Natixis Wealth Management Luxembourg

Natixis Wealth Management Luxembourg XS2A (STET)

Version:  1.1413.037.011
State:  Published
Environment: Production
Base URI:
Authorization Endpoint:
Token Endpoint:
Types: PSD2
Passport :

Account Information Services (AIS)

All APIs are protected by OAuth2 authorization. To receive authorization & access tokens, the PSU has to give consent for the application to access his resources - in case of Account Information Services (AIS) these are: accounts, balances and transaction history. The PSU authentication is required to be a Strong Customer Authentication (SCA), i.e. at least two factors, and to be done in the ASPSP (bank) realm.

Depending on each bank, the application might have to implement a different consent management flow. Please refer to the API documentation to discover which consent flow is supported by the Bank you have chosen.

According to PSD2 directive, it is the TPP’s (this means “your”) responsibility to ensure that a PSU has all required information when he gives consent to an application to access his financial data.


To access a PSU’s account, you have to obtain the PSU’s consent beforehand, in order to access his accounts.

First, the PSU has to select a bank in your application. Once this is done, you have to show to the PSU a clear description of which data you would like to access from his bank.
This is what we call the scope of the consent.

Next, the PSU has to authorize this consent. This process depends on the API specification and consent model implemented by the PSU’s bank.
Below, you will find the required requests to be executed until you have a valid consent to access a PSU’s account data.

These requests are not directly covered by the PSD2 Specification, but they are derived from other standards such as OAuth2.
For the actual PSD2 requests, you can look at the API specifications and at the official documentation of the PSD2 API standards supported by the LUXHUB platform:

STET - current supported version is

STET: Full AISP Model and Mixed Model

This schema shows the requests to be performed in the case where an API requires the STET Full AISP. The requests shown in yellow are explained in detail below.



The flow presented below in details, and in the diagram above, is a reference flow suggested by LUXHUB and not the only possible one.

  1. Request an authorization code for the AIS API access. After calling below URL, the PSU will be redirected to SCA of the chosen bank.

    example request:

    curl \
    -X GET 'https://<Authorization Endpoint>?response_type=code&scope=aisp&client_id=<client_id>&redirect_uri=http%3A%2F%2F127.0.0.1%3A9003%2Fredirect&state=12345678-1234-1234-1234-1234567890ab&code_challenge=<code_challenge_pkcs>&code_challenge_method=S256'


2. Once the PSU has done SCA with the bank, he will be redirected to your redirect URL. The following request has to be served by your application.


example request:


 -X GET '<authorization_code>'​


3. Once you have received the authorization code, you can ask for access and refresh tokens.

      • example request:

        curl \
                     -H 'Authorization: Basic ' \
                     -H 'Content-Type : application/x-www-form-urlencoded' \
                     -d 'grant_type=authorization_code&redirect_uri=http%3A%2F%2F127.0.0.1%3A9003%2Fredirect&code=<authorization_code>&scope=aisp' \
                     -X POST 'https://<Token Endpoint>' \
                     --cert QWAC-cert.pem --key QWAC-key.pem​


4. You are now ready to call the /accounts resource with all details according to the scope of the TPP’s consent.

      • example request:

        curl \
                     -H 'Signature: ' \
                     -H 'Authorization: Bearer ' \
                     -H 'X-Request-ID: 123456-1234-1234-1234567890ab' \
                     -X GET 'https://<Base URI>/accounts' \
                     --cert QWAC-cert.pem --key QWAC-key.pem​


5. (mixed model only) Finally, if the selected bank implements the mixed consent model, you have to inform the bank about the accounts and scopes you would like to access.

      • example request:

        curl \
                     -H 'Signature: ' \
                     -H 'Authorization: Bearer ' \
                     -H 'Content-Type : application/json' \
                     -H 'X-Request-ID: 123456-1234-1234-1234567890ab' \
                     -X PUT 'https://<Base URI>/consents' \
                     -d '{"balances": [{"Iban": "YY64COJH41059545330222956960771455"}],"transactions": [{"Iban": "YY64COJH41059545330222956960771455"}],"trustedBeneficiaries": true,"psuIdentity": true}' \
                     --cert QWAC-cert.pem --key QWAC-key.pem​



This website uses cookies. By continuing to use our website, you accept the use of these cookies.