New SCA Oauth2 response in consent creation/payment submission - New version of the Sandbox


Dear Developers,


We want to inform you that the new release of the PSD2 APIs will be available on October 19th (date to be confirmed) on our production environment.

This version brings a breaking change for you in the creation of a consent or a payment submission.

For better understanding, this breaking change we invite you to read the new HowTo which is dedicated to it :


The current version, in production is described in this section : Build an authorize URL using the authorization URL

The new version describes all those changes in this section : Build an authorize URL using the well-known configuration link

On the sandbox environment, the well-known configuration has been deployed in advance in order for you to begin implementing the required changes for your application.

Here the "scaOauth" property of a consent creation (with header tppExplicitAuthorizationPreferred = false) or a POST /authorization endpoint is the following:

  "_links": {
    "scaOAuth": {

You have to call this URL and retrieve the “authorization_enpoint” property in the response:

  "scopes_supported": [
  "response_types_supported": [
  "grant_types_supported": [
  "code_challenge_methods_supported": [
  "subject_types_supported": [

With this property, you will be able to build your authorize URL with the following parameters:

URI parameter



This parameter corresponds to the consentId of the consent creation or the paymentId of the payment initiation


This parameter corresponds to your NCA id


Dynamic value that you have to set in order to prevent XSRF attacks


This parameter corresponds to the URI where the OAuth2 server is redirecting the PSU after the authorization.
NB : this redirect_uri has to be the same used for the consent creation or payment initiation


This parameter corresponds to PKCE challenge according to cryptographic RFC 7636 which is used to prevent code injection attacks


Type of the response. This value has to be set to “code


Optional parameter which corresponds to the code verifier transformation method ("S256" or "plain")


Following these instructions your authorize URL should look like this and is now valid to process the authorization of the PSU:[your_redirect_uri]&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&response_type=code&code_challenge_method=S256

This process to build the authorize URL is the same for a payment initiation.


The new version of the API has been released on the Sandbox environment for you to test.


Best regards,

Your bank support team