How to call our APIs
You can call Mediobanca Premier APIs on external-api.mediobancapremier.io domain. As a prerequisite, you should already have requested an Application in the Profile private section in the portal.
OAuth login
It's the standard OAuth 2.0 authentication flow.
At the end of the flow, the caller application server will obtain the OAuth access token, which will grant access to all the configured APIs.
See also OAuth2.0 - Flows
Headers
See also Headers&Cookies for details about the requested headers.
PSD2 specific headers
To implement the Payment Service Directive 2 (PSD2) we require the AISP/PISP to insert some specific headers in every API call. Following a short description:
| Header name | Description |
|---|---|
| Authorization | It contains the security token (Bearer < OAuth access token >) |
| TPP-Transaction-ID | Id of the entire transaction, determined by the TPP |
| TPP-Request-ID | Id of the single API request, determined by the TPP |
| TPP-Certificate | It contains the TPP certificate used to sign the HTTP request |
| Signature | Signature of the request, as defined in draft-cavage-http-signatures-09 |
| Digest | SHA256 of the request body |
| Date | Header containing the date and time of the request. It follows the RFC 7231 Full Dates specification |
These headers are also documented in each API reference.
You must pass these headers in every API request to external-api.mediobancapremier.io (in the following sections, for readability, the specific PSD2 headers will be omitted, but they have to be added in order to perform a real call).
Requests to external-api.mediobancapremier.io
First of all, you need an OAuth2.0 access token (see here).
Example request:
GET/POST/PUT/DELETE https://external-api.mediobancapremier.io/path/to/api
Headers:
Accept: application/json
Content-Type: application/json
CB-Trace-Id: viewId=<NAME_OF_CALLER_COMPONENT>
Accept-Language: <YOUR_LANGUAGE>
cb-apitrack-id: <CB_APITRACK_ID>
Authorization: Bearer <OAUTH_ACCESS_TOKEN>
TPP-Request-ID: <TPP_REQUEST_ID>
TPP-Certificate: <TPP_CERTIFICATE>
Signature: <SIGNATURE>
Digest: <DIGEST>
Date: <REQUEST_DATE>
Body:
{
json structure
}Access Control Lists (ACL)
A client application is subject to a set of ACL. Based on the third party PSD2 profile (AISP/PISP), when you request an application the ACLs will automatically be created. Basically, if you're an AISP, the ACLs will allow you to call only inquiry APIs, while if you're a PISP you will be allowed to call payment APIs.
If the application is requested for the Sandbox environment no ACL will be checked at runtime.
Required API Flow to obtain customer information
There is a fixed flow of operations to execute to obtain customer data and execute operations on his behalf. Note that the PSD2 headers will be omitted from the example for readability.
Step 1: Authentication
The login phase is explained here
Step 2: Get customer identifier
Call this API to get the identifier of the authenticated customer
GET /private/customers/customerid-infoHeaders
Accept: application/json
Content-Type: application/json
CB-Trace-Id: viewId=<NAME_OF_CALLER_COMPONENT>
Accept-Language: <YOUR_LANGUAGE>
cb-apitrack-id: <CB_APITRACK_ID>
Authorization: Bearer <OAUTH_ACCESS_TOKEN>{
"data": {
"customerid": "<CUSTOMER_ID>"
},
"result": {
"result": true,
"requestId": "<REQUEST_UNIQUE_ID>",
"outcome": "SUCCESS",
"flushMessages": true,
"messages": []
}
} Step 3: Get customer accounts
The accounts API returns the list of accounts of the customer.
GET /private/customers/{customerId}/accountsHeaders
Accept: application/json
Content-Type: application/json
CB-Trace-Id: viewId=<NAME_OF_CALLER_COMPONENT>
Accept-Language: <YOUR_LANGUAGE>
cb-apitrack-id: <CB_APITRACK_ID>
Authorization: Bearer <OAUTH_ACCESS_TOKEN>{
"data": {
"accounts": [
{
"accountId": "<PRODUCT_ID>",
"product": {
"code": "<PRODUCT_TYPE_CODE>",
"description": "<PRODUCT_TYPE_DESCRIPTION>"
},
"currency": "<CURRENCY>",
"iban": "<IBAN>",
"name": "<PRODUCT_NICKNAME>"
}
....
]
},
"result": {
"requestId": "<REQUEST_UNIQUE_ID>",
"outcome": "SUCCESS",
"flushMessages": true,
"messages": []
},
"_links": {
"self": {
"href": " ",
"method": "GET"
},
"curies": [
{
"href": "https://external-api.mediobancapremier.io/private/customers/3610569/accounts/{rel}",
"name": "accounts"
}
]
},
"_embedded": {}
}Step 4: Grant Consent
This step is required only the first time the customer logs in the TPP application or in case of modification to the given consent. You must specify a list of API categories you want the access to, and for each one a list of customer products (identified by a productId, returned by the /accounts API) that will be given the consent on. The possible API categories you can request access to are:
- ACCOUNT_INFO -> if you're an AISP
- FUNDS_AVAILABILITY -> if you're a PIISP or a PISP
- PAYMENTS -> if you're a PISP
The consent workflow consists of 3 steps:
- a consent request, with all the required details
- the authentication workflow, started by the /private/auth/security/sca/{resourceId}/approach API
- the consent request confirmation, after a successful customer authentication
In production, you can have a client_credentials application in addition to your authorization_code application. The consent can be given only with the user online, so you need to call the API to grant consent with the authorization_code client. The privileges will be automatically propagated to your client_credentials application. So, if a customer gives you the privilege to get the balance of his account n. 123456, you can read his balance both with your authorization_code application and with your client_credentials application (with the PSD2 directive limitations)
Important note: the consent given for a specific account is valid forever until explicitly revoked by the customer, so this is an operation to be performed usually only on the first access.
Consent request
POST /private/customers/{customerId}/consent/requestHeaders
Accept: application/json
Content-Type: application/json
CB-Trace-Id: viewId=<NAME_OF_CALLER_COMPONENT>
Accept-Language: <YOUR_LANGUAGE>
cb-apitrack-id: <CB_APITRACK_ID>
Authorization: Bearer <OAUTH_ACCESS_TOKEN>Request:
{
"data": {
"categories": [
{
"name": "ACCOUNT_INFO",
"products": [
"0001922365",
"0012558963"
]
},
{
"name": "PAYMENTS",
"products": [
"0001922365",
"0012558963"
]
}
]
}
}Response:
{
"data": {
"categoriesOutcome": [
{
"name": "ACCOUNT_INFO",
"outcome": true
},
{
"name": "PAYMENTS",
"outcome": true
}
]
},
"result": {
"requestId": "<REQUEST_UNIQUE_ID>",
"outcome": "SUCCESS",
"flushMessages": true,
"messages": []
},
"_links": {
"next": {
"href": "request/24ab6f20-24ff-403d-871c-f30de0d2802a/confirm",
"method": "PUT"
},
"self": {
"href": "request",
"method": "POST"
},
"curies": [
{
"href": "https://external-api.mediobancapremier.io/private/customers/<CUSTOMER_ID>/consent/{rel}",
"name": "consent"
}
]
},
"_embedded": {},
"resources": {
"resourceId": "24ab6f20-24ff-403d-871c-f30de0d2802a"
}
}Consent authorization
GET /private/auth/security/sca/{resourceId}/approachHeaders
Accept: application/json
Content-Type: application/json
CB-Trace-Id: viewId=<NAME_OF_CALLER_COMPONENT>
Accept-Language: <YOUR_LANGUAGE>
cb-apitrack-id: <CB_APITRACK_ID>
Authorization: Bearer <OAUTH_ACCESS_TOKEN>
TPP-Redirect-URI: <TPP_CALLBACK_AFTER_SCA>Response:
{
"resources": {
"resourceId": "24ab6f20-24ff-403d-871c-f30de0d2802a"
},
"result": {
"requestId": "<REQUEST_UNIQUE_ID>",
"outcome": "SUCCESS",
"flushMessages": true,
"messages": []
},
"_links": {},
"_embedded": {},
"data": {
"scaRedirectURL": "https://clienti.mediobancapremier.com/sca-authorize/?resourceId=<RESOURCE_ID>",
"chosenScaApproach": "REDIRECT"
}
}Then, the TPP must return to the browser a redirect to the scaRedirectURL returned by the previous API. The customer will be in charge of completing the SCA in the browser, and at the end the customer will be redirected to < TPP_CALLBACK_AFTER_SCA >, which is a TPP resource. After that, TPP will be able to call the confirmation API.
Consent confirmation
PUT private/customers/{customerId}/consent/request/{resourceId}/confirmHeaders
Accept: application/json
Content-Type: application/json
CB-Trace-Id: viewId=<NAME_OF_CALLER_COMPONENT>
Accept-Language: <YOUR_LANGUAGE>
cb-apitrack-id: <CB_APITRACK_ID>
Authorization: Bearer <OAUTH_ACCESS_TOKEN>Request:
{}Response:
{
"data": {},
"result": {
"requestId": "<REQUEST_UNIQUE_ID>",
"outcome": "SUCCESS",
"flushMessages": true,
"messages": []
},
"_links": {
"self": {
"href": "request/24ab6f20-24ff-403d-871c-f30de0d2802a/confirm",
"method": "POST"
},
"curies": [
{
"href": "https://external-api.mediobancapremier.io/private/customers/<CUSTOMER_ID>/consent/{rel}",
"name": "consent"
}
]
},
"resources": {
"resourceId": "24ab6f20-24ff-403d-871c-f30de0d2802a"
}
}Step 5: Call any other API
Now that you have the authentication token, the customerId and the productId, you can call any other API!
You can find the API reference here
For inquiry APIs, you should take a look at this page to understand the process to follow in case of PSD2_SCA_REQUIRED error code.
If you want to implement a payment with our APIs, you should also read here, where you can find more information about our payment workflow.