | N | Y |
FAND | Y | N | Y |
GOVT | Y | N | Y |
TCSC | Y | N | Y |
BLDM | Y | Y | N |
RENT | Y | Y | N |
BNET | Y | N | N |
CORT | Y | N | N |
CMDT | Y | N | Y |
DERI | Y | N | Y |
DIVD | Y | N | Y |
FREX | Y | N | Y |
HEDG | Y | N | Y |
INVS | Y | N | Y |
SAVG | Y | N | Y |
SECU | Y | N | Y |
TREA | Y | N | N |
FNET | Y | N | N |
FUTR | Y | N | N |
HLTI | Y | N | Y |
DNTS | Y | N | Y |
LTCF | Y | N | Y |
MDCS | Y | N | Y |
VIEW | Y | N | Y |
SWFP | Y | N | N |
SWPP | Y | N | N |
SWRS | Y | N | N |
SWUF | Y | N | N |
BECH | Y | N | Y |
BENE | Y | N | Y |
SSBE | Y | N | Y |
PEFC | Y | N | Y |
PENS | Y | N | Y |
ADCS | Y | N | Y |
ALMY | Y | N | Y |
BONU | Y | N | Y |
COMM | Y | N | Y |
HREC | Y | N | Y |
SALA | Y | N | Y |
LREB | Y | N | N |
LREV | Y | N | N |
ESTX | Y | N | Y |
HSTX | Y | N | Y |
INTX | Y | N | Y |
PTXP | Y | N | Y |
RDTX | Y | N | Y |
TAXES | Y | N | Y |
VATX | Y | N | Y |
WHLD | Y | N | Y |
TAXR | Y | N | Y |
CBTV | Y | N | Y |
ELEC | Y | N | Y |
GASB | Y | N | Y |
PHON | Y | N | Y |
UBIL | Y | N | Y |
WTER | Y | N | Y |
INTERNATIONAL PAYMENTS VARIATIONS
There are several important variations relating to Payment Initiation APIs that PISPs should be aware of for our International Payment endpoints. These are detailed in the table below.
Note: These relate to Immediate International Payments only. International Scheduled Payments and International Standing Orders endpoints are not supported by Lloyds Banking Group. The variations apply to both the API Profile versions, v3.1.x and v4.0.
Endpoints | Description |
---|---|
/international-payment-consents |
Creditor Postal Address is mandatory. The Creditor Postal Address is mandatory and must be provided in the consent request. Maximum three lines of unstructured address. Must include at least one Address Line and Country. |
/international-payment-consents |
Payment Schemes supported for International payment journeys. Schemes supported for international payment journeys are:
For API Profile v3.1.10 UK.OBIE.Paym is not supported, in line with Pay.UK removing the service in March 2023. For API Profile v4.0, UK.OBIE.Wallet & UK.OBIE.Paym are not supported. Note: For API Profile v3.1.x, RemittanceInformation: must be sent with Offer code/ID in the Reference field. For API Profile v4.0, RemittanceInformation: must be sent with Offer code/ID in the CreditorReferenceInformation-Reference field. |
/international-payment-consents |
Creditor Agent Address Requirements. Creditor Agent must have at least one of the following pairs provided: Scheme Name and Identification, or Name and Postal Address. Option 1: Scheme Name and Identification. Scheme Name accepted as UK.OBIE.BICFI, and BIC must be sent in Identification. Creditor Agent Name and Address block are optional. Option 2: Name and Postal Address. Creditor Agent Name is mandatory. Creditor Agent Postal Address block is mandatory and must be populated in the following format:
|
/international-payment-consents |
Country Requirements - Sending money to the EEA and UK. BIC/SWIFT and IBAN are mandatory requirements when sending money to the EEA and UK. PISPs will need to provide this information when sending International Payments to the following countries: Albania, Austria, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Guernsey, Hungary, Iceland, Republic of Ireland, Italy, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, The Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and UK. Creditor Account Scheme Name must be set to UK.OBIE.IBAN. Creditor Agent Scheme Name must be set to UK.OBIE.BICFI and BIC/SWIFT must be sent in Identification. |
/international-payment-consents |
Country Requirements - Sending money to the rest of the world. Option 1: BIC/SWIFT and IBAN mandatory countries. BIC/SWIFT and IBAN are mandatory requirements when sending money to some non-EEA countries. PISPs will need to provide this information when sending International Payments to the following countries: Andorra, Bahrain, Faroe Islands, Georgia, Gibraltar, Greenland, Isle of Man, Israel, Jordan, Kuwait, Lebanon, Macedonia, Montenegro, Moldova, Monaco, Pakistan, Palestine, Qatar, San Marino, Saudi Arabia, Switzerland, Tunisia, Turkey, and United Arab Emirates. Creditor Account Scheme Name must be set to UK.OBIE.IBAN. Creditor Agent Scheme Name must be set to UK.OBIE.BICFI and BIC/SWIFT must be sent in Identification. Option 2: National Clearing Code mandatory countries. National Clearing Codes are mandatory for the following countries and are expected to be sent as detailed below for each respective country: Australia: Bank-State-Branch (BSB) Code. Creditor Account Scheme Name can be sent as BBAN or SCAN. Creditor Agent Scheme Name must be UK.LBG.Clearingcode. Option 3: All other countries. Creditor Account Scheme Name can be IBAN, BBAN or SCAN. Creditor Agent Scheme Name must be set to UK.OBIE.BICFI when IBAN is provided for Creditor Account, and BIC/SWIFT must be sent in Identification. Creditor Agent Address must be sent when BBAN or SCAN are provided for Creditor Account, with the additional details being mandatory:
|
/international-payment-consents |
Payment Risk Categorisation must be provided in OBRisk. For PISP initiated payments to be processed the payment must be categorised. Payment Context Code field in OBRisk is mandatory. |
/international-payment-consents |
Initiation Parent Block – Request Field Validations. Charge Bearer: Borne by Creditor is not supported. Consent requests with this value will result in an error response. Currency Of Transfer:
Instruction Priority: Lloyds Banking Group do not offer Instruction priority for International Payment requests. All requests will be treated as ‘Normal’. Local Instrument: No value is expected to be received in this field. |
/international-payment-consents |
Exchange Rate Information – Request Field Validations. Contract Identification and Exchange Rate: This functionality for ‘Agreed’ rates is not supported and therefore these fields must not be sent in the request. Rate Type: Only "Actual" is supported. All other Rate Types provided in the request will result in an error response. Note: Where payment requires multiple party authorisations the Exchange Rate Information displayed to user and sent in the response will be ‘Indicative’. Unit Currency: is a mandatory field within the exchange rate block. If this block is provided in the request, then this must be sent as GBP. |
/international-payment-consents |
Instructed Amount & Currency – Request Field Validations. Currency Field Validations: Most currencies support two decimal places for Instructed Amount, e.g. GBP. Certain currencies support up to a maximum of three decimal places, i.e. Kuwaiti Dinar. Japanese Yen must be sent as a whole integer value. Zero decimal points are supported for this currency. Note: When Currency Of Transfer has been provided as GBP, the Instructed Amount Currency must also be GBP. Requests sent where the amount exceeds 3 decimal places will result in an error response. For International payments the minimum payment amount is £1.00 (after currency transfer). |
/international-payment-consents |
SCA Exemption requests from PISPs are not supported. PISPs cannot use the SCA Support Data block to request SCA Exemption as this is not supported. If such a consent request is received, it will not be processed and will result in an error response. |
/international-payment-consents |
Multi Party Authorisation - Support for > ‘1 to sign’ payments. Some Business customers have set up Multi Party authorisation for > ‘1 to sign’ payments using Online Payment Control (OPC). PISPs should include OBAuthorisation1 data block in consent requests for these customers. Completion Date Time functionality is not supported. For payments that require Multi Party authorisation, additional approvals occur in our direct channel before the payments are processed, due to which the terminal payment status may not be available. |
/international-payment-consents |
Payment Reason Code – Country Requirements. Some countries mandate the need for the purpose or reason for payment. PISPs are expected to provide this information in the Extended Purpose field in the consent request for it to be processed. Note: For v3.1.x, Data.Initiation.Purpose as defined in the API specifications will not be used and may lead to error responses. For v4.0, Data.Initiation.Purpose is not applicable. United Arab Emirates and Jordan: These countries require reason codes specific to their own country requirements. Please refer to the detailed section on acceptable values. All Other Countries: A generic set of reasons is used. These are also detailed separately and should be referred to for acceptable values. Note: In all cases, only the reason code should be sent, without the additional text description, e.g. R24 should be sent. R24 School Fees would result in an error response. |
/international-payment-consents |
Risk – Contract Present Indicator. OBRisk block will only accept the correct spelling for Contract Present Indicator field. Any requests received with the incorrect spelling will result in an error response. Risk – Delivery Address Country Code and Town Name are required if Risk Delivery Address details are provided. |
/payment-details |
Endpoints not supported. The implementation for File Payments does not support the following optional/conditional endpoints in the API specification:
|
/international-payments |
Time between Consent Authorisation and Payment Submission. There is a maximum time limit of 90 seconds for PISPs to complete payment submission following a successful authorisation of consent request. This is due to live exchange rates being quoted for the transaction. If the first payment submission request is received after 90 seconds this will result in the payment request being rejected. |
/international-payment-consents |
JWS Base64 Encoding. JWS must be created with Base64 encoding. Failure to use the correct encoding in the creation of the JWS would result in an error response. |
/international-payment-consents |
Character Sets for International Payments. String fields are restricted to specific character sets and special characters are not allowed. Any special characters sent in the request may not be propagated to onward payment records and may result in an error response. |
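Several of the international consent rules in the table above interact (currency-specific decimal places, the exchange rate block, the Creditor Agent pairs, and code-only reason values), so a single pre-flight check is useful on the PISP side. The following is an added example, not Lloyds Banking Group code: the JSON key names are assumed to follow Open Banking Read/Write naming, the function and the `destination_country` parameter (ISO 3166 alpha-2) are hypothetical, and for the United Arab Emirates and Jordan only the shape of the code is checked, not membership of the country lists.

```python
import re
from decimal import Decimal, InvalidOperation
from typing import List, Optional

# Decimal places named in the table: JPY whole units, KWD up to three, otherwise two.
CURRENCY_DECIMALS = {"JPY": 0, "KWD": 3}
# Creditor Agent scheme names that appear in the table.
AGENT_SCHEMES = {"UK.OBIE.BICFI", "UK.LBG.Clearingcode"}
# Generic reason codes as listed on the page: R01 to R29, with no R19.
GENERIC_REASONS = {f"R{n:02d}" for n in range(1, 30)} - {"R19"}
# Shape only for the country-specific lists: three letters (AE), four digits (JO).
COUNTRY_REASON_SHAPE = {"AE": re.compile(r"[A-Z]{3}"), "JO": re.compile(r"\d{4}")}


def _decimal_places(amount: str) -> Optional[int]:
    """Number of decimal places, or None when the value is not a finite number."""
    try:
        value = Decimal(amount)
    except InvalidOperation:
        return None
    if not value.is_finite():
        return None
    return max(0, -value.as_tuple().exponent)


def check_international_initiation(initiation: dict, destination_country: str) -> List[str]:
    """Return the list of rule violations for an Initiation block (empty = OK)."""
    problems = []

    amount = initiation.get("InstructedAmount", {})
    currency = amount.get("Currency", "")
    places = _decimal_places(amount.get("Amount", ""))
    allowed = CURRENCY_DECIMALS.get(currency, 2)
    if places is None:
        problems.append("InstructedAmount.Amount is not a decimal number")
    elif places > allowed:
        problems.append(f"{currency} amount has {places} decimal places, maximum is {allowed}")
    if initiation.get("CurrencyOfTransfer") == "GBP" and currency != "GBP":
        problems.append("CurrencyOfTransfer is GBP, so InstructedAmount.Currency must be GBP")
    if initiation.get("ChargeBearer") == "BorneByCreditor":
        problems.append("ChargeBearer BorneByCreditor is not supported")

    fx = initiation.get("ExchangeRateInformation")
    if fx is not None:  # the block is optional, but constrained when present
        if fx.get("UnitCurrency") != "GBP":
            problems.append("ExchangeRateInformation.UnitCurrency must be GBP")
        if fx.get("RateType") != "Actual":
            problems.append("ExchangeRateInformation.RateType must be Actual")
        for field in ("ContractIdentification", "ExchangeRate"):
            if field in fx:
                problems.append(f"ExchangeRateInformation.{field} must not be sent")

    agent = initiation.get("CreditorAgent", {})
    by_scheme = agent.get("SchemeName") in AGENT_SCHEMES and bool(agent.get("Identification"))
    by_address = bool(agent.get("Name")) and bool(agent.get("PostalAddress"))
    if not (by_scheme or by_address):
        problems.append("CreditorAgent needs SchemeName+Identification or Name+PostalAddress")

    purpose = initiation.get("ExtendedPurpose")
    if purpose is not None:
        shape = COUNTRY_REASON_SHAPE.get(destination_country)
        valid = bool(shape.fullmatch(purpose)) if shape else purpose in GENERIC_REASONS
        if not valid:
            problems.append("ExtendedPurpose must be the reason code only, e.g. R24")
    return problems


# Constructed sample that breaks six of the rules at once (all values invented).
SAMPLE_INITIATION = {
    "InstructedAmount": {"Amount": "10.1234", "Currency": "KWD"},
    "CurrencyOfTransfer": "KWD",
    "ChargeBearer": "BorneByCreditor",
    "ExchangeRateInformation": {"UnitCurrency": "GBP", "RateType": "Agreed",
                                "ContractIdentification": "FX-0001"},
    "CreditorAgent": {"SchemeName": "UK.OBIE.BICFI"},
    "ExtendedPurpose": "R24 School Fees",
}
SAMPLE_PROBLEMS = check_international_initiation(SAMPLE_INITIATION, "KW")
```
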
Generic Countries – Payment Reason Code
Code | Reason Description | Code | Reason Description |
---|---|---|---|
R01 | Charitable Donation | R15 | Rent |
R02 | Expenses | R16 | Salary |
R03 | Family Maintenance | R17 | Tax |
R04 | Fx Currency Non-Resident Deposit | R18 | Wages |
R05 | Fees | R20 | Commission |
R06 | Gift | R21 | Purchase of Shares |
R07 | Holiday | R22 | Grant |
R08 | Hotel | R23 | House Purchase Resident |
R09 | Invoice | R24 | School Fees |
R10 | Loan | R25 | Other |
R11 | Medical | R26 | House Purchase Non-Resident |
R12 | Own Account Transfer | R27 | Inheritance |
R13 | Pension | R28 | Relocation |
R14 | Personal Transfer | R29 | Mortgage Payment |
United Arab Emirates – Payment Reason Code
Code | Reason Description |
---|---|
ACM | Agency Commissions |
AES | Advance payment against EOS |
AFA | Receipts or payments from personal resident bank account or deposits abroad |
AFL | Receipts or payments from personal non-resident bank account in the UAE |
ALW | Allowance |
ATS | Air transport |
BON | Bonus |
CCP | Corporate Card Payments |
CEA | Equity and investment fund shares for the establishment of new company from residents abroad, equity of merger or acquisition of companies abroad from residents and participation to capital increase of related companies abroad |
CEL | Equity and investment fund shares for the establishment of new company in the UAE from non-residents, equity of merger or acquisition of companies in the UAE from non-residents and participation to capital increase of related companies from non-residents in the UAE |
CHC | Charitable Contributions (Charity and Aid) |
CIN | Commercial Investments |
COM | Commission |
COP | Compensation |
CRP | Credit Card Payment |
DCP | Debit Card Payments |
DIV | Dividend Payouts From FI |
DLA | Purchases and sales of foreign debt securities in not related companies - More than a year |
DLF | Debt instruments intragroup loans, deposits foreign (above 10% share) |
DLL | Purchases and sales of securities issued by residents in not related companies - More than a year |
DOE | Dividends on equity not intragroup |
DSA | Purchases and sales of foreign debt securities in not related companies - Less than a year |
DSF | Debt instruments intragroup foreign securities |
DSL | Purchases and sales of securities issued by residents in not related companies - Less than a year |
EDU | Educational Support |
EMI | Equated Monthly Instalments |
EOS | End of Service / Final Settlement |
FAM | Family Support (Workers' remittances) |
FDA | Financial derivatives foreign |
FDL | Financial derivatives in the UAE |
FIA | Investment fund shares foreign |
FIL | Investment fund shares in the UAE |
FIS | Financial services |
FSA | Equity other than investment fund shares in not related companies abroad |
FSL | Equity other than investment fund shares in not related companies in the UAE |
GDE | Goods sold (Exports in fob value) |
GDI | Goods bought (Imports in cif value) |
GMS | Processing repair and maintenance services on goods |
GOS | Government goods and services embassies etc. |
GRI | Government related income taxes, tariffs, capital transfers, etc. |
IFS | Information services |
IGD | Dividends intragroup |
IGT | INTER GROUP TRANSFER |
IID | Interest on debt intragroup |
INS | Insurance services |
IOD | Income on deposits |
IOL | Income on loans |
IPC | Charges for the use of intellectual property royalties |
IPO | IPO Subscriptions |
IRP | INTEREST RATE SWAP PAYMENTS |
IRW | INTEREST RATE UNWIND PAYMENTS |
ISH | Income on investment funds shares |
ISL | Interest on securities more than a year |
ISS | Interest on securities less than a year |
ITS | Computer services |
LAS | Leave Salary |
LDL | Debt instruments intragroup loans, deposits in the UAE (above 10% share) |
LDS | Debt instruments intragroup securities in the UAE |
LEA | Leasing abroad |
LEL | Leasing in the UAE |
LIP | Loan Interest Payments |
LLA | Loans - Drawings or Repayments on loans extended to non-residents - Long-term |
LLL | Loans - Drawings or Repayments on foreign loans extended to residents - Long-term |
LNC | Loan Charges |
LND | Loan Disbursements From FI |
MCR | Monetary Claim Reimbursements |
MWI | MOBILE WALLET CARD CASH-IN |
MWO | MOBILE WALLET CARD CASH-OUT |
MWP | MOBILE WALLET CARD PAYMENTS |
OAT | OWN ACCOUNT TRANSFER |
OTS | Other modes of transport (including Postal and courier services) |
OVT | Overtime |
PEN | Pension |
PIN | Personal Investments |
PIP | Profits on Islamic products |
PMS | Professional and management consulting services |
POR | Refunds/Reversals on IPO subscriptions |
POS | POS Merchant Settlement |
PPA | Purchase of real estate abroad from residents |
PPL | Purchase of real estate in the UAE from non-residents |
PRP | PROFIT RATE SWAP PAYMENTS |
PRR | Profits or rents on real estate |
PRS | Personal, cultural, audio visual and recreational services |
PRW | PROFIT RATE UNWIND PAYMENTS |
RDA | Reverse debt instruments abroad |
RDL | Reverse debt instruments in the UAE |
RDS | Research and development services |
REA | Reverse equity shares abroad |
REL | Reverse equity shares in the UAE |
RFS | Repos on foreign securities |
RLS | Repos on securities issued by residents |
RNT | Rent Payments |
SAA | Salary Advance |
SAL | Salary (Compensation of employees) |
SCO | Construction |
SLA | Loans - Drawings or Repayments on loans extended to non-residents - Short-term |
SLL | Loans - Drawings or Repayments on foreign loans extended to residents - Short-term |
STR | Travel |
STS | Sea transport |
SVI | STORED VALUE CARD CASH-IN |
SVO | STORED VALUE CARD CASH-OUT |
SVP | STORED VALUE CARD PAYMENTS |
TCP | Trade credits and advances payable |
TCR | Trade credits and advances receivable |
TCS | Telecommunication services |
TKT | Tickets |
TOF | Transfer of funds between persons Normal and Juridical |
TTS | Technical, trade-related and other business services |
UTL | Utility Bill Payments |
TAX | TAX Payment |
Jordan – Payment Reason Code
Code | Reason Description | Code | Reason Description |
---|---|---|---|
0101 | Invoice Payment & Purchase | 0704 | UN Aid |
0102 | Utility Bill Payment | 0705 | Charity Communities Aid |
0103 | Prepaid Card Recharging | 0801 | Telecommunication Services |
0104 | Standing Orders | 0802 | Financial Services |
0105 | Personal Donations | 0803 | Information Technology Services |
0106 | Family Assistance and Expenses | 0804 | Consulting Services |
0107 | Individual Social Security Subscriptions | 0805 | Construction Services |
0108 | Associations Subscriptions | 0806 | Maintenance & Assembling Services |
0109 | Saving and Funding Account | 0807 | Marketing and Media Services |
0110 | Heritance | 0808 | Mining Services |
0111 | End of Service indemnity | 0809 | Medical & Health Services |
0201 | Public Sector Employee Salaries | 0810 | Cultural, Educational & Entertainment Services |
0202 | Labourers Salaries | 0811 | Rental Expenses |
0203 | Private Sector Staff Salaries | 0812 | Real Estate |
0204 | Jordanian Diplomatic Staff Salaries | 0813 | Taxes |
0205 | Foreign Diplomatic Salaries | 0814 | Fees |
0206 | Overseas Incoming Salaries | 0815 | Commissions |
0207 | Civil / Military Retirement Salaries | 0816 | Franchise and License Fees |
0208 | Social Security Retirement Salaries | 0817 | Cheque Collection |
0209 | Establishment Social Security Subscription | 0818 | Membership Fees |
0301 | Investment Revenues | 0901 | Municipality Funds |
0302 | Brokerage Investment | 0902 | Government Funds |
0303 | Insurance | 0903 | Private Sector Funds |
0304 | Subscriptions to international nonmonetary organisations | 0904 | External Incoming Funds |
0305 | Local Investment | 1001 | International Communities and Embassies Remittances |
0306 | External Investment | 1002 | Permanent Diplomatic Missions |
0307 | Tender bond Guarantee | 1003 | Temporary Diplomatic Missions |
0401 | Air Freight | 1004 | Jordanian Embassies Income |
0402 | Land Freight | 1101 | Long-Term Loans Instalments / Public Sector |
0403 | Sea Freight | 1102 | Long-Term Loans interest Instalments / Public Sector |
0404 | Travel and Tourism | 1103 | Short-Term Loans Instalments / Public Sector |
0501 | Governmental Delegation Transfers | 1104 | Short-Term Loans interest Instalments / Public Sector |
0502 | Private Sector Delegation Transfers | 1105 | Long-Term Loans Instalments / Private Sector |
0503 | Governmental Education | 1106 | Long-Term Loans interest Instalments / Public Sector |
0504 | Private Sector Education | 1107 | Short-Term Loans Instalments /Private Sector |
0601 | Public Sector Exportation | 1108 | Short-Term Loans interest Instalments / Private Sector |
0602 | Private Sector Exportation | 1109 | Loans Instalments Against Governmental Guarantee |
0603 | Public Sector Importation | 1110 | Loans Interest Instalments Against Governmental Guarantee |
0604 | Private Sector Importation | 1111 | Credit Card Payment |
0701 | Religious Communities Aid | 1112 | Personal Loan Payment |
0702 | International Communities Aid | 1201 | Rerouting |
0703 | Arab Communities Aid | 1202 | Scientific Research Support |
FILE PAYMENTS VARIATIONS
There are several important variations relating to Payment Initiation APIs that PISPs should be aware of for our File Payment endpoints. These are detailed in the table below.
Endpoints | Description |
---|---|
/file-payment-consents |
Functionality available for Business Customers only. Currently only Business customers using Business Banking (O4B/BIB), or Mobile App can access file payment endpoints functionality. Commercial Customers using Commercial Banking Online (CBO) will not be able to initiate payments using File Payment endpoints. |
/file-payment-consents |
Multi Party Authorisation - Support for > ‘1 to sign’ payments. Some Business customers have set up Multi Party authorisation for > ‘1 to sign’ payments using Online Payment Control (OPC). PISPs should include OBAuthorisation1 data block in consent requests for these customers. Completion Date Time functionality is not supported. For payments that require Multi Party authorisation, additional approvals occur in our direct channel before the payments are processed, due to which the terminal payment status may not be available. |
/file-payment-consents |
File Type Enumerations. The File Type in consents request must contain one of the following values for the payment file type:
If any other value is sent in the request, then this will be rejected. |
/file-payment-consents |
Initiation Block – Request Field Validations. The following fields are mandatory for LBG and must be provided in the consent request:
Any requests not providing these details will be rejected. |
/file-payment-consents |
Requested Execution Date Time Validations.
|
/file-payment-consents |
SCA Exemption requests from PISPs is not supported. PISPs cannot use SCA Support Data block to request SCA Exemption as this is not supported. If consent request is received, this will not be processed and will result in an error response. |
/file-payment-consents |
Bulk Payment File Cut-Off Times. Business customers processing a Bulk payment file will see a warning message displayed on the Lloyds Banking Group Secure Payments Gateway screens from 17:45. This warns of the impending cut off time. This will be displayed until 18:00 which is the hard cut-off time. |
/file |
Payment File must be sent in csv. format. Lloyds Banking Group will accept only two file specifications in a csv. file format:
The specification for these files including details of format, structure, field length and character sets are detailed in File Layout sections. Any files received not in the given format for the File Type provided in the consent will be rejected. |
/file-payments |
Field Length and Truncations Data will get truncated where csv. file fields contain more characters than supported by the schemes. Scheme standards are:
|
/file-payments |
Endpoints not supported. The implementation for File Payments does not support following optional/conditional endpoints in the API specification:
|
/file-payment-consents |
Characters Sets for File Payments String fields are restricted to specific character sets and special characters are not allowed. Any special characters sent in the request may not be propagated to onward payment records and may result in an error response. |
/file-payment-consents |
Initiation Block Validations The following fields will have additional validations:
|
File Layout – Bulk Payments (BACS)
File Template
Header Indicator (Single character always H) | Date of file creation (Format yyyymmdd) | Unique file ID (10 character field) | Number of Credits (Count of credits within the file - max of 25) | Value (Total value of credits in the file) |
---|---|---|---|---|
H | 20220301 | 9876543210 | 5 | 10.20 |

Debit Indicator (Single character always D) | Payment Date (Format yyyymmdd) | Batch Reference (18 character field) | Debit Account Details (15 character field with sort code-Account Number detailed) |
---|---|---|---|
D | 20220302 | Test payments | 309664-12345679 |

Credit Indicator (Single character of C must be present for each credit) | Recipient (Alpha numeric field containing beneficiaries name, maximum length 18 characters) | Recipient Sort Code (numeric field must be 6 characters in length) | Recipient Account Number (numeric field must be 8 characters in length) | Reference (18 character field) | Amount (18 character decimal field) |
---|---|---|---|---|---|
c | Freds No1 account | 100000 | 12345678 | Test 1 | 0.04 |
c | Freds No1 account | 100000 | 12345678 | Test 2 | 1.04 |
c | Freds No1 account | 100000 | 12345678 | Test 3 | 2.04 |
c | Freds No1 account | 100000 | 12345678 | Test 4 | 3.04 |
c | Freds No1 account | 100000 | 12345678 | Test 5 | 4.04 |
Actual File
H | 20220301 | 9876543210 | 5 | 10.20 | |
D | 20220302 | Test payments | 309664-12345679 | ||
c | Freds No1 account | 100000 | 12345678 | Test 1 | 0.04 |
c | Freds No1 account | 100000 | 12345678 | Test 2 | 1.04 |
c | Freds No1 account | 100000 | 12345678 | Test 3 | 2.04 |
c | Freds No1 account | 100000 | 12345678 | Test 4 | 3.04 |
c | Freds No1 account | 100000 | 12345678 | Test 5 | 4.04 |
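The layout rules above can be checked locally before a file is uploaded to /file. The validator below is an added example, not Lloyds Banking Group code, and covers the Bulk Payments (BACS) layout only. It assumes comma-separated fields, record indicators in either case (the sample rows use a lower-case c), field lengths read as maximums, and recipient names limited to letters, digits and spaces.

```python
import csv
import io
import re
from datetime import datetime
from decimal import Decimal

MAX_CREDITS = 25  # "max of 25" in the header description

# Constructed sample: the page's example rows joined with commas (assumed delimiter).
SAMPLE = """H,20220301,9876543210,5,10.20
D,20220302,Test payments,309664-12345679
c,Freds No1 account,100000,12345678,Test 1,0.04
c,Freds No1 account,100000,12345678,Test 2,1.04
c,Freds No1 account,100000,12345678,Test 3,2.04
c,Freds No1 account,100000,12345678,Test 4,3.04
c,Freds No1 account,100000,12345678,Test 5,4.04
"""


def _rows(text):
    """Split CSV text into rows of stripped cells, without blank rows or trailing empty cells."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        cells = [cell.strip() for cell in row]
        while cells and cells[-1] == "":
            cells.pop()
        if cells:
            rows.append(cells)
    return rows


def _is_date(value):
    """True for a real calendar date written as yyyymmdd."""
    if not re.fullmatch(r"[0-9]{8}", value):
        return False
    try:
        datetime.strptime(value, "%Y%m%d")
    except ValueError:
        return False
    return True


def _amount(value):
    """Parse a plain decimal of at most 18 characters; None when malformed."""
    if len(value) <= 18 and re.fullmatch(r"[0-9]+(\.[0-9]+)?", value):
        return Decimal(value)
    return None


def validate_bulk_file(text):
    """Return a list of layout problems; an empty list means the file passed."""
    rows = _rows(text)
    if len(rows) < 3:
        return ["expected an H row, a D row and at least one C row"]
    header, debit, credits = rows[0], rows[1], rows[2:]
    errors = []

    def need(ok, message):
        if not ok:
            errors.append(message)

    # H row: indicator, creation date, unique file ID, number of credits, total value
    count = declared = None
    if len(header) != 5 or header[0].upper() != "H":
        errors.append("row 1: expected 5 fields starting with H")
    else:
        need(_is_date(header[1]), "row 1: creation date is not yyyymmdd")
        need(1 <= len(header[2]) <= 10, "row 1: file ID must be 1-10 characters")
        is_num = re.fullmatch(r"[0-9]+", header[3]) is not None
        need(is_num, "row 1: number of credits is not numeric")
        count = int(header[3]) if is_num else None
        declared = _amount(header[4])
        need(declared is not None, "row 1: total value is not a decimal")

    # D row: indicator, payment date, batch reference, sort code-account number
    if len(debit) != 4 or debit[0].upper() != "D":
        errors.append("row 2: expected 4 fields starting with D")
    else:
        need(_is_date(debit[1]), "row 2: payment date is not yyyymmdd")
        need(len(debit[2]) <= 18, "row 2: batch reference exceeds 18 characters")
        need(re.fullmatch(r"[0-9]{6}-[0-9]{8}", debit[3]), "row 2: debit account must be NNNNNN-NNNNNNNN")

    # C rows: indicator, recipient, sort code, account number, reference, amount
    total = Decimal("0")
    for n, c in enumerate(credits, start=3):
        if len(c) != 6 or c[0].upper() != "C":
            errors.append(f"row {n}: expected 6 fields starting with C")
            continue
        need(re.fullmatch(r"[A-Za-z0-9 ]{1,18}", c[1]), f"row {n}: recipient must be 1-18 alphanumeric characters")
        need(re.fullmatch(r"[0-9]{6}", c[2]), f"row {n}: sort code must be 6 digits")
        need(re.fullmatch(r"[0-9]{8}", c[3]), f"row {n}: account number must be 8 digits")
        need(len(c[4]) <= 18, f"row {n}: reference exceeds 18 characters")
        amount = _amount(c[5])
        need(amount is not None, f"row {n}: amount is not a decimal")
        total += amount or 0

    # Cross-checks between the header and the credit rows
    need(len(credits) <= MAX_CREDITS, f"file has {len(credits)} credits; maximum is {MAX_CREDITS}")
    need(count is None or count == len(credits), f"header declares {count} credits, file has {len(credits)}")
    need(declared is None or declared == total, f"header total {declared} does not match credit sum {total}")
    return errors
```

Running the header cross-checks locally catches a count or total that no longer matches the credit rows after a late edit to the file.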
File Layout – Batch Payments (FPS)
File Template
Header Indicator (Single character always H) | Date of file creation (Format yyyymmdd) | Unique file ID (10 character field) | Number of Credits (Count of credits within the file - max of 25) | Value (Total value of credits in the file) |
---|---|---|---|---|
H | 20220301 | 9876543210 | 3 | 0.6 |

Debit Indicator (Single character always D) | Batch Reference (18 character field) | Debit Account Details (15 character field with sort code-Account Number detailed) |
---|---|---|
D | Test payments | 309664-12345679 |

Credit Indicator (Single character of C must be present for each credit) | Recipient Name (Alpha numeric field containing beneficiaries name, maximum length 18 characters) | Recipient Account Number (numeric field must be 8 characters in length) | Recipient Sort Code (numeric field must be 6 characters in length) | Reference (18 character field) | Debit Amount (18 character decimal field) | Payment ASAP (For value today payments set to Y otherwise set to N) | Payment Date (Format yyyymmdd, must be left blank if Payment ASAP is set to Y) | E to E Reference (256 character field) |
---|---|---|---|---|---|---|---|---|
c | BENEFICIARY NAME | 12345678 | 301763 | BENEFICIARY REFERE | 0.1 | N | 20180121 | END TO END REFERENCE |
c | BENEFICIARY NAME | 12345678 | 301763 | BENEFICIARY REFERE | 0.2 | Y | | END TO END REFERENCE |
c | BENEFICIARY NAME | 12345678 | 301763 | BENEFICIARY REFERE | 0.3 | N | 20180121 | END TO END REFERENCE |
Actual File
H | 20220301 | 9876543210 | 3 | 0.6 | ||||
D | Test payments | 309664-12345679 | ||||||
c | BENEFICIARY NAME | 12345678 | 301763 | BENEFICIARY REFERE | 0.1 | N | 20180121 | END TO END REFERENCE |
c | BENEFICIARY NAME | 12345678 | 301763 | BENEFICIARY REFERE | 0.2 | Y | | END TO END REFERENCE |
c | BENEFICIARY NAME | 12345678 | 301763 | BENEFICIARY REFERE | 0.3 | N | 20180121 | END TO END REFERENCE |
VARIABLE RECURRING PAYMENTS VARIATIONS
There are several important variations relating to Variable Recurring Payment APIs that PISPs should be aware of when using this service. These are detailed in the table below.
Endpoints | Description |
---|---|
/domestic-vrp-consents /domestic-vrps | APIs support use cases that meet the definition of sweeping only. Variable Recurring Payment under Sweeping Access will be allowed using VRP APIs. This restricts what values would be accepted in a consent request: All other enumeration values provided in the specification are not accepted and would result in an error response. |
/domestic-vrp-consents /domestic-vrps | APIs are not supported for Commercial Customers. Commercial Customers using Commercial Banking Online (CBO) will not be able to set up Variable Recurring Payments. Retail Customers using Internet Banking (IB) or Mobile App and Business Customers using Business Banking (O4B/BIB), or Mobile App will be able to set up Variable Recurring Payments. |
/domestic-vrp-consents | Payment Risk Categorisation must be provided in OBRisk. For PISP initiated payments to be processed the payment must be categorised. The Payment Context Code field in OBRisk is mandatory. Acceptable values are ‘Party to Party’ or ‘Transfer to Self’. All other Payment Context Codes will not be accepted for Variable Recurring Payments under Sweeping Access. |
/domestic-vrp-consents | Creditor Account details must be sent in consent request. Initiation.CreditorAccount details must be populated in the consent request. Any requests not providing Creditor Account details will be rejected. Schemes supported are: UK.OBIE.Paym is not supported, in line with Pay.UK removing the service in March 2023. UK.OBIE.Wallet is not supported. |
/domestic-vrp-consents | Consents can be set up no more than 31 days in the future. ValidFromDateTime cannot occur more than 31 days in the future. Where no date is provided, the creation date will be used to determine when the consent is active. ValidToDateTime cannot be the same date as the consent request and must fall after ValidFromDateTime. Where no date is provided, the consent will remain active until the customer takes an action to revoke or delete the consent. |
/domestic-vrp-consents | Risk – Contract Present Indicator. The OBRisk block will only accept the correct spelling for the Contract Present Indicator field. Any requests received with the incorrect spelling will result in an error response. Risk – Delivery Address. Country Code and Town Name are required if Risk Delivery Address details are provided. |
/domestic-vrp-consents /funds-confirmation /domestic-vrps | Amount fields support up to 2 decimal places only. Requests sent where the amount field exceeds 2 decimal places will result in an error response. Consents: Consent funds-confirmation: Payments: |
/domestic-vrp-consents | Control Parameter Exceptions. A consent request can support up to six instances of Period Limits within one request; however, the period type cannot be duplicated within that same consent request. The combination of Period Type of Fortnight and Period Alignment of Calendar cannot be supported. Requests with this combination will result in an error response. Consent requests that contain Period Alignment of Calendar will have the amount pro-rated for the first and last period. A Maximum Individual Amount value of less than £1.00 is not accepted. |
/funds-confirmation | Reference details must match. A funds confirmation request must include the same reference as provided in the original consent request. The request will be rejected if this is not provided or does not match. |
/payment-details | Endpoints not supported. The implementation for Variable Recurring Payments does not support the optional endpoint in the API specification: GET /domestic-vrps/{DomesticVRPId}/payment-details |
/domestic-vrp-consents /funds-confirmation /domestic-vrps | Character Sets for Variable Recurring Payments. String fields are restricted to specific character sets and special characters are not allowed. Any special characters sent in the request may not be propagated to onward payment records and may result in an error response. |
/domestic-vrp-consents/{ConsentId} | v4.0 Migration of v3.x long-lived consents to v4.0. To allow the longevity of the long-lived consents of users that were created in previous API versions v3.x, a PUT operation can be performed to migrate the consent to support Variable Recurring Payment submission in v4.0. It is not possible to submit a payment in v4.0 with a long-lived consent created in previous API versions v3.x. The PATCH operation is currently not supported. |
/domestic-vrp-consents/{ConsentId} | v4.0 Migration of v3.x long-lived consents to v4.0 – Request Body. The entire Request body and Headers must be updated as part of the PUT operation, including fields that are not changing. The consent request body may not be modified. The information provided in the older API version (v3.x) must be identical to the one being provided in the Request body to be migrated to v4.0. |
/domestic-vrp-consents/{ConsentId} | v4.0 Migration of v3.x long-lived consents to v4.0 – Payment Context Codes. The Payment Context Code “PartytoParty” will be deprecated in v4.0. For any consents with this Payment Context Code or any Payment Context Code that is invalid in v4.0, the TPP is required to initiate a new consent. |
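A TPP can test a consent body against the control-parameter, date and mandatory-field variations in the table above before sending it to /domestic-vrp-consents. The checker below is an added example, not LBG code. The JSON names PeriodicLimits, PeriodType and PeriodAlignment are taken from the OBIE VRP specification rather than from this page, and the sample consent, its placeholder scheme name and account, and the fixed request time are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal

AMOUNT_RE = re.compile(r"[0-9]+(\.[0-9]{1,2})?")  # up to 2 decimal places
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed request time


def sample_consent():
    """Constructed consent body; SchemeName and Identification are placeholders."""
    return {
        "Data": {
            "ControlParameters": {
                "ValidFromDateTime": "2024-05-10T00:00:00+00:00",
                "ValidToDateTime": "2025-05-10T00:00:00+00:00",
                "MaximumIndividualAmount": {"Amount": "100.00", "Currency": "GBP"},
                "PeriodicLimits": [
                    {"PeriodType": "Month", "PeriodAlignment": "Calendar", "Amount": "500.00", "Currency": "GBP"},
                    {"PeriodType": "Week", "PeriodAlignment": "Consent", "Amount": "200.00", "Currency": "GBP"},
                ],
            },
            "Initiation": {
                "CreditorAccount": {
                    "SchemeName": "<supported-scheme>",
                    "Identification": "<account-id>",
                    "Name": "Constructed Payee",
                }
            },
        },
        "Risk": {"PaymentContextCode": "TransferToSelf"},  # OBIE enum spelling (assumed)
    }


def _parse_dt(value):
    """Parse an ISO 8601 timestamp; a trailing Z is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_vrp_consent(consent, now):
    """Return the variations a consent body would break; an empty list means none."""
    problems = []
    data = consent.get("Data", {})
    params = data.get("ControlParameters", {})

    # Period limits: at most six, one per period type, no Fortnight with Calendar
    limits = params.get("PeriodicLimits", [])
    if len(limits) > 6:
        problems.append("more than six period limits")
    types = [limit.get("PeriodType") for limit in limits]
    if len(types) != len(set(types)):
        problems.append("duplicate PeriodType in period limits")
    for limit in limits:
        if limit.get("PeriodType") == "Fortnight" and limit.get("PeriodAlignment") == "Calendar":
            problems.append("Fortnight with Calendar alignment is not supported")
        if not AMOUNT_RE.fullmatch(limit.get("Amount", "")):
            problems.append(f"{limit.get('PeriodType')} limit amount needs at most 2 decimal places")

    # Maximum individual amount: at most 2 decimal places and not below 1.00
    max_amount = params.get("MaximumIndividualAmount", {}).get("Amount", "")
    if not AMOUNT_RE.fullmatch(max_amount):
        problems.append("MaximumIndividualAmount is missing or has more than 2 decimal places")
    elif Decimal(max_amount) < Decimal("1.00"):
        problems.append("MaximumIndividualAmount is below 1.00")

    # Validity window: start defaults to the request time when no date is given
    valid_from = params.get("ValidFromDateTime")
    valid_to = params.get("ValidToDateTime")
    start = _parse_dt(valid_from) if valid_from else now
    if start > now + timedelta(days=31):
        problems.append("ValidFromDateTime is more than 31 days in the future")
    if valid_to:
        end = _parse_dt(valid_to)
        if end.astimezone(timezone.utc).date() == now.astimezone(timezone.utc).date():
            problems.append("ValidToDateTime is on the same date as the consent request")
        if end <= start:
            problems.append("ValidToDateTime does not fall after the consent start")

    # Blocks the table marks as mandatory
    if not data.get("Initiation", {}).get("CreditorAccount"):
        problems.append("Initiation.CreditorAccount is missing")
    if not consent.get("Risk", {}).get("PaymentContextCode"):
        problems.append("Risk.PaymentContextCode is missing")
    return problems
```

The check covers structure only; whether a Payment Context Code or scheme value is accepted is decided by the lists in the table, which this example does not encode.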
PAYMENT INITIATION ERROR SCENARIOS
Header Error Responses
Scenario | Expected ASPSP Response v4.0 | Expected ASPSP Response v3.1.x | Expected TPP Action |
---|---|---|---|
TPP attempts to use POST operation with invalid details in the header | Http Status: 400 ErrorCode: U006 Message: UK.OBIE.Header.Invalid - x-fapi-customer-last-logged-time is not in a valid format | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Header.Invalid Message: x-fapi-customer-last-logged-time is not in a valid format | Re-attempt POST operation with a valid header. Corrective action required is provided in Error message. |
TPP attempts to use POST operation with header details missing | Http Status: 400 ErrorCode: U007 Message: UK.OBIE.Header.Missing - x-idempotency-key is missing in the request | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Header.Invalid Message: x-idempotency-key is missing in the request | Re-attempt POST operation with a valid header. Corrective action required is provided in Error message. |
TPP attempts to use POST operation with the same idempotency key after 24 hours | Http Status: 409 ErrorCode: U029 Message: | Http Status: 400 Code: 409 ResourceAlreadyExists Message: ResourceAlreadyExists Error Code: UK.OBIE.Rules.ResourceAlreadyExists Message: Resource with same parameters already exists or in a state that doesn't allow requested operation | Idempotency supported for 24-hour period. After 24 hours a new request should be created. |
Signature Error Responses
Scenario | Expected ASPSP Response v4.0 | Expected ASPSP Response v3.1.x | Expected TPP Action |
---|---|---|---|
TPP attempts to use POST operation with signature details missing | Http Status: 409 ErrorCode: U019 Message: UK.OBIE.Signature.Missing - x-jws-signature is missing in the header | Http Status: 400 Code: 400 Message: Signature missing Error Code: UK.OBIE.Signature.Missing Message: x-jws-signature is missing in the header | Re-attempt POST operation with a valid signature included. Corrective action required is provided in Error message. For example: Message: x-jws-signature is missing in the header |
TPP attempts to use POST operation with invalid details in the signature | Http Status: 400 ErrorCode: U015 Message: UK.OBIE.Signature.Invalid - x-jws-signature in the header is invalid | Http Status: 400 Code: 400 Message: Signature invalid Error Code: UK.OBIE.Signature.Invalid Message: x-jws-signature in the header is invalid | Re-attempt POST operation with a valid signature |
TPP attempts to use POST operation with a malformed signature | Http Status: 400 ErrorCode: U018 Message: x-jws-signature in the header was malformed | Http Status: 400 Code: 400 Message: Signature malformed Error Code: UK.OBIE.Signature.I Message: x-jws-signature in the header was malformed | Re-attempt POST operation with a valid signature |
Request Error Responses
Scenario | Expected ASPSP Response v4.0 | Expected ASPSP Response v3.1.x | Expected TPP Action |
---|---|---|---|
TPP attempts to set up a payment consent with mandatory field(s) missing from the request payload. | Http Status: 400 ErrorCode: U004 Message: UK.OBIE.Field.Missing - Amount is missing in the request Path: Data.Initiation.InstructedAmount.Amount | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Field.Missing Message: Amount is missing in the request Path: Data.Initiation.InstructedAmount.Amount | Create a new consent using a POST operation with a valid payload. Take the PSU through an authentication journey. Corrective action required is provided in Error message. |
TPP attempts to set up a payment consent with invalid details provided in the request payload. | Http Status: 400 ErrorCode: U002 Message: UK.OBIE.Field.Invalid - PaymentContextCode is not in a valid format Path: Risk.PaymentContextCode | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Field.Invalid Message: PaymentContextCode is not in a valid format Path: Risk.PaymentContextCode | Create a new consent using a POST operation with a valid payload. Take the PSU through an authentication journey. Corrective action required is provided in Error message. |
TPP attempts to access a payment consent resource with an invalid consent id. | Http Status: 400 ErrorCode: U011 Message: UK.OBIE.Resource.NotFound - Consent Id not found | Http Status: 400 Code: 400 BadRequest Message: Resource not found Error Code: UK.OBIE.Resource.NotFound Message: Consent Id not found | Reattempt with a valid Consent ID. Else, create a new consent using a POST operation. Take the PSU through an authentication journey. |
TPP attempts to set up a payment consent for a date in the past. | Http Status: 400 ErrorCode: U003 Message: UK.OBIE.Field.InvalidDate - CompletionDateTime is not in a valid format | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Field.InvalidDate Message: CompletionDateTime is not in a valid format Path: Data.Authorisation.CompletionDateTime | Create a new consent using a POST operation. Take the PSU through an authentication journey. |
TPP attempts to set up a payment consent with a future date that is not supported. | Http Status: 400 ErrorCode: U003 Message: UK.OBIE.Field.InvalidDate - RequestedExecutionDateTime cannot be more than 31 days in the future Path: Data.Initiation.RequestedExecutionDateTime | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Field.InvalidDate Message: RequestedExecutionDateTime cannot be more than 31 days in the future Path: Data.Initiation.RequestedExecutionDateTime | Create a new consent using a POST operation. Take the PSU through an authentication journey. Valid future dates expected are documented in Implementation Guide. |
TPP attempts to set up a payment consent with a scheme that is not supported. | Http Status: 400 ErrorCode: U027 Message: UK.OBIE.Unsupported.Scheme - SchemeName value is not supported Path: Data.Initiation.CreditorAccount.SchemeName | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Unsupported.Scheme Message: SchemeName value is not supported Path: Data.Initiation.CreditorAccount.SchemeName | Create a consent using a POST operation with a payment scheme that is supported. Take the PSU through an authentication journey. Payment journeys supported are documented in Implementation Guide. |
TPP attempts to set up a payment consent with a Local Instrument that is not supported. | Http Status: 400 ErrorCode: U026 Message: UK.OBIE.Unsupported.LocalInstrument - LocalInstrument value is not supported Path: Data.Initiation.LocalInstrument | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Unsupported.LocalInstrument Message: LocalInstrument value is not supported Path: Data.Initiation.LocalInstrument | Create a consent using a POST operation with a Local Instrument that is supported. Take the PSU through an authentication journey. Payment journeys supported are documented in Implementation Guide. |
TPP attempts to set up a payment consent with a currency that is not supported. | Http Status: 400 ErrorCode: U023 Message: UK.OBIE.Unsupported.Currency - Currency value is not supported Path: Data.Initiation.InstructedAmount.Currency | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Unsupported.Currency Message: Currency value is not supported Path: Data.Initiation.InstructedAmount.Currency | Create a new payment order consent using a POST operation with a currency that is supported. Take the PSU through an authentication journey. Currencies supported are documented in Implementation Guide. |
TPP attempts to set up a payment consent with an Account Identifier that is not supported for the payment journey. | Http Status: 400 ErrorCode: U021 Message: UK.OBIE.Unsupported.AccountIdentifier - Identification value is not supported | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Unsupported.AccountIdentifier Message: Identification value is not supported | Create a new payment consent using a POST operation with an Account Identifier that is supported by the payment journey. Take the PSU through an authentication journey. Supported Account Identifiers for payment journeys are documented in Implementation Guide. |
TPP attempts to submit payment order using a Consent ID that has an invalid consent status. Sub-scenario: The underlying consent status is set to ‘RJCT’ (Rejected) or ‘AWAU’ (AwaitingAuthorisation) | Http Status: 400 ErrorCode: U009 Message: UK.OBIE.Resource.InvalidConsentStatus - Invalid consent status | Http Status: 400 Code: 400 BadRequest Message: Invalid consent status Error Code: UK.OBIE.Resource.InvalidConsentStatus Message: Invalid consent status | Create a new consent using a POST operation. Take the PSU through an authentication journey. |
TPP attempts to submit payment order using details that do not match the Consent resource. | Http Status: 400 ErrorCode: U008 Message: UK.OBIE.Resource.ConsentMismatch - Initiation data does not match the consent | Http Status: 400 Code: 400 BadRequest Message: Consent Mismatch Error Code: UK.OBIE.Resource.ConsentMismatch Message: Initiation data does not match the consent | Re-attempt POST operation with details that match consent resource. Else, create a new consent using a POST operation. Take the PSU through an authentication journey. |
TPP attempts to set up a payment consent with an unexpected field in the request payload | Http Status: 400 ErrorCode: U005 Message: UK.OBIE.Field.Unexpected - Unexpected field received in the request | Http Status: 400 Code: 400 BadRequest Message: Invalid request parameters Error Code: UK.OBIE.Field.Unexpected Message: Unexpected field received in the request | Create a new consent using a POST operation with a valid payload. Take the PSU through an authentication journey. Corrective action required is provided in Error message. |
TPP creates a consent in a newer version and uses it on a previous version (if the consent is created in 4.0 and the TPP calls a 3.1.x resource) | Http Status: 403 | NA | Retry with resource endpoints on same API version as consent |
ASPSP downstream services or server is down. | Http Status: 400 ErrorCode: U000 Message: UK.OBIE.UnexpectedError - Due to a technical problem, the request cannot be completed at this moment | Http Status: 500 Code: 500 UnexpectedError Message: Unexpected error Error Code: UK.OBIE.UnexpectedError Message: Due to a technical problem, the request cannot be completed at this moment | Retry Later. |
VARIABLE RECURRING PAYMENTS ERROR SCENARIOS
Header Error Responses
Scenario | Expected ASPSP Response v4.0 | Expected ASPSP Response | Expected TPP Action |
---|---|---|---|
TPP attempts to use POST operation with invalid details in the header | HTTP Status - 400 ErrorCode: U006, Message: UK.OBIE.Header.Invalid - <header name> is not in a valid format. | Http Status: 400 BadRequest Error Code: Error Type: | Re-attempt POST operation with a valid header. Corrective action required is provided in Error message. Message: x-fapi-customer-last-logged-time is invalid |
TPP attempts to use POST operation with header details missing | HTTP Status - 400 ErrorCode: U007, Message: UK.OBIE.Header.Missing - <header name> is missing in the request. | Http Status: 400 BadRequest Error Code: Error Type: | Re-attempt POST operation with a valid header. Corrective action required is provided in Error message. For example: Message: x-idempotency-key is missing in the request |
TPP attempts to use POST operation with the same idempotency key after 24 hours | HTTP Status - 400 ErrorCode: U029, Message: UK.OBIE.Rules.ResourceAlreadyExists – Resource already exists. | Http Status: 400 BadRequest Error Code: Error Type: | Idempotency supported for 24-hour period. After 24 hours a new request should be created. |
Signature Error Responses
Scenario | Expected ASPSP Response v4.0 | Expected ASPSP Response | Expected TPP Action |
---|---|---|---|
TPP attempts to use POST operation with signature details missing | HTTP Status - 400 ErrorCode: U019, Message: UK.OBIE.Signature.Missing – The Signature details are missing. | Http Status: 400 BadRequest Error Code: Error Type: | Re-attempt POST operation with a valid signature included. Corrective action required is provided in Error message. For example: Message: x-jws-signature is missing in the header |
TPP attempts to use POST operation with invalid details in the signature | HTTP Status - 400 ErrorCode: U015, Message: UK.OBIE.Signature.Invalid – The Signature details are invalid. | Http Status: 400 BadRequest Error Code: Error Type: | Re-attempt POST operation with a valid signature |
TPP attempts to use POST operation with a malformed signature | HTTP Status - 400 ErrorCode: U018, Message: UK.OBIE.Signature.Malformed – The Signature details are malformed. | Http Status: 400 BadRequest Error Code: Error Type: | Re-attempt POST operation with a valid signature |
Request Error Responses
Scenario | Expected ASPSP Response v4.0 | Expected ASPSP Response | Expected TPP Action |
---|---|---|---|
TPP attempts to set up a vrp consent with mandatory field(s) missing from the request payload. | HTTP Status - 400 ErrorCode: U004 Message: UK.OBIE.Field.Missing - <field name> is missing in the request. | Http Status: 400 BadRequest Error Code: Error Type: | Create a new consent using a POST operation with a valid payload. Take the PSU through an authentication journey. Corrective action required is provided in Error message. For example: Message: Amount is missing in the request Path: Data.ControlParameters.MaximumIndividualAmount.Amount |
TPP attempts to set up a vrp consent with invalid details provided in the request payload. | HTTP Status - 400 ErrorCode: U002 Message: UK.OBIE.Field.Invalid - <field name> is not in a valid format. | Http Status: 400 BadRequest Error Code: Error Type: | Create a new consent using a POST operation with a valid payload. Take the PSU through an authentication journey. Corrective action required is provided in Error message. Message: PaymentContextCode is not in a valid format. Path: Risk.PaymentContextCode |
TPP attempts to set up a vrp consent with dates that are not supported. | HTTP Status - 400 ErrorCode: U003, Message: UK.OBIE.Field.InvalidDate - <field name> cannot be in the past. | Http Status: 400 BadRequest Error Code: Error Type: | Create a new consent using a POST operation. Take the PSU through an authentication journey. Exception rules for accepted dates are documented in Implementation Guide. |
TPP attempts to set up a vrp consent with a currency that is not supported. | HTTP Status - 400 ErrorCode: U023, Message: UK.OBIE.Unsupported.Currency - <field name> value is not supported. | Http Status: 400 BadRequest Error Code: Error Type: | Create a new consent using a POST operation with a currency that is supported. Take the PSU through an authentication journey. |
TPP attempts to access a vrp consent resource that has been deleted or unknown. | HTTP Status - 400 ErrorCode: U011, Message: UK.OBIE.Resource.NotFound - Consent does not exist. | Http Status: 400 BadRequest Error Code: Error Type: | Reattempt with a valid Consent ID. Else, create a new consent using a POST operation. Take the PSU through an authentication journey. |
TPP attempts to access a vrp consent resource that is expired. | HTTP Status - 400 ErrorCode: U009, Message: UK.OBIE.Resource.InvalidConsentStatus - "Consent has expired." | Http Status: 400 BadRequest Error Code: Error Type: | Create a new consent using a POST operation. Take the PSU through an authentication journey. |
TPP attempts to use a vrp consent resource where the access has been revoked. | HTTP Status - 401 ErrorCode: U009, Message: UK.OBIE.Resource.InvalidConsentStatus - Consent access is not allowed. Try again later. | Http Status: 401 Unauthorized Error Code: Error Type: | Take the PSU through the re-authentication journey. |
TPP attempts to access a vrp payment resource that is unknown. | HTTP Status - 400 ErrorCode: U011 Message: UK.OBIE.Resource.NotFound - Consent Id not found. | Http Status: 400 BadRequest Error Code: Error Type: | Reattempt with a valid DomesticVRPID. |
TPP attempts to access a vrp consent resource to make a payment that breaches control parameters set in the consent. | HTTP Status - 400 ErrorCode: U014 Message: UK.OBIE.Rules.FailsControlParameters | Http Status: 400 BadRequest Error Code: Error Type: | Create a new request using a POST operation within the control parameters. |
TPP attempts to access a vrp consent resource to do a funds-confirmation check or make a payment and the details do not match the consent. | HTTP Status - 400 ErrorCode: U008, Message: UK.OBIE.Resource.ConsentMismatch - <field name> does not match the value in the URL. | Http Status: 400 BadRequest Error Code: Error Type: | Create a new request using a POST operation with a valid payload that matches the consent. |
ASPSP downstream services or server is down. | HTTP Status - 500 ErrorCode: U000 Message: UK.OBIE.UnexpectedError - Due to a technical problem, the request cannot be completed. | Http Status: 500 UnexpectedError Error Code: ErrorType: | Retry Later. |
Migration of Consent using PUT Error scenarios
Scenario | Expected ASPSP Response v4.0 | Expected TPP Action |
---|---|---|
Consent has already been migrated | HTTP Status - 400 ErrorCode: U029 Message: UK.OBIE.Rules.ResourceAlreadyExists - This consent has already been migrated. | TPP should make requests in v4.0. |
Payment Context Code not valid in v4.0 | HTTP Status - 400 ErrorCode: U002 Message: UK.OBIE.Field.Invalid- The PaymentContextCode is invalid. Please provide a valid PaymentContextCode or re-authenticate. | TPP should create a new consent in v4.0. |
v3.1.10 consent has expired | HTTP Status - 400 ErrorCode: U009 Message: UK.OBIE.Resource.InvalidConsentStatus - Resource cannot be found. | TPP should create a new consent in v4.0. |
v3.1.10 consent is invalid | HTTP Status - 400 ErrorCode: U009 Message: UK.OBIE.Resource.InvalidConsentStatus - Resource is not valid. | TPP should create a new consent in v4.0. |
Payment submission attempt in v4.0 with v3.1.10 consent | HTTP Status - 403 ErrorCode: U002 Message: UK.OBIE.Field.Invalid - This action is not valid. Please migrate the old consent to comply with this API version. | TPP should migrate the old consent to v4.0 or submit the payment in the respective API version. |
AGGREGATED POLLING
The OBIE has defined an Aggregated Polling API (POST /events) which allows an ASPSP to aggregate and deliver multiple signed event notifications to TPPs through the use of polling. The POST /events endpoint allows a TPP to poll for, acknowledge and receive event notifications.
- The POST method allows the TPP to transmit their polling parameters and event notification acknowledgements.
- The ASPSP responds accordingly, sending event notifications as indicated by the TPP's polling parameters.
- The supported scope of Aggregated Polling is accounts, fundsconfirmations, payments.
This detail should be read in conjunction with Open Banking Specifications and our API Products.
AGGREGATED POLLING VARIATIONS
The table below lists the exceptions implemented for the Aggregated Polling API:
SNo | Endpoints | Description |
---|---|---|
1 | /events | Revoked consent. The LBG Aggregated Polling API returns event notifications for revoked consents only. |
2 | /events | Long Polling. Long polling is not supported as described within the OBIE specification – see ‘Polling Parameters’. |
3 | /events | API Sign Response. The response from the LBG Aggregated Polling API signs the whole response and not individual event notifications. |
4 | /events | Event Recycling Frequency. Lloyds Banking Group uses JTIs to send event notifications. A unique JTI is generated each time the TPP calls the Aggregated Polling API. JTIs do not expire. |
5 | /events | Polling Frequency. Lloyds Banking Group will restrict each TPP App to calling the Aggregated Polling API 10 times within 24 hours for each brand, e.g. a TPP may call the Lloyds Aggregated Polling API 10 times, and the Halifax endpoint 10 times within the same 24 hours. |
6 | /events | Polling parameters. Lloyds Banking Group will return up to 150 event notifications for every Aggregated Polling call made by the TPP. |
7 | /events | TPP Registration of the Lloyds Banking Group Aggregated Polling API. If you are a new TPP currently on-boarding then you will be automatically registered to the Aggregated Polling API. If you are an existing TPP then you will be required to follow the instructions in section 2 of this document to use the Aggregated Polling API. |
8 | /events | Operating without acknowledgements. The LBG Aggregated Polling API returns event notifications for revoked consents only. |
How to register using DCR
This section applies to TPPs who are already registered with the OBIE and have a login for the OBIE directory.
- A Certificate Signing Request (CSR) is needed to generate an SSA. Please refer to the Open Banking documentation on how to create CSRs.
- After creating the CSR, retain the private keys and upload only the CSR to the Open Banking portal to generate the certificates.
- Follow the OBIE Confluence page to generate the SSA.
This applies to all TPPs who are not yet registered with OBIE, but are in possession of eIDAS certificates.
- For those TPPs who are not registered with Open Banking, OBIE has provided APIs to do a soft onboarding, which can be used to generate an SSA which must be used during LBG dynamic client registration.
- The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT is issued and signed by the Open Banking Directory.
- The SSA's lifetime / validity period is not defined by Open Banking. ASPSPs in the Open Banking ecosystem are required to implement pragmatic time ranges in which to accept an SSA.
- LBG has set the SSA validity to 24 hours for use in dynamic registration.
The APIs exposed by OBIE to register and generate an SSA are documented here
The typical steps to register with OBIE through directory services are given below.
The /register endpoint should be called with the appropriate request body and the appropriate transport certificate.
- The register endpoint accepts a single JWS string as its payload body.
- The claims that should form part of the JWS body are described by the OBIE dynamic registration data model.
- Include the SSA that was acquired from OBIE in the claims of the request object.
- The main validation checks that will be performed on the request object are detailed below:
  - The SSA contained in the request object should be used within 24 hours of its issue time, when the dynamic registration request is made.
  - The scope in the request object should conform to the roles available in the SSA or a subset of them.
  - The signatures of the request object and the SSA will be validated using the appropriate public certificates.
  - The distinguished name (certificate subject) of the transport certificate will be validated against the information contained in the SSA.
- The response structure will conform to the OBIE specification as specified in their swagger contract.
- The important information from the response that should be retained for future use is the client_id and client_secret.
- All request object validation failures will result in an HTTP 400 error with a short description in the body.
Open Banking Client Registration Request Payload
eyJraWQiOiI3QXdIWFQ0TGJ6N3JiNnNXSkJoemZZV3l5V1EiLCJhbGciOiJQUzI1NiIsImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJ0eXAiOiJKT1NFIn0.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.qu3VEo2cqbNN-zNPM3BxlSgHeJTLqQU4h7F_6tqd8A14O_svnfUKss4ZYBktnqNaez8d6dlDPT8Qj8H9vyqvIcwSpGPnFaFVi7num1dRC52BNXeK5zoceocJM5A2IwPllS6xK67GKhPjfXWQcK7oo6Tp-v76s9TrIK-uTNd5QfgdnFOG5mO8RihgtFKxFXdhAEk-aPlQwjapElNwpnLSkGeAyBgnWoUinrv1Q5pJ3zPUbDN_aiNLcI_GKnA9Ktglp12xXzCixGlUpmbmiTwjzs8ov1Gfowc74rHpkZ3AqZmmuV7NrsMQY3MmHBEW37eI2lGSrn9KXnNKJ5yYC8T8OA
{ "iss": "1xFkRciqOHnBWjOUuiuyti", "aud": "openbankinglloyds", "jti": "2eb96021-fd9b-465a-a4a6-f6f55fa3692f", "response_types": [ "code id_token" ], "redirect_uris": [ "https://developer.lloydsbanking.com" ], "token_endpoint_auth_method": "tls_client_auth", "grant_types": [ "authorization_code", "client_credentials" ], "scope": "openid accounts", "subject_type": "public", "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6IjJ5b09LLVJIbldhMDdHUXQtOVdqVGFhZWIzS2JfeEhMOGJaSVBoSklFU1k9IiwidHlwIjoiSldUIn0.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.sjeRYE8Hc-4nNHHjweJ08yRotA7Zww-xMcD_7RhnfDbB4FWGqbZA6SpUfsZJ42FrmB_e0VLyEYIqjf1HiNCam_8RjqzsHmGYCNVJmbUixQ40wjBKGkAwFu9_i_SjyPLyFr6t_py7EjkCnzfffQXLp284VrhyqOY7EJtNTRoF7oSKqidfBdStr7SoDjj_W6Xr8AtIRhgn_dpApUVdH_ICAsYtPBfl0FGESlXNtk9b-LhgHNzvgY3S5utEWDKkq7GEvgKMTdjLcM4bH0jJO1ShGqWpUZd9WkaQ0KoiZw1VDveMbHCXS_8z9q-R5g_yBr_IuqhUecIA-DnwCWUNHw2eoQ", "software_id": "m2jzKA77Zv7Rq5vDegzyKH", "application_type": "web", "id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256", "token_endpoint_auth_signing_alg": "PS256", "tls_client_auth_subject_dn": "/C=GB/O=Lloyds Bank PLC/organizationIdentifier=PSDGB-FCA-119278/CN=0015800000jf9GgAAI", "iat": 1695642704018, "exp": 1695642707618 }
Introduction
Data Dictionary
Name | Occurrence | XPath | EnhancedDefinition | Class | Codes | Pattern | Location |
---|---|---|---|---|---|---|---|
iss | 1..1 | iss | Identifier for the TPP. This value must be unique for each TPP registered by the issuer of the SSA. The value must be a Base62 encoded GUID. For SSAs issued by the OB Directory, this must be the software_id. | String (18) | | ^[0-9a-zA-Z]{1,18}$ | Request only |
iat | 1..1 | iat | The time at which the request was issued by the TPP expressed as "seconds since the epoch". | Integer | | Unix timestamp | Request only |
exp | 1..1 | exp | The time at which the request expires expressed as seconds since the epoch. An ASPSP processing the request must reject requests where the current time is greater than the time specified in the claim. | Integer | | Unix timestamp | Request only |
aud | 1..1 | aud | The audience for the request. This should be the unique identifier for the ASPSP issued by the issuer of the software statement. An ASPSP processing the software statement may validate the value of the claim and reject software statements for which the ASPSP is not the audience. The value must be a Base62 encoded GUID. | String (18) | | ^[0-9a-zA-Z]{1,18}$ | Request only |
jti | 1..1 | jti | A unique identifier for the JWT. The value must be a UUIDv4 GUID. | String (36) | | ^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$ | Request only |
redirect_uris | 1..* | redirect_uris | Registered URIs the TPP will use to interact with the ASPSP AS. If the software statement defines a master set of redirect URIs, this must match or be a subset of the redirect URIs in the SSA. Each of the URIs must adhere to the following rules: the URI MUST use the https scheme; the URI MUST NOT contain a host with a value of localhost; if the request_uris metadata element is omitted from the request, the entire contents of the software_redirect_uris element in the SSA are considered to be requested by the TPP. | String[] (each string up to 256) | | URL | Both |
token_endpoint_auth_method | 1..1 | | Specifies which Token endpoint authentication method the TPP wants to use. private_key_jwt: if requested the OP should extract the TPP's JWKS location from the software statement assertion included. | String (32) | private_key_jwt, tls_client_auth, client_secret_basic, client_secret_post | | Both |
grant_types | 1..* | | A JSON array specifying what the TPP can request to be supplied to the token endpoint as exchange for an access token. | String[] (32) | client_credentials, authorization_code | | Both |
response_types | 0..* | | A JSON array specifying what the TPP can request to be returned from the ASPSP authorisation endpoint. ASPSPs MAY reject the request if any of the requested response_types are not supported by it (as advertised at its .well-known end-points). Defaults to code id_token if not specified. | String[] (32) | code, code id_token | | Both |
software_id | 0..* | | If specified, the software_id in the request MUST match the software_id specified in the SSA. ASPSPs can choose to allow multiple registrations for a given software statement. The Software ID must be represented as a Base62 UUID. | String (18) | | ^[0-9a-zA-Z]{1,18}$ | Both |
scope | 0..* | | Scopes the client is asking for (if not specified, default scopes are assigned by the AS). | String[] (32) | | | Both |
software_statement | 1..1 | | Software statement assertion issued by the issuer. The data model for the software statements issued by the Open Banking directory is documented as part of the Directory Specification. This is an encrypted value embedded inside the JWT token. | JWS | | | Both |
application_type | 1..1 | | | String (32) | web, mobile | | Both |
id_token_signed_response_alg | 1..1 | | Algorithm which the TPP expects to sign the id_token, if an id_token is returned. | String (5) | Supported values as constrained by FAPI-RW | | Both |
request_object_signing_alg | 1..1 | | Algorithm which the TPP expects to sign the request object if a request object will be part of the authorization request sent to the ASPSP. | String (5) | Supported values as constrained by FAPI-RW | | Both |
token_endpoint_auth_signing_alg | 1..1 | | Algorithm which the TPP uses to authenticate with the token endpoint if using private_key_jwt or client_id_jwt. | String (5) | Supported values as constrained by FAPI-RW | | Both |
tls_client_auth_subject_dn | 0..1 | | This value must be set iff token_endpoint_auth_method is set to tls_client_auth. The tls_client_auth_subject_dn claim MUST contain the DN of the certificate that the TPP will present to the ASPSP token endpoint. The ASPSP may decide to match only a part of the DN so that the match is based only on the part of the DN that will be immutable for the TPP across all EIDAS certificates issued to it. | String (128) | | | Both |
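The validation checks listed for /register and the rules in the data dictionary can be run locally before the request object is signed and sent. The Python below is an added example, not Lloyds Banking Group or OBIE code: the function names, the scope-to-role mapping, the `software_roles` claim name and every sample value are assumptions constructed for illustration, and signature and certificate validation are out of its scope.

```python
import base64
import json
import re
import time
from urllib.parse import urlsplit

SSA_MAX_AGE = 24 * 3600  # LBG accepts an SSA for 24 hours after issue
AUTH_METHODS = {"private_key_jwt", "tls_client_auth",
                "client_secret_basic", "client_secret_post"}
# Assumption: mapping from API scope to the directory role expected in the
# SSA's software_roles claim; the page only says scope must conform to roles.
SCOPE_ROLE = {"accounts": "AISP", "payments": "PISP", "fundsconfirmations": "CBPII"}
# jti pattern from the data dictionary, matched case-insensitively because the
# page's own sample jti is lower-case (assumption).
UUID4 = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$", re.I)


def jwt_claims(token):
    """Decode the payload of a compact JWS. The signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(claims, now=None):
    """Return the problems that would earn an HTTP 400 from /register."""
    now = int(time.time()) if now is None else now
    ssa = jwt_claims(claims["software_statement"])
    problems = []

    age = now - ssa["iat"]
    if not 0 <= age <= SSA_MAX_AGE:
        problems.append("ssa: issued %d s ago, outside the 24 h window" % age)

    for name in ("iat", "exp"):
        value = claims.get(name)
        # A 13-digit value is milliseconds, not seconds since the epoch.
        if not isinstance(value, int) or value > 10**11:
            problems.append("%s: not a Unix timestamp in seconds" % name)
        elif name == "exp" and value <= now:
            problems.append("exp: request object has already expired")

    if not UUID4.match(str(claims.get("jti", ""))):
        problems.append("jti: not a UUIDv4")
    if claims.get("iss") != ssa["software_id"]:
        problems.append("iss: must be the software_id from the SSA")
    if claims.get("software_id", ssa["software_id"]) != ssa["software_id"]:
        problems.append("software_id: does not match the SSA")

    roles = set(ssa.get("software_roles", []))
    for scope in claims.get("scope", "").split():
        if scope != "openid" and SCOPE_ROLE.get(scope) not in roles:
            problems.append("scope: %s needs a role the SSA lacks" % scope)

    allowed = set(ssa.get("software_redirect_uris", []))
    for uri in claims.get("redirect_uris", []):
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append("redirect_uris: %s does not use https" % uri)
        if parts.hostname == "localhost":
            problems.append("redirect_uris: %s points at localhost" % uri)
        if allowed and uri not in allowed:
            problems.append("redirect_uris: %s is not listed in the SSA" % uri)

    method = claims.get("token_endpoint_auth_method")
    if method not in AUTH_METHODS:
        problems.append("token_endpoint_auth_method: %r is not supported" % method)
    if bool(claims.get("tls_client_auth_subject_dn")) != (method == "tls_client_auth"):
        problems.append("tls_client_auth_subject_dn: set it if and only if "
                        "the method is tls_client_auth")
    return problems


def _segment(obj):
    """base64url-encode a JSON object the way a JWS segment is encoded."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data (not real identifiers); the SSA carries a dummy signature.
NOW = 1_700_000_000
SAMPLE_SSA = ".".join([_segment({"alg": "PS256"}), _segment({
    "iat": NOW - 3600, "software_id": "EXAMPLEsoftwareID0001",
    "software_roles": ["AISP"],
    "software_redirect_uris": ["https://tpp.example/callback"]}), "dummy-signature"])
GOOD = {
    "iss": "EXAMPLEsoftwareID0001", "aud": "openbankinglloyds",
    "jti": "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b", "iat": NOW, "exp": NOW + 3600,
    "redirect_uris": ["https://tpp.example/callback"], "scope": "openid accounts",
    "token_endpoint_auth_method": "tls_client_auth",
    "tls_client_auth_subject_dn": "CN=constructed-tpp,O=Example TPP,C=GB",
    "software_statement": SAMPLE_SSA,
}
BAD = dict(GOOD, iat=NOW * 1000, exp=NOW * 1000 + 3600,  # milliseconds
           scope="openid accounts payments",              # no PISP role in SSA
           redirect_uris=["http://localhost:8080/cb"],
           token_endpoint_auth_method="client_secret_basic")  # DN still set
```

`preflight(GOOD, now=NOW)` returns an empty list, while `preflight(BAD, now=NOW)` reports seven problems, including the millisecond `iat` and `exp` values.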
DCR - Create an application
The API allows the TPP to request the ASPSP to register (create) a new client.
curl -k --request POST \
  --url {secure-domain}/prod01/lbg/dcr-api/v1.0/register \
  --header 'accept: application/json' \
  --header 'content-type: application/jose' \
  --data 'eyJraWQiOiI3QXdIWFQ0TGJ6N3JiNnNXSkJoemZZV3l5V1EiLCJhbGciOiJQUzI1NiIsImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJ0eXAiOiJKT1NFIn0.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.qu3VEo2cqbNN-zNPM3BxlSgHeJTLqQU4h7F_6tqd8A14O_svnfUKss4ZYBktnqNaez8d6dlDPT8Qj8H9vyqvIcwSpGPnFaFVi7num1dRC52BNXeK5zoceocJM5A2IwPllS6xK67GKhPjfXWQcK7oo6Tp-v76s9TrIK-uTNd5QfgdnFOG5mO8RihgtFKxFXdhAEk-aPlQwjapElNwpnLSkGeAyBgnWoUinrv1Q5pJ3zPUbDN_aiNLcI_GKnA9Ktglp12xXzCixGlUpmbmiTwjzs8ov1Gfowc74rHpkZ3AqZmmuV7NrsMQY3MmHBEW37eI2lGSrn9KXnNKJ5yYC8T8OA' \
  --key ./private-cert.key \
  --cert ./public-cert.pem \
  --cacert ./root-ca.pem
{ "client_id": "f613c7b2-406b-4ddf-b15a-fdec5800110d", "client_secret": "O7cG2aN6vC3wO5fN8sW3jY2wK2cJ5iB5fF4tY3bE8oM7iI1mP8", "client_id_issued_at": 1678719693, "redirect_uris": [ "https://developer.lloydsbanking.com" ], "token_endpoint_auth_method": "client_secret_basic", "grant_types": [ "authorization_code" ], "response_types": [ "code id_token" ], "software_id": "4YWcIQpEvWxirs256qq", "scope": "openid accounts", "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6IjJ5b09LLVJIbldhMDdHUXQtOVdqVGFhZWIzS2JfeEhMOGJaSVBoSklFU1k9IiwidHlwIjoiSldUIn0.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.sjeRYE8Hc-4nNHHjweJ08yRotA7Zww-xMcD_7RhnfDbB4FWGqbZA6SpUfsZJ42FrmB_e0VLyEYIqjf1HiNCam_8RjqzsHmGYCNVJmbUixQ40wjBKGkAwFu9_i_SjyPLyFr6t_py7EjkCnzfffQXLp284VrhyqOY7EJtNTRoF7oSKqidfBdStr7SoDjj_W6Xr8AtIRhgn_dpApUVdH_ICAsYtPBfl0FGESlXNtk9b-LhgHNzvgY3S5utEWDKkq7GEvgKMTdjLcM4bH0jJO1ShGqWpUZd9WkaQ0KoiZw1VDveMbHCXS_8z9q-R5g_yBr_IuqhUecIA-DnwCWUNHw2eoQ", "application_type": "web", "id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256", "token_endpoint_auth_signing_alg": "PS256", "tls_client_auth_subject_dn": "lloyds" }
Request Param | Parameter | Example Value | Description |
---|---|---|---|
URL | secure-domain | OB Transport, OBWAC: https://secure-api.lloydsbank.com; OBWAC, QWAC: https://secure-api-eidas.lloydsbank.com/ | Please refer to the Other Useful Information section for all brand specific domains |
Certs | CACert | Combination of Root & Intermediate (Full chain) | Must provide in the request if the QWAC transport certs are being used. However this is optional for the OBWAC, OB Transport. |
Data | Nested JWS with SSA | Valid JWS token | Construct the request payload as the OBIE Dynamic Client Registration V3.2 |
Header | Requested Headers | Accept headers,accept: application/json,content-type: application/jose | Headers are required to construct the request. |
Product Auto subscription and auto approval based on TPP role
If the dynamic registration completes successfully, the appropriate API Products will be auto subscribed and auto approved, based on the scopes sent in the request object, and will become available for immediate consumption.
DCR - Set up Client Credentials Token
In this step you obtain an Access Token using a Client Credentials Grant Type. The Access Token expires within 10 minutes of being generated. When an Access Token expires, you will need to request another Access Token.
Authentication methods - client_secret_basic and client_secret_post
curl -k -X POST \
  --key private-cert.key \
  --cert public-cert.pem \
  --cacert QTSP-root-ca.pem \
  --url {secure-domain}/prod01/lbg/lyds/oidc-api/v1.1/token \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&client_id=f613c7b2-406b-4ddf-b15a-fdec5800110d&client_secret=O7cG2aN6vC3wO5fN8sW3jY2wK2cJ5iB5fF4tY3bE8oM7iI1mP8&scope=openid accounts'
{
"token_type": "Bearer",
"access_token": "gktvoeyJhbGciOiJSUzI1NiIsImtpZCI6ImF0X3NpZ25fb2JqZWN0X29iX0xZRFNfY3VycmVudCJ9.eyJpc3MiOiJsbG95ZHMiLCJwcml2YXRlIjoiQUFJa1pqWXhNMk0zWWpJdE5EQTJZaTAwWkdSbUxXSXhOV0V0Wm1SbFl6VTRNREF4TVRCa3k0OTFqVXhLaW9KekkyS0gwbG1hS1U4VS11dkVnTzhiZUM4OTdvbVBObktHTlQxUm5Id3lQWlRzR0o3WlRSUG9vRUNtRy1ZZHhuTTNtWHVwdzNHaXd2OFdWN2VkS204TUFiZ2NVbS03c3hWcnhqd1RUcTdWZjdpYjZEM05RNjhpNG5RQU1XTTdPdUxVSk4tSXh0NDl0USIsImV4cCI6MTY4NjQ5NjE4ODIzMywiaWF0IjoxNjc4NzIwMTg4MjMzfQ.Uy8-QDi49Ip0pYDMZjl4R4JEUTfq2HrXQzYRepUrpDaOKU5BoIyxJLQ2jiPIemmZzvPGCUkuqx5nqVz6YqKbK_kqO1hQFSvnE2s9ma75pGignOf43CEXc1kXzUP4BVhCXyiy0gPEHiiu4R2M2hZjDeKOQRRPr5AK_68Gc-3ILZCkDCg6RgpBTVXHIuk_6LJQdZZtYYHKxjEd5RlYsBV-EvBuzZOv4Q0yP7qPCvEIQXtw1UFtGtsX7gu38_0L03u2Jv0Tq6XkAA5TEMl5SbPy16fIIkmJnbVEF6rN6llTaB-a60IdWLPQuiiY--h_FCTu5RKYmGPBOsJNrqD65EGmDA",
"expires_in": 7776000,
"consented_on": 1678720188,
"scope": "openid accounts"
}
Authentication method - tls_client_auth
curl -k -X POST \
  --key ./private-cert.key \
  --cert ./public-cert.pem \
  --cacert ./ca-cert.pem \
  --url {secure-domain}/prod01/lbg/lyds/mtls-token-api/v1.1/token \
  --header 'accept: application/json' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&client_id=f613c7b2-406b-4ddf-b15a-fdec5800110d&scope=accounts'
{
"token_type": "Bearer",
"access_token": "gktvoeyJhbGciOiJSUzI1NiIsImtpZCI6ImF0X3NpZ25fb2JqZWN0X29iX0xZRFNfY3VycmVudCJ9.eyJpc3MiOiJsbG95ZHMiLCJwcml2YXRlIjoiQUFJa1pqWXhNMk0zWWpJdE5EQTJZaTAwWkdSbUxXSXhOV0V0Wm1SbFl6VTRNREF4TVRCa3k0OTFqVXhLaW9KekkyS0gwbG1hS1U4VS11dkVnTzhiZUM4OTdvbVBObktHTlQxUm5Id3lQWlRzR0o3WlRSUG9vRUNtRy1ZZHhuTTNtWHVwdzNHaXd2OFdWN2VkS204TUFiZ2NVbS03c3hWcnhqd1RUcTdWZjdpYjZEM05RNjhpNG5RQU1XTTdPdUxVSk4tSXh0NDl0USIsImV4cCI6MTY4NjQ5NjE4ODIzMywiaWF0IjoxNjc4NzIwMTg4MjMzfQ.Uy8-QDi49Ip0pYDMZjl4R4JEUTfq2HrXQzYRepUrpDaOKU5BoIyxJLQ2jiPIemmZzvPGCUkuqx5nqVz6YqKbK_kqO1hQFSvnE2s9ma75pGignOf43CEXc1kXzUP4BVhCXyiy0gPEHiiu4R2M2hZjDeKOQRRPr5AK_68Gc-3ILZCkDCg6RgpBTVXHIuk_6LJQdZZtYYHKxjEd5RlYsBV-EvBuzZOv4Q0yP7qPCvEIQXtw1UFtGtsX7gu38_0L03u2Jv0Tq6XkAA5TEMl5SbPy16fIIkmJnbVEF6rN6llTaB-a60IdWLPQuiiY--h_FCTu5RKYmGPBOsJNrqD65EGmDA",
"expires_in": 7776000,
"consented_on": 1678720188,
"scope": "openid accounts"
}
Request Param | Parameter | Example Value | Description |
---|---|---|---|
URL | secure-domain | OB Transport, OBWAC: https://secure-api.lloydsbank.com; OBWAC, QWAC: https://secure-api-eidas.lloydsbank.com/ | Please refer to the Other Useful Information section for all brand specific domains |
Data | grant_type | client_credentials | The grant type being requested |
Data | client_id | f613c7b2-406b-4ddf-b15a-fdec5800110d | Your LBG application Client ID |
Data | client_secret | O7cG2aN6vC3wO5fN8sW3jY2wK2cJ5iB5fF4tY3bE8oM7iI1mP8 | Your LBG application client_secret; it is not required for the tls_client_auth method. |
Data | scope | openid accounts | The scope being requested. |
Certs | CACert | Combination of Root & Intermediate | Must provide in the request if the QWAC transport certs are being used. However this is optional for the OBWAC, OB Transport. |
Header | Requested Headers | accept: application/json,cache-control: no-cache and content-type: application/x-www-form-urlencoded | Headers are required to construct the request. |
DCR - Update Client Application
The API allows the TPP to request the ASPSP to modify one or more attributes related to an existing client.
curl -k --request PUT \
  --url {secure-domain}/prod01/lbg/dcr-api/v1.0/register/REPLACE_CLIENTID \
  --key private-cert.key \
  --cert public-cert.pem \
  --cacert QTSP-root-ca.pem \
  --header 'content-type: application/jose' \
  --header 'accept: application/json' \
  --header 'authorization: Bearer gktvoeyJhbGciOiJSUzI1NiIsImtpZCI6ImF0X3NpZ25fb2JqZWN0X29iX0xZRFNfY3VycmVudCJ9.eyJpc3MiOiJsbG95ZHMiLCJwcml2YXRlIjoiQUFJa1pqWXhNMk0zWWpJdE5EQTJZaTAwWkdSbUxXSXhOV0V0Wm1SbFl6VTRNREF4TVRCa3k0OTFqVXhLaW9KekkyS0gwbG1hS1U4VS11dkVnTzhiZUM4OTdvbVBObktHTlQxUm5Id3lQWlRzR0o3WlRSUG9vRUNtRy1ZZHhuTTNtWHVwdzNHaXd2OFdWN2VkS204TUFiZ2NVbS03c3hWcnhqd1RUcTdWZjdpYjZEM05RNjhpNG5RQU1XTTdPdUxVSk4tSXh0NDl0USIsImV4cCI6MTY4NjQ5NjE4ODIzMywiaWF0IjoxNjc4NzIwMTg4MjMzfQ.Uy8-QDi49Ip0pYDMZjl4R4JEUTfq2HrXQzYRepUrpDaOKU5BoIyxJLQ2jiPIemmZzvPGCUkuqx5nqVz6YqKbK_kqO1hQFSvnE2s9ma75pGignOf43CEXc1kXzUP4BVhCXyiy0gPEHiiu4R2M2hZjDeKOQRRPr5AK_68Gc-3ILZCkDCg6RgpBTVXHIuk_6LJQdZZtYYHKxjEd5RlYsBV-EvBuzZOv4Q0yP7qPCvEIQXtw1UFtGtsX7gu38_0L03u2Jv0Tq6XkAA5TEMl5SbPy16fIIkmJnbVEF6rN6llTaB-a60IdWLPQuiiY--h_FCTu5RKYmGPBOsJNrqD65EGmDA' \
  --data 'eyJraWQiOiI3QXdIWFQ0TGJ6N3JiNnNXSkJoemZZV3l5V1EiLCJhbGciOiJQUzI1NiIsImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJ0eXAiOiJKT1NFIn0.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.qu3VEo2cqbNN-zNPM3BxlSgHeJTLqQU4h7F_6tqd8A14O_svnfUKss4ZYBktnqNaez8d6dlDPT8Qj8H9vyqvIcwSpGPnFaFVi7num1dRC52BNXeK5zoceocJM5A2IwPllS6xK67GKhPjfXWQcK7oo6Tp-v76s9TrIK-uTNd5QfgdnFOG5mO8RihgtFKxFXdhAEk-aPlQwjapElNwpnLSkGeAyBgnWoUinrv1Q5pJ3zPUbDN_aiNLcI_GKnA9Ktglp12xXzCixGlUpmbmiTwjzs8ov1Gfowc74rHpkZ3AqZmmuV7NrsMQY3MmHBEW37eI2lGSrn9KXnNKJ5yYC8T8OA'
{ "client_id": "f613c7b2-406b-4ddf-b15a-fdec5800110d", "client_secret": "********************************************", "client_id_issued_at": 1678719693, "redirect_uris": [ "https://developer.lloydsbanking.com" ], "token_endpoint_auth_method": "client_secret_basic", "grant_types": [ "authorization_code" ], "response_types": [ "code id_token" ], "software_id": "m2jzKA77Zv7Rq5vDegzyKH", "scope": "openid accounts", "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6IjJ5b09LLVJIbldhMDdHUXQtOVdqVGFhZWIzS2JfeEhMOGJaSVBoSklFU1k9IiwidHlwIjoiSldUIn0.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.sjeRYE8Hc-4nNHHjweJ08yRotA7Zww-xMcD_7RhnfDbB4FWGqbZA6SpUfsZJ42FrmB_e0VLyEYIqjf1HiNCam_8RjqzsHmGYCNVJmbUixQ40wjBKGkAwFu9_i_SjyPLyFr6t_py7EjkCnzfffQXLp284VrhyqOY7EJtNTRoF7oSKqidfBdStr7SoDjj_W6Xr8AtIRhgn_dpApUVdH_ICAsYtPBfl0FGESlXNtk9b-LhgHNzvgY3S5utEWDKkq7GEvgKMTdjLcM4bH0jJO1ShGqWpUZd9WkaQ0KoiZw1VDveMbHCXS_8z9q-R5g_yBr_IuqhUecIA-DnwCWUNHw2eoQ", "application_type": "web", "id_token_signed_response_alg": "PS256", "request_object_signing_alg": "PS256", "token_endpoint_auth_signing_alg": "PS256", "tls_client_auth_subject_dn": "lloyds" }
Request Param | Parameter | Example Value | Description |
---|---|---|---|
URL | secure-domain | OB Transport, OBWAC: https://secure-api.lloydsbank.com; OBWAC, QWAC: https://secure-api-eidas.lloydsbank.com/ | Please refer to the Other Useful Information section for all brand specific domains |
Certs | CACert | Combination of Root & Intermediate (Full chain) | Must provide in the request if the QWAC transport certs are being used. However this is optional for the OBWAC, OB Transport. |
Data | Nested JWS with SSA | Valid JWS token | Construct the request payload as the OBIE Dynamic Client Registration V3.2 |
Key | Public and Private Key | Files of public and private key | These Keys are provided by OBIE directory. |
Header | Requested Headers | content-type: application/jose,accept: application/json,authorization: Bearer Access token | Headers are required to construct the request. |
DCR - View Client Application
The API allows the TPP to retrieve the details for a client that has already been registered.
curl -k -X GET \
  --url {secure-domain}/prod01/lbg/dcr-api/v1.0/register/REPLACE_CLIENTID \
  --key private-cert.key \
  --cert public-cert.pem \
  --cacert QTSP-root-ca.pem \
  --header 'accept: application/json' \
  --header 'content-type: application/jose' \
  --header 'authorization: Bearer gktvoeyJhbGciOiJSUzI1NiIsImtpZCI6ImF0X3NpZ25fb2JqZWN0X29iX0xZRFNfY3VycmVudCJ9.eyJpc3MiOiJsbG95ZHMiLCJwcml2YXRlIjoiQUFJa1pqWXhNMk0zWWpJdE5EQTJZaTAwWkdSbUxXSXhOV0V0Wm1SbFl6VTRNREF4TVRCa3k0OTFqVXhLaW9KekkyS0gwbG1hS1U4VS11dkVnTzhiZUM4OTdvbVBObktHTlQxUm5Id3lQWlRzR0o3WlRSUG9vRUNtRy1ZZHhuTTNtWHVwdzNHaXd2OFdWN2VkS204TUFiZ2NVbS03c3hWcnhqd1RUcTdWZjdpYjZEM05RNjhpNG5RQU1XTTdPdUxVSk4tSXh0NDl0USIsImV4cCI6MTY4NjQ5NjE4ODIzMywiaWF0IjoxNjc4NzIwMTg4MjMzfQ.Uy8-QDi49Ip0pYDMZjl4R4JEUTfq2HrXQzYRepUrpDaOKU5BoIyxJLQ2jiPIemmZzvPGCUkuqx5nqVz6YqKbK_kqO1hQFSvnE2s9ma75pGignOf43CEXc1kXzUP4BVhCXyiy0gPEHiiu4R2M2hZjDeKOQRRPr5AK_68Gc-3ILZCkDCg6RgpBTVXHIuk_6LJQdZZtYYHKxjEd5RlYsBV-EvBuzZOv4Q0yP7qPCvEIQXtw1UFtGtsX7gu38_0L03u2Jv0Tq6XkAA5TEMl5SbPy16fIIkmJnbVEF6rN6llTaB-a60IdWLPQuiiY--h_FCTu5RKYmGPBOsJNrqD65EGmDA'
{ "client_id": "f613c7b2-406b-4ddf-b15a-fdec5800110d", "software_id": "m2jzKA77Zv7Rq5vDegzyKH", "software_statement": "eyJhbGciOiJQUzI1NiIsImtpZCI6ImR6cXV3U1RubUFiN0owMWRWRGZJd2oxS1ctYUQ4M1RYTTFtVmJvOWtkRWs9IiwidHlwIjoiSldUIn0.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.c4HFKZo0MlSSLN24mpDEXYL9Tt9HAtzOoo4yhx5ClUK12rEn6CigpqEdlp7yQf1485KpL5m-Td9l9FMCyTeVYe8OAfnfle94i9STCyUi7dTbsDy8z4Zwi_4v_Wcn7tZEV22fEz7i4orNaq3G8gv391O87JOSw6IFrhZ_MVnXxz3wY0F1yC7G8nwSF0rc4TXlixlBUznONI1Oqc7AAN28M9zEmXpZihkuTu1xfR_kpK2jO9Oy6rbQGqKMF4ab5aEsTgtPZ-eMeD6cwSIbth9sYtxynvwFZPsI62Fn3MSoC1rkntZCHtqscJh_Wj6fLyHZAHAGWBf1YISLbkhUjoRocA" }
Request Param | Parameter | Example Value | Description |
---|---|---|---|
URL | secure-domain | OB Transport, OBWAC: https://secure-api.lloydsbank.com; OBWAC, QWAC: https://secure-api-eidas.lloydsbank.com/ | Please refer to the Other Useful Information section for all brand specific domains |
Certs | CACert | Combination of Root & Intermediate (Full chain) | Must provide in the request if the QWAC transport certs are being used. However this is optional for the OBWAC, OB Transport. |
Key | Public and Private Key | Files of public and private key | These Keys are provided by OBIE directory. |
Header | Requested Headers | content-type: application/jose,accept: application/json,authorization: Bearer Access token | Headers are required to construct the request. |
DCR - Delete Client Application API
The API allows the TPP to request the ASPSP to delete an existing client.
curl --location -g --request DELETE \
  --url {secure-domain}/prod01/lbg/dcr-api/v1.0/register/REPLACE_CLIENTID \
  --key private-cert.key \
  --cert public-cert.pem \
  --cacert QTSP-root-ca.pem \
  --header 'accept: application/json' \
  --header 'content-type: application/jose' \
  --header 'authorization: Bearer gktvoeyJhbGciOiJSUzI1NiIsImtpZCI6ImF0X3NpZ25fb2JqZWN0X29iX0xZRFNfY3VycmVudCJ9.eyJpc3MiOiJsbG95ZHMiLCJwcml2YXRlIjoiQUFJa1pqWXhNMk0zWWpJdE5EQTJZaTAwWkdSbUxXSXhOV0V0Wm1SbFl6VTRNREF4TVRCa3k0OTFqVXhLaW9KekkyS0gwbG1hS1U4VS11dkVnTzhiZUM4OTdvbVBObktHTlQxUm5Id3lQWlRzR0o3WlRSUG9vRUNtRy1ZZHhuTTNtWHVwdzNHaXd2OFdWN2VkS204TUFiZ2NVbS03c3hWcnhqd1RUcTdWZjdpYjZEM05RNjhpNG5RQU1XTTdPdUxVSk4tSXh0NDl0USIsImV4cCI6MTY4NjQ5NjE4ODIzMywiaWF0IjoxNjc4NzIwMTg4MjMzfQ.Uy8-QDi49Ip0pYDMZjl4R4JEUTfq2HrXQzYRepUrpDaOKU5BoIyxJLQ2jiPIemmZzvPGCUkuqx5nqVz6YqKbK_kqO1hQFSvnE2s9ma75pGignOf43CEXc1kXzUP4BVhCXyiy0gPEHiiu4R2M2hZjDeKOQRRPr5AK_68Gc-3ILZCkDCg6RgpBTVXHIuk_6LJQdZZtYYHKxjEd5RlYsBV-EvBuzZOv4Q0yP7qPCvEIQXtw1UFtGtsX7gu38_0L03u2Jv0Tq6XkAA5TEMl5SbPy16fIIkmJnbVEF6rN6llTaB-a60IdWLPQuiiY--h_FCTu5RKYmGPBOsJNrqD65EGmDA'
Successfully deleted
Request Param | Parameter | Example Value | Description |
---|---|---|---|
URL | secure-domain | OB Transport, OBWAC: https://secure-api.lloydsbank.com; OBWAC, QWAC: https://secure-api-eidas.lloydsbank.com/ | Please refer to the Other Useful Information section for all brand specific domains |
Certs | CACert | Combination of Root & Intermediate (Full chain) | Must provide in the request if the QWAC transport certs are being used. However this is optional for the OBWAC, OB Transport. |
Key | Public and Private Key | Files of public and private key | These Keys are provided by OBIE directory. |
Header | Requested Headers | content-type: application/jose,accept: application/json,authorization: Bearer Access token | Headers are required to construct the request. |
Open Data APIs
OPEN DATA APIs
The following section contains useful information for TPPs who wish to consume Lloyds Banking Group’s Open Data APIs, broken down by each group of APIs.
DATA LATENCY IN LLOYDS BANKING GROUP OPEN DATA API
TPPs should be aware that on the initial release of Open Data v2.1.1, in some circumstances (for example Bank of England rate changes), the Open Data API may be up to 18 hrs out of sync with equivalent data presented via the bank’s public website. TPPs can expect full synchronicity at the latest by 18:00 each day.
TPPs are advised to consider the possibility of this latency in the design of their services, communications with PSUs and, in the case of price comparison uses, take steps to advise the customer that in exceptional circumstances the product available at the point of application may differ from that at the point of comparison.
ATM / BRANCH
Exception | Description |
---|---|
Branch Identification | For ATMs that are linked to a physical branch, ATM API Branch Identification = Branch API Branch Identification. For ATMs that are not linked to a physical branch, the ATM API Branch Identification’s final 2 digits are ‘99’. |
PCA
Exception | Description |
---|---|
Account Behaviour Conditions | The data standard does not currently allow for conditions to be associated with certain fees and benefits. Lloyds Banking Group has addressed this by including notes with the related items. TPPs should be aware of this when consuming the data in the API. For example, as at launch of the API, the following notes were included in the data for certain products: Notes from OtherFeesCharges for Club Lloyds: The Club Lloyds monthly account fee comprises of: Club Lloyds monthly account fee is Free or £3 per month. The £3 fee is waived for each month you pay in at least £1,500 into your account. If in any month you don't pay in this amount, you will need to pay the £3 monthly account fee. Notes from OtherFeesCharges for Club Lloyds Platinum: The Club Lloyds Platinum monthly account fee comprises of: The £3 fee is waived for each month you pay in at least £1,500 into your account. If in any month you don't pay in this amount, you will need to pay the £3 monthly account fee. Maximum combined monthly account fee of £20 per month. Notes from FeaturesBenefits for Halifax Reward: £3 reward each month you pay in £750 or more, pay out at least 2 different direct debits and stay in credit. If in any month you miss out on the £3 reward, you can still get it in future months too (when you meet the qualifying requirements). Notes from FeaturesBenefits for Halifax Ultimate Reward Account: A lower monthly fee of £12 applies if in the previous calendar month you pay in £750 or more and pay out at least 2 different direct debits and remain in credit. You also need to keep your account open/not change it to a different current account until the fee is due to be debited (by the 2nd working day of the following calendar month). |
Packaged Accts | “Packaged” is shown as Segment under PCA; there is no FeatureBenefitGroup - Type option specifically for “Packaged” Bank Accounts so Lloyds Banking Group are recording as ‘Other’. |
Vantage Product | Lloyds Banking Group maintains separate API data records for Bank of Scotland Classic Vantage Account and Bank of Scotland Platinum Vantage Account as these are distinct products with their own product identifiers. |
Club Products | Lloyds Banking Group maintains separate API data records for Club Lloyds and Club Lloyds Platinum as these are distinct products with their own product identifiers. |
PCAs not eligible for Overdrafts | Lloyds Banking Group has the following products that do not provide an overdraft facility, and has referenced this as a product Note on the PCAMarketingState tab |
Unplanned Overdrafts | Lloyds Banking Group no longer charges for Unplanned Overdrafts so this is not referenced anywhere in API data records. |
Card withdrawal limits | No specific field for ATM daily withdrawal limits so Lloyds Banking Group uses the Notes fields in the Features and Benefits. |
Linking Account Information API to Open Data PCA products | Account Information API can only be linked to the Open Data for front book (on sale) products. Where Product Identifier is returned for a particular customer account (following a call to Account Information /accounts/{AccountId}/product) it means that the customer is on a product for which the terms, features and benefits can be found in the Open Data. This Product Identifier can be used to locate that product in the Open Data PCA API. This linking mechanism is only available at a product level so if multiple marketing state variations exist in Open Data for that product then the TPP should engage in further dialogue with the account holder to determine which applies to their present situation. For example, for the Lloyds Bank Student product terms vary depending on the academic year the student is in. These are represented as marketing states in the Open Data API, so while the linkage will allow a TPP to identify if the customer has a student product it will not facilitate the identification of the year of study, therefore the TPP will have to gather further information from the customer to identify the relevant PCA information. |
Promotional vs. Destination products | Distinction between promotion ending and destination products: |
Credit Interest | Lloyds Banking Group has the following products that offer Credit Interest on account balances within a defined tier and this will be reflected on the CreditInterest tab. Any account balance outside of the defined tier values will not receive credit interest. |
BUSINESS CURRENT ACCOUNTS (BCAS) - £0 - £1M TURNOVER
API Section | Field(s) | Usage Notes |
---|---|---|
Overdraft | Overdraft/Notes, OverdraftFeeCharge Cap/Notes | Notes fields within the Overdraft section have been set as String (len 2000) rather than Array of strings (len 2000). |
Overdraft | OverdraftFeeCharge Detail/Notes | Conditions which are applied to when certain fee/charges may be applied to an account are shown within the corresponding Notes field, linked via the corresponding OverdraftFeeChargeDetail (ID) value. |
Eligibility | ResidencyIncluded | Regex pattern for this field insists on four characters, although it ought to be defined as up to four characters. |
Other Fees Charges | FeeChargeDetail(ID)/ FeeType, FeeChargeDetail(ID)/ OtherFeeType, FeeChargeDetail(ID)/ FeeCategory | FeeCategory to FeeType mapping from CodeList references different enumerations compared to DD and Swagger specifications; the reason for this is that the stated enumerations do not accurately reflect the categorisation of Fees and Charges by Lloyds Banking Group. This will not impact consumption of the data because the enumeration mappings are not forced within the Swagger. |
Other Fees Charges | FeeChargeDetail(ID)/ FeeAmount, FeeChargeDetail(ID)/ Notes | For some FeeTypes, the corresponding FeeAmount fields may be blank because: Conditions may apply which determine what price is charged for a particular transaction. The price of a particular transaction may vary depending on Customer and/or Account behaviour. The price of a particular transaction may be controlled/determined by a third party (i.e. not Lloyds Banking Group). Prices for a particular non-standard transaction are available via a discussion with the Customer. Anywhere where the FeeAmount field is blank will be explained/supported within the corresponding Notes field, linked via the corresponding FeeChargeDetail (ID) value. |
Mapping of Account Information API (Transactional Data) to the Open Data API (Product Information) | BCA(ID)/Identification |
Transactional data made available via the Account Information API can only be linked/mapped to the Open Data API for front book (on sale) products only; these include products which may have elements within them which are no longer offered (e.g. discontinued overdraft offerings no longer available for new lending). Where a Product Identifier is returned for a particular customer account (following a call to Account Information /accounts/{AccountId}/product) it means that the account is on a product for which the terms and conditions, features and benefits, and pricing information can be found in the Open Data API content. This Product Identifier can be used to locate that product within the Open Data BCA API content. Exceptions to the above will be where an underlying product may be shared by different customer segments (e.g. which have distinct Terms and Conditions which will apply) each of which is published via the Open Data API, but where customer and/or segment level (in addition to Account-level) information would be required to determine the correct mapping; this complexity for specialist BCA products is not supported at this time. Examples of these products would be the Schools Account, Treasurers’ Account and Credit Union Account. |
SME BUSINESS CURRENT ACCOUNTS (BCAS) - TURNOVER £1M-25M
Exception | Description |
---|---|
Mandatory / optional fields | Most optional fields have been left unpopulated due to either (a) being not applicable for the product or (b) having variations depending on the customer type. |
Products | All Lloyds Bank products currently are identical to those for Bank of Scotland with the exception of brand, product identifiers, product naming and the Unauthorised Borrowing Rate for overdrafts which is different for each brand. |
Marketing State | No products have promotional marketing states – only one single regular state per product. |
Credit interest | Only one product (School Banking Account) currently pays credit interest as standard. It has no tiers or banding, just a single gross rate applicable for balances of £1 and above. |
Overdrafts | Only customers with Business Extra or Electronic Business Tariff products can currently have an overdraft facility. Identical overdraft rates (with the exception mentioned above) and fees are applicable for all tiers/bands. Unauthorised Borrowing and Unpaid Item fees are represented in the Overdraft section, not under the Other Fees and Charges section. |
Eligibility | Only the entity yearly turnover (£1m-25m) is specified as a requirement for opening or managing accounts. Other eligibility requirements are handled at account opening and may vary depending on the customer – they are optional fields and are left blank. |
Fees and Charges | Several fees have been bundled under the ‘Other’ FeeCategory as the codelist supplied did not sufficiently represent the type of fee (description). Fees and charges are generally unsorted. It was unknown whether they should be sorted according to FeeCategory, how we as a bank should wish to sort them or how a TPP would approach sorting and display to the customer. In addition, if sorted by FeeCategory the fees under the ‘Other’ FeeCategory may be badly ‘positioned’ in a list. Criteria for sorting or presentation of data may also apply equally to features and benefits. Where fees have been represented under the ‘Other’ FeeCategory the description of the fee will reside under the ‘OtherFeeType’ construct. Where fee amounts (FeeAmounts) could not be represented by a single value then they are defined under the FeeChargeDetail construct. |
SME LOANS (SMELS) - £0 - £1M TURNOVER
API Section | Field(s) | Usage Notes |
---|---|---|
Eligibility | ResidencyIncluded | Regex pattern for this field insists on four characters, although it ought to be defined as up to four characters. Values provided state “UK” which would be highlighted as a fail. |
SME LOANS (SMELS) - £1M - £25M TURNOVER
Exception | Description |
---|---|
Product Maximum Loan Amount | The largest standard loan amount is £25,000; however, in exceptional circumstances, if the client’s situation and financial stability are sufficient, a loan of up to £50,000 may be considered. This is covered in the notes section. |
Eligibility Financial Holdings | It is necessary for a customer to hold a current account with Lloyds Banking Group in order to facilitate the business loan. Customers reviewing data may also therefore be interested in viewing Lloyds Banking Group business current accounts on offer. |
SIC Codes | Lloyds Banking Group has opted to leave the SIC code section blank as there are no industries which would be considered automatically ineligible for a business loan. Customers should be encouraged to contact the bank if they would like additional details. |
Fixed Rate APR | Our fixed rate business loan product only utilises a single rate and, as the current product is set up, this would not change. A new product would be created if we ever chose to change this aspect of our business loans. |
SME Loan Segment | Our Base Rate Business Loans provide additional flexibility to our business customers; however, our Fixed Rate Business Loans will be restricted to clients with sufficient collateral to cover the loan. |
BUSINESS CREDIT CARDS
Exception | Description |
---|---|
Eligibility Financial Holdings | It is necessary for a customer to hold a current account with Lloyds Banking Group before we will issue a business credit card. Customers reviewing data may also therefore be interested in viewing Lloyds Banking Group business current accounts on offer. |
Eligibility MinMax | Business Credit Cards are split by turnover; however, there are no functional differences to these products by design. Similarities are not an error and should be presented as directed. |
Contact and support
For general queries, please email obresponseteam@lloydsbanking.com
We will be able to respond from 9am to 5pm Monday to Friday, except public holidays.
For technical issues, please log a ticket via the OBSD: Sign in - Open Banking
FAQs
How should I use the Open Banking Model Bank?
The OBIE has set up a ‘Developer Zone’ for TPP developers. This contains the Open Banking API specifications and Data Standards required to build your own applications. You should use these as the standards against which you should develop your applications.
The OBIE Developer Zone can be found here.
Do you have a Sandbox environment for me to do my development against?
We do not currently support a Sandbox environment. The OBIE has built a Sandbox environment (Model Bank) to enable developers to prototype solutions against its specifications.
We strongly recommend that you develop and test your application using this environment as you are likely to be asked to show successful requests/responses as part of troubleshooting any issues you are facing. You can find the link to the OBIE’s Sandbox page here.
How do I register an application?
Which OIDC flows are you supporting?
We support the OIDC hybrid flow with the response types "code id_token" and "code". We have also exposed our discovery endpoint with Open Banking, which has all the necessary information for our OIDC implementation. This information can be found on the Open Banking Directory here.
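With the hybrid flow's code id_token response type, the ID token returned alongside the authorisation code carries a c_hash claim that binds the two together (OpenID Connect Core). The following is an added example, not Lloyds Banking Group code, of the client-side check; the function names are illustrative and the token is constructed and unsigned.

```python
import base64
import hashlib
import hmac
import json

# The hash is selected by the ID token's "alg" header, e.g. PS256 -> SHA-256.
HASH_FOR_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def left_half_hash(value: str, alg: str) -> str:
    """base64url of the left-most half of HASH(value), as used for c_hash."""
    digest = HASH_FOR_ALG_SUFFIX[alg[-3:]](value.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def code_is_bound_to_id_token(id_token: str, code: str) -> bool:
    """True only if the ID token's c_hash matches the code from the same response.

    Signature, iss, aud, exp and nonce validation are separate and still required.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return False
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:
        return False
    alg, c_hash = str(header.get("alg", "")), claims.get("c_hash")
    if alg[-3:] not in HASH_FOR_ALG_SUFFIX or not isinstance(c_hash, str):
        return False  # no c_hash, or an alg such as "none": reject
    return hmac.compare_digest(left_half_hash(code, alg).encode(), c_hash.encode())


def constructed_id_token(claims: dict, alg: str = "PS256") -> str:
    """Constructed, unsigned token for illustration; real tokens come from the ASPSP."""
    return ".".join([b64url_encode(json.dumps({"alg": alg}).encode()),
                     b64url_encode(json.dumps(claims).encode()), "constructed-signature"])
```

A response whose code was swapped after the ID token was issued fails this check even though the ID token's signature is still valid.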
When should I come to LBG to deal with development issues and when should I go to Open Banking Ltd?
As a first port of call, you should refer to the OBIE’s Developer Zone. If you have fulfilled all of the requirements documented there, and you would like to raise an issue with us directly, please use the Issue form in the Support section of our Developer Portal.
You may well be asked for successful request / response calls that have been made against Open Banking Model Bank to assist in troubleshooting.
Do you have a set of known issues that you can share with us?
We will communicate known issues to you via email.
Lloyds Banking Group Sandbox
The Sandbox is designed to replicate the LBG production environment. It provides a safe, controlled environment for registered TPPs to develop and test APIs.
Before you start we recommend users view and familiarise themselves with the Sandbox Developer Guide on this page.
App set up
Register your applications using Dynamic Client Registration (DCR), the details of which can be found in the documents below.
Lloyds Banking Group Sandbox Developers Guide
How to Register using DCR
This guide provides a technical overview of how to use the LBG Sandbox.
Screen Scraping Plus
This guide provides an overview of how to use our Screen Scraping Plus interface. It is intended to help TPPs carry out connectivity testing of the interface.
High level information is included about:
- What is Screen Scraping Plus?
- Websites on which Screen Scraping is enabled
- How to enrol with Open Banking OBIE Directory
This guide provides a technical overview of how to use the LBG Screen Scraping Plus.
How to register using DCR
Overview
The Dynamic Client Registration API enables Third Party Providers to register OAuth clients with NewDay to obtain client credentials and access tokens that can be used for making authentication requests.
How it works
Third party providers use our Dynamic Client Registration API to register their consumer applications with us and obtain access to Open Banking APIs to retrieve customer details needed for application services.
Before registering with Black Horse FlexPay, you must register with a regulated directory to obtain a Software Statement Assertion (SSA) and signing and transport certificates.
You can make a registration request to the Dynamic Client Registration endpoint with Black Horse FlexPay. After successful validation of the request with the given secret credentials, you will receive a client identifier in the response, which you can use to obtain application access tokens and access our Open Banking APIs.
The environment URLs applicable to Black Horse FlexPay are as follows:
Sandbox: https://api.blackhorseflexpay.com/sandbox/open-banking/v3.1
Production: https://api.blackhorseflexpay.com/open-banking/v3.1
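A client-side preflight for the registration request described above, as an added example that is not Black Horse FlexPay or Lloyds Banking Group code. It assumes the claim names of the Open Banking Dynamic Client Registration specification (software_statement, software_id, redirect_uris, jti, exp) and the SSA claims software_id and software_redirect_uris; the function names, the https rule and the sample SSA and request are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def ssa_payload(ssa_jwt) -> dict:
    """Decode the SSA payload for comparison only; this does not verify its signature."""
    segment = str(ssa_jwt).split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def preflight_dcr_request(request: dict, now: int) -> list:
    """Return the reasons a registration request contradicts the SSA it carries."""
    try:
        ssa = ssa_payload(request.get("software_statement", ""))
    except (IndexError, ValueError):
        return ["software_statement is missing or not a decodable JWT"]
    problems = []
    if "software_id" in request and request["software_id"] != ssa.get("software_id"):
        problems.append("software_id differs from the SSA")
    listed = set(ssa.get("software_redirect_uris", []))
    uris = request.get("redirect_uris") or []
    if not uris:
        problems.append("redirect_uris is empty")
    for uri in uris:
        if urlsplit(uri).scheme != "https":
            problems.append(f"redirect URI is not https: {uri}")
        elif uri not in listed:
            problems.append(f"redirect URI is not listed in the SSA: {uri}")
    if not request.get("jti"):
        problems.append("jti is missing, so a replayed request cannot be recognised")
    if not isinstance(request.get("exp"), int) or request["exp"] <= now:
        problems.append("exp is missing or already in the past")
    return problems


# Constructed, unsigned SSA and request, for illustration only.
CONSTRUCTED_SSA = ".".join([b64url(b'{"alg":"PS256"}'), b64url(json.dumps({
    "software_id": "constructed-software-id",
    "software_redirect_uris": ["https://tpp.example/callback"]}).encode()), "sig"])
CONSTRUCTED_REQUEST = {
    "software_id": "constructed-software-id", "jti": "constructed-jti-1",
    "exp": 1_700_000_300, "redirect_uris": ["https://tpp.example/callback"],
    "software_statement": CONSTRUCTED_SSA}
```

Running the preflight before signing catches a redirect URI that was added to the application but never to the directory record, which would otherwise surface only as a rejected registration.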
Access to Sandbox
To register on Open Banking Sandbox, please use Register
To make use of the Sandbox data, we have set up a test account, Loki, that covers all possible Sandbox requests.
User Credentials | Description | Required | value |
---|---|---|---|
Username | The username of the Mock User. The username needs to be provided as part of the user authentication process. | Mandatory | loki |
One Time Passcode | The one-time passcode for the Mock User. The one-time passcode is a 6-digit code that is sent to the selected device during the user authentication process. In the sandbox environment the code is not delivered, regardless of the device it was requested to be sent to. | Mandatory | 000000 |
Verification Code | The verification code of the Mock User. The verification code is a 6-digit code provided on the second step of the user authentication process. | Mandatory | 123456 |
Account Id | The account Id is used as part of the request to Black Horse's APIs. It's provided as part of the request url to retrieve user resources related to an account Id. | Optional | 904000 |
Statement Ids | The statement Id is used as part of the request to Black Horse's APIs. It's provided as part of the request url to retrieve user statement resources. | Optional | 8sfhke-sifhkeug-00001, 8sfhke-sifhkeug-00002, 8sfhke-sifhkeug-00003, 8sfhke-sifhkeug-00004, 8sfhke-sifhkeug-00005, 8sfhke-sifhkeug-00006, 8sfhke-sifhkeug-00007, 8sfhke-sifhkeug-00008, 8sfhke-sifhkeug-00009 |
Our live APIs follow the same URL schemes as specified on this developer portal, but with the '/sandbox' path element removed.
For example:
Sandbox: https://api.blackhorseflexpay.co.uk/sandbox/open-banking/v3.1/register
Production: https://api.blackhorseflexpay.co.uk/open-banking/v3.1/register
Contact & Technical Issues
For general queries, please email EmbeddedFinanceProductTeam@lloydsbanking.com
We will be able to respond from 9am to 5pm Monday to Friday, except public holidays.