Testing Guide for STET Payments and Accounts APIs

This guide explains how to test the Payments and Accounts APIs of the 'Payment and Accounts' API product. A Client ID and Client Secret have been included in the attached Postman collection for convenience. However, you should sign up to the portal, create an application and subscribe to the 'Payment and Accounts' API product; this gives you your own Client ID and Client Secret for invoking the APIs. Please refer to the Getting Started page for instructions on how to do this.

Postman collection to test STET Accounts APIs

Below you can find the link to a test suite with the steps required to test the STET Accounts APIs. It includes HTTP requests with sample headers and test data.

Postman is a free REST test tool; you can download it from here. Save the content of the link below as a .json file and then import it into the tool as a test collection.

Link to postman collection to test STET PSD2 APIs

The rest of this page explains the steps implemented in the test suite. You can use this information as guidance for the logic you need to implement in your application to be able to execute a payment.

Steps to test STET Accounts APIs

1. Obtain consent from the customer to access accounts information

You start the three-legged OAuth 2.0 flow that enables the ASPSP (the bank) to authenticate the customer and capture their consent to access accounts information.

Using a web browser, invoke the URL below to emulate the customer giving consent for accessing accounts information (changing the values as required).

      https://api.eu.apiconnect.ibmcloud.com/cmarcoliukibmcom-open-banking-agg...

URL Parameters

Parameter       Value                                   Description
response_type   code                                    The OAuth flow type being used
client_id       b299f9df-045a-43f4-a8b1-db58763c5f59    The client ID of your application registered in the developer portal
state           123456                                  The state as specified by the TPP
scope           aisp openid                             The scope being requested. Must match the scope of the POST open-banking/payment-submissions endpoint
redirect_uri    http://localhost/redirect               The redirect URL of the application registered in the developer portal
nonce           ABC-789                                 The nonce as specified by the TPP

First, as a bank account owner, you have to authenticate directly with your (favorite) bank. Two accounts are provided for test purposes. You can choose either of them; the default is Jean Martin's account.

        1. login: Anne-Dubois - password: no specific password, enter any character
        2. login: Jean-Martin - password: no specific password, enter any character. This is the default account

If you use login 'Anne-Dubois' you are bound to bank account owner Anne Dubois (with accountId "100" and "101"); otherwise you are Jean Martin (with accountId "200" and "201").

A second authentication is required to access the consent page and give access to accounts information. A 6-digit one-time code is enforced and you need to provide the right value. For this, you have to install the Authy app (on Mac, Linux, Windows PC or smartphone).

Example of the Authy app UI: [screenshot]

When creating a new account in the Authy app, you have to provide a private/secret key.
Use the following value as the private/secret key: aomv uryz ddbe eihf co5b qwy2 a7us wncl
From there, the Authy app generates a new 6-digit code every 30 seconds for your bank (My Favorite Bank).
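To see where the 6-digit code comes from, here is the RFC 6238 TOTP computation that an authenticator app performs from a base32 seed. This is an added example and not code from this guide or the bank's sandbox; it assumes the second factor is standard TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what Authy computes when you enter a seed by hand. The seed constant below is the guide's test value; the `verify_totp` function shows the server-side check with a small drift window.

```python
"""RFC 6238 TOTP from a base32 seed (added example, not from the guide).

Assumption: standard TOTP parameters (HMAC-SHA1, 30 s step, 6 digits).
"""
import base64
import hmac
import hashlib
import struct
import time

# Test seed from the guide (spaces are only for readability).
GUIDE_SEED = "aomv uryz ddbe eihf co5b qwy2 a7us wncl"


def decode_seed(seed):
    """Base32-decode a seed as authenticator apps show it: lowercase,
    grouped with spaces and without '=' padding are all tolerated."""
    clean = seed.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(decode_seed(seed), int(at // step), digits)


def verify_totp(seed, code, at=None, step=30, window=1):
    """Server-side check: accept the current step plus `window` steps on
    either side to absorb clock drift, compared in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    key = decode_seed(seed)
    return any(
        hmac.compare_digest(hotp(key, counter + d), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    remaining = 30 - int(time.time()) % 30
    print("current code:", totp(GUIDE_SEED), "(valid for about %d s)" % remaining)
```

Running the block prints the same code the Authy app shows for the guide's seed, provided your clock is in sync; a consistently "wrong" code on the bank's consent page is almost always clock drift on the device generating it.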
 
Copy/paste the 6-digit code when required: [screenshot]

Then, once you are "strongly" authenticated, you can select the accounts to which you consent to give the TPP app access (AISPapp in the following example):

Follow the UI flow and at the end, take note of the authorisation code appended to the URL (e.g. http://localhost/redirect?code=xxxxxxxxxxxxx).
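The following is an added example (not code from this guide or the Postman collection) of what a TPP application does around step 1: it builds the authorization URL from the parameters listed above and validates the redirect that carries the code back. `AUTHORIZE_URL` is a placeholder for the guide's (truncated) authorization endpoint; the client id and redirect URI are the guide's test values. Unlike the fixed `state` and `nonce` in the table, a real application must generate fresh unguessable values for every request and refuse a redirect whose `state` it did not issue.

```python
"""Step 1 helpers: authorization URL and redirect validation.
Added example, not from the guide. AUTHORIZE_URL is a placeholder.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder: replace with the full authorization URL from the guide.
AUTHORIZE_URL = "https://api.eu.apiconnect.ibmcloud.com/<provider-org>/<catalog>/oauth2/authorize"
CLIENT_ID = "b299f9df-045a-43f4-a8b1-db58763c5f59"   # test client id from the guide
REDIRECT_URI = "http://localhost/redirect"


def new_state_and_nonce():
    """Fresh unguessable values per authorization request: state ties the
    redirect to this browser session (CSRF protection), nonce ties the
    ID token to this request."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_authorization_url(state, nonce, scope="aisp openid"):
    """Return the URL the customer's browser is sent to (step 1)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "state": state,
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "nonce": nonce,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Extract the authorization code from the redirect URL, refusing it
    unless the echoed state matches the one this session issued.
    Returns the code, or raises ValueError."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization failed: %s" % query["error"][0])
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    print("Open in a browser:", build_authorization_url(state, nonce))
    # After consent the browser lands on http://localhost/redirect?code=...&state=...
    # and parse_redirect(<that URL>, state) yields the code for step 2.
```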

2. Get the access token required to access accounts information

Following the OAuth 2.0 protocol, you now exchange the authorisation code for the access token required for step 4. If you want, you can see, by following the instructions of step 3, how the token is linked to the accounts information access approved by the customer.

Call the POST /oauth2/token endpoint in the StetAccountsPSUOAuth2Security API. The following must be passed in the headers and body of the HTTP request (changing the values as required).

Body

Parameter       Value                                                  Description
client_id       b299f9df-045a-43f4-a8b1-db58763c5f59                   Client id of your application
client_secret   rH5oA6lP6tV6lJ7qU6bK0yX0gE8fJ8wD1cH3uX7qJ6dM4iA5lE     Client secret of your application
grant_type      authorization_code                                     The grant type being requested
redirect_uri    http://localhost/redirect                              The redirect URL, which must match that of the application registered in the developer portal
code            AAINOPze9ca_secTAjtK7xfjYM3cuUR12Tqedf0mmCXx0K1viL8UQke3vb7Q65NegBoPN8GADS7-kVvJjLlUuwjb60mH09duTXxB2V49GD9jeJjOa8Idpz6JNCFukBBzA9W90JdKiEjMXQf6cM8QFqudNJ4jGQecmI_JFWRwIcvXDeesKJlX4I_uSEzRbrZ2lmRk5R9o5-2sUCen_vRgv8nxUh6u57OXp9gXZPzhzzDWe4bALn5kp6AoKcG9E7FBGWWZQDIF7D9cqz9LGXZIcT8     The authorisation code retrieved in step 1

Take note of the access token in the response data.

3. Introspect the access token (optional)

Note that this step is not required for accessing accounts information; however, looking at the content of the access token will help you understand how the system works behind the scenes.

Call the POST /oauth2/introspect endpoint in the StetAccountsPSUOAuth2Security API to obtain the data contained inside the access token. The following must be passed in the headers of the HTTP request (changing the values as required).

Headers

Parameter             Value                                                  Description
x-ibm-client-id       b299f9df-045a-43f4-a8b1-db58763c5f59                   Client id of your application
x-ibm-client-secret   rH5oA6lP6tV6lJ7qU6bK0yX0gE8fJ8wD1cH3uX7qJ6dM4iA5lE     Client secret of your application

Body

Parameter         Value                                                  Description
token             AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI     The token obtained in step 2
token_type_hint   access_token                                           Must be 'access_token'
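As an added example covering steps 2 and 3 (not code from this guide or the API product), the functions below build the token-exchange and introspection requests exactly as the tables list them, and then decide from the introspection result whether the token should be used at all. `API_BASE` is a placeholder for the StetAccountsPSUOAuth2Security API base path, the client id and secret are the guide's test values, and the introspection response is assumed to follow the RFC 7662 shape (`active`, `scope`, `client_id`, `exp`); the sample responses in the usage notes are constructed, not captured from the sandbox.

```python
"""Steps 2-3: token exchange and introspection check.
Added example, not from the guide. API_BASE is a placeholder; the
introspection fields are assumed to follow RFC 7662.
"""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_BASE = "https://api.eu.apiconnect.ibmcloud.com/<provider-org>/<catalog>"  # placeholder
TOKEN_URL = API_BASE + "/oauth2/token"
INTROSPECT_URL = API_BASE + "/oauth2/introspect"
CLIENT_ID = "b299f9df-045a-43f4-a8b1-db58763c5f59"                       # test value from the guide
CLIENT_SECRET = "rH5oA6lP6tV6lJ7qU6bK0yX0gE8fJ8wD1cH3uX7qJ6dM4iA5lE"     # test value from the guide
REDIRECT_URI = "http://localhost/redirect"


def build_token_request(code):
    """(url, headers, body) for POST /oauth2/token with the guide's fields."""
    body = urlencode({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,   # must equal the redirect_uri used in step 1
        "code": code,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return TOKEN_URL, headers, body.encode()


def build_introspect_request(access_token):
    """(url, headers, body) for POST /oauth2/introspect (step 3)."""
    headers = {
        "x-ibm-client-id": CLIENT_ID,
        "x-ibm-client-secret": CLIENT_SECRET,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": access_token, "token_type_hint": "access_token"})
    return INTROSPECT_URL, headers, body.encode()


def send(url, headers, body):
    """POST the prepared request and decode the JSON reply (stdlib only)."""
    with urlopen(Request(url, data=body, headers=headers, method="POST")) as resp:
        return json.loads(resp.read())


def access_token_from(token_response):
    """Pull the access token out of the token endpoint reply, refusing
    anything that is not declared a bearer token."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % token_response.get("token_type"))
    return token_response["access_token"]


def token_is_usable(introspection, required_scope="aisp", now=None):
    """True only if the token is active, not expired, issued to this client
    (when the server reports client_id) and carries the required scope."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False
    if introspection.get("client_id") not in (None, CLIENT_ID):
        return False
    if "exp" in introspection and introspection["exp"] <= now:
        return False
    return required_scope in introspection.get("scope", "").split()


if __name__ == "__main__":
    code = "<authorization code from step 1>"   # placeholder
    token = access_token_from(send(*build_token_request(code)))
    print("token usable for AISP calls:", token_is_usable(send(*build_introspect_request(token))))
```

The `token_is_usable` check is the practical use of step 3: a token that introspects as inactive, expired or without the `aisp` scope should send the application back to step 1 rather than on to step 4, where the only feedback would be an HTTP 401.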

4. Access accounts information

You can now use the access token to access accounts information, as well as an account's transactions and balances report, and to control coverage of an account.

Call the GET /v1/accounts endpoint in the PSD2 ASPSP services API to access accounts information. The following must be passed in the headers of the HTTP request (changing the values as required).

Headers

Parameter          Value                                    Description
authorization      Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI     The token obtained in step 2
x-ibm-client-id    b299f9df-045a-43f4-a8b1-db58763c5f59     Client id of your application
accept             application/hal+json                     HAL media type (Hypertext Application Language)

5. Access transactions of an account

You can now use the access token to access an account's transactions.

Call the GET /v1/accounts/{accountId}/transactions endpoint in the PSD2 ASPSP services API to access the transactions of an account. The following must be passed in the headers of the HTTP request (changing the values as required).

Headers

Parameter          Value                                    Description
authorization      Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI     The token obtained in step 2
x-ibm-client-id    b299f9df-045a-43f4-a8b1-db58763c5f59     Client id of your application
accept             application/hal+json                     HAL media type (Hypertext Application Language)

6. Access balances report of an account

You can now use the access token to access an account's balances report.

Call the GET /v1/accounts/{accountId}/balances-report endpoint in the PSD2 ASPSP services API to access the balances report of an account. The following must be passed in the headers of the HTTP request (changing the values as required).

Headers

Parameter          Value                                    Description
authorization      Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI     The token obtained in step 2
x-ibm-client-id    b299f9df-045a-43f4-a8b1-db58763c5f59     Client id of your application
accept             application/hal+json                     HAL media type (Hypertext Application Language)

7. Control coverage of accounts

You can now use the access token to control coverage of an account.

Call the GET /v1/accounts/coverage-control endpoint in the PSD2 ASPSP services API to control coverage of an account. The following must be passed in the headers of the HTTP request (changing the values as required).

Headers

Parameter          Value                                    Description
authorization      Bearer AAEkMjliM2Q5OGUtMjYxYy00NDE3LWFiNjItNTM2Mjg3YWVmNTE5eegFiXh16pNoEDwNfpByhJic3nZRikKL_GwGgkmhYxMFPXRIu3cOmrcjCumaKttumnfZl6n0IO7pS0puWFuPVN5uDufH9zCzPfb_EKOC1Dj3G3ex0c4EG-UqiEffwb_B1Wf_S1XULelK-9EcNNVKh2jKCRkC-g3wIjllh3a9651sCChfpjsbjIbe0yofQnA21CjouEM8YtfkrSKHMYOZbu81yacMfljfQKrKZM-47HI     The token obtained in step 2
x-ibm-client-id    b299f9df-045a-43f4-a8b1-db58763c5f59     Client id of your application
accept             application/hal+json                     HAL media type (Hypertext Application Language)
content-type       application/json                         Content type of the payload

Body

Type               application/json

{
    "amount" : {
        "InstdAmt" : "1060",
        "Ccy" : "EUR"
    },
    "accountId" : "100",
    "accountIdType" : "iban"
}

JSON request defining the amount and account to control.

Take note of the result element in the response data (JSON): true or false
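The following is an added example (not code from this guide or the API product) of a minimal AISP client that performs steps 4 to 7 with the headers listed above. `API_BASE` is a placeholder for the PSD2 ASPSP services API base path and the client id is the guide's test value. The HTTP transport is injectable so the client can be exercised offline; the responses it is fed in such a run are constructed, not real sandbox data. Two points worth copying into a real application: the bearer token is never echoed in logs or tracebacks, and the coverage-control `result` is accepted only when it is a real JSON boolean.

```python
"""Steps 4-7: AISP calls with the guide's headers.
Added example, not from the guide. API_BASE is a placeholder.
"""
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

API_BASE = "https://api.eu.apiconnect.ibmcloud.com/<provider-org>/<catalog>"  # placeholder
CLIENT_ID = "b299f9df-045a-43f4-a8b1-db58763c5f59"   # test client id from the guide


def urllib_transport(method, url, headers, body):
    """Default transport: perform the request, return (status, decoded JSON)."""
    req = Request(url, data=body, headers=headers, method=method)
    with urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


class AispClient:
    def __init__(self, access_token, transport=urllib_transport):
        self._token = access_token          # the token obtained in step 2
        self._transport = transport         # swappable for offline testing

    def _headers(self, with_body=False):
        h = {
            "authorization": "Bearer " + self._token,
            "x-ibm-client-id": CLIENT_ID,
            "accept": "application/hal+json",
        }
        if with_body:
            h["content-type"] = "application/json"
        return h

    def _get(self, path, body=None):
        status, data = self._transport("GET", API_BASE + path,
                                       self._headers(body is not None), body)
        if status == 401:
            # Token rejected: the consent flow (step 1) must be re-run; do not retry blindly.
            raise PermissionError("access token rejected for %s" % path)
        if status != 200:
            raise RuntimeError("unexpected HTTP %d for %s" % (status, path))
        return data

    def accounts(self):                                  # step 4
        return self._get("/v1/accounts")

    def transactions(self, account_id):                  # step 5
        return self._get("/v1/accounts/%s/transactions" % quote(account_id, safe=""))

    def balances_report(self, account_id):               # step 6
        return self._get("/v1/accounts/%s/balances-report" % quote(account_id, safe=""))

    def coverage_control(self, account_id, amount, currency="EUR", id_type="iban"):
        """Step 7: the guide's JSON body; returns the boolean 'result'."""
        body = json.dumps({
            "amount": {"InstdAmt": str(amount), "Ccy": currency},
            "accountId": account_id,
            "accountIdType": id_type,
        }).encode()
        result = self._get("/v1/accounts/coverage-control", body).get("result")
        if not isinstance(result, bool):
            raise ValueError("coverage-control result is not a boolean: %r" % (result,))
        return result

    def __repr__(self):
        # Keep the bearer token out of logs and tracebacks.
        return "AispClient(token=<redacted>)"


if __name__ == "__main__":
    client = AispClient("<access token from step 2>")   # placeholder
    print(client)                                        # AispClient(token=<redacted>)
    print(json.dumps(client.accounts(), indent=2))
```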