{"openapi":"3.0.0","info":{"description":"Services needed to obtain tokens for OAuth 2.0 secured APIs\n\n  ###### Error codes and their causes\n\n  In addition to the response codes that apply to all APIs,\n  the OAuth provider APIs have some special error situations which are briefly explained below.\n  For more information regarding error handling see the page on error handling.\n  <table>\n    <tr>\n      <th>Situation</th>\n      <th>Results</th>\n    </tr>\n    <tr>\n      <td>Invalid redirect_uri query parameter provided</td>\n      <td>\n        This returns an HTTP 200 with an error message. See the page with\n        error explanations for more details.\n      </td>\n    </tr>\n    <tr>\n      <td>\n          The authorization server encountered an unexpected condition that prevented it from fulfilling the request\n      </td>\n      <td>\n          This returns an HTTP 302 redirect to the redirect_uri with query parameter `/?error=server_error`\n      </td>\n    </tr>\n    <tr>\n      <td>\n          The resource owner or authorization server denied the request.\n      </td>\n      <td>\n          This returns an HTTP 302 redirect to the\n          redirect_uri with query parameter `/?error=access_denied`\n      </td>\n    </tr>\n     <tr>\n        <td>\n            The requested scope is invalid, unknown, or malformed.\n        </td>\n        <td>\n            This returns an HTTP 302 redirect to the redirect_uri\n            with query parameter `/?error=invalid_scope`\n        </td>\n      </tr>\n  </table>\n\n  Next to the error query parameter that is added to the redirect URI during an error flow, an additional optional\n  query parameter called error_description can be added, which gives a more human-readable explanation of what went wrong.\n","title":"Access 
Authorization","version":"1.0.11","x-api-id":"90e882d6-22d0-4d5e-9d73-40aeefddc77d","x-ibm-name":"access-authorization"},"servers":[{"url":"https://oauth.rabobank.nl/openapi/oauth2-premium","description":"Production server"},{"url":"https://oauth-sandbox.rabobank.nl/openapi/sandbox/oauth2-premium","description":"Sandbox server"}],"paths":{"/authorize":{"get":{"parameters":[{"description":"The value `code` indicates the authorization grant flow. Other response types are currently not supported.","in":"query","name":"response_type","required":true,"schema":{"enum":["code"],"type":"string"}},{"description":"A space-separated list of scopes. Scopes represent permissions to resources which your application requests from the user. Your application can request multiple scopes using a space-separated list.","example":"bip.payments.write","in":"query","name":"scope","required":true,"schema":{"type":"string"}},{"description":"This ID uniquely identifies your registered application. The client_id is registered at Rabobank Developer Portal.","example":"3b912432-fb24-49dc-a28b-62f699215e8e","in":"query","name":"client_id","required":true,"schema":{"type":"string"}},{"description":"We do not support dynamic redirect URIs. Please make sure that you have provided the \"OAuth Redirect URI\" in your application settings. If you use this parameter it has to be exactly the same as the value in your application settings.","example":"https://developer.rabobank.nl/","in":"query","name":"redirect_uri","required":false,"schema":{"type":"string"}},{"description":"An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value as a request parameter when redirecting the user back to the redirect URI of the client. 
The parameter SHOULD be used for preventing cross-site request forgery.","in":"query","name":"state","required":false,"schema":{"type":"string"}}],"responses":{"200":{"description":"An HTML form for authentication or authorization of this request."},"302":{"description":"Redirect to the client's redirect_uri containing one of the following: **authorization code** for Authorization code grant, **access token** for Implicit grant or **error** in case of errors, such as when the user has denied the request."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_400_response"}},"text/html":{"schema":{"$ref":"#/components/schemas/error_400_response"}}},"description":"Invalid request has been sent. Please make sure you are providing all the required parameters."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_401_response"}},"text/html":{"schema":{"$ref":"#/components/schemas/error_401_response"}}},"description":"The server denied your request. Most common causes are the following: The required client id or client secret has not been successfully provided. The application is not registered with the plan that is used. The application is not active. The TLS certificate was not provided in the developer portal. The TLS certificate does not match the one provided in the developer portal, or no certificate was added to the API call."},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_404_response"}},"text/html":{"schema":{"$ref":"#/components/schemas/error_404_response"}}},"description":"The API URL was not found. Please make sure you are calling the correct endpoint."},"405":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_405_response"}},"text/html":{"schema":{"$ref":"#/components/schemas/error_405_response"}}},"description":"The API URL was found, but no operation was found that supports the requested HTTP verb. 
Please make sure you are using the correct HTTP request method."},"406":{"description":"The API cannot produce any responses that are supported by the application. Please make sure your Accept header is set accordingly."},"429":{"description":"The rate limit has been exceeded for the plan or operation being used."},"500":{"description":"An error occurred while executing this request. Please try again later and contact support if the error persists."},"503":{"description":"An error occurred while executing this request. Please try again later and contact support if the error persists."}},"description":"Before you can request an access token you need to redirect your user to this endpoint to obtain consent. After giving consent the user will be redirected back to the \"OAuth Redirect URI\" that you provided in your application settings.","operationId":"getauthorize","summary":"Authorization code and implicit grants"}},"/token":{"post":{"parameters":[{"description":"To authenticate your application you need to use HTTP Basic Authentication. 
This means you need to Base64-encode the following string \"YOUR_CLIENT_ID:YOUR_CLIENT_SECRET\" and add it to the Authorization header.","example":"Authorization: Basic NGU5YmYwMDAtNDA3Zi00MWYwLTkyMWEtOWZkZTE3M2E2ODc0OkNMSUVOVF9TRUNSRVQ=","in":"header","name":"authorization","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/access_token_response"}}},"description":"JSON document containing the token, etc."},"400":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_400_response"}}},"description":"Bad request - Missing / invalid parameter or authorization code invalid / expired."},"401":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_401_response"}}},"description":"Unauthorized - Authorization header or refresh token is invalid."},"404":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_404_response"}}},"description":"The API URL was not found. Please make sure you are calling the correct endpoint."},"405":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/error_405_response"}}},"description":"The API URL was found, but no operation was found that supports the requested HTTP verb. Please make sure you are using the correct HTTP request method."},"429":{"description":"The rate limit has been exceeded for the plan or operation being used."},"500":{"description":"An error occurred while executing this request. Please try again later and contact support if the error persists."},"503":{"description":"An error occurred while executing this request. 
Please try again later and contact support if the error persists."}},"description":"This endpoint allows requesting an access token following one of the flows below:\n- Authorization Code (exchange code for access token)\n- Refresh Token (exchange refresh token for a new access token)\n\n\nThe table below indicates the required parameters for each specific grant_type option.\nEmpty cells indicate a parameter is ignored for that specific grant type.\n\n\nClient authentication:\nConfidential clients should authenticate using HTTP Basic Authentication,\nwhere the username is the client_id and password is the client_secret.\n\n\n|                      | Authorization code | Refresh token |\n|----------------------|--------------------|---------------|\n| grant_type           | authorization_code | refresh_token |\n| code                 | required           |               |\n| redirect_uri         | optional           |               |\n| refresh_token        |                    | required      |\n","operationId":"posttoken","requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"properties":{"code":{"description":"Authorization code provided by the /oauth2-premium/authorize endpoint","type":"string"},"grant_type":{"description":"Type of grant","enum":["authorization_code","refresh_token"],"type":"string"},"redirect_uri":{"description":"Required only if the redirect_uri parameter was included in the authorization request /oauth2-premium/authorize; their values MUST be identical.","type":"string"},"refresh_token":{"description":"The refresh token that the client wants to exchange for a new access token (refresh_token grant_type)","type":"string"}},"required":["grant_type"],"type":"object"}}}},"summary":"Request Access 
Tokens"}}},"components":{"schemas":{"access_token_response":{"additionalProperties":false,"properties":{"access_token":{"type":"string","x-example":"AAIkNzE1NDEzNDgtNTk0NS00ODljLWI5ODctM2QxZTY0ZWM1MzY5sseXICNKGv722yXB5Q16juPkn35vOkZGnBIPS5T5GUmswExIuRazAjb8DU25FcmkvR9a-VyFZ1xnmjdihJv4cbJV8QdvteEHGvIsfIX36NW0Ybgc4dphffUkwqUjagTaTPeGkxYSKBw_iSnQ3paNGBaTIvY1NO18Pp_PbWNpZa-GcUznf03Eizc7VIugBZmjhpv1fILWK-dqxLxHYRS2aBV46Sjkai5qy7pLlgzzNGZUUyXhNaxbzs8gWKe5bIBHbP4O8Rd_tH1ICNswWwTS--9jiPNbRe1L9KYa9XCm3RY"},"consented_on":{"description":"Epoch timestamp in seconds of the time when the consent was given.","type":"integer","x-example":1607249404},"expires_in":{"description":"The time in seconds left before the access token expires. Make sure to always use the expiry time from this response for each access token instead of hardcoding it, so that there is no consumer impact if this value changes.","type":"integer","x-example":86400},"metadata":{"description":"The metadata containing the consentId for the given consent. This consentId can be used to retrieve the consent from the consent Details API. This property will be returned only if the grant_type is authorization_code","type":"string","x-example":"a:consentId b75f5ee4-6b25-41af-bb9c-31128d09151b"},"refresh_token":{"type":"string","x-example":"AAIubtGDe9DOXl4IYFw5AZXMxr5A8d-_7i9TBAMEgbtkaFXiqzrqT2y3XTvuTEwhb5NB8INQEMTCpyJygVFDi_UoxkmFy6mobKgyzaHs79em4bWsHMFBDbJRsaM_6yMwPNI95nciF0LaGenXeczeGjpVVO4dfpEizFnclp0Z3eRgb8PckdNhNnUlJnHwEjpYHiPOOYfx_qmytKIG3QEY486Bi0FkYM6ZDP0yhucshj-9I6oDaRBPaHM9pgEBdwa-fuxc0q7t_wRS2I-H7p1M0rlvydDNWPYmRU_RduvT2th3joOrEg5_0ijWGgiC2Iw3PQc"},"refresh_token_expires_in":{"description":"The time in seconds left before the refresh token expires. 
Make sure to always use the expiry time from this response for each refresh token instead of hardcoding it, so that there is no consumer impact if this value changes.","type":"integer","x-example":2592000},"scope":{"description":"The scopes for which consent has been given.","type":"string","x-example":"bip.payments.write 52807440-2c6a-4b23-9e17-ee34ea43b2f4_bip.payments.write"},"token_type":{"enum":["bearer"],"type":"string"}},"required":["access_token","expires_in","token_type"],"type":"object"},"error_400_response":{"additionalProperties":false,"properties":{"error":{"enum":["invalid_grant","unknown","invalid_request"],"example":"invalid_grant","type":"string"}},"required":["error"],"type":"object"},"error_401_response":{"additionalProperties":false,"properties":{"error":{"enum":["invalid_client","invalid_grant"],"example":"invalid_client","type":"string"}},"required":["error"],"type":"object"},"error_404_response":{"properties":{"httpCode":{"example":"404","type":"string"},"httpMessage":{"example":"Not Found","type":"string"},"moreInformation":{"example":"No resources match requested URI","type":"string"}},"type":"object"},"error_405_response":{"properties":{"httpCode":{"example":"405","type":"string"},"httpMessage":{"example":"Method Not Allowed","type":"string"},"moreInformation":{"example":"the method is not allowed for the requested URL","type":"string"}},"type":"object"}},"securitySchemes":{"basicAuth":{"description":"Basic authentication using clientId and clientSecret as provided by the Rabobank developer portal.","scheme":"basic","type":"http"},"clientId":{"description":"ClientId as provided by the Rabobank developer portal.","in":"header","name":"X-IBM-Client-Id","type":"apiKey"}}},"x-readme":{"explorer-enabled":false,"proxy-enabled":false}}