Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
SahamatiNet Router serves as an additional layer on top of the AA network, offering extra services and policies. By integrating with the Sahamati Router, FIUs, FIPs, and AAs can seamlessly connect with all other entities within the Router. This eliminates the need for multiple integration points, significantly reducing the integration and operational efforts for members
Comprehensive Technology Infrastructure โ SahamatiNet
SahamatiNet - Services on Observability
MIS :
Daily reports on Discovery, Linking, Consent, and data fetch, generated from the Routerโs meta data. Will be more accurate that currently available due to varying cadences, formats, incorrect data and naming conventions.
Network Health :
Complete picture of health of FIP and AA applications derived from a single source of truth. Avoids overlapped calls from AAs to the FIPs and ecosystem health reporting is not dependent on vagaries of reporting.
SLA Reporting :
Report on SLA Adherence for each scenarioโs success case, error rate for AAs and FIPs.
Need to define and agree SLAs for each ecosystem participants and report on adherence and Report on non-adherence to SLA commitments
NOC Support :
Sahamati NOC Support using Network Health metrics and SLA Adherence
Facilitates proactive action to correct โsickโ nodes
Grievance Redressal
Technical Audit :
API Telemetry
Tracking of changes in Ecosystem such as onboarding of REs, ad
Billing and Recon :
Generate data fetch statements to support downstream billing & any reconciliation efforts amongst participants bilaterally
SahamatiNet is the technological infrastructure developed and maintained by Sahamati to support the Account Aggregator (AA) ecosystem. It comprises a set of specifications, Application Programming Interfaces (APIs), and services aimed at improving the ecosystem's performance, trust, and reliability. By establishing a robust infrastructure, SahamatiNet addresses key challenges such as interoperability, data compliance, data quality, and operational efficiency, thereby ensuring a seamless and trustworthy experience for AA ecosystem entities involved.
Current AA Network Mode - Many to Many Integrations
The integration and interoperability within the AA ecosystem are significantly simplified through the use of SahamatiNet, a unified platform that serves as a central hub for all participantsโFIUs (Financial Information Users), AAs (Account Aggregators), and FIPs (Financial Information Providers). Traditionally, these entities would have to establish separate connections and integrations with one another, each facing unique challenges related to data exchange, security, and compliance with standards. However, with SahamatiNet, this complexity is reduced as all participantsโFIUs, AAs, and FIPsโnow only need to integrate with this single application.
At present, the integration model within the Account Aggregator (AA) ecosystem involves multiple connections:
(FIU x AA): Financial Information Users (FIUs) integrate with Account Aggregators (AAs).
(AA x FIP): Account Aggregators (AAs) also integrate with Financial Information Providers (FIPs).
This results in a complex network of individual, point-to-point connections between participants, which increases the integration effort and maintenance overhead.
SahamatiNet serves as a central interface that significantly enhances interoperability within the AA ecosystem. It allows all participantsโFIUs, AAs, and FIPsโto interact seamlessly by leveraging a unified set of shared protocols and standards defined by ReBIT. By integrating with SahamatiNet Router, each participant can effortlessly connect with and exchange data with other members of the ecosystem, without needing to establish multiple individual integrations. This centralised approach reduces complexity and eliminates the need for separate, technical connections, ensuring consistent data handling, security, and simplified interoperability across all participants.
The platform standardises communication between all roles, facilitating smoother and more efficient connections. Participants no longer have to navigate through complex and disparate systems to access necessary data or services. Instead, they rely on SahamatiNet Router to manage interactions, significantly simplifying integration efforts. This approach leads to a more streamlined and scalable model for data exchange, security enforcement, and access management, fostering a cohesive ecosystem. By consolidating previously fragmented connections into a single, unified application, SahamatiNet Router makes interoperability faster, more secure, and more efficient for all participants in the AA ecosystem.
However, as entities integrate with SahamatiNet, this integration model will be streamlined. The number of necessary integrations will be significantly reduced to a simpler structure:
(FIU + AA + FIP): Financial Information Users (FIUs), Account Aggregators (AAs), and Financial Information Providers (FIPs) will now interact with one central service (SahamatiNet). This centralisation simplifies the communication process, reduces the number of direct integrations, and enhances the overall efficiency of the ecosystem.
The AA ecosystem shifts from a traditional bilateral-trust model to a more scalable network-trust framework, where trust is centrally managed through SahamatiNet. This framework guarantees interoperability across all participantsโFIPs, AAs, and FIUsโby applying consistent security standards and protocols. Instead of each participant individually establishing trust with others, trust is delegated to SahamatiNet, ensuring secure and seamless interactions throughout the ecosystem.
To maintain this trust, FIPs are required to subject SahamatiNet to a rigorous onboarding process before integrating with it, ensuring the platform meets their security and operational standards. Once FIPs are onboarded, Sahamati applies the same level of scrutiny when onboarding AAs. Similarly, AAs apply rigorous checks when onboarding FIUs, and once an FIU passes this process, Sahamati applies the same level of rigor to onboard the FIU to SahamatiNet. This delegation of trust streamlines the process, enabling more efficient and reliable interoperability across the entire AA ecosystem.
SahamatiNet Applications
Interoperability is a core challenge in any data-sharing ecosystem. The Router acts as a bridge to ensure smooth and standardised communication between various ecosystem members using ReBIT APIs. When a request is made by one member to another (such as an FIU requesting data from an FIP), the Router ensures that the API requests and responses are correctly routed and formatted. This service is crucial for ensuring that no matter what system or infrastructure a member uses, the interaction remains standardised and interoperable across the network.
Key Features:
Facilitates interoperability between ecosystem members.
Routes and standardises API requests and responses.
Simplifies cross-ecosystem communication by eliminating compatibility issues.
The following diagram shows the current flow between FIU and AA flow for Consent API. With the current structure, the API requests are sent to the respective recipient member directly. This requires each member to understand the metadata of the recipient member and use their base path while sending.
Sahamati Router simplifies the process for members to send requests to any recipient by simply including the recipient identifier (x-recipient-id) in the header, under x-request-meta. The Router will then redirect the request to the corresponding recipient. This update must be implemented across all ReBIT APIs in the respective regulated entity's application.
Currently, the Router is fully implemented with all APIs compliant with ReBIT specifications v2.x.
The Central Registry is a core service in the AA ecosystem, provided by Sahamati, which serves as a directory for all participantsโAccount Aggregators (AAs), Financial Information Providers (FIPs), and Financial Information Users (FIUs). It provides essential information about each participant, including their public IP addresses and public keys, enabling secure and interoperable communication within the ecosystem.
The Central Registry offers an API that allows participants to access details of other members, subject to role-based access restrictions. These roles are defined through identity tokens issued by Sahamati, ensuring that each participant can only access relevant information. For instance, AAs can fetch details of FIPs and FIUs, while FIPs and FIUs can retrieve information about AAs.
Additionally, the Central Registry is closely integrated with the Token Issuance service, which provides each participant with a short-lived JSON Web Token (JWT) for secure API calls across the ecosystem. This JWT is used to authenticate each participant and must be refreshed every 24 hours.
The Central Registry ensures seamless interaction within the AA ecosystem by making vital participant information easily accessible and securely managed.
The Identity and Access Management (IAM) system within the AA ecosystem is responsible for ensuring secure and authorized access to ecosystem APIs. It manages participant roles, such as AA, FIP, or FIU, which are assigned during registration and embedded in the identity tokens issued by Sahamati. These roles govern access to services and ensure that participants can only access information they are authorized for.
To facilitate secure interactions, IAM utilizes Access Tokensโshort-lived JSON Web Tokens (JWT)โto authorise participants when they access ecosystem APIs. The Access Tokens, linked to the participant's role, ensure that only authorised individuals or entities can retrieve specific data or interact with services. Through role-based access control and token-based authentication, IAM safeguards the ecosystem's integrity and protects sensitive data while enabling secure communication among participants.
For the SahamatiNet Proof Of Concept (POC)
Register as a Ecosystem Member for POC
Identify the key fields needed for registration.
Choose your member type: Account Aggregator (AA), Financial Information Provider (FIP), or Financial Information User (FIU).
Provide the following organisation details for the Central Registry (CR):
Entity ID (unique identifier)
Base URL for your service
RSA Public Key for secure communication
IP Address, Inbound and Outbound Ports (for production; optional for UAT and Sandbox)
Designate a user (preferably with a service email account) to manage the entity as an admin in CR and IAM.
Complete the Google Form for Registration to onboard with the Central Registry (CR).
Verify and Set Up User and Entity Access Tokens
The designated user will receive an email with a password reset link.
Reset the password and complete the account setup.
Generate the User Access Token using the userโs email and new password.
Use the User Access Token to read the entityโs secret from the Sahamati IAM API.
If needed, reset the secret using the designated API.
Use the entity secret to generate the Entity Access Token for ReBIT APIs.
Refer to the section on these APIs here
Integrate with SahamatiNet Router in Sandbox
Understand the required changes for integration with the Router.
Sahamati Router simplifies the process by allowing members to send requests to any recipient by adding the recipient identifier (recipient-id) in the header under x-request-meta. Refer here for more details.
Changes of additional step of onboarding in your application
With the transition to integrating with the SahamatiNet Router, the onboarding process for FIUs (Financial Information Users), AAs (Account Aggregators), and FIPs (Financial Information Providers) is no longer necessary. Previously, this step was essential for establishing peer-to-peer trust and enabling communication within the AA ecosystem. However, with Router integration, trust is managed through technical means, eliminating the need for additional onboarding on your side.
As an AA Ecosystem participant, you can bypass the manual onboarding for FIUs, AAs, and FIPs in your application. These participants would undergo the required compliance through SahamatiNet before interacting with other entities via the Router. This change streamlines the integration process, removing the need for extra code or configuration, and improving the efficiency and ease of connections across the AA ecosystem.
Note that while the technical integrations are now handled through the Router, the necessary commercial agreements between AA ecosystem participants remain unchanged and will continue as they are.
Review ReBIT workflows relevant to your entity using the Router.
Integration with Simulators
Test and validate the Router's functionality with ReBIT workflows tailored to your entity type by using the integration simulators in the sandbox environment (FIU, AA, FIP). You can also test this with your own simulators, if you have them. Please be sure to include the simulator details in the Google form provided above. We will onboard it for validation in the Sandbox environment as part of the POC.
Refer to the section on how to use SahamatiNet simulators here and respective simulators links below
Validate Integration with Simulators and Regulated Entities
Conduct tests with other onboarded entities in the sandbox environment to review all integration points and ensure seamless operation.
More details on this step will be provided as we progress through the POC.
By following these steps, you will successfully onboard and integrate with SahamatiNet in the sandbox environment, ensuring compliance with ReBIT specifications and the AA ecosystem standards
The Account Aggregator (AA) infrastructure is a sophisticated technological framework designed to revolutionize data sharing across the financial sector in India. The collaboration among financial sector regulators (FSRs)โReserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory Development Authority (IRDA), and Pension Fund Regulatory Development Authority (PFRDA)โunder the Financial Sector Development Council (FSDC) has aimed to establish a seamless, secure, and efficient data-sharing mechanism.
The Reserve Bank Information Technology Pvt Ltd (ReBIT), a wholly-owned subsidiary of the RBI, was authorized to establish technology standards for the ecosystem. This regulatory framework established a high-level architecture, and the market was kept independent of operationalizing the data-sharing mechanism. This market-driven approach has led to the formation of Sahamati as an industry alliance to collaboratively build the necessary procedural and technological foundations for the AA ecosystem.
SahamatiNet is the technological infrastructure developed and maintained by Sahamati to support the Account Aggregator (AA) EcoSystem. Hosted in a secure, highly available, and scalable environment, this technological infrastructure ensures the robustness and reliability of the AA EcoSystem. The infrastructure aims to engender trust, build visibility in ecosystem health, offer implementation support and grievance redressal mechanisms, foster a culture of compliance, and enable efficient integrations across the ecosystem. Sahamati has co-created these crucial technology artefacts with the collective intelligence of the ecosystem to serve its diverse needs.
Delve into the functional aspects of the SahamatiNet:
Sahamati maintains a Central Registry (CR) to facilitate the discoverability of public information related to each member endpoint. CR is a comprehensive database listing all authenticated and authorized entities within the AA ecosystem. It ensures that only verified Account Aggregators, Financial Information Providers (FIPs), and Financial Information Users (FIUs) can participate. CR empowers eligibility verification and streamlines the onboarding process onto the network, fostering stakeholder confidence and trust.
The CR is supported through a token service that ensures the validity & reliability of end-point information. It enhances security by managing secure and efficient data exchanges between entities. It issues and validates tokens, ensuring that all data requests and transfers are authenticated, authorized, and encrypted. By codifying network-level authorization rules, the token service safeguards against unauthorized access and enhances trust within the network.
Sahamati has built a network health monitoring infrastructure that provides visibility into various parameters of health in the ecosystem. Through continual tracking of the performance of the ecosystem, the system equips identification of potential issues such as downtimes or implementation bugs. It enables proactive management and rapid resolution of any disruptions, ensuring smooth and efficient operations. Complementing the monitoring system are the Management Information System (MIS) dashboards, which offer real-time visibility into key metrics and performance indicators. These dashboards provide detailed insights into volumes of accounts linked as well as consents fulfilled.
Sahamati is committed to fostering a culture of compliance in the Account Aggregator (AA) ecosystem. It has institutionalized a certification process before onboarding members to foster a standardized and secure ecosystem. Members can opt for this certification service to ensure adherence to the Technical Standards set by ReBIT and simplify compliance. Sahamati has strategically empanelled organizations to provide independent certification services, guaranteeing compliance and impartial assessment. Certification also fosters trust and enables easy integration, facilitating seamless interoperability and reducing integration friction.
Sahamati equips the ecosystem with implementation support and grievance redressal mechanisms. During the implementation phase, Sahamati provides comprehensive support, offering technical assistance, guidance, and resources to ensure smooth onboarding and effective utilization of the infrastructure. A dedicated support application is available to address grievances and resolve issues faced by members. This mechanism ensures that any problems are promptly addressed, maintaining member satisfaction and trust in the ecosystem.
SahamatiNet aims to create an interoperable, customer-centric ecosystem through a secure, transparent, and efficient infrastructure. This holistic infrastructure ensures the reliability, security, and growth of the AA ecosystem. The infrastructure enhances the efficiency of data-sharing transactions and promotes trust and collaboration among all stakeholders, driving the overall success of the AA ecosystem.
Currently, SahamatiNet is dedicated to addressing key ecosystem challenges, including interoperability, data usage compliance, and operational efficiency, to provide a seamless experience for AA ecosystem members. The following are the primary focus areas of SahamatiNet:
Interoperability: Enable ecosystem members to connect seamlessly with all other Sahamati Network entities. This eliminates the need for multiple integration points, significantly reducing the integration and operational efforts for members.
Fair Use Compliance: FIUs and AAs are expected to align their consent usage within ecosystem-defined boundaries to ensure the fair use of AA. SahamatiNet aims to develop a programmatic, policy-based automated framework that ensures compliance with fair use policies regarding customer consent and data.
Network Observability: SahamatiNet aims to scale the current network health monitoring system to a comprehensive infrastructure that provides real-time data access and monitors fraud to aid efficient dispute resolution, billing & reconciliation, and tracking network usage.
Policy Development and Advocacy: The organization is engaged in developing policies and advocating for regulatory frameworks that support the growth and sustainability of the AA ecosystem.
Additional Initiatives: Sahamati is continually exploring and implementing other initiatives to support and enhance the AA ecosystem's functionality and resilience.
However, it is important to adopt and implement technological solutions alongside governance measures to expedite the resolution of these challenges.
To participate in the SahamatiNet Router in the Sandbox, an entity (AA, FIP, or FIU) must ensure its API implementation is ReBIT standards-compliant. This ensures that the entity's APIs meet the necessary interoperability standards for the AA ecosystem and can be tested via the SahamatiNet Router.
The onboarding process involves submitting the Entity (member) information such as
For Ecosystem Member Type: Specify whether you represent an AA, FIP or FIU.
Account Aggregators (AA) : Entities that facilitate the secure sharing of user financial data between financial information providers (FIPs) and financial information ussers (FIUs)
Financial Information Providers (FIP) : Entities that hold user financial data, such as banks, NBFC, etc.
Financial Information Users (FIU): Entities that seek user financial data to provide value-added services like loans, wealth management, and more.
For IP Address, Inbound and Outbound Ports: Network details for connecting with the AA ecosystem are required for Production, optional for UAT and Sandbox.
The Designated User of the entity information such as
The member (entity) will be onboarded along with a user with admin role for managing the profile, secret rotation of entity etc,.
Designated User: Contact details of the representative responsible for generating and managing the client secret in IAM (Token Service). It is recommended to use a service account email for the long-term management and consistency.
If you're experiencing difficulties accessing the Google form from your organization's network, you can alternatively generate the following JSON request and email it as an attachment to sandbox@sahamati.org.in. Please use the subject line: Onboarding to SahamatiNet Router POC: and make sure to include the designated user's email ID and full name for each entry.
Ecosystem Member should provide the above details in the . Sahamati team will validate the details and onboard the entity as the member to the Sahamati's Central Registry (CR) and IAM (Token Service).
ID (Entity ID)
Unique identifier for your organisation used as Entity ID in Central Registry.
Name
Name of the entity
Type
Entity Type - one of FIU, FIP, AA (Member Type)
Base URL
Base URL ( Endpoint ) of your respective application to access the APIs and send requests.
(Only v2 API endpoint are supported in Sandbox environment)
Certificate
The RSA public key of the entity for secure communication. It will be used by the members to validate the signature
(x-jws-signature) of the API request.
ips
The IP address(es) of the entity to whitelist to access of Sahamati Network services (Ex: Router).
inboundports
The port of the member that the Sahamati services can connect to.
outboundports
The port of the member that the Sahamati services can expect to receive requests from.
entityhandle
Relevant and required only for AAs.
Name
Name of the user from entity who will manage client secret
Email address of the user - preferably service account email
Mobile [Optional]
Mobile number of the user
Central Registry APIs
A RE should fetch the metadata of the other REs to interact with them through ReBIT APIs to handle the AA ecosystem functionalities. Sahamati provided the CR APIs to access the REs metadata. Here is the sequence diagram for Fetching REs metadata.
Identity and Access Management ( Token Service) APIs
Each member of the Sahamati Network will be onboarded with a designated user who holds an admin role to manage the entityโs profile and secret.
During the onboarding process, the designated user will receive an email containing a verification link. After email verification, the user will be prompted to set a password, completing the account activation process.
Once the password is set, the user can generate the User Access Token by providing their email and the new password. This token is used for authenticating the entityโs secrets.
The designated user can then use the User Access Token to access the entityโs secret and, if necessary, reset the secret.
Finally, the entity secret is used to generate the Entity Access Token, which is needed for interactions with the ReBIT APIs within the AA network.
The Regulated Entities (REs) should generate the Access Token using the Token API from Sahamati for accessing and authentication of any APIs in the AA ecosystem including Sahamati APIs.
Here is the sequence diagram for the Token Generation Process.
Below are the Base URL of each environment to use IAM APIs.
Production
https://api.sahamati.org.in/iam
UAT
https://api.uat.sahamati.org.in/iam
Sandbox (Used for PoC)
https://api.sandbox.sahamati.org.in/iam
Please note that the following documentation displays the Base URLs from the Sandbox environment. Ensure you use the appropriate Base URLs depending on the environment you are working in.
Below is the Sandbox Environment file for SahamatiNet Services
The following pages provide an overview of these API implementations.
Outlined below are the changes that members need to make to their implementation to use the SahamatiNet Router.
Use the following Sahamati Router API endpoint as base path for all the requests.
Do note the Router API endpoint URL mentioned above is used for Sandbox, the respective URL for each environment (UAT and Production) will be updated when we progress to next environments.
Add the recipient ID under the new header x-request-meta with recipient-id in a JSON object which is the identifier of the receiver to whom the API call needs to be forwarded.
The value of the x-request-meta is Base64 string of the JSON object with recipient-id.
This structure helps us to easily extend the JSON object by adding the required attributes for future use cases.
The receiver could be any of the participant, FIU, AA or FIP.
These header changes need to be implemented for communication between FIU and AA, AA and FIP, FIP and AA, as well as FIU and AA.
Service Name and their URLS
Public Key
IAM (Token Service)
Central Registry (CR)
Router
API Collection:
The Router, currently in the Sandbox environment for the POC, implements all ReBIT API specifications as detailed in .
Please ensure that, in addition to the changes in the ReBIT API calls, the entity key validation for the public key is also pointing to the Sandbox for your code changes for POC. These URLs will vary across different environments. You can find the Base URLs for these in the .
Host
The base path to use by the members of SahamatiNet Router.
Headers
This will remain same as previous.
โ
x-jws-signature - Authorization
Token (from sender)
Additional Headers
The recipient id is a required property. It is the identifier of the receiver to whom the API call needs to be forwarded.
x-request-meta
In the Account Aggregator (AA) ecosystem, secure data sharing is facilitated through three key workflows, each governed by standardized ReBIT APIs. The process begins with User Login to AA for Account Discovery & Linking, where users provide identifiers such as mobile numbers to identify and connect their financial accounts across multiple institutions; the linking is authorized via a One-Time Password (OTP). Following this, the Consent Workflow enables Financial Information Users (FIUs) to obtain explicit user consent for accessing their financial data from various Financial Information Providers (FIPs), ensuring compliance with stringent privacy standards. Finally, once consent is granted, the Financial Information (FI) Request Workflow allows FIUs to securely request financial data from FIPs through the AA, ensuring that only authorized data is retrieved and shared, thereby maintaining privacy and data integrity throughout the process.
Account Discovery & Linking allows users to identify and link their accounts across multiple financial institutions. This process is initiated when a user provides their mobile number or other identification, which the Account Aggregator uses to query Financial Information Providers (FIPs) for linked accounts. Upon identification, the user is prompted to authorize the linking via an OTP (One-Time Password). ReBIT APIs facilitate the communication and data flow between the AA, FIU, and FIP during the discovery and linking phases.
The Consent Workflow is at the core of the Account Aggregator (AA) ecosystem. It governs how a Financial Information User (FIU) obtains explicit consent from the user to access their financial data held by various Financial Information Providers (FIPs). This workflow ensures that data sharing is fully authorized by the user, adhering to stringent data privacy regulations. The consent mechanism follows a standardized flow, involving the FIU, AA, and FIP, where ReBIT APIs are used to securely request, manage, and process user consent.
The FI Request Workflow outlines how a Financial Information User (FIU) requests data from Financial Information Providers (FIPs) via the Account Aggregator. Once consent is granted, the FIU can initiate a financial information request, and the AA retrieves the required data from the FIP. ReBIT APIs are integral in transmitting these requests securely and ensuring that only authorized data is shared with the FIU.
The following sections provide a detailed explanation of these above mentioned workflows, including a diagram illustrating API interactions (Reference) within the AA ecosystem. The diagram also highlights changes related to the Router. Review these sections carefully to understand the modifications and the necessary updates to your code.
The Account Discovery & Linking process involves identifying the financial accounts a user holds across various institutions (FIPs) and linking them to the Account Aggregator for easy management and data access.
The user logs into the AA application and provides their mobile number or other identity verification details. The AA then queries the FIPs to discover accounts associated with the user.
API (Internal API Spec): /user/send-otp (POST): The user login process after entering the phone number sends an OTP for login.
API (Internal API Spec): /user/verify-otp (POST): The user enters the OTP sent in the previous step to verify and login.
The Account Discovery request is routed to the FIP via the Router, following these steps:
Retrieve the FIP identifier from the Central Registry.
Construct the request header (x-request-meta) using the retrieved identifier for Router compatibility.
Transmit the request to the Router along with the prepared header.
Upon receiving the request, each FIP searches its records for accounts associated with the provided identity (e.g., mobile number or email).
ReBIT API: /Accounts/discover (POST) with 'x-request-meta' header: The FIP returns details about the user's accounts to the AA.
Once the AA receives the list of accounts from various FIPs, it presents this information to the user. The user selects the accounts they wish to link with the AA. To authorize the linking, the user receives a One-Time Password (OTP).
ReBIT API: /Accounts/link (POST) with 'x-request-meta' header: The AA sends a request to FIP through Router with request header (x-request-meta) to initiate linking of the account with the AA customer account.
ReBIT API: /Accounts/link/verify (POST) with 'x-request-meta' header: The user needs to provide the OTP sent with the previous step to complete the account linking. The AA send the OTP as token to FIP through Router with request header (x-request-meta) to verify the account link.
After successful OTP verification, the userโs selected accounts are linked to the AA. The FIP will send a notification to the AA on successful OTP verification for the account linking. These accounts can now be used for data sharing in future consent workflows.
ReBIT API: /Account/link/Notification (POST) with 'x-request-meta' header: The FIP sends a notification about status of account linking to AA through Router. The AA confirms that the accounts have been successfully linked and communicates this to the user.
For the above use case implementation, AA need to implement a few internal APIs for hanlding the user registration, login and accounts data along with the ReBIT API Specification.
In this scenario, the AA need to have a mock FIP to support the integration testing with mock response for the API requests to FIP. Please use the "FIP-SIMULATOR" for the integration testing with mock data. Please refer to Testing with Simulator for more details.
The consent workflow is a fundamental part of the Account Aggregator (AA) ecosystem. It ensures that Financial Information Users (FIUs) can access user data from Financial Information Providers (FIPs) only after obtaining explicit consent from the user. This workflow is governed by a series of secure and standardized interactions using the ReBIT APIs.
The Account Discovery & Linking is handled by the user to execute the Consent workflow.
The FIU initiates the process by sending a consent request to the Account Aggregator (AA). The request specifies the type of financial data, the duration, and the purpose for which it is being requested. This consent request is made by the FIU to the AA through Router, following these steps:
Retrieve the FIP identifier from the Central Registry.
Construct the request header (x-request-meta) using the retrieved identifier for Router compatibility.
Transmit the request to the Router along with the prepared header.
ReBIT API: /Consent (POST) with 'x-request-meta' header: The FIU sends the consent request to the AA using this API through Router. The request includes the data access requirements, purpose, and duration for which access is required.
API (AA Internal Spec): /Consent/create (POST): The AA create the consent artefact and stores for future use with pending status.
After receiving the consent request, the AA communicates with the user via its mobile app or web portal, presenting the consent details. The user reviews and either approves or denies the request.
API (AA Internal Spec): /Consent/read (GET): The AA retrieves the consent artefact details to present to the user for approval.
If the user approves the consent request, the AA generates a consent artefact. This artefact is a formal document containing all the details of the userโs consent, such as the scope, purpose, and validity.
API (AA Internal Spec): /Consent/accept (POST): The AA update the status and stores the consent artefact after the user grants approval.
Once consent is granted, the AA sends the consent artefact to both the FIU and the relevant FIP. The FIP uses this consent artefact to validate requests for financial data.
ReBIT API: /Consent/Notification (POST) with 'x-request-meta' header: The FIU & FIP is notified about the granted consent via this API. It helps,
FIU to fetch the consent artefact from AA and use it for FI request.
FIP to validate the future FI data requests from the FIU.
ReBIT API: /Consent/fetch (POST) with 'x-request-meta' header: The FIU fetches the Consent artefact from AA through Router to use it for future FI data requests.
The user has the ability to revoke consent at any time, cutting off access to their data.
API (AA Internal Spec): /Consent/revoke (POST): This API allows the user to revoke previously granted consent.
SahamatiNet has developed Response Simulators for each type of entity in the AA ecosystem. These simulators replicate the behaviour of AA, FIU, or FIP while interacting with ReBIT APIs for Router integration, enabling seamless testing and validation.
By mimicking real Entity Protocol APIs, the Response Simulator provides a controlled environment where developers can test the router service independently without relying on a live entity.
The sample workflow diagram below illustrates the usage of the Response Simulator by including a simulated response with the expected response.
The following two details are required in the request to use the APIs with Response Simulator:
recipient-id: This is specified in the x-request-meta header through which the router that will route the request to the respective response simulator.
Based on the respective use case you can use the following Entity ID as recipient-id, which are mapped to the respective Response Simulators in Sandbox environment,
AA-SIMULATOR
FIU-SIMULATOR and
FIP-SIMULATOR
x-simulate-res: This header should contain a hint for the expected response from the response simulator. It can be any of the options listed in the specific entity tables. If this is not included, the response simulator will default to returning a 200 OK response.
The FIP's Accounts/link/verify API is the only one that utilizes the OTP received from the customer. This API is responsible for submitting the token/OTP back to the FIP to complete the account linkage process. The Response Simulator is set up to accept a predefined list of OTPs for successful account linkage. If an OTP outside of this list is used, the account linkage will fail. This is the default behavior of the Response Simulator, functioning without the need for the x-simulate-res header.
1234
123456
654321
999999
223344
567890
456789
234567
345678
555444
222333
The sample workflow diagram below illustrates the usage of the valid OTP
The sample workflow diagram below illustrates the usage of the invalid OTP
This AA response simulator will support all the APIs listed under this ReBIT Spec - https://api.rebit.org.in/viewSpec/AA_2_1_0.yaml
All
200 OK
Ok
All
400 Bad Request
BadRequest
All
401 Unauthorized Access
Unauthorized
All
404 Not Found
NotFound
All
409 Conflict
Conflict
All
412 Precondition failed
PreconditionFail
All
501 Not Implemented
NotImplemented
All
503 Service Unavailable
ServiceUnavailable
FI/fetch
403 Forbidden
(DataFetchRequestInProgress)
Forbidden
FI/fetch
410 Data Gone
DataGone
All
Timeout Scenario
(delay in sending response)
TimeOut
Sample FI/fetch workflow using AA-SIMULATOR:
The AA Response Simulator (AA-SIMULATOR) includes preloaded scenarios that can be accessed by sending the corresponding scenario ID in the x-scenario-id header. The table below lists the scenarios available from the AA Simulator.
/Consent
ConsentDeposit_Success
Successful consent request
/Consent/handle
ConsentHandleDeposit_Approved
Consent response with status as Approved
/Consent/handle
ConsentHandleDeposit_Ready
Consent response with status as Ready
/Consent/handle
ConsentHandleDeposit_Rejected
Consent response with status as Rejected
/Consent/handle
ConsentHandleDeposit_Expired
Consent response with status as Expired
/Consent/handle
ConsentHandleDeposit_Failed
Consent response with status as Failed
/Consent/handle
ConsentHandleDeposit_Pending
Consent response with status as Pending
/Consent/fetch
ConsentFetchDeposit_Active
Consent fetch with status as Active
/Consent/fetch
ConsentFetchDeposit_Paused
Consent fetch with status as Paused
/Consent/fetch
ConsentFetchDeposit_Revoked
Consent fetch with status as Revoked
/Consent/fetch
ConsentFetchDeposit_Expired
Consent fetch with status as Expired
/FI/request
FIRequestDeposit_Success
Successful FI request
/FI/request
FIRequestDeposit_Expired
FI request with expired consent
/FI/fetch
FIFetchDeposit_Success_1
Successful FI fetch from Bank 1
/FI/fetch
FIFetchDeposit_Success_2
Successful FI fetch from Bank 2
/Consent/Notification
ConsentNotificationDeposit_Success
Successful consent notification
/FI/Notification
FINotificationDeposit_Success
Successful FI notification
/Account/link/Notification
AccountLinkNotificationDeposit_Success
Successful Account Link notification
This is to inform all participants of the Account Aggregator (AA) ecosystem about the deprecation of the ReBIT API V1 in the Central Registry and the necessary steps for transitioning to the V2 API.
Deprecation of ReBIT API V1: As per the notification from ReBIT on 12th May 2024, the ReBIT V1 API has been officially deprecated. All ecosystem participants, including FIPs, FIUs, and AAs, must complete their transition to the ReBIT V2 API by 30th June 2024.
For Participants Using V1: You are required to update your API Endpoint URLs to V2 in the Central Registry. Please share your V2 endpoint details with the Sahamati Services team.
For Participants Supporting Both V1 and V2: To ensure a smooth transition, it is recommended to deprecate the V1 endpoint URL by updating it to /v1/nonexistent-resource in the Central Registry. This will signal to users that the V1 endpoint is no longer valid, ensuring they switch to V2 seamlessly.
Best Practices: As a best practice, participants should refresh the Entities Endpoint URL from the Central Registry daily. This ensures that any updates made by other participants transitioning to V2 are reflected in your system, helping avoid miscommunication or errors.
The ReBIT V1 API deadline has already passed. Participants must ensure that their V1 API Base URLs are updated in the Central Registry to V2 to avoid disruptions.
Update your Base URLs Please reach out to services@sahamati.org.in to update your application Endpoint Base URLs from V1 to V2 in the Central Registry.
The Financial Information (FI) Request Workflow allows a Financial Information User (FIU) to request data from a Financial Information Provider (FIP) via the Account Aggregator (AA), based on user consent.
The Account Discovery & Linking, Consent Workflow are handled by the user to execute the FI request.
After the userโs consent is obtained, the FIU sends a Financial Information (FI) request to the AA to retrieve the data from the relevant FIPs. This request contains the details of the data required (such as bank account statements, loan details, etc.).
ReBIT API: /FI/Request (POST) with 'x-request-meta' header: The FIU sends the FI request to the AA specifying the type of financial data required and the consent artefact through Router, following these steps:
Retrieve the FIP identifier from the Central Registry.
Construct the request header (x-request-meta) using the retrieved identifier for Router compatibility.
Transmit the request to the Router along with the prepared header.
The AA validates the request against the consent artefact and forwards it to the relevant FIP through Router. The FIP retrieves the requested data from its system.
ReBIT API: /FI/Request (POST) with 'x-request-meta' header: The AA forwards the FI request to the FIP, including the consent artefact and data requirements.
Upon receiving the request and validating it against the consent artefact, the FIP provides a session Id to use as reference to fetch the data once it is ready.
FIP asyncronously compose the requested FI data and sends a notification to AA about the readiness to trigger the FI fetch request to get the data.
ReBIT API: /FI/Notification (POST) with 'x-request-meta' header: The FIP sends a notification to AA through Router once the FI data composed and available to fetch.
Once the AA receives the notification from the FIP, it fetches the financial information from the FIP through Router. This data is provided in the agreed format and scope as per the consent.
Once the FI data is ready, AA sends a notification to FIU about the readiness of FI data to fetch by FIU from AA.
ReBIT API: /FI/fetch (POST) with 'x-request-meta' header: The AA sends a FI fetch request to FIP through Router to receive the FI data for the specific Session Id.
ReBIT API: /FI/Notification (POST) with 'x-request-meta' header: The AA sends a notification to FIU through Router once the FI data available to fetch.
Once the AA receives the data from the FIP, it delivers the financial information to the FIU. This data is provided in the agreed format and scope as per the consent.
ReBIT API: /FI/fetch (POST) with 'x-request-meta' header: The AA delivers the financial information to the FIU through Router based on the initial request.
After the FIU receives the data, the FI request workflow is marked as complete. The FIU can now process the data in line with the consent provided by the user.
This FIU response simulator will support all the APIs listed under this ReBIT Spec -
All
200 OK
Ok
All
400 Bad Request
BadRequest
All
401 Unauthorized Access
Unauthorized
All
404 Not Found
NotFound
All
409 Conflict
Conflict
All
412 Precondition failed
PreconditionFail
All
501 Not Implemented
NotImplemented
All
503 Service Unavailable
ServiceUnavailable
All
Timeout Scenario
(delay in sending response)
TimeOut
/Consent/Notification
ConsentNotificationDeposit_Success
Successful consent notification
/FI/Notification
FINotificationDeposit_Success
Successful FI notification
For the POC integration, there are two key validation steps to be completed:
Validation with Simulators: The first step involves validating your Application/APIs with the respective simulators based on your Entity Type. If you are an FIU, you will test the integration with the AA Simulator. If you are an AA, you will validate with both the FIU and FIP Simulators. If you are an FIP, you will validate with the AA Simulator. This ensures that all APIs are functioning correctly and the response codes align with the ReBIT Specification Response Codes.
Validation with REs: The second step occurs once other respective REs (Registered Entities) have onboarded and completed their validation with the simulators. You will then test your integration with these REs to ensure that your application works seamlessly with other participants in the ecosystem.
The Sahamati team will share the list of test cases for API testing based on the ReBIT specification. We will collaborate with you to evolve these test cases throughout the POC, refining and improving them to ensure they comprehensively cover all aspects of the integration and make the process more streamlined and effective.
In both of these validation steps, you are required to share the results with the Sahamati team as evidence to confirm that the integration meets the necessary standards.
More details on these validations will be provided as we progress through the POC.
The Release Calendar outlines the updates and improvements introduced by Sahamati in the common services provided to the Account Aggregator (AA) ecosystem. It highlights key feature deployments and their scheduled timelines for both UAT and Production environments, enabling participants to stay aligned with regulatory and ecosystem-related enhancements. By adhering to the deployment dates, participants can seamlessly integrate these updates into their own release cycles, ensuring they stay up to date with the evolving changes.
2024 - Q4
Customisable Client Secret Expiry Duration
Ecosystem members can specify the expiry duration for secrets' rotation within regulator-defined boundaries.
Members can set expiry duration value via the API request, with a default value of 180 days or a customised value using the secretExpiryDays parameter defined by the entity itself.
Grace Period for Expired Secrets
A grace period allows access token generation with expired secrets, accompanied by a warning.
Tokens can still be generated during the 5-day grace period after expiry, with a warning that the secret has expired.
Error Reduction in Automated Secret Reset
Changes to reduce errors in the automated secret reset process, even if environment configurations change.
Reduces errors during the secret reset process, ensuring compatibility with updated expiry durations or other configuration changes.
Human Readable Expiry Date Format
The expiry date is now visible in a human-readable ISO format.
The expiry date is now provided in the response attribute expirationDate along with expiresOn in the secret API, formatted in an easily readable ISO format.
For detailed information on the API changes, do refer to the API documentation link here
2024 - Q3
Deployed (August 2024)
Deployed (Oct 2024)
Deployed (August 2024)
Deployed (Oct 2024)
Deployed (July 2024)
Deployed (Oct 2024)
Update on Client Secret Rotation:
Based on the UAT feedback regarding client secret rotation, we will be updating the validity period for newly generated tokens to 180 days. As a result, the planned deployment, originally scheduled for 3rd October 2024, has been deployed on 16th October 2024, following the next round of UAT.
The next release will also include changes that allow entities to parameterise and configure the expiry period themselves, based on their respective regulatory guidelines.
This is to inform all participants in the Account Aggregator (AA) ecosystem about the new Client Secret Rotation policy, following the recommendations from market participants.
Best Practice Recommendation: Following feedback from market participants, it was recommended that the Client Secret Token used for authentication of Token Service should be rotated periodically to enhance security and mitigate risks related to token misuse or compromise.
Current Observations: A substantial number of participants have not rotated the Client Secret provided during their initial onboarding with the Central Registry (CR). To address this, Sahamati is introducing a Client Secret Rotation feature that enables participants to rotate their secrets efficiently and securely.
Designated Authorised Users: Each participant organisation must designate an authorised user who will be responsible for managing the Client Secret rotation. This user will be onboarded into the Token Service (Identity & Access Management) and tasked with rotating the secret using new APIs. The SPOC (Single Point of Contact) must also ensure that the newly generated secret token is securely integrated into their organisation's systems. It is recommended to use a service account email associated with the participant organisation. This ensures the account remains under the organisation's control for long-term management, providing consistency and seamless operation over time.
Secret Token Expiration: Moving forward, Client Secret Tokens set by Entities will expire every 180 days. All participants are required to rotate their Client Secrets before the expiration date to ensure uninterrupted access to the network. This regular rotation is essential to maintaining the security of the AA ecosystem.
UAT Environment: The Client Secret Rotation feature is now live in the UAT environment, allowing participants to begin testing the process immediately.
Production Environment: The feature is now available in the Production environment post deployment on 16th October 2024.
Onboard Your Designated User: Each participant must onboard a designated user to the Central Registry, ensuring they are responsible for secret rotations. You can share the designated user's details, along with your current entity information in the Central Registry, with services@sahamati.org.in.
Generate and Rotate Client Secrets: Once the designated user is onboarded by Sahamati, they will receive an email to set a password. Using this email and the newly set password, the designated user can generate a user token for the Token Service (IAM) through User Token Generate API. They can retrieve the existing secret using the Secret - Read API and reset it using the Secret - Reset API to generate a new client secret. The new secret should be rotated into your application. Please refer to the API documentation for further details.
Update Systems for Token Expiration: Ensure that your systems and applications are prepared to handle the periodic 180-day token expiration. Implement a token rotation mechanism using the new APIs to automate this process.
Manual Rotation Option: If automation is not yet ready, you can still rotate the token manually by directly calling Sahamatiโs API.
Please ensure these changes are incorporated into your applications and processes by the given deadlines to maintain uninterrupted access to the AA ecosystem.
Update on Client Secret Rotation:
Based on feedback from UAT on client secret rotation, we have extended the validity period for newly generated tokens to 180 days. Consequently, the deployment, initially scheduled for 3rd October 2024, was completed on 16th October 2024.
Please note that there will be NO automatic expiration of existing secret tokens in the Central Registry. Entities must initiate and set the expiration themselves, using the process outlined above.
In the upcoming release, entities will also be able to parameterise and configure the expiry period of their secrets, in line with their specific regulatory guidelines.
This FIP response simulator will support all the APIs listed under this ReBIT Spec -
All
200 OK
Ok
All
400 Bad Request
BadRequest
All
401 Unauthorized Access
Unauthorized
All
404 Not Found
NotFound
All
409 Conflict
Conflict
All
412 Precondition failed
PreconditionFail
All
501 Not Implemented
NotImplemented
All
503 Service Unavailable
ServiceUnavailable
FI/fetch
403 Forbidden
(DataFetchRequestInProgress)
Forbidden
All
Timeout Scenario
(delay in sending response)
TimeOut
/Accounts/discover
DiscoveryFlowDeposit_Success
Successful account discovery
/Accounts/discover
DiscoveryFlowDeposit_NotFoundMatch
Not found any accounts
/Accounts/discover
DiscoveryFlowDeposit_Multiple
Successful account discovery with 2 accounts - Bank 1 & Bank 2
/Accounts/link
LinkFlowDeposit_Success_1
Successful account link for Bank 1
/Accounts/link
LinkFlowDeposit_Success_2
Successful account link for Bank 2
/Accounts/delink
DeLinkFlowDeposit_Success_1
Successful account de-link for Bank 1
/Accounts/delink
DeLinkFlowDeposit_Success_2
Successful account de-link for Bank 2
/Accounts/link/verify
LinkVerifyFlowDeposit_Success_1
Successful account verification for Bank 1
/Accounts/link/verify
LinkVerifyFlowDeposit_Success_2
Successful account verification for Bank 1
/Accounts/link/verify
LinkVerifyFlowDeposit_InvalidOTP
Invalid OTP for account verification
/Consent
ConsentDeposit_Success
Successful consent response
/FI/request
FIRequestDeposit_Success
Successful FI request
/FI/request
FIRequestDeposit_Expired
FI request with expired consent
/FI/fetch
FIFetchDeposit_Success_1
Successful FI fetch from Bank 1
/FI/fetch
FIFetchDeposit_Success_2
Successful FI fetch from Bank 2
/Consent/Notification
ConsentNotificationDeposit_Success
Successful consent notification
As part of Sahamatiโs ongoing enhancements, the Central Registry APIs have transitioned to Version 2 (V2), following the ReBIT V2 standard. The V2 APIs upgrades done in Jan 2024 are aimed to improve the discovery of entities and streamline the retrieval of endpoints and certificates.
The v1 APIs of Central Registry had been deprecated since Jan 2024.
Transition to V2 APIs: While most ecosystem participants have successfully migrated to the V2 APIs of Central Registry, some are still using the now deprecated V1 APIs. To enforce this transition, V1 APIs are scheduled for decommissioning with this release.
Impact on V1 API Users: Starting from the decommissioning date, any requests made to the deprecated V1 APIs will return a 410 HTTP Status Code, indicating that the requested resource is no longer available and that users must switch to the V2 endpoint.
UAT Environment: These changes have already been deployed in the UAT environment.
Production Environment: The decommissioning will take effect in the Production environment post deployment in October 2024.
For Participants Still Using V1 APIs: If you are among the participants still using the V1 API to access the Central Registry, you need to transition to the V2 APIs of Central Registry immediately. Any attempt to use the V1 version after decommissioning will result in a 410 HTTP response code.
Update your application accordingly to ensure compatibility with the V2 APIs.
Member / Entity
Definition: Refers to a Financial Information User (FIU), Financial Information Provider (FIP), or Account Aggregator (AA) within the Account Aggregator ecosystem and Sahamati Network.
This FAQ section summarises the key aspects of the SahamatiNet Router and its integration process in a clear, concise manner.
Q. What is the SahamatiNet Router, and what role does it play in the AA ecosystem?
The SahamatiNet Router is a network service that streamlines and secures interactions between Financial Information Providers (FIPs), Account Aggregators (AAs), and Financial Information Users (FIUs). It simplifies communication by reducing integration complexity, ensuring interoperability, and enabling secure data exchange.
Q. How does the SahamatiNet Router enhance integration and collaboration within the AA Ecosystem?
The Router provides a standardised network interface, eliminating the need for multiple custom integrations. It handles backend tasks like traffic routing and load balancing, simplifying data exchange and promoting better collaboration among participants in the AA ecosystem.
Q. How does the Router handle scalability as the AA ecosystem grows?
The Router is designed for scalability and can manage increased traffic and participants as the ecosystem expands. It supports horizontal scaling, multiple availability zones, and multi-region cloud deployments, ensuring high performance and availability.
Q. How does observability in the SahamatiNet Router benefit participants?
The Router offers real-time observability, allowing participants to monitor API call frequency, response times, and error rates. This enables optimised system performance, easier issue diagnosis, and improved operational efficiency.
Q. Is the additional onboarding process for FIUs, AAs, and FIPs still required by the AA Ecosystem application when integrating with the SahamatiNet Router?
Once onboarded to the SahamatiNet Router, there is no additional onboarding required for FIUs, AAs, or FIPs in their respective applications. All participants will have already undergone the necessary compliance and validation through SahamatiNet, ensuring this step is covered for all entities. This process aligns with current participant interactions.
Q. Will this change impact the integration process?
Yes, this change simplifies the integration process by eliminating the need for extra code or configuration for additional onboarding in your application. It enhances the ease of connection and overall efficiency across the AA ecosystem.
Q. Are there any data size limits or timeout considerations?
Yes, there are defined data size limits and timeout rules outlined in the integration guidelines. These values will be finalised and standardised during the Proof Of Concept (POC), with a consensus process involving all participants.
Q. What about the delay in using the integration?
The integration is designed to be sub-second, ensuring minimal delay. The Router ensures fast, efficient communication between entities, facilitating seamless interactions.
Q. Is integration with SahamatiNet mandatory?
No, integrating with SahamatiNet via the Router is not mandatory for participating in the AA ecosystem. However, integration simplifies interactions and ensures secure, standardised, and efficient communication between REs (Registered Entities).
For example, if an AA gets onboarded to SahamatiNet, it gets access to all the onboarded FIPs without having to integrate individually with each FIP. Similarly, when an FIU gets onboarded to SahamatiNet, technically, it has access to all AAs who are onboarded. AA will still need the bilateral commercial agreement with the FIUs.
Q. What is the purpose of the SahamatiNet Router sandbox environment?
The sandbox environment allows participants to test integrations in a risk-free setting that mimics real-world conditions. For the Proof of Concept (POC), the SahamatiNet Sandbox is used for validation and troubleshooting before transitioning to UAT and production environments.
Note: The Sandbox environment is independent of the UAT and Production environments of SahamatiNet.
Environment
Base URL
Sandbox
UAT
Production
How To create or decide on an Entity ID value in the onboarding request ?
An Entity ID is a unique identifier that represents a specific entity such as an FIU (Financial Information User), AA (Account Aggregator), or FIP (Financial Information Provider). It should follow a clear, readable naming convention that helps identify the entity.
Best practice for naming Entity IDs: Use a suffix-based naming convention like:
For FIUs: XYZ_FIU
For AAs: ABC_AA
For FIPs: AXBYCZ_FIP
For Lower environments you can even add the environment name as well
For FIU : XYZ_UAT_FIU or XYX_SANDBOX_FIU
For AA : ABC_UAT_AA or ABC_SANDBOX_AA
For FIP : AXBYCZ_UAT_FIP or AXBYCZ_SANDBOX_FIP
Ensure that the Entity ID is a unique and easily recognisable name of the organisation that is getting onboarded. It can include letters, numbers, or symbols, but a simple and meaningful string is recommended.
Do note, the above examples and recommendations use an underscore ( _ ) as the delimiter. You can also use hyphens ( - ) if preferred.
To fetch the metadata of a specific entity by its type and ID
Type of entity
Entity identifier
Steps for Onboarding to SahamatiNet Router in Sandbox:
1. What You Need to Provide:
Organisation Details: For onboarding your organisation as an Entity (FIP, AA, or FIU) in the Central Registry.
Entity ID for your organisation
Base URL Endpoint to your application
RSA Public Key
IP Address, inbound and outbound ports [optional for UAT, required for Production environment for whitelisting]
Designated User: Provide required contact details of a representative responsible for generating and managing the client secret key for your entity in IAM(Token Service).
Name, Email address of the designated email account from your organisation.
It is recommended to use a service account email associated with the participant organisation. This ensures the account remains under the organisation's control for long-term management, providing consistency and seamless operation over time.
2. Where to Find Onboarding Details:
3. Submission Process:
For regulated entities in AA ecosystem, do send the required details to sandbox@sahamati.org.in.
The Sahamati team will review your submission and provide access credentials to your designated user via an email.
Do note, this step will be moved to a registration page on a self service portal for SahamatiNet Router going forward.
4. Client Secret Token Generation:
Once the designated user is onboarded by Sahamati, they will receive an email to set a password.
Using this email and the newly set password, the designated user can:
To generate a User Access Token, the user must provide their username (email) and the password configured during the account activation process. This access token is necessary for interacting with the member's secret management APIs. The access token has an expiry of 180 days. Below is the API specification.
User email.
The password associated with the user.
To generate a Member (Entity) Access Token, the client ID and Secret are required. The API generates the token with a warning if the secret is within the grace period, but it will fail once the grace period has ended. This token is used for interactions with other members and has a validity of 24 hours. The API specification is detailed below.
The entity ID.
The secret associated with the entity.
Full onboarding instructions and required JSON details can be found.
Generate a user token for the Token Service (IAM) through the .
Reset the secret using the to generate a new client secret.
Retrieve the existing entity secret using the .
Using this entity secret, you can .
Refer to the for more details.
The Read Secret API enables admin to retrieve the current secret for a specific member. To access this information, an user access token with administrative rights must be provided. Below is the API specification.
User Bearer token for authorization
1.0.02024-07-16T11:33:34.509Zf35761ac-4a18-11e8-96ff-0277a9fbfedcaa-1Specifies the number of days before the secret expires. This field is optional; if not provided, a default value will be used.
100The Reset Secret API is designed to allow an admin to reset a member's secret. To perform this action, an access token with administrative privileges for the specified member is required. Once reset, the newly generated secret will have a validity period of 180 days by default, after which it will need to be renewed or reset again.
With the latest enhancements, members can now select their desired validity period for secrets, up to a defined maximum limit (default: 180 days). The specified validity period is compared with the admin access token expiry, and the minimum value is applied to ensure authentication and security. Additionally, a grace period of 5 days is provided to facilitate a seamless transition between old and new secrets.
Below is the API specification.
User Bearer token for authorization
1.0.02024-07-16T11:33:34.509Zf35761ac-4a18-11e8-96ff-0277a9fbfedcaa-1Specifies the number of days before the secret expires. This field is optional; if not provided, a default value will be used.
100This section offers simple instructions for performing essential tasks within the Sahamati ecosystem. These guides aim to help participants easily navigate and complete key technical processes
How to generate and validate tokens using APIs (using curl)
To generate and validate access tokens from Sahamati, here are sample curl commands for User Token and Entity Token APIs. It is recommended to use Postman for quicker and more efficient testing. However, the following curl commands are helpful for direct implementation within code.
User Access Token API: This API generates a token for a user (email/password-based authentication). To generate a User Access Token, the user must provide their username (email) and the password configured during the account activation process. This access token is necessary for interacting with the member's secret management APIs. The access token has an expiry of 24 hrs.
Example curl
Entity Access Token API: This API generates a token for an entity based on its ID and secret. The generation of a Member (Entity) Access Token requires the ID (client ID) and the Secret. This access token is used for the interaction with other members. The access token has an expiry of 24 hrs.
Example curl
Ensure you replace <your-email>, <your-password>, <entityId>, and <entitySecret> mentioned in above curl with actual values when running these commands.
Postman Collection: You can also download the Postman collection from the Sahamati developer portal. The Postman collection includes pre-configured API requests and is ideal for rapid testing and validation of token generation.
This API can be used by the AAs to check availability of the FIP application.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
This API is intended to be used by AA to notify FIU about the change in consent status due to the consent management operations performed by the Customer. For more details about consent notification flow, please refer FAQ section. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIU by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Information about the notifier
Contains the Consent ID, Consent Handle and Consent Status details.
This API can be used by AAs to send notifications related to Financial Information (FI) fetch to FIU/AA Client. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIU by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Information about the notifier
Contains the financial information fetch session id and session status details.
This API enables an AA to discover accounts belonging to a customer based on the customer identifiers. A list of masked account information and corresponding linkRefNumber for each discovered account is returned based on the identifier matching logic at FIP.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version.
2.0.0Request creation timestamp.
2023-06-26T06:41:54.904+0000Unique transaction identifier used for providing an end to end traceability.
f35761ac-4a18-11e8-96ff-0277a9fbfedcThis block would contain the information about the customer including the identifiers & the customer address at the AA
List of financial information types.
This API will be used for initiating an account link request to link selected account/s with the AA customer address. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Current Timestamp
2023-06-26T17:51:18.412ZUnique transaction identifier used for providing an end to end traceability.
f35761ac-4a18-11e8-96ff-0277a9fbfedcCustomer identifiers including AA virtual address.
This API will be used to delete a previously established account link to the user's profile. Once deleted, the financial information can not be retrieved for that account through Account Aggregator.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message.
2023-06-26T17:51:18.412ZUnique transaction identifier used for providing an end to end traceability.
f35761ac-4a18-11e8-96ff-0277a9fbfedcThis API is used to submit the token/OTP(received from the customer) back to FIP so that account linkage can be completed. It is used only in case of token-based authentication for linking accounts. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message.
2023-06-26T10:27:17.699+0000Unique transaction identifier used for providing an end to end traceability.
410c2d2e-4a1e-11e8-960e-0277a9fbfedcTemporary reference number generated by FIP for account linking request
f6b1482e-8f08-11e8-862a-02552b0d3c36The token that was sent to the customer by the FIP to confirm account link activity
999999This API is used by the AA to request for financial information from the FIP. The FIP will validate the request against the signed consent and return a sessionID which can then be used by the AA to fetch the required data.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message.
2023-06-26T09:58:50.505ZUnique transaction identifier used for providing an end to end traceability.
c4a1450c-d08a-45b4-a475-0468bd10e380Consent Artefact details.
Specifies the date time range for which the financial information is requested
Contains the cryptographic parameters that are required to perform End-to-End encryption for sharing the financial information between the producer and the consumer in a secure manner. Please refer this link for more information: https://tools.ietf.org/html/rfc4492
This API is used to fetch financial information from FIP once AA recieves the data ready notification.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message.
2023-06-26T06:41:34.904+0000Unique transaction identifier used for providing an end to end traceability.
af5b8023-aabc-4a46-8f37-d3c167129b1eA session ID is a base-64 encoded UUID number that FIP returns to the AA for each financial information access request.
caa2f259-2dc2-4075-87aa-6d81018b6183FIP ID as defined in the Account Aggregator Ecosystem.
FIP-1Reference number assigned by FIP as part of Account Linking Process.
This API is intended to be used by AA to notify the change in consent status due to the consent management operations performed by the customer. For more details about consent notification flow, please refer FAQ section. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message.
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Information about the notifier
Contains the Consent ID and Consent Status details.
This API will be used by the AA to send the consent artefact to the FIP on creation.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
aa_api_key is provided to FIP by the AA
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0The unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Unique ID generated by AA after consent approval is given by the customer.
XXXX-XXXX-XXXX-XXXXSpecifies the status of consent artefact
Creation time of the Consent Artefact
2023-06-26T11:39:57.153ZConsent artefact signed using JWS. See SignedConsentDetail model for consent format.
eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyNzE5MTNlLTdiOTMtNDlkZC05OTQ5LTFjNzZmZjVmYzVjZiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19.ew0KICAgICAgICAiY29uc2VudFN0YXJ0IjogIjIwMTktMDUtMjhUMTE6Mzg6MjAuMzgwKzAwMDAiLA0KICAgICAgICAiY29uc2VudEV4cGlyeSI6ICIyMDIwLTA1LTI4VDExOjM4OjIwLjM4MSswMDAwIiwNCiAgICAgICAgImNvbnNlbnRNb2RlIjogIlZJRVciLA0KICAgICAgICAiZmV0Y2hUeXBlIjogIk9ORVRJTUUiLA0KICAgICAgICAiY29uc2VudFR5cGVzIjogWw0KICAgICAgICAgICAgIlBST0ZJTEUiLA0KICAgICAgICAgICAgIlNVTU1BUlkiLA0KICAgICAgICAgICAgIlRSQU5TQUNUSU9OUyINCiAgICAgICAgXSwNCiAgICAgICAgImZpVHlwZXMiOiBbDQogICAgICAgICAgICAiREVQT1NJVCIsDQogICAgICAgICAgICAiVEVSTS1ERVBPU0lUIg0KICAgICAgICBdLA0KICAgICAgICAiRGF0YUNvbnN1bWVyIjogew0KICAgICAgICAgICAgImlkIjogImNvb2tpZWphci1hYUBmaW52dS5pbiIsDQogICAgICAgICAgICAidHlwZSI6ICJBQSINCiAgICAgICAgfSwNCiAgICAgICAgIkRhdGFQcm92aWRlciI6IHsNCiAgICAgICAgICAgICJpZCI6ICJCQVJCMEtJTVhYWCIsDQogICAgICAgICAgICAidHlwZSI6ICJGSVAiDQogICAgICAgIH0sDQogICAgICAgICJDdXN0b21lciI6IHsNCiAgICAgICAgICAgICJpZCI6ICJkZW1vQGZpbnZ1Ig0KICAgICAgICB9LA0KICAgICAgICAiQWNjb3VudHMiOiBbDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImZpVHlwZSI6ICJERVBPU0lUIiwNCiAgICAgICAgICAgICAgICAiZmlwSWQiOiAiQkFSQjBLSU1YWFgiLA0KICAgICAgICAgICAgICAgICJhY2NUeXBlIjogIlNBVklOR1MiLA0KICAgICAgICAgICAgICAgICJsaW5rUmVmTnVtYmVyIjogIlVCSTQ4NTk2NDU3OSIsDQogICAgICAgICAgICAgICAgIm1hc2tlZEFjY051bWJlciI6ICJVQkk4NTIxNzg4MTI3OSINCiAgICAgICAgICAgIH0sDQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgImZpVHlwZSI6ICJERVBPU0lUIiwNCiAgICAgICAgICAgICAgICAiZmlwSWQiOiAiQkFSQjBLSU1YWFgiLA0KICAgICAgICAgICAgICAgICJhY2NUeXBlIjogIlNBVklOR1MiLA0KICAgICAgICAgICAgICAgICJsaW5rUmVmTnVtYmVyIjogIlVCSTQ4NTk2NDUiLA0KICAgICAgICAgICAgICAgICJtYXNrZWRBY2NOdW1iZXIiOiAiVUJJODUyMTc4ODEyIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdLA0KICAgICAgICAiUHVycG9zZSI6IHsNCiAgICAgICAgICAgICJjb2RlIjogIjEwMSIsDQogICAgICAgICAgICAicmVmVXJpIjogImh0dHBzOi8vYXBpLnJlYml0Lm9yZy5pbi9hYS9wdXJwb3NlLzEwMS54bWwiLA0KICAgICAgICAgICAgInRleHQiOiAiV2VhbHRoIG1hbmFnZW1lbnQgc2VydmljZSIsDQogICAgICAgICAgICAiQ2F0ZWdvcnkiOiB7DQogICAgICAgICAgICAgICAgInR5cGUiOiAicHVycG9zZUNhdGVnb3J5VHlwZSINCiAgICAgICAgICAgIH0NCiAgICAgICAgfSwNCiAgICAgICAgIkZJRGF0YVJhbmdlIjogew0KICAgICAgICAgICAgImZyb20iOiAiMjAxOS0wNS0yOFQxMTozODoyMC4zODMrMDAwMCIsDQogICAgICAgICAgICAidG8iOiAiMjAyMC0wNS0yOFQxMTozODoyMC4zODErMDAwMCINCiAgICAgICAgfSwNCiAgICAgICAgIkRhdGFMaWZlIjogew0KICAgICAgICAgICAgInVuaXQiOiAiTU9OVEgiLA0KICAgICAgICAgICAgInZhbHVlIjogNA0KICAgICAgICB9LA0KICAgICAgICAiRnJlcXVlbmN5Ijogew0KICAgICAgICAgICAgInVuaXQiOiAiSE9VUiIsDQogICAgICAgICAgICAidmFsdWUiOiA0DQogICAgICAgIH0sDQogICAgICAgICJEYXRhRmlsdGVyIjogWw0KICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICJ0eXBlIjogIlRSQU5TQUNUSU9OQU1PVU5UIiwNCiAgICAgICAgICAgICAgICAib3BlcmF0b3IiOiAiPiIsDQogICAgICAgICAgICAgICAgInZhbHVlIjogIjIwMDAwIg0KICAgICAgICAgICAgfQ0KICAgICAgICBdDQogICAgfQ.O3KPh-eTpW2w47QXYidOBe1Hk2y7djVAEcOnZyRRvxQ3cY18-9ZWiodF16jff-e7yNQgsYZpAy95Fx2Fft8LoYugkYh9_6qHiG_7LCtW8Ng4nCMgZM3Wwsj11ks1msrK5C1ksPrGlTkFhm9-FufNkPTAlW76_5Sb8G_lOsIj1lB8TrvKpOvPlhEIgsS4WBNdPfv3SBqTV2suw2LvkX3QTilqwuMgXMkrm9-RYL90fweX_yyoyaBWHOJNQaKNuQWPpoRRNHGOx3v4_QiwgrELdfeTVtKn6R_AsfaBoEthQ3wrc8tY1q0Wx5j0x18NdU2R2C26dHyZ9M11dEH99psA1ASection defining the parameters for consent tracking
How to create a certificate using https://mkjwk.org/
To generate a certificate, follow these steps:
Go to https://mkjwk.org/
Select the required fields:
Key Use (use): Choose sig (for signature).
Algorithm (alg): Select RS256 (RSA Signature with SHA-256).
Key ID (kid): This is a unique identifier for the key. You can enter any random string or a specific identifier that you would like to use.
Key Type (kty): RSA is recommended, so ensure RSA is selected.
Modulus (n): This will be automatically generated when you create the key.
Exponent (e): This will also be generated automatically.
Generate the Key Pair:
Click the โGenerateโ button to create your public and private key pair. Make sure to save both the public and private keys securely as the private key will be required later for signing requests.
Validate the certificate: Ensure the generated certificate contains the following properties:
kty: Key Type (e.g., RSA)
e: Exponent (e.g., AQAB)
use: Key Use (e.g., sig)
kid: Key ID (your unique key identifier)
alg: Algorithm (e.g., RS256)
n: Modulus (the base64 encoded string representing the modulus of the RSA key)
Example json output:
Screenshot for your reference
This API can be used by FIPs and FIUs to check availability of AA Application.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
fip_api_key is provided to AA by the FIP
This API is intended for AA Client to request generation of digitally signed consent artefacts. The customer has to use the AA application to select accounts and approve consent generation. Once the customer approves the consent request on the AA application, AA generates the digitally signed consent artefacts. Note - The AA Client never sees the account of the customer or directly participates in consent generation.
Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe transaction identifier generated by the requester for providing an end to end traceability. The AA should use this transaction identifier in the responses and notifications for FIU to correlate response with the request. The transaction identifier will be a UUID generated string.
4a4adbbe-29ae-11e8-a8d7-0289437bf331Specify the financial information types that customer wants to access
This API is intended to be used by FIU/AA Client to check the consent status and retrieve the consent ID from AA once the consent is approved by customer. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver (recipient-id) to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
795038d3-86fb-4d3a-a681-2d39e8f4fc3cUnique ID generated by AA after receiving the consent request. Consent Handle can be used by FIU/AA Client to check the consent status and retrieve the consent ID once the consent is approved by customer.
39e108fe-9243-11e8-b9f2-0256d88baae8This API is intended for fetching the information associated with the specific consent. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
fip_api_key is provided to AA by the FIP
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Unique ID generated by AA after consent approval is given by the customer.
654024c8-29c8-11e8-8868-0289437bf331This API is used by the FIU to request for financial information from the AA. The AA will validate the request against the signed consent and return a sessionID which can then be used by the FIU to fetch the required data. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
e8cc6822-d4bb-4eb1-9e1b-4996fbff8acbSpecifies the date time range for which the financial information is requested
Contains the cryptographic parameters that are required to perform End-to-End encryption for sharing the financial information between the producer and the consumer in a secure manner. Please refer this link for more information: https://tools.ietf.org/html/rfc4492
This API is used to fetch financial information from AA once FIU recieves the data ready notification. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message.
2023-06-26T11:39:57.153ZUnique transaction identifier used for providing an end to end traceability.
3dd436f8-0747-4a8f-9001-375e419430beA session ID is a base-64 encoded UUID number that an AA returns to the FIU or AA Client for each financial information access request.
caa2f259-2dc2-4075-87aa-6d81018b6183FIP ID as defined in the Account Aggregator Ecosystem.
FIP-1Reference number assigned by FIP as part of Account Linking Process.
This API can be used by AA Client, FIU and FIP to place a request for consent status update to AA in specific use cases. For more details, please refer FAQ section. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
fip_api_key is provided to AA by the FIP
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Information about the notifier
Contains the Consent ID and Consent Status details.
This API can be used by AA Client, FIU and FIP to send notifications related to Financial Information (FI) fetch to AA. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
client_api_key is provided to AA by the AA Client or the FIU
fip_api_key is provided to AA by the FIP
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Information about the notifier
Contains the financial information fetch session id and session status details.
This API can be used by FIP to send account linking related notifications to AA in case of direct authentication method of account linking. Note: "Request Body Example Value" and "Responses Example Value" given below is for illustrative purposes only.
fip_api_key is provided to AA by the FIP
Detached JWS of the body
It is the Base64 encoded JSON object having the identifier of the receiver to whom the API call needs to be forwarded. Ex: x-request-meta: [Base64 of {"recipient-id": "SIMULATOR"}] i.e x-request-meta: eyJyZWNpcGllbnQtaWQiOiAiU0lNVUxBVE9SIn0K
API version
2.0.0Creation timestamp of the message
2023-06-26T11:39:57.153ZThe unique transaction identifier used for providing an end to end traceability.
0b811819-9044-4856-b0ee-8c88035f8858Information about the notifier
