After an account holder gives their consent, the third-party provider can check if it is still valid and see what they consented to. If an account holder wants to withdraw their consent, the third-party provider can make a call to revoke that consent.
This page explains how you, as a third-party provider, use the /consents endpoint to:
- Check if an account holder's consent is still valid and how a third-party provider can use the consent.
- Revoke consent on the account holder's behalf.
Requirements
Requirement | Description |
---|---|
Integration type | Not applicable; this documentation is intended for third-party providers. |
Setup steps | Before you begin, you must: |
Check if the account holder granted consent
To get the status of a previously granted consent:
- Make a GET /consents/{consent_id}/status request, where consent_id is a unique identifier for a specific consent. This is the consent_id you saved in the create a consent step. In the headers, include a UUID for the X-Request-ID and the access_token you saved in the get an access token step.
- In the response, check the consentStatus. This value indicates your current stage in the consent process. See the consentStatus row in the following table for all possible values.
Parameter | Description |
---|---|
consentStatus | Status of consent. Possible values: |
 | - received: The consent data have been received. The request will need to be repeated to check if its status updates to "valid" for use. |
 | - rejected: The consent data have been rejected. This is a final status. |
 | - valid: The consent is accepted and valid. |
 | - revokedByPsu: The consent has been revoked by the account holder. |
 | - expired: The consent expired. |
 | - terminatedByTpp: The third-party provider has terminated the consent. |
psuMessage | Details regarding the account holder's consent. |
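The status check above, as an added Python example (not code from this documentation): it repeats the call while the consent is received, and treats only valid as permission to proceed, so a final status, a missing field, or a value outside the table is denied. BASE_URL, the Bearer form of the access_token header, and the function names are assumptions.

```python
import json
import time
import uuid
import urllib.parse
import urllib.request

BASE_URL = "https://api.example.test"  # assumption: placeholder host, not from the page


def build_status_request(consent_id, access_token):
    """Build GET /consents/{consent_id}/status with a fresh X-Request-ID."""
    # Percent-encode the identifier so it cannot alter the request path.
    path = f"/consents/{urllib.parse.quote(consent_id, safe='')}/status"
    req = urllib.request.Request(BASE_URL + path, method="GET")
    req.add_header("X-Request-ID", str(uuid.uuid4()))
    # Assumption: the access_token is sent as a Bearer token; the page only
    # says that it goes in the headers.
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def fetch_status(consent_id, access_token):
    """Send the request and return the parsed JSON response body."""
    req = build_status_request(consent_id, access_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def classify(body):
    """Map a response body to 'usable', 'pending' or 'denied' (fail closed)."""
    status = body.get("consentStatus") if isinstance(body, dict) else None
    if status == "valid":
        return "usable"
    if status == "received":
        return "pending"
    # rejected, revokedByPsu, expired, terminatedByTpp, or anything unexpected.
    return "denied"


def wait_for_consent(consent_id, access_token, fetch=fetch_status,
                     attempts=5, delay=2.0, sleep=time.sleep):
    """Repeat the status call while 'received'; return True only for 'valid'."""
    for attempt in range(attempts):
        outcome = classify(fetch(consent_id, access_token))
        if outcome != "pending":
            return outcome == "usable"
        if attempt < attempts - 1:
            sleep(delay)
    return False  # still 'received' after all attempts: do not use the consent
```

Because a consent can move from valid to revokedByPsu, expired, or terminatedByTpp later, run the same check again before each use instead of caching a previous result.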
Check the authorization status of an account holder's consent
To get information about a consent authorization and to determine where your account holder is in the authentication flow for accessing account information or initiating payments:
- Make a GET /consents/{consentId}/authorisations/{authorization-id-consent} request, where consent_id is a unique identifier for a specific consent and authorization-id-consent is a unique identifier for a specific consent authorization.
  - Note that this authorization-id-consent can be found in the create a consent response. This is the last set of characters at the end of the scaStatus link.
- The response contains the authorization status. Use this to determine which part of the authentication flow your account holder is currently in. See the scaStatus row in the following table for all possible values.
Parameter | Description |
---|---|
scaStatus | Status of authorization. Possible values: |
 | - scaMethodSelected: The account holder/third-party provider has selected the related Strong Customer Authentication (SCA) routine. |
 | - started: The addressed SCA routine has been started. |
 | - finalised: The SCA routine has been finalized successfully (including a potential confirmation command). This is a final status of the authorization resource. |
 | - failed: The SCA routine failed. This is a final status of the authorization resource. |
Check consent details of an account holder
To retrieve the details of a previously granted consent, such as the consent status, expiration date, scope, and other related information:
- Make a GET /consents/{consent_id} request, where consent_id is a unique identifier for a specific consent.
- Check the response for details about account access, validity period, consent status, and links to available resources.
Delete a consent
Revoking consent withdraws the account holder's authorization to access account information or initiate payments. To revoke a previously granted consent:
- Make a DELETE /consents/{consent_id} request, where consent_id is a unique identifier for a specific consent.
- If the deactivation was successful, you'll get an HTTP 200 OK response. The revokedByPsu status will appear in future calls when you check if the account holder granted consent.