BalanceCheck CZ API Flow

Onboarding your user

Before your first call to the balanceCheck API, your user must authorize you to access their personal data.

  1. Obtaining your user's consent for you to access his/her personal banking data

    1) Your application initiates the flow by directing your user's browser to the authorization endpoint. Initiation is carried out by making a GET /oauth2/authorize request.

    2) The bank authenticates your user and establishes whether the user grants or denies your access request.

    3) Assuming your user grants access, the bank server redirects the user's browser back to your application using the redirection URI provided during your application registration. The redirection URI includes an authorization code.

    4) Your application requests an access token from the bank server's token endpoint by including the authorization code received in the previous step. The authorization code exchange is carried out by making a POST /oauth2/token request.

    5) The bank server authenticates your application, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect your application in step 3. If it is valid, the bank server responds with an access token and a refresh token. The issued refresh token doesn't expire.

    After token revocation

    The issued token will not expire, but it can be revoked by your user. In that case the bank server responds with HTTP 401 Unauthorized to your API call, and you need to start the consent flow again.

  2. Get Confirmation of Sufficient Balance

    1) Your application initiates a POST /accounts/balanceCheck request with a valid access token.

    2) The bank server validates the access token and the transaction details. If all data in the request are correct, the bank returns the response APPR (sufficient balance) or DECL (insufficient balance).

  3. Refresh Expired Access Token

    When an access token obtained through an authorization code grant expires, your application should attempt to get a new access token and refresh token by calling POST /oauth2/token. For more information see Section 6, Refreshing an Access Token, of the OAuth 2.0 specification.

    If your application fails to get an access token using the refresh token (e.g. because the user removed consent), you need to start the consent flow from step 1 again.
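The whole flow above (consent, balance check, refresh on an expired access token, and the HTTP 401 after revocation that sends the user back to step 1) as one added Python example. This is not the bank's SDK or sample code: the endpoint paths are the ones this page names, but the base URL, the request and response field names, the `state` parameter, the form-body client authentication and the JSON shapes are assumptions, and `FakeBank` is a constructed offline stand-in for the bank server.

```python
# Added example, not the bank's SDK: a client for the page's OAuth 2.0 flow. Endpoint
# paths are the page's; base URL, request/response fields and form-body client auth are
# assumptions. transport(method, url, headers, form_body) -> (status, json) is injected.
import secrets
from urllib.parse import urlencode

class ConsentRequired(Exception):
    """Tokens unusable (consent revoked, refresh failed): restart from step 1."""

class BalanceCheckClient:
    def __init__(self, base_url, client_id, client_secret, redirect_uri, transport):
        self.base_url, self.client_id, self.client_secret = base_url, client_id, client_secret
        self.redirect_uri, self.transport = redirect_uri, transport
        self.access_token = self.refresh_token = None
        self.pending_states = set()  # states issued but not yet redeemed

    def authorize_url(self):
        # Step 1.1. 'state' ties the callback to this session, so a forged redirect
        # carrying someone else's authorization code is rejected in handle_callback.
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": self.redirect_uri, "state": state})
        return f"{self.base_url}/oauth2/authorize?{query}"

    def handle_callback(self, code, state):
        # Steps 1.3-1.5: check state, then exchange the code at POST /oauth2/token.
        if state not in self.pending_states:
            raise ValueError("redirect carries a state this client never issued")
        self.pending_states.discard(state)
        self._token_request({"grant_type": "authorization_code", "code": code,
                             "redirect_uri": self.redirect_uri})

    def _token_request(self, body):
        body = dict(body, client_id=self.client_id, client_secret=self.client_secret)
        status, data = self.transport("POST", f"{self.base_url}/oauth2/token", {}, body)
        if status != 200:  # e.g. invalid_grant after the user removed consent
            self.access_token = self.refresh_token = None
            raise ConsentRequired(f"token endpoint returned HTTP {status}")
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token", self.refresh_token)

    def balance_check(self, account, amount, currency):
        # Step 2: returns 'APPR' or 'DECL'. On HTTP 401 refresh once and retry; if the
        # refresh fails as well, consent was revoked and ConsentRequired propagates.
        body = {"account": account, "amount": amount, "currency": currency}  # assumed fields
        for attempt in (1, 2):
            status, data = self.transport("POST", f"{self.base_url}/accounts/balanceCheck",
                                          {"Authorization": f"Bearer {self.access_token}"}, body)
            if status == 200:
                return data["response"]
            if status != 401 or attempt == 2:
                raise RuntimeError(f"balanceCheck returned HTTP {status}: {data}")
            self._token_request({"grant_type": "refresh_token",  # step 3
                                 "refresh_token": self.refresh_token})

class FakeBank:
    """Constructed stand-in for the bank server; just enough behaviour for the demo."""
    def __init__(self):
        self.codes, self.access, self.refresh_tokens = {}, {}, set()
        self.balances = {"CZ-test-account": 1500.0}  # constructed sample data

    def __call__(self, method, url, headers, body):
        if url.endswith("/oauth2/token"):  # steps 1.5 and 3: code is single-use, URI must match
            valid = (self.codes.pop(body.get("code"), None) == body.get("redirect_uri")
                     if body["grant_type"] == "authorization_code"
                     else body.get("refresh_token") in self.refresh_tokens)
            if not valid:
                return 400, {"error": "invalid_grant"}
            access, refresh = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
            self.access[access] = True
            self.refresh_tokens.add(refresh)
            return 200, {"access_token": access, "refresh_token": refresh}
        token = headers.get("Authorization", "")[len("Bearer "):]  # /accounts/balanceCheck
        if not self.access.get(token):
            return 401, {"error": "invalid_token"}
        enough = self.balances.get(body["account"], 0.0) >= float(body["amount"])
        return 200, {"response": "APPR" if enough else "DECL"}

def run_demo():
    # Consent, two checks, access-token expiry + refresh, then revocation.
    bank = FakeBank()
    client = BalanceCheckClient("https://bank.example", "my-app", "s3cret",
                                "https://my-app.example/cb", bank)
    state = client.authorize_url().rsplit("state=", 1)[1]  # the browser carries it back
    code = secrets.token_urlsafe(8)         # step 1.2: the user approves and the bank
    bank.codes[code] = client.redirect_uri  # mints a code bound to our redirect URI
    client.handle_callback(code, state)
    out = {"approved": client.balance_check("CZ-test-account", "1000.00", "CZK"),
           "declined": client.balance_check("CZ-test-account", "2000.00", "CZK")}
    bank.access.clear()                     # access token expired: 401 -> refresh -> retry
    out["after_refresh"] = client.balance_check("CZ-test-account", "1000.00", "CZK")
    bank.access.clear()                     # user revoked consent: access token is dead
    bank.refresh_tokens.clear()             # and the refresh token with it
    try:
        out["after_revocation"] = client.balance_check("CZ-test-account", "1000.00", "CZK")
    except ConsentRequired:
        out["after_revocation"] = "restart consent flow"
    return out
```

Two points the page's step list leaves implicit are made explicit here: the client only trusts a redirect whose `state` it issued itself, so a callback forged with a foreign authorization code is refused before any token exchange, and a 401 on balanceCheck is handled by exactly one refresh attempt, after which a rejected refresh is treated as removed consent and the user is sent through step 1 again rather than retried indefinitely.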