This guide explains how to test the Payments and Accounts APIs of the 'Payment and Accounts' API product. A Client ID and Client Secret have been included in the attached Postman collection for convenience. However, you should sign up to the portal, create an application and subscribe to the 'Payment and Accounts' API product. This will give you your own Client ID and Client Secret for invoking the APIs. Please refer to the Getting Started page for instructions on how to do this.
Postman collection to test STET Accounts APIs
Below you can find the link to a test suite with the steps required to test the STET Accounts APIs. It includes HTTP requests with sample headers and test data.
Postman is a free REST test tool; you can download it from here. Save the content of the link below as a .json file and then import it into the tool as a test collection.
Link to postman collection to test STET PSD2 APIs
The rest of this page explains the steps implemented in the test suite. You can use this information as guidance for the logic you need to implement in your application to be able to execute a payment.
Steps to test STET Accounts APIs
1. Obtain consent from the customer to access accounts information
You start the three-legged OAuth 2.0 flow that enables the ASPSP (the bank) to authenticate the customer and capture their consent to access accounts information.
Using a web browser, invoke the URL below to emulate the customer giving consent for accessing accounts information (changing the values as required).
https://api.eu.apiconnect.ibmcloud.com/cmarcoliukibmcom-open-banking-agg...
URL Parameters
Parameter | Value | Description |
response_type | code | The OAuth flow type being used |
client_id | b299f9df-045a-43f4-a8b1-db58763c5f59 | The client ID of your application registered in the developer portal |
state | 123456 | The state as specified by the TPP |
scope | aisp openid | The scope being requested. Must match the scope of the POST open-banking/payment-submissions endpoint |
redirect_uri | http://localhost/redirect | The redirect URL of the application registered in the developer portal |
nonce | ABC-789 | The nonce as specified by the TPP |
First, as a bank account owner, you have to authenticate directly with your (favorite) bank. Two accounts are provided for test purposes. You can choose either of them; the default is Jean Martin's account.
- login: Anne-Dubois - password: no specific password, enter any character
- login: Jean-Martin - password: no specific password, enter any character. This is the default account
If you use the login 'Anne-Dubois' you are bound to the bank account owner Anne Dubois (with accountId "100" and "101"); otherwise you are Jean Martin (with accountId "200" and "201").
A second authentication is required to access the consent page and grant access to accounts information. A 6-digit code is enforced and you need to provide the right value. For this, you have to install the Authy app (on Mac, Linux, Windows PC or smartphone).
Example of the Authy app UI:
Then, once you are "strongly" authenticated, you can select the accounts the TPP app (AISPapp in the following example) is allowed to access:
Follow the UI flow and at the end, take note of the authorisation code appended to the URL (e.g. http://localhost/redirect?code=xxxxxxxxxxxxx).
2. Get the access token required to access accounts information
Following the OAuth 2.0 protocol, you now exchange the authorisation code for the access token required for step 4. If you want, you can see, by following the instructions of step 3, how the token is linked to the accounts information access approved by the customer.
Call the POST /oauth2/token endpoint in the StetAccountsPSUOAuth2Security API. The following must be passed in the headers and body of the HTTP request (changing the values as required).
Body
Parameter | Value | Description |
client_id | b299f9df-045a-43f4-a8b1-db58763c5f59 | Client id of your application |
client_secret | rH5oA6lP6tV6lJ7qU6bK0yX0gE8fJ8wD1cH3uX7qJ6dM4iA5lE | Client secret of your application |
grant_type | authorization_code | The grant type being requested |
redirect_uri | http://localhost/redirect | The redirect URL which must match that of the application registered in the developer portal. |
code | AAINOPze9ca_secTAjtK7xfjYM3cuUR12Tqedf0mmCXx0K1viL8UQke3vb7Q65NegBoPN8GADS7- kVvJjLlUuwjb60mH09duTXxB2V49GD9jeJjOa8Idpz6JNCFukBBzA9W90JdKiEjMXQf6cM8QFqudNJ4jGQecmI_ JFWRwIcvXDeesKJlX4I_uSEzRbrZ2lmRk5R9o5-2sUCen_ vRgv8nxUh6u57OXp9gXZPzhzzDWe4bALn5kp6AoKcG9E7FBGWWZQDIF7D9cqz9LGXZIcT8 | The authorisation code retrieved in step 1 |
Take note of the access token in the response data.
3. Introspect the access token (optional)
Note that this step is not required for accessing accounts information; however, looking at the content of the access token will help you understand how the system works behind the scenes.
Call the POST /oauth2/introspect endpoint in the StetAccountsPSUOAuth2Security API to obtain the data contained inside of the access token. The following must be passed in the headers of the HTTP request (changing the values as required).
Header
Parameter | Value | Description |
x-ibm-client-id | b299f9df-045a-43f4-a8b1-db58763c5f59 | Client id of your application |
x-ibm-client-secret | rH5oA6lP6tV6lJ7qU6bK0yX0gE8fJ8wD1cH3uX7qJ6dM4iA5lE | Client secret of your application |
Body
Parameter | Value | Description |
token | AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_ GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI | The token obtained in step 2 |
token_type_hint | access_token | Must be 'access_token' |
4. Access accounts information
You can now use the access token to access accounts information, as well as an account's transactions and balances report, and to control coverage of an account.
Call the GET /v1/accounts endpoint in the PSD2 ASPSP services API to access accounts information. The following must be passed in the headers of the HTTP request (changing the values as required).
Headers
Parameter | Value | Description |
authorization | Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_ GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI | The token obtained in step 2 |
x-ibm-client-id | b299f9df-045a-43f4-a8b1-db58763c5f59 | Client id of your application |
accept | application/hal+json | HAL media type (Hypertext Application Language) |
5. Access transactions of an account
You can now use the access token to access an account's transactions.
Call the GET /v1/accounts/{accountId}/transactions endpoint in the PSD2 ASPSP services API to access transactions of an account. The following must be passed in the headers and body of the HTTP request (changing the values as required).
Headers
Parameter | Value | Description |
authorization | Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_ GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI | The token obtained in step 2 |
x-ibm-client-id | b299f9df-045a-43f4-a8b1-db58763c5f59 | Client id of your application |
accept | application/hal+json | HAL media type (Hypertext Application Language) |
6. Access balances report of an account
You can now use the access token to access an account's balances report.
Call the GET /v1/accounts/{accountId}/balances-report endpoint in the PSD2 ASPSP services API to access balances report of an account. The following must be passed in the headers of the HTTP request (changing the values as required).
Headers
Parameter | Value | Description |
authorization | Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_ GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI | The token obtained in step 2 |
x-ibm-client-id | b299f9df-045a-43f4-a8b1-db58763c5f59 | Client id of your application |
accept | application/hal+json | HAL media type (Hypertext Application Language) |
7. Control coverage of accounts
You can now use the access token to control coverage of accounts.
Call the GET /v1/accounts/coverage-control endpoint in the PSD2 ASPSP services API to control coverage of an account. The following must be passed in the headers of the HTTP request (changing the values as required).
Headers
Parameter | Value | Description |
authorization | Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_ GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI | The token obtained in step 2 |
x-ibm-client-id | b299f9df-045a-43f4-a8b1-db58763c5f59 | Client id of your application |
accept | application/hal+json | HAL media type (Hypertext Application Language) |
content-type | application/json | Content type of the payload |
Body
Type | Value | Description |
application/json | { "amount" : { "InstdAmt" : "1060", "Ccy" : "EUR" }, "accountId" : "100", "accountIdType" : "iban" } | JSON request defining the amount and account to control. |
Take note of the result element in the JSON response data: true or false.
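The client-side logic of steps 1 to 7 above, written as an added example (not the page's Postman collection nor the portal's own code): it builds the consent URL, checks the state echoed on the redirect before accepting the authorisation code, and prepares the token-exchange body, the ASPSP request headers and the coverage-control body. The authorisation endpoint host is a placeholder because the page's URL is truncated, and the state check assumes the server echoes the state parameter as OAuth 2.0 requires; no network call is made.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder host: the page's authorisation URL is truncated, so it is assumed here.
AUTHZ_ENDPOINT = "https://ASPSP_HOST/oauth2/authorize"
CLIENT_ID = "b299f9df-045a-43f4-a8b1-db58763c5f59"  # test client id supplied by the page
REDIRECT_URI = "http://localhost/redirect"


def build_consent_url(state, nonce):
    """Step 1: URL the customer's browser is sent to; scope must be 'aisp openid'."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "state": state,
              "scope": "aisp openid", "redirect_uri": REDIRECT_URI, "nonce": nonce}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def new_state():
    """Use an unpredictable per-session state instead of a fixed '123456' so a forged
    redirect cannot be bound to a legitimate session (the OAuth 2.0 CSRF check)."""
    return secrets.token_urlsafe(16)


def code_from_redirect(redirect_url, expected_state):
    """End of step 1: read ?code= off the redirect URL. Assumes the authorisation server
    echoes the state parameter (RFC 6749); a mismatch is rejected before the code is used."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this session")
    return query["code"][0]


def token_request_body(code, client_secret):
    """Step 2: form body for POST /oauth2/token in the StetAccountsPSUOAuth2Security API."""
    return {"client_id": CLIENT_ID, "client_secret": client_secret,
            "grant_type": "authorization_code", "redirect_uri": REDIRECT_URI, "code": code}


def aspsp_headers(access_token, json_body=False):
    """Steps 4 to 7: headers for the PSD2 ASPSP services API; the bearer token is the
    step 2 access token, and coverage-control additionally declares a JSON body."""
    headers = {"authorization": "Bearer " + access_token,
               "x-ibm-client-id": CLIENT_ID, "accept": "application/hal+json"}
    if json_body:
        headers["content-type"] = "application/json"
    return headers


def coverage_control_body(account_id, instructed_amount, currency="EUR"):
    """Step 7: JSON body for GET /v1/accounts/coverage-control (amount sent as a string)."""
    return {"amount": {"InstdAmt": str(instructed_amount), "Ccy": currency},
            "accountId": account_id, "accountIdType": "iban"}
```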