PSD2 API
Build secure banking integrations with myPOS using our PSD2-compliant API. Access account information and initiate payments on behalf of your users with industry-standard OAuth2 authentication.
What is PSD2?
The Payment Services Directive 2 (PSD2) is an EU regulation (Directive 2015/2366) that enables third-party providers to access banking services securely. Administered by the European Commission, it applies across the EU and EEA.
Key benefits:
- Open Banking: Authorized providers can access banking services with user consent
- Fair Competition: Creates opportunities for banks and non-bank payment providers
- Consumer Protection: Harmonized standards for user rights and security
- Innovation: Standardized access enables new financial services
PSD2 replaced the original Payment Services Directive (PSD, Directive 2007/64/EC) to modernize payment services across Europe.
Additional Resources:
- Service Availability Reports - Quarterly statistical data
Security Requirements
TLS Encryption
All API connections require TLS 1.2 or higher with mandatory client authentication.
Certificate Requirements
Your application must present a qualified certificate for website authentication:
| Requirement | Details |
|---|---|
| Issuer | Must be issued by a Qualified Trust Service Provider (QTSP) |
| Standard | Compliant with eIDAS regulation and EBA-RTS requirements |
| Scope | Must include all TPP (Third-Party Provider) roles you're authorized to use |
Connections without valid qualified certificates will be rejected by the API.
API Overview
Our PSD2 API follows a RESTful, resource-oriented design based on the Berlin Group XS2A v1.3 specification.
Base Endpoint
All API requests use this base URI structure:
https://{provider}/v1/{service}{?query-parameters}
Example:
https://api.mypos.com/v1/accounts?withBalance=true
Understanding the URI
| Component | Description | Examples |
|---|---|---|
{provider} | API host (may include version info) | api.mypos.com |
v1 | Berlin Group XS2A v1.3 specification | Always v1 |
{service} | The resource you're accessing | consents, payments, accounts |
{?query-parameters} | Optional filters or flags | ?withBalance=true |
Available Services
| Service | Endpoint | Purpose |
|---|---|---|
| Consents | /v1/consents | Manage account access permissions |
| Payments | /v1/payments | Initiate and track payments |
| Accounts | /v1/accounts | Access account information |
| Card Accounts | /v1/card-accounts | Access card account data |
| Funds Confirmation | /v1/funds-confirmation | Verify available funds |
Request & Response Format
All requests and responses use JSON format and are structured with these elements:
Path Parameters
- Resource identifiers in the URL (e.g.,
/payments/sepa-credit-transfers/{paymentId})
Query Parameters
- Filters and flags added after
?in the URL - Example:
GET /accounts?withBalance=true - Boolean values must be explicit:
parameter=trueorparameter=false(never omit the value)
Headers
- HTTP headers for authentication, content type, and metadata
- Required:
Authorization,Content-Type
Request Body
- JSON payload with request parameters
- Used for POST and PUT methods
Response Body
- JSON payload with the response data
- Includes requested information or error details
Account Information Services (AIS)
Access your users' account data, balances, and transaction history through our Account Information API. We use OAuth2 for secure authentication and Strong Customer Authentication (SCA).
Integration Flow
Step 1: User Grants Permission
Your user (the Payment Service User - PSU) agrees to share their account information with your application (the Account Information Service Provider - AISP).
Step 2: Create Consent
Create a consent resource to formally request access.
Endpoint: POST /v1/consents
What to include:
- Permissions: Specify what data you need (accounts, balances, transactions)
- Expiration date (optional): When access should expire
- Accounts (optional): Specific accounts to access
What you get back:
consentId: Unique identifier to track this consent- Authorization URL: Where to redirect the user
{
"consentId": "1234-5678-90ab-cdef",
"authorizationUrl": "https://mypos.com/oauth/authorize?..."
}
Step 3: User Authorizes Access
Redirect your user to the authorization URL:
- User logs into their myPOS account
- User reviews the requested permissions
- User selects which accounts to share
- User approves or declines the request
- User is redirected back to your application
After approval, you'll receive an authorization code in the callback URL.
Step 4: Retrieve Account Data
Once you have a valid access token, you can access account information.
Always start by calling GET /v1/accounts to retrieve the valid account IDs for this consent. Use these IDs for subsequent requests.
Available endpoints:
GET /v1/accounts # List accessible accounts
GET /v1/accounts/{accountId} # Get specific account details
GET /v1/accounts/{accountId}/balances # Check account balance
GET /v1/accounts/{accountId}/transactions # View transaction history
Payment Initiation Services (PIS)
Initiate payments on behalf of your users with support for SEPA and cross-border transfers.
Integration Flow
Step 1: User Initiates Payment
Your user agrees to make a payment through your application (the Payment Initiation Service Provider - PISP).
Optional: You can specify the debtor account at this stage, or let the user select it later.
Step 2: Create Payment
Create a payment resource with the payment details.
Endpoint: POST /v1/payments/{payment-product}
Payment products:
sepa-credit-transfers- SEPA paymentscross-border-credit-transfers- International payments
What to include:
- Creditor information (recipient)
- Amount and currency
- Payment reference/description
- Debtor account (optional)
What you get back:
paymentId: Unique identifier for this payment- Authorization URL: Where to redirect the user
{
"paymentId": "payment-xyz-789",
"authorizationUrl": "https://mypos.com/oauth/authorize?..."
}
```Quick Start Guide
Get started with myPOS PSD2 API in 8 steps:
### Prerequisites
Before you begin, you'll need:
- A [myPOS Developer Portal](https://developers.mypos.eu/) account
- A qualified certificate for production use (testing can use sandbox credentials)
### Step 1: Create Your Application
1. Log into the [Developer Portal](https://developers.mypos.eu/)
2. Create a new application
3. Note your **Client ID** and **Client Secret**
4. Configure your **Redirect URI** (where users return after authorization)
### Step 2: Get Initial Access Token
Generate an access token using your application credentials.
```http
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=your_client_id
&client_secret=your_client_secret
Response:
{
"access_token": "eyJhbGc...",
"token_type": "Bearer",
"expires_in": 3600
}
Step 3: Create a Consent or Payment
Use your access token to create a consent (for AIS) or payment (for PIS).
For Account Information:
POST /v1/consents
Authorization: Bearer {ACCESS_TOKEN}
Content-Type: application/json
{
"access": {
"accounts": [],
"balances": [],
"transactions": []
},
"recurringIndicator": false,
"validUntil": "2026-12-31",
"frequencyPerDay": 4
}
For Payments:
POST /v1/payments/sepa-credit-transfers
Authorization: Bearer {ACCESS_TOKEN}
Content-Type: application/json
{
"instructedAmount": {
"currency": "EUR",
"amount": "100.00"
},
"creditorAccount": {
"iban": "DE89370400440532013000"
},
"creditorName": "Recipient Name"
}
Step 4: Redirect User for Authorization
The response includes an authorization URL. Redirect your user there:
// From the response
const authUrl = response._links.scaRedirect.href;
window.location.href = authUrl;
Step 5: Handle the Callback
After authorization, the user returns to your redirect_uri with a code:
https://your-app.com/callback?code=AUTH_CODE_12345
Step 6: Exchange Code for Access Token
Trade the authorization code for an access token:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=AUTH_CODE_12345
&client_id=your_client_id
&client_secret=your_client_secret
&redirect_uri=https://your-app.com/callback
Continue your PSD2 integration journey:
- **[API Reference](/apis/psd2/reference)** - Complete endpoint documentation with request/response schemas
- **[OAuth2 Authentication](/guides/authentication)** - Detailed guide on authentication flows and token management
- **[Code Examples](/guides/examples)** - Sample implementations in JavaScript, Python, PHP, and more
- **[Sandbox Environment](/get-started/sandbox)** - Test your integration risk-free before going live
- **[Error Codes](/guides/error-codes)** - Troubleshoot common issues and error responses
- **[Compliance Guide](/guides/compliance)** - Ensure your integration meets PSD2 regulatory requirementsformation:**
```http
GET /v1/accounts
Authorization: Bearer {NEW_ACCESS_TOKEN}
Payment Status:
GET /v1/payments/sepa-credit-transfers/{paymentId}/status
Authorization: Bearer {NEW_ACCESS_TOKEN}
Step 8: Handle Token Refresh
Access tokens expire. Use the refresh token to get a new one:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token={REFRESH_TOKEN}
&client_id=your_client_id
&client_secret=your_client_secret
Service Abbreviations
Understanding the terminology:
| Abbreviation | Full Name | Description |
|---|---|---|
| PSU | Payment Service User | Your end user (the account holder) |
| TPP | Third-Party Provider | Your application (can be AISP, PISP, or both) |
| AISP | Account Information Service Provider | Apps that read account data |
| PISP | Payment Initiation Service Provider | Apps that initiate payments |
| ASPSP | Account Servicing Payment Service Provider | The bank (myPOS in this case) |
| AIS | Account Information Services | Read-only account access |
| PIS | Payment Initiation Services | Payment creation and execution |
| COF | Confirmation of Funds | Check if funds are available |
| SCA | Strong Customer Authentication | Multi-factor authentication required by PSD2 |
After confirmation, the client will be redirected back to the specified redirect_uri of the application with a GET parameter code.
https://your-app.com/callback?code={AUTHORIZATION_CODE}
7. Exchange Code for Access Token
Use the returned code parameter to generate an OAuth token with grant type authorization_code.
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code={AUTHORIZATION_CODE}
&client_id={YOUR_CLIENT_ID}
&client_secret={YOUR_CLIENT_SECRET}
&redirect_uri={YOUR_REDIRECT_URI}
8. Access PSD2 Services
Use the returned OAuth token to access:
- AIS - Account Information Services
- PIS - Payment Initiation Services
- COF - Confirmation of Funds functionalities
GET /accounts
Authorization: Bearer {ACCESS_TOKEN}
Next Steps
Continue your PSD2 integration journey:
- API Reference - Complete endpoint documentation with request/response schemas
- OAuth2 Authentication - Detailed guide on authentication flows and token management
- Code Examples - Sample implementations in JavaScript, Python, PHP, and more
- Sandbox Environment - Test your integration risk-free before going live
- Error Codes - Troubleshoot common issues and error responses
- Compliance Guide - Ensure your integration meets PSD2 regulatory requirements