Previously, TPPs were required to register with the Developer Portal to test their applications against YBSG APIs. This is no longer the case: TPPs now need to register with YBSG's Test interface via the API.
Our Open Banking APIs
We want to make sure third-party developers can easily register their applications with us and access the standardised industry-wide Open Banking APIs (Application Programming Interfaces) we've helped to create. The sections below provide information on the Open Banking APIs that Yorkshire Building Society has implemented. These APIs provide a secure, coherent set of capabilities that you can use within your applications to deliver value to customers.
Developer Portal Services
The purpose of the Developer Portal is to help developers of client applications understand the APIs supplied by the YBS Group and to support them in building applications that use these APIs. To that end, the Developer Portal provides the following services:
You have to register with the Open Banking website to get access to the Sandbox API.
You will find detailed technical specifications of our APIs in this section.
Overview of YBS APIs
Our initial implementation focuses on PSD2 regulatory compliance for AISP and PISP. We have adopted the UK Open Banking specification standards for our APIs. A key aspect of these standards is the adoption of the open authorisation model based on the OAuth 2.0 Authorisation Framework, in addition to adherence to the OWASP REST API guidelines.
There is an Authorisation Mock Page in the Sandbox that acts as the Authorisation Server, a website that a human user interacts with to authenticate and authorise the access request. It responds with an Authorisation Code when supplied with valid input parameters; authorisation is implicit and guaranteed for all valid input. This enables TPPs to automate the end-to-end flow without managing additional credentials to authenticate and without human intervention to manually authorise the access request.
For information about API releases and alignment with UK Open Banking, please refer to the FAQ section.
Discovery and Application Registration
The Open Banking specification for enrolling with the Open Banking Directory (Directory Specification) and then registering with Account Servicing Payment Service Providers (ASPSPs), like Yorkshire Building Society, is available on the central Open Banking website.
Yorkshire Building Society supports the following to enable discovery and registration for Open Banking with us:
- Use of this functionality is described in the ‘Register an application with an ASPSP using APIs’ section of the Directory Specification.
- We support TPP application on-boarding via APIs and do not provide this capability via a manual process.
The detailed Open Banking specification for the security model (Security Profile) is available on the central Open Banking website.
Yorkshire Building Society supports the following to set up and enable secure use of Open Banking functionality:
POST /token
Get access token required to invoke APIs.
Supporting information for registration and security:
Client ID and Secret
Your client ID and secret that you use to access our APIs are important credentials which must be kept securely within your organisation, and must not be shared with other parties or lost.
Transport layer security mutual authentication (TLS MA)
We require Transport Layer Security Mutual Authentication (TLS MA) to all Yorkshire Building Society API endpoints except:
Support of algorithms
Yorkshire Building Society supports the PS256 algorithm for any signed JWTs provided by a Third Party. OIDC tokens that Yorkshire Building Society provides will be signed using the PS256 algorithm.
Security authorisation expiry & new intents
Where security authorisation has expired, a new intent is required to ensure continued access to the account information. Yorkshire Building Society will not allow an intent to be confirmed again.
Customers can only request the deletion of an authorised intent.
Token validity periods
Token life spans are as follows:
- Authorization code (AISP and PISP): 10 minutes, not reusable – as per the OAuth 2.0 specification
- Access Token (Client Credentials Grant): 60 minutes
- Access Token (For Single AISP Intent ID): 30 minutes
- Refresh Token (For Single AISP Intent ID): ~90 days expected (multi-use Refresh Token)
- Access Token (For Single Immediate Payment): 24 hours – but payment submission only accepted within 1 hour of customer authorisation
- ID Tokens for an Intent ID (AISP and PISP): 30 minutes
- Please note these are not fixed and will change over time.
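The lifetimes above lead to three decisions a TPP client has to make: reuse the access token, refresh it, or ask the customer for a new intent. The Python below is an added example, not Yorkshire Building Society code; the names AispGrant, aisp_action and can_submit_payment and the 30-second clock-skew margin are assumptions, and the server's response remains authoritative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fallback lifetimes taken from the list above. They are not fixed, so an
# expires_in value returned by the token endpoint takes precedence.
ACCESS_AISP = timedelta(minutes=30)
REFRESH_AISP = timedelta(days=90)        # "~90 days expected": an estimate only
ACCESS_PAYMENT = timedelta(hours=24)
PAYMENT_SUBMIT_WINDOW = timedelta(hours=1)
SKEW = timedelta(seconds=30)             # assumption: margin for clock drift

@dataclass
class AispGrant:                         # hypothetical record kept by the TPP
    access_issued: datetime
    refresh_issued: datetime
    expires_in: Optional[int] = None     # seconds, from the token response

def aisp_action(grant: AispGrant, now: datetime) -> str:
    """Return 'use_access_token', 'refresh' or 'new_intent'."""
    life = ACCESS_AISP if grant.expires_in is None else timedelta(seconds=grant.expires_in)
    if now + SKEW < grant.access_issued + life:
        return "use_access_token"
    if now + SKEW < grant.refresh_issued + REFRESH_AISP:
        return "refresh"
    # Authorisation has lapsed: the old intent cannot be confirmed again.
    return "new_intent"

def can_submit_payment(authorised_at: datetime, token_issued: datetime, now: datetime) -> bool:
    """A live 24-hour token is not enough: submission must also fall
    within 1 hour of the customer's authorisation."""
    token_live = now + SKEW < token_issued + ACCESS_PAYMENT
    in_window = now + SKEW < authorised_at + PAYMENT_SUBMIT_WINDOW
    return token_live and in_window

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    grant = AispGrant(access_issued=t0, refresh_issued=t0)
    for delta in (timedelta(minutes=10), timedelta(minutes=45), timedelta(days=91)):
        print(delta, aisp_action(grant, t0 + delta))
    print(can_submit_payment(t0, t0, t0 + timedelta(hours=2)))
```

If a refresh attempt is rejected before the estimated 90 days have passed, treat that as the authoritative signal and start a new intent.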
In addition to the response codes detailed in the Open Banking API specifications, we will return the following exception code:
- HTTP 503 (services unavailable or too busy).
API Call Limits
We will only process four requests for data from a third party where the customer is not present within a 24-hour period; there is no restriction on requests where the customer is present.
To restrict the size of transaction data, we will split the response messages into pages; pagination will operate with 100 rows per page.