Microservices layer

1. Summary

The microservice layer acts as the middle layer between client apps (e.g. AHS frontend) and the core Open Banking account aggregation services.

It provides modular services to handle:

- User/Client App Registration
- Secure Authentication & Authorisation (OAuth 2.0)
- Account Broker Service to abstract away complex consent handling
- Consent Code Redirect URL service to process redirect callbacks from banks (ASPSPs)

2. Registration

Registration Request Initiated

- A registration request is received via the Registration API.
- The request could be for:
  - a user registering with the system
  - a client application registering to use the platform

Perform KYC Validation

- A KYC check is triggered for the incoming registration data (either user or company).
- If KYC fails, the registration is rejected with an appropriate error response.
- If KYC passes, proceed to persist the data.

If User Registers (not client app)

- The user's details are saved into the User table.
- The user is automatically associated with the default organisation (entry from the Organisation table).
- The response to the registration request includes:
  - Default Organisation Details
  - Generated UserID

System Deployment Phase – Default Client Setup

- At system deployment, a default client entry is auto-populated into the Client table in the Registration Database.
- This acts as a fallback organisation for new user registrations.

If Client App Registers

- The client application's details are stored in the Client table.
- No user-related data (such as personal data of the client app's users) is stored or managed.
- As a result, our platform is not liable for any user-related regulations such as GDPR.
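The registration branching above (KYC first, then persist either a user linked to the default organisation or a client app with no end-user data), as an added example that is not the project's code. The in-memory tables, the default organisation identifier, the KYC rule (required fields plus a minimum age of 18 against a fixed reference date) and the response shapes are all constructed for illustration; a real deployment would call a KYC provider and a database.

```python
from datetime import date
import uuid

# In-memory stand-ins for the Registration Database tables (constructed).
USER_TABLE: dict[str, dict] = {}
CLIENT_TABLE: dict[str, dict] = {}
ORGANISATION_TABLE: dict[str, dict] = {}

DEFAULT_ORG_ID = "org-default"  # constructed identifier for the default organisation

# Fixed reference date so the age rule below is deterministic (constructed).
REFERENCE_DATE = date(2025, 1, 1)


def seed_default_client() -> None:
    """System deployment phase: auto-populate the default client entry that acts
    as the fallback organisation for new user registrations. Idempotent."""
    ORGANISATION_TABLE.setdefault(DEFAULT_ORG_ID, {"name": "Default Organisation"})
    CLIENT_TABLE.setdefault(
        DEFAULT_ORG_ID, {"name": "default-client", "organisation_id": DEFAULT_ORG_ID}
    )


def kyc_check(data: dict) -> tuple[bool, str]:
    """Constructed KYC rule standing in for a real KYC provider: required fields
    must be present, and a registering user must be at least 18."""
    kind = data.get("type")
    if kind == "user":
        required = ("full_name", "date_of_birth", "email")
    elif kind == "client_app":
        required = ("company_name", "registration_number")
    else:
        return False, "unknown registration type"
    missing = [field for field in required if not data.get(field)]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    if kind == "user":
        try:
            dob = date.fromisoformat(data["date_of_birth"])
        except ValueError:
            return False, "invalid date_of_birth"
        age = REFERENCE_DATE.year - dob.year - (
            (REFERENCE_DATE.month, REFERENCE_DATE.day) < (dob.month, dob.day)
        )
        if age < 18:
            return False, "applicant is under 18"
    return True, "ok"


def register(data: dict) -> tuple[int, dict]:
    """Registration API handler: KYC first, then persist. Returns (HTTP status, body)."""
    ok, reason = kyc_check(data)
    if not ok:
        # KYC failure: reject with an error response; nothing is persisted.
        return 422, {"error": "KYC validation failed", "reason": reason}

    if data["type"] == "user":
        org = ORGANISATION_TABLE.get(DEFAULT_ORG_ID)
        if org is None:
            # Deployment did not seed the default client; fail loudly, persist nothing.
            return 500, {"error": "default organisation missing"}
        user_id = str(uuid.uuid4())
        USER_TABLE[user_id] = {
            "full_name": data["full_name"],
            "email": data["email"],
            "organisation_id": DEFAULT_ORG_ID,  # auto-associated with the default organisation
        }
        return 201, {"user_id": user_id, "organisation": {"id": DEFAULT_ORG_ID, **org}}

    client_id = str(uuid.uuid4())
    # Only the client app's own details are stored; nothing about its end users.
    CLIENT_TABLE[client_id] = {
        "company_name": data["company_name"],
        "registration_number": data["registration_number"],
    }
    return 201, {"client_id": client_id}


if __name__ == "__main__":
    seed_default_client()
    print(register({"type": "user", "full_name": "A. Person",
                    "date_of_birth": "2000-05-10", "email": "a@example.com"}))
    print(register({"type": "client_app", "company_name": "Example Ltd",
                    "registration_number": "12345678"}))
```

The order inside register matters: the KYC result and the presence of the default organisation are both checked before any row is written, so a rejected registration leaves no partial data behind.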

3. Authentication and Authorisation (OAuth 2.0)

Secure Channel Establishment

- Every request from a client app or user to the Account Broker API must be over TLS 1.2 or above.
- In production, enforce Mutual TLS (mTLS):
  - The client presents a certificate for authentication.
  - The server validates the client certificate and vice versa.
- In staging/testing, allow one-way TLS (server certificate only).

Authentication & Token Issuance (OAuth 2.0 Flow)

- The client or user authenticates with the OAuth 2.0 Authorisation Server using the appropriate grant type (e.g. client credentials or authorisation code).
- On successful authentication, an Access Token is issued.

Token-Based API Access

- For each request to the Account Broker API, the client/user must include the Access Token in the request header.
- The API verifies:
  - Token validity
  - Token scope and permissions
  - Expiry time
- If valid, the request proceeds; otherwise access is denied with an appropriate error.

Final Secure Request Flow

Client App/User (TLS/mTLS) -> Account Broker API (validates OAuth 2.0 token) -> Core Open Banking Platform -> ASPSP APIs (via secured Open Banking channels)
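The two server-side controls in this section, the TLS policy (1.2 minimum, mTLS in production, one-way TLS elsewhere) and the three token checks (validity, scope, expiry), as an added example that is not the project's code. The page does not state the token format, so the example assumes an HMAC-SHA256-signed JSON token with a constructed signing key shared with the authorisation server; in a real deployment the verifier would use the authorisation server's published keys or introspection endpoint instead, and certificate files would be loaded into the context at startup.

```python
import base64
import hashlib
import hmac
import json
import ssl

# Constructed HMAC key assumed to be shared with the OAuth 2.0 Authorisation Server.
TOKEN_SIGNING_KEY = b"example-signing-key-not-for-production"


def server_tls_context(environment: str) -> ssl.SSLContext:
    """TLS policy for the Account Broker API: TLS 1.2+ everywhere; in production the
    client must present a certificate (mTLS), in staging/testing one-way TLS is allowed.
    Deployment still calls load_cert_chain() and, for mTLS, load_verify_locations()
    with the client CA bundle before serving."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if environment == "production":
        ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: no valid client cert, no handshake
    else:
        ctx.verify_mode = ssl.CERT_NONE  # one-way TLS: server certificate only
    return ctx


def describe_tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summary of the effective policy, handy for startup logs and checks."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list[str], ttl_seconds: int, now: int) -> str:
    """Assumed token format: base64url(JSON claims) '.' base64url(HMAC-SHA256 over
    the first segment). Stands in for what the authorisation server would issue."""
    claims = {"sub": subject, "scope": scopes, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_request(headers: dict, required_scope: str, now: int) -> tuple[int, dict]:
    """The checks the page lists, in order: validity (structure and signature),
    expiry, then scope. Returns (HTTP status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    token = auth[len("Bearer "):]
    try:
        body, sig = token.split(".")
        expected = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak the signature byte by byte.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return 401, {"error": "invalid token"}
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return 401, {"error": "malformed token"}
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return 401, {"error": "token expired"}
    if required_scope not in claims.get("scope", []):
        return 403, {"error": "insufficient scope"}
    return 200, {"subject": claims.get("sub")}


if __name__ == "__main__":
    print(describe_tls_policy(server_tls_context("production")))
    t = issue_token("client-app-1", ["accounts:read"], 300, 1_700_000_000)
    print(verify_request({"Authorization": "Bearer " + t}, "accounts:read", 1_700_000_000))
```

Note the distinction in status codes: a token that fails validity or expiry gets 401 (the caller needs a new token), while a valid token without the needed scope gets 403 (a new token will not help unless its scopes change).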

4. Account Broker

Client App Requests Account Data

- The client app sends a request to the Account Broker API to retrieve the user's bank data.

Broker API Checks Consent

- The Account Broker API checks for existing user consent in the Consent Database.
- Consent is identified using Organisation ID + User ID + ASPSP ID.

Consent Not Found

- If no consent is found for the user, the Account Broker API returns:
  - HTTP 202 Accepted
  - Message: "Consent Required"
- The request is halted until consent is granted and persisted.

Consent Found

- If valid consent exists, the broker uses the internally stored consent code and access token to call the core platform API.
- This ensures client apps never directly access or store consent tokens, maintaining security.

Core Platform Retrieves Account Data

- The Account Broker API forwards the request to the Core Platform Account-Aggregation-Consumer API.
- The core platform interacts with the ASPSP APIs using stored credentials and tokens.

Response to Client App

- The aggregated account data is returned to the Client App via the Account Broker API.

5. Consent Code Redirect URL

1. Consent Request Initiated

- The Client App requests account access via the Account Broker API.
- The broker checks for consent; if none is available, the broker returns 202 Consent Required.
- The broker initiates the consent journey using the ASPSP's consent URL.
- The consent request includes a service URL (redirect URI) pointing to the Consent Callback Service.

2. User Authenticates with ASPSP

- The user is redirected to the ASPSP's authentication page.
- Upon successful login and approval, the ASPSP sends the authorisation code to the embedded service URL (callback endpoint).

3. Callback Service Receives Authorisation Code

- The Consent Callback Service receives the code from the ASPSP.
- It triggers a token exchange request to the core-platform/account-aggregation-consumer/consent API using the received authorisation code.

4. Token Stored on Core Platform

- The core platform exchanges the code for an access token.
- The access token is persisted securely in the Consent Database.
- The consent is linked to:
  - Organisation ID
  - User ID
  - ASPSP ID

5. Ready for Account API Requests

- Once consent and token are stored, the Account Broker API can:
  - Seamlessly forward client app requests to the core platform.
  - Fetch account data from ASPSPs using valid stored tokens.
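Sections 4 and 5 together, as one added example that is not the project's code: the broker's consent lookup keyed by Organisation ID + User ID + ASPSP ID with the 202 "Consent Required" response, and the Consent Callback Service that exchanges the authorisation code and persists the consent under that same key. The Consent Database is an in-memory dict; the core-platform calls are constructed stand-ins (a fixed authorisation code is accepted, a fixed account list is returned); the callback URL and the ASPSP consent URL form are hypothetical. The page does not say how a callback is matched back to the request that started it, so the example assumes an opaque, single-use state value carried on the redirect URI.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Consent:
    access_token: str  # held only in the Consent Database; never returned to the client app
    expires_at: int    # unix time (constructed)


# Consent Database stand-in, keyed by (Organisation ID, User ID, ASPSP ID).
CONSENT_DB: dict[tuple[str, str, str], Consent] = {}

# Pending consent journeys: assumed opaque state -> the key it will be stored under.
PENDING_JOURNEYS: dict[str, tuple[str, str, str]] = {}

CALLBACK_URL = "https://broker.example/consent/callback"  # hypothetical service URL


def core_platform_exchange_code(code: str, now: int) -> Consent:
    """Stand-in for core-platform/account-aggregation-consumer/consent (constructed):
    one known code is accepted, anything else is rejected."""
    if code != "valid-code":
        raise ValueError("authorisation code rejected by core platform")
    return Consent(access_token="tok-" + secrets.token_hex(8), expires_at=now + 3600)


def core_platform_fetch_accounts(aspsp_id: str, access_token: str) -> list[dict]:
    """Stand-in for the Core Platform Account-Aggregation-Consumer API (constructed)."""
    return [{"aspsp_id": aspsp_id, "account_id": "acc-001", "balance": "123.45"}]


def broker_account_request(org_id: str, user_id: str, aspsp_id: str, now: int) -> tuple[int, dict]:
    """Section 4: look up consent; 202 Consent Required if absent or expired,
    otherwise call the core platform with the stored token. Returns (status, body)."""
    key = (org_id, user_id, aspsp_id)
    consent = CONSENT_DB.get(key)
    if consent is None or consent.expires_at <= now:
        state = secrets.token_urlsafe(16)
        PENDING_JOURNEYS[state] = key
        # Section 5 step 1: the consent journey starts at the ASPSP's consent URL
        # (hypothetical form) with the Consent Callback Service as redirect URI.
        consent_url = (f"https://{aspsp_id}.example/authorize"
                       f"?redirect_uri={CALLBACK_URL}&state={state}")
        return 202, {"message": "Consent Required", "consent_url": consent_url}
    # Consent found: the stored token is used here and never leaves the broker.
    accounts = core_platform_fetch_accounts(aspsp_id, consent.access_token)
    return 200, {"accounts": accounts}


def consent_callback(query: dict, now: int) -> tuple[int, dict]:
    """Section 5 steps 3-4: the Consent Callback Service receives the authorisation
    code, exchanges it via the core platform and persists the consent."""
    state = query.get("state", "")
    code = query.get("code", "")
    key = PENDING_JOURNEYS.pop(state, None)  # single use: a replayed callback is rejected
    if key is None or not code:
        return 400, {"error": "unknown consent journey or missing code"}
    try:
        consent = core_platform_exchange_code(code, now)
    except ValueError as exc:
        return 502, {"error": str(exc)}
    CONSENT_DB[key] = consent  # linked to Organisation ID + User ID + ASPSP ID
    return 200, {"message": "Consent stored",
                 "linked_to": {"organisation_id": key[0], "user_id": key[1], "aspsp_id": key[2]}}


if __name__ == "__main__":
    now = 1_700_000_000
    print(broker_account_request("org-default", "user-1", "aspsp-a", now))
    state = next(iter(PENDING_JOURNEYS))
    print(consent_callback({"state": state, "code": "valid-code"}, now))
    print(broker_account_request("org-default", "user-1", "aspsp-a", now))
```

Two details worth keeping when this is built for real: the callback response never echoes the access token (only the key it was linked to), and an expired consent is treated the same as a missing one, so the client app sees a single 202 path rather than a separate error to handle.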